FG München - 15 K 1212/19
|FG München - 15 K 1212/19|
|Court:||FG München (Germany)|
|Relevant Law:||Article 2(2)(d) GDPR|
Article 4(7) GDPR
Article 12(1) GDPR
Article 13(4) GDPR
Article 14(5)(a) GDPR
Article 15 GDPR
§ 2a Fiscal Code of Germany (Abgabenordnung - AO)
|National Case Number/Name:||15 K 1212/19|
|European Case Law Identifier:||ECLI:DE:FGMUENC:2022:0203.15K1212.19.00|
|Original Source:||BAYERN.RECHT (in German)|
|Initial Contributor:||Robert Straub|
The Financial Court of Munich held that there is no general right to inspect files towards tax authorities pursuant to Article 15(1) GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
In 2019, the data subject, a bank, received a letter from the controller, the tax authority, informing it of a number of investigation results and announcing that the data subject would have to pay the taxes in the cases discovered by the investigation. Furthermore, the letter contained tax summary reports on the change of the data subject's capital gains tax filings in tax matters of various investment funds.
Subsequently, the data subject applied to the controller for the right to be heard and to inspect and access the files, based on the German Fiscal Code (Abgabenordnung - AO) and Article 15 GDPR.
The controller refused, arguing that the data subject already had knowledge of the files on capital gains tax and that all other documents listed were part of investigation files in criminal tax proceedings conducted by public prosecutor's office. Regarding the investigation files, the controller questioned whether Article 15 GDPR was even applicable. It stated that the data subject might be able to substantially complicate investigations if given access.
The data subject argued that it did not have full knowledge of the data processed. It claimed that when balancing the parties' interests, its own would outweigh the controller's.
The Financial Court of Munich (FG München) had to decide whether the data subject had a claim under Article 15 GDPR, what was the scope of the data subject's claim and whether the claim was satisfied by granting access to individual documents or providing copies.
Holding[edit | edit source]
The FG München dismissed the claim. It held that, while the data subject generally would have a right to access pursuant to Article 15(1) GDPR, that did not encompass the data in question.
First, the court established that the GDPR applies to the bank as a data subject since § 2a(5) AO orders the corresponding application of the GDPR to entities with or without legal capacity such as the data subject in this case.
Then, the court clarified that there is no general right to inspect files towards the tax authorities. It named seven general principles that can limit the right to information. The right to information is suspended if - subject to the balancing of interests - the information enables the person concerned, (1) to adjust their behaviour to the level of knowledge of the tax authority so they would be put in a position to conceal or cover tracks, (2) to draw conclusions about the risk management system or (3) to draw conclusions about planned control or audit measures, (4) if overriding confidentiality interests of third parties conflict with this, (5) if confidence in the confidential disclosure of protected data would be jeopardised, (6) if the information is not already known to the data subject or (7) if the information is essentially retained because of statutory retention requirements.
Furthermore, it cited the Court of Justice of the European Union (Case C-141/12) according to which the right of access under Article 15 GDPR does not secure a right of access to administrative documents, so that this must apply a fortiori to the entire collection of documents.
In the case at hand, the court stated that the data subject't right to access had already been fulfilled by the controller by sending the summary reports. Moreover, it already had knowledge of the data on which the taxation was based. Therefore, the controller was not obliged to grant access to the tax file beyond the information provided, to provide copies of the file or to search out and communicate data from the tax file.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the German original. Please refer to the German original for more details.
