CJEU - C-175/20 - Valsts ieņēmumu dienests (Processing of personal data for tax purposes)

From GDPRhub
CJEU - C-175/20 Valsts ieņēmumu dienests (Processing of personal data for tax purposes)
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(b) GDPR
Decided:
Parties: SIA SS
Valsts ieņēmumu dienests
Case Number/Name: C-175/20 Valsts ieņēmumu dienests (Processing of personal data for tax purposes)
European Case Law Identifier:
Reference from: Administratīvā apgabaltiesa (Latvia)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: n/a


The CJEU ruled that, to request customers' personal data from companies, the tax authority must have legal authorization and must specify the purposes for the request, in addition to observing data minimization principle.

English Summary

Facts

SIA ‘SS’ (‘the applicant’) is a company specialized in online advertising services in Latvia. Private individuals may post and advertise various products on the applicant's website (www.ss.com) with a view of selling them. These products may include vehicles such as second-hand cars or motorbikes.

On 28 August 2018, the Director of the Latvian Tax Inspection Office (‘the defendant’) sent to the applicant a request for information on the basis of Article 15(6) of the national law on taxes and duties. In that request, the defendant asked the applicant to grant them access to information, and in particular to provide information on: a) the telephone numbers of advertisers; b) the chassis numbers of vehicles featured in advertisements published on the applicant’s website; and c) information on advertisements published in the ‘Motor Vehicles’ section of the website from 14 July to 31 August 2018.

The applicant was asked to send the information electronically, in a format that would allow the data to be filtered and selected. The applicant was also asked to include the following information in the data file: a link to the advertisement; the advertisement text; make of vehicle; model; chassis number; price; and the vendor’s telephone numbers.

The applicant lodged an administrative complaint challenging the request for information. According to the applicant, the requested information constituted personal data within the meaning of Article 4(1) GDPR and its disclosure was not justified by the law. The applicant argued, in particular, that the defendant, in its capacity as controller, did not comply with the principle of proportionality or the principle of minimisation enshrined in Article 5(1) GDPR.

The defendant dismissed the applicant's complaint and upheld the request for information. The dispute escalated before the national courts. In this context, the referring court referred the following questions to the CJEU:

1. Must the requirements laid down in the General Data Protection Regulation be interpreted as meaning that a request for information issued by a tax authority, such as the request at issue in this case, which seeks the disclosure of information containing a considerable amount of personal data, must comply with the requirements laid down in the General Data Protection Regulation (in particular Article 5(1) thereof)?

2. Must the requirements laid down in the General Data Protection Regulation be interpreted as meaning that the Tax Administration may depart from the provisions of Article 5(1) of that regulation even though the legislation in force in the Republic of Latvia does not empower it to do so?

3. For the purposes of interpreting the requirements laid down in the General Data Protection Regulation, can there be considered to be a legitimate objective justifying the obligation, imposed by a request for information such as that at issue in this case, to provide all of the data requested in an undefined amount and for an undefined period of time, in the case where there is no prescribed expiry date for the fulfilment of that request for information?

4. For the purposes of interpreting the requirements laid down in the General Data Protection Regulation, can there be considered to be a legitimate objective justifying the obligation, imposed by a request for information such as that at issue in this case, to provide all of the data requested even if the request for information does not (or does not fully) specify the purpose of disclosing that information?

5. For the purposes of interpreting the requirements laid down in the General Data Protection Regulation, can there be considered to be a legitimate objective justifying the obligation, imposed by a request for information such as that at issue in this case, to provide all of the data requested even if that request relates in practice to absolutely all data subjects who have published advertisements in the ‘Motor Vehicles’ section of a portal?

6. What criteria must be used to verify that a tax authority, acting as controller, is duly ensuring that the processing of data (including the collection of information) is compliant with the requirements laid down in the General Data Protection Regulation?

7. What criteria must be used to verify that a request for information such as that at issue in this case is duly reasoned and occasional?

8. What criteria must be used to verify that personal data are being processed to the extent necessary and in a manner compatible with the requirements laid down in the General Data Protection Regulation?

9. What criteria must be used to verify that a tax authority, acting as controller, ensures that data are processed in accordance with the requirements laid down in Article 5(1) of the General Data Protection Regulation (accountability)?

On 2 September 2021, AG Bobek rendered his opinion in this case.

