CJEU - C-496/17 - Deutsche Post AG v. Hauptzollamt Köln

From GDPRhub
Revision as of 16:23, 7 July 2020 by AN (talk | contribs)
CJEU - Case C‑496/17 Deutsche Post AG v. Hauptzollamt Köln
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4(2) GDPR
Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 6(1)(c) GDPR
Article 24(1) of Regulation 2015/2447
Decided: 16.01.2019
Parties: Deutsche Post AG
Hauptzollamt Köln
Case Number/Name: Case C‑496/17 Deutsche Post AG v. Hauptzollamt Köln
European Case Law Identifier: ECLI:EU:C:2019:26
Reference from:
Language: 24 EU Languages
Original Source:
Initial Contributor: Panayotis Yannakas

How data collection and the GDPR Regulation falls under of the Customs Code

English Summary


The German Customs Authority, through a self-evaluation questionnaire, requested of Deutsch Post AG the persons in charge of managing customs matters or those responsible for dealing with such matters, by sending, among other things, the tax identification numbers of all those natural persons and the details of the tax offices responsible for their taxation.

The German Customs Authority stated that, if there were no cooperation, it would be impossible to determine whether the requirements laid down in the German Customs Code, as well as in the Commission Implementing Regulation (EU/2015/2447), were satisfied. If it would be impossible that determination, then the German Customs Authority is obliged to revoke any custom authorisations held by Deutsche Post.

Deutsche Post AG was concerning the nature and extent of the personal data of third parties that must be submitted so that an undertaking can qualify for the customs status of an authorised economic operator (AEO).


According to the EU Regulation 2015/2447, Customs authorities shall, after the recognition of the status of AEO, provide to the customs user some simplifications. For example, Customs authorities shall not re-examine those criteria which have already been examined when granting the status of AEO.

Deutsche Post AG claims that the individuals who are undertaking affected by the fulfilment requirements raised by the German Customs Authority, are numerous. Also claims that some of those individuals are unwilling to agree to the transmission of their personal data. The third claim of Deutsche Post AG was that the collection of tax identification numbers is neither necessary nor appropriate for determining the reliability of entity, in term of customs law, and the verification of the individual tax situation of all the individuals affected is disproportionate in relation to the objective.

The main argument of the German Customs Authority is that the exchange of these data is necessary to ensure unmistakeable identification of the persons in charge of customs duties, as well as that the exchange of these informations is provided only if the entity has evidence of serious or repeated infringements of the tax legislation and only on a case-by-case basis.


The CJEU held that the reading of the provisions of the German Customs Code, or the provisions of the Commission Implementing Regulation (EU/2015/2447) indicates a list of affected individuals, which list is exhaustive. The persons specified are solely the applicant, the person in charge of the applicant or exercising control over its management, and the employee in charge of the applicant’s customs matters.

Furthermore is delegated that an applicant for AEO status should provide, annexed to the prescribed form for an application for that status, the names and positions within the applicant’s organisation of a more extended list of natural persons than that to be found in the second subparagraph of Article 24(1) of Implementing Regulation 2015/2447. In order the customs authorities may respond to an application for AEO status, the provision implies that the applicant should be permitted access to data that makes it possible to establish that none of the natural persons specified have committed any serious infringements or repeated infringements of customs legislation and taxation rules and/or have any record of serious criminal offences relating to his economic activity. So, the question is if the practice of those authorities involves the processing of personal data, within the meaning of Article 4(2) of Regulation 2016/679, EU legislation on the protection of that data must be respected.

More particularly, the personal data must, under Article 5(1)(b) or (c) of Regulation 2016/679, be collected for specified, explicit and legitimate purposes and must be adequate, relevant and not excessive in relation to those purposes, the processing of that data being lawful, under Article 6(1)(c) of that regulation, only if it is necessary for compliance with a legal obligation to which the controller is subject. Inter alia, that entails an obligation to inform the data subjects of the transfer of that data.

The CJEU considered the subsequent collection of that personal data by the customs authorities in order to make a decision on an application for AEO status is clearly necessary to comply with a legal obligation. To that extent, that data is collected, and therefore processed, for specified, explicit and legitimate purposes. Also, these data collection is adequate, relevant, and not excessive in relation to the purposes for which that data is collected.

Under the CJEU's view the fact of the customs authorities granting AEO status to an operator is the equivalent, in reality, of delegating to that operator some of the customs legislation control functions. Consequently, it is important that, before that status is granted, those authorities can obtain information on the reliability of the applicant for that status.

Finally, having regard to the level of responsibility of the persons in charge of managing customs matters, or those responsible for dealing with such matters, it seems right that Customs Authorities require the questionable process of tax data collection, before the grant of the AEO status to an applicant.


The CJEU do not suggest a lack of awareness of the fact the tax identification number constitutes, by its very nature, tax data relating to an identified or identifiable natural person and, therefore, personal data. The Tax Identification Number must also be deemed to be personal data, mainly on the basis on the link between a specifically identified individual and the information as to the tax office responsible for the taxation of that individual.

Further Resources

Share blogs or news articles here!