FG Munich, court order v. 02/03/2022 – 15 K 1212/19 Title: Right to information according to Art. 15 GDPR chains of standards: StPO § 147 paragraph 5, § 496 paragraph 3 AO § 91, § 364 GDPR Art. 2 Para. 2 d, Art. 4 No. 7, Art. 12 Para. 1, Art. 13 Para. 4, Art. 14 Para. 5 a, Art. 15, Art. 23 para. 1 e and i FGO § 32a Paragraph 1 No. 1, Paragraph 2, § 32c Paragraph 1 No. 1§ 33, § 90 a, § 115 Paragraph 2 No. 1 and 2, § 135 Paragraph 1 VwGO § 40 paragraph 1 OWiG § 49 BDSG § 19 GG Art. 19 Para. 4 BDSG § 1 Section 8 Guiding principles: 1. A general right to inspect the files from the tax authorities exists according to std. Correspondence of the BFH not (cf. BFH, decision of November 3rd, 2020 - III R 59/19). (Rn. 155) (editorial motto) 2. ECJ clarifies that the right to information under Art. 15 GDPR does not secure a right of access to administrative documents (ECJ, C-141/12, loc. cit. on the previous provision), so that this must apply even more to the entire collection of documents. (Rn. 131) (editorial guiding principle) tags: Right to information according to Art. 15 GDPR, discretionary decision, discretion, right to information, information, right to inspect files, inspect files, processing of personal data, personal data, requests for a preliminary ruling, administrative legal process Further information: Revision approved Source: BeckRS 2022, 5603 tenor 1. The lawsuit is dismissed. 2. The plaintiff bears the costs of the proceedings. 3. The revision is allowed. Reasons for decision I It is disputed whether the plaintiff has a claim under Article 15 of the General Data Protection Regulation (GDPR), the scope of this claim and whether it was satisfied by granting inspection of individual documents or providing copies. 1. The plaintiff is a bank (...). 2. On ... ... 2019, the plaintiff received a letter dated ... ... 2019 from the tax office X, tax investigation office (hereinafter: tax investigation). In it, the plaintiff was informed of a large number of investigation results, the content of which relates to certain investment funds for which the plaintiff acted as custodian bank in 2010. The letter announced that the tax consequences should be drawn from the plaintiff. With the letter, brief tax reports were sent on the change in the plaintiff's capital gains tax registrations in tax matters of various investment funds (for the exact list of documents sent with the letter, reference is made to Annex K2 submitted by the plaintiff - file of the case, sheet 32). 3. With reference to the above letter, the plaintiff applied to the defendant - the tax office - in a letter dated ... ... 2019 for a right to be heard and for inspection of files. The plaintiff derived the latter claim from Section 91 of the German Fiscal Code (AO), or a right to inspect files at due discretion, and alternatively from Section 32c AO and Art. 15 (3) GDPR. 4. In a letter dated ... ...2019, the tax office pointed out that the application for inspection of the files of the tax investigation under Section 147 (5) of the Code of Criminal Procedure (StPO) should be submitted to the X public prosecutor's office. The tax office refused to inspect the capital gains tax file because the entire content of this file was already known to the plaintiff. The investment income tax office had already received the investigation reports from the investment funds. It is intended to use the results of these investigation reports as a basis for taxation and to change the capital gains tax returns concerned accordingly. The plaintiff has the opportunity to comment on the facts relevant to the decision until ... ... 2019. A separate letter will be sent out shortly about the application under Art. 15 (3) GDPR. The plaintiff lodged an objection to this rejection notice (Annex K7, complaint file sheet 117), on which a decision has not yet been made. 5. In a letter dated ... ...2019, the tax office rejected the alternative request for information under the GDPR (action file, sheet 45). It justified the rejection by saying that the capital gains tax file only contained documents that were already known to the applicant. All other documents listed are the content of investigation files in criminal tax proceedings conducted by public prosecutor X. In this regard, it is doubtful whether Art. 15 GDPR applies to the investigation files at all, since according to Art. 2 Para. 2 d GDPR, Section 2a Para. 4 AO, the GDPR does not apply to the processing of personal data by the competent authorities for the purpose of prevent, investigate, detect or prosecute criminal offences. Even if this were the case, §§ 32c paragraph 1 number 1, 32b paragraph 1 sentence 1 number 1 a, sentence 2, § 32a paragraph 2 AO - endangering the proper fulfillment of tasks - would prevent the provision of information. By inspecting the files, it cannot be ruled out that information would be revealed that could enable the plaintiff or the investment fund to conceal tax-related facts, to cover up tax-related tracks, or to allow conclusions to be drawn about planned control or audit measures, and thus make it much more difficult to uncover tax-related facts. Moreover, this exception to the obligation to provide information is of particular importance in an ex-post view, since, according to the current state of knowledge, preliminary proceedings by public prosecutor X have been initiated against the plaintiff in the meantime. In addition, the tax office referred to the right to inspect files under Section 147 StPO. However, such an application would have to be submitted to the public prosecutor's office. 