Holding

With regard to the first question, the CJEU analyzed whether the provisions of the GDPR should be interpreted in the sense that the collection of information containing a significant amount of personal data by the Tax Authority of a Member State is subject to the requirements set forth in this regulation, especially those provisions provided for in Article 5(1).

First, it acknowledged that the information requested by the Tax Authority constitutes personal data under Article 4(1) GDPR. Similarly, it recognized that the collection, consultation, disclosure by transmission or any other way of making personal data available constitute 'processing' within the meaning of Article 4(2) GDPR.

In the present case, the CJEU highlighted that the Tax Authority requested an economic operator to communicate and make available personal data that the latter is obliged to provide and make available under the terms of national legislation. At the same time, according to the CJEU, the communication and making available of said data by the economic operator in question involves 'processing'.

Second, the CJEU rejected the application of the exception provided for in Article 2(2) GDPR, considering that, when requesting personal data for tax collection or the fight against tax fraud, the Tax Authority should not be considered a 'competent authority' within the meaning of Article 3(7) Directive 2016/680. Therefore, such requests do not fall under the exception provided for in Article 2(2)(d) GDPR, as this data is not collected for the specific purpose of initiating criminal proceedings.

Thus, it concluded that the activity is subject to compliance with the principles relating to the processing of personal data set out in the GDPR, notably those of Article 5 GDPR.

As for the second question, the CJEU assessed whether the provisions of the GDPR should be interpreted in the sense that the Tax Authority can derogate the provisions of Article 5(1) even if such power has not been conferred on it by the national law of the relevant Member State.

As a preliminary point, the CJEU emphasized that the GDPR aims to ensure a high level of protection for natural persons in the Union. For this purpose, chapters II and III set out, respectively, the principles governing the processing of personal data and the rights of the data subject that any processing of personal data must respect. The Court recognized that Article 23 GDPR authorizes the Union and the Member States to adopt legislative measures that limit the scope of the obligations and rights provided for by Article 5. However, such a limitation must respect the essence of fundamental freedoms and rights and constitute a necessary and proportionate measure in a democratic society to safeguard important objectives of general public interest of the Union or of the Member State concerned, including in the budgetary and fiscal fields.

In this regard, the CJEU also stated that the regulations that allow such interference must provide for clear and precise rules that regulate the scope and application of the measure in question and impose minimum requirements, so that the persons whose data have been transferred have sufficient safeguards to effectively protect such personal data against the risk of abuse. Consequently, the Tax Authority of a Member State cannot derogate from the provisions of Article 5 GDPR in the absence of a clear and precise legal basis in Union or national law that provides for the circumstances and conditions under which the right to data protection may be limited.

It therefore concluded that the Tax Authority of a Member State cannot derogate from the provisions of article 5(1) GDPR when that right has not been conferred on it by a legislative measure, within the meaning of article 23(1) GDPR.

As for the third to ninth questions, the CJEU assessed whether the provisions of the GDPR should be interpreted in the sense that the Tax Authority of a Member State is prohibited from requiring the provision of this information in a generic way, regarding all personal data, without specify the purpose of the request.

The CJEU recalled that article 5(1)(b) GDPR provides that personal data must be collected for specific, explicit and legitimate purposes. Such a requirement, as follows from Recital 39 GDPR, means that the purposes must be identified, at the latest, at the time of collection of personal data. In the present case, the CJEU noted that the communication of personal data is not directly based on the national tax law, but results from a request from the competent public authority. Therefore, it is necessary for that request to specify the purposes of that collection in the light of the public interest or the exercise of public authority. This is necessary to enable the addressee of said request to verify that the transmission is lawful and also to enable the courts to carry out legality control.

In addition, it recalled that Article 5(1)(c) GDPR establishes that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Thus, the controller, even when acting as a public authority, cannot proceed in a generalized and undifferentiated manner to the collection of personal data. On the contrary, they must refrain from collecting data that are not strictly necessary for the purpose of the processing activity. Therefore, it is for the Latvian Tax Authority to demonstrate that, in accordance with Article 25(2) GDPR, it has sought to minimize as much as possible the amount of personal data to be collected. T

For these reasons, the CJEU finally concluded that tax authorities of a Member State may request information containing personal data, provided that such data are necessary in light of the specific purposes for which they are collected and the period of collection of said data does not exceed the duration strictly necessary to achieve the general interest intended.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!