CJEU - C‑496/17 - Deutsche Post AG v. Hauptzollamt Köln

From GDPRhub
Revision as of 20:02, 4 January 2021 by Panayotis.Yannakas (talk | contribs) (General Editing)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CJEU - Case C‑496/17 Deutsche Post AG v. Hauptzollamt Köln
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4(2) GDPR
Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 6(1)(c) GDPR
Article 24(1) of Regulation 2015/2447
Decided: 16.01.2019
Parties: Deutsche Post AG, Hauptzollamt Köln
Case Number/Name: Case C‑496/17 Deutsche Post AG v. Hauptzollamt Köln
European Case Law Identifier: ECLI:EU:C:2019:26
Reference from:
Language: 24 EU Languages
Original Source:
Initial Contributor: Panayotis Yannakas

An applicant, when applying for the customs' AEO status, shall provide to the authority a significant range of personal information. The applicant wondered about, aside from the heavy workload, the matter of violating an individual's privacy and breaching his personal data. The CJEU held that this particular process of the customs authorities is granted on the basis that the data collection is adequate, relevant, and not excessive in relation to achieving a functioning tax system.

English Summary[edit | edit source]

Facts[edit | edit source]

The German Customs Authority, through a self-evaluation questionnaire, requested of Deutsch Post AG, all those natural persons who are in charge of managing customs matters (or those responsible for dealing with such matters) to send, among other things, the Tax Identification Numbers and the details of the tax offices responsible for their taxation.

The German Customs Authority stated that, if there were no cooperation, it would be impossible to determine whether the requirements, which were laid down in the German Customs Code as well as in the Commission Implementing Regulation (2015/2447/EU), were satisfied. If it would be impossible to make that determination, then the German Customs Authority is obliged to revoke any customs authorisations held by Deutsche Post.

Deutsche Post AG expanded upon the nature and extent of the personal data of third parties that must be submitted so that an undertaking can qualify for the customs status of an authorised economic operator (AEO).

Dispute[edit | edit source]

According to EU Regulation 2015/2447, customs authorities shall, after recognising the status of AEO, provide to the customs user some simplifications. For example, customs authorities shall not re-examine those criteria which have already been examined when granting the status of AEO.

Deutsche Post AG claims that individuals who are undertaking affected by the fulfilment requirements raised by the German Customs Authority, are numerous. It also claims that some of those individuals are unwilling to agree to the transmission of their personal data. The third claim of Deutsche Post AG was that the collection of Tax Identification Numbers is neither necessary nor appropriate for determining the reliability of an entity, in terms of customs law, and the verification of the individual tax situation of all the individuals affected is disproportionate in relation to the objective.

The main argument of the German Customs Authority is that the exchange of these data is necessary to ensure unmistakeable identification of the persons in charge of customs duties, as well as that the exchange of this information is provided only if the entity has evidence of serious or repeated infringements of the tax legislation and only on a case-by-case basis.

Holding[edit | edit source]

The CJEU held that the reading of the provisions of the German Customs Code, or the provisions of the Commission Implementing Regulation (2015/2447/EU) indicates a list of affected individuals, whose list is exhaustive. The persons specified are solely the applicant, the person in charge of the applicant or exercising control over its management, and the employee in charge of the applicant's customs matters.

Furthermore, it is stated that an applicant for AEO status should provide, annexed to the prescribed form for an application for that status, the names and positions within the applicant's organisation of a more extended list of natural persons than that to be found in the second subparagraph of Article 24(1) of Implementing Regulation 2015/2447. In order that customs authorities may respond to an application for AEO status, the provision implies that the applicant should be permitted access to data that makes it possible to establish that none of the natural persons specified have committed any serious infringements or repeated infringements of customs legislation and taxation rules and/or have any record of serious criminal offences relating to his economic activity. So the point is if the practice of those authorities involves the processing of personal data, within the meaning of Article 4(2) of Regulation 2016/679, EU legislation on the protection of that data must be respected.

More particularly, the personal data must, under Article 5(1)(b) or 5(1)(c) of Regulation 2016/679, be collected for specified, explicit, and legitimate purposes and must be adequate, relevant, and not excessive in relation to those purposes, the processing of that data being lawful, under Article 6(1)(c) of that regulation, only if it is necessary for compliance with a legal obligation to which the Data Controller is subject. Inter alia, that entails an obligation to inform the data subjects of the transfer of that data.

The CJEU considered the subsequent collection of that personal data by customs authorities in order to make a decision regarding an application for AEO status to be clearly necessary in order to comply with a legal obligation. To that extent, that data is collected, and therefore processed for specified, explicit, and legitimate purposes. Also, this data collection must be adequate, relevant, and not excessive in relation to the purposes for which that data is collected.

In the CJEU's view, the fact of the customs authorities granting AEO status to an operator, in reality, is the equivalent of delegating to that operator some of the customs legislation control functions. Consequently, it is vital that before that status is granted, those authorities can obtain information on the reliability of the applicant for that status.

Finally, regarding the level of responsibility of the persons in charge of managing customs matters or those responsible for dealing with such matters, it seems right that customs authorities require the questionable process of tax data collection, before granting of AEO status to an applicant.

Comment[edit | edit source]

The CJEU does not suggest a lack of awareness of that the fact the Tax Identification Number constitutes, by its very nature, tax data relating to an identified or identifiable natural person and, therefore, personal data. The Tax Identification Number must also be deemed to be personal data, mainly on the basis of the link between a specifically identified individual and the information as to the tax office responsible for the taxation of that individual.

Further Resources[edit | edit source]

Share blogs or news articles here!