6. In a letter dated ... ...2019, the plaintiff brought an action against the rejection of the information on the basis of Art. 15 (3) GDPR by the decision of ... ...2019. In doing so, it is pursuing its goal of obtaining a copy of the data relating to the plaintiff which is the subject of processing by the tax office (file of the complaint, page 90 et seq.). a. The obligation action is admissible, the Munich Finance Court has factual and local jurisdiction. A preliminary procedure does not take place, the legal period has been observed. The lawsuit is also well founded. The claim from Art. 15 GDPR is aimed directly at a data copy. According to § 2a Para. 5 No. 2 AO, the plaintiff is covered by the scope of protection of the GDPR as “Société Anonyme”, S.A., as an identified legal entity. The tax office, as the processor of the plaintiff's personal data, is the opponent of the claim. The area exception complained about by the tax office does not apply, since the adoption of the findings of the criminal proceedings in the taxation procedure resulted in a change of purpose, so that the area exception no longer applies. Also, no other exclusions of the right to information are evident. b. The plaintiff has no comprehensive knowledge of the processed data. The defendant's allegation in this regard is sweeping and unsubstantiated. The documents mentioned in the references and footnotes were not attached to any letter from the defendant. The claim is also not limited to the capital gains tax file. According to the substantive concept of files, all documents related to the applicant are included, and consequently also the documents to which the references and footnotes in question relate. c. The information also does not jeopardize the proper fulfillment of the tasks that are the responsibility of the tax office. The tax office did not state to what extent the plaintiff should be able to conceal tax-relevant facts or to take misleading measures by providing the information. The tax office essentially reproduces the text of the law without going into individual cases. Apart from that, the plaintiff has an overriding interest in the disclosure of the information. The defendant did not put forward any specific indications of a specific collision situation. The explanations in the rejection were exhausted in clichéd reproductions of the legal text without considering individual cases. In the concrete balancing of interests, the interests of the plaintiff clearly prevail. The significant financial consequences of a tax arrears were particularly significant. The amount required a precise examination of the facts for the purpose of full clarification. The plaintiff's rights to a fair trial and a fair hearing continue to speak for her. On the one hand, the defendant could not process the knowledge of the tax investigator X for the purposes of issuing notices of additional claims, but on the other hand, it could not provide full insight into the personal data of the plaintiff that were the subject of the processing. The imbalance is not compensated for by the right to inspect files. Both rights have existed side by side since the introduction of the GDPR. i.e. The right to information is also not excluded by reference to § 147 StPO. As already explained, criminal tax proceedings are different from taxation proceedings. Contrary to the opinion of the tax office, the decision to provide information in the form of a data copy is no longer at the discretion of the tax authorities. Thus, the tax office has no discretion regarding the provision of a copy. The scope of the copy is also not at the discretion of the person responsible. For the legal argumentation in detail, reference is made to the statement of claim (particularly file of the lawsuit sheet 90 ff., 179 ff., 251 ff., 278 ff., and pleading of January 28, 2022). 7. The plaintiff requests annul the decision of ... ... 2019 and oblige the tax office to provide the plaintiff with a copy of the data relating to her that are the subject of the processing by the defendant. The tax office requests reject the complaint. 8. a. The request for information under the GDPR has already been partially granted. The plaintiff has no right to further information. The plaintiff can only refer to the GDPR because Section 2a (5) No. 2 AO extends its scope to legal entities, which should be taken into account when interpreting the GDPR. In the event of a dispute, a clear distinction must be made between the information on processing operations in tax proceedings on the one hand and the processing operations in criminal tax proceedings on the other. This separation is imperative in a data protection assessment, since only parts of the requested information, namely that from the taxation procedure, fall within the scope of the GDPR. b. With regard to the processing of data in the context of the taxation procedure, the tax office has already provided the information. The tax office had already sent the plaintiff the investigative reports listed from the tax investigation office and informed them that the capital gains tax file contained the capital gains tax registration for 2010 with the associated correspondence. The plaintiff filled out the capital gains tax returns herself and was either the addressee or the sender of the associated correspondence. Accordingly, the plaintiff is aware of the entire content of the capital gains tax file. c. With regard to the other contents of the files, in which the plaintiff requests access to the files, she cannot invoke Art. 15 GDPR, since these contents are criminal files - including those of third parties - to which the GDPR does not apply. Rather, the BDSG applies in this respect. In this respect, however, legal recourse to the tax courts is not open. i.e. Alternatively, the tax office states that for all documents that are related to the ongoing criminal tax proceedings, the exception of Art. 23 Para. 1 e DSGVO in conjunction with §§ 32c Para. 1 No. 1, 32b Para. 1 Sentence 1 No 1 a, sentence 2, § 32 paragraph 2 AO intervene (endangerment of task fulfillment). It is obvious that the plaintiff or other persons against whom criminal proceedings have been initiated in some cases could rely on the state of knowledge of the tax authorities if the contents of the files were made known to them, especially since the investigations have not yet been completed. If the tax investigation offices had to disclose the findings of their investigations during the ongoing proceedings, all criminal offenses under Section 370 AO could no longer be effectively prosecuted in the future. The evaluation of § 147 StPO would be undermined. e. In the event that more information was provided, this would also be detrimental to the welfare of the federal government or a state (Article 23 (1) e GDPR in conjunction with Sections 32c (1) no. 1, 32b (1) sentence 1 no. 1 b AO). According to media reports, the ongoing criminal and investigation proceedings in connection with this are about damage to the state treasury in the billions. This would possibly thwart the investigation and criminal prosecution of “one of the biggest tax scandals in German history” (so-called “cum-ex” cases). In view of the extent of the damage, the federal interest in effective clarification and enforcement of the tax refunds clearly takes precedence over the plaintiff's individual interest in disclosure of information. f. Finally, with regard to all file contents from criminal proceedings against other persons, the exception of Art. 23 Para. 1 e and i DSGVO in conjunction with §§ 32c Para. 1 No. 1, 32b Para. 1 Sentence 1 No. 2 AO, Art. 15 Paragraph 4 GDPR. The requested documents therefore contained information which, if disclosed, would undoubtedly endanger the rights and freedoms of third parties. The interest of the person concerned in the provision of information must take second place to these rights of a large number of third parties (accused persons, witnesses, official employees, etc.). All investigation results fell under the tax secrecy, which is specially protected in § 30 AO. There is already no power of disclosure that would allow the defendant to inform the plaintiff about the data of third parties. G. Each of the exceptional circumstances presented is of such weight that the plaintiff's individual interest in the provision of information must take a back seat to each one. The plaintiff's interest in checking the data stored in the files is entirely understandable. However, you may assume that all processing operations within the defendant were carried out in a lawful manner in accordance with data protection on the basis of Sections 29b, 29c (1) AO. At the same time, the plaintiff is entitled to sufficient other legal protection options, which it can also take or has already taken and which also offer this possibility of verification. The plaintiff can apply for access to the files in administrative offense proceedings under Section 49 OWiG and in criminal proceedings under Section 147 StPO. The constitutional control of the tax assessments is carried out through the already ongoing fiscal court objection proceedings or, if necessary, in the context of a subsequent lawsuit. H. The tax office is of the opinion that Art. 15 GDPR does not provide for a right to inspect the files or to have a copy of the content of the files sent. The claim of the plaintiff has already expired, insofar as she already has the information. Furthermore, the right to information does not relate to all internal processes of a person responsible, such as notes, legal assessments or analyses. Such documents do not represent personal data. The publication of all internal documents would be equivalent to a right to inspect files, which Art. 15 GDPR does not offer. i. The tax office expressly contradicts the plaintiff's view that the right to information under Art. 15 GDPR is a bound right that excludes any discretion with regard to the type of information provided. Both in the GDPR itself (Art. 12 Para. 1 GDPR) and specifically in Section 32d Para. 1 AO, it is expressly stipulated that Art. 12-15 GDPR are regulations that are subject to due discretion. The view that a right to a copy of the content of the file can be derived from Art. 15 GDPR is also expressly contradicted. k. The tax office initially refused to send the files relating to the dispute, fearing that the main issue would be preempted. In this respect, it referred to the decision of the Federal Fiscal Court (BFH) of June 3, 2015 (VII S 11/15, BFH/NV 2015, 1100). For the argumentation in detail, reference is made to the written submissions (particularly the complaint file, pages 141 et seq., 219 et seq., 294 et seq., 384 et seq.). 9. a. In a letter dated ... ...2020, the plaintiff stated that she had now been able to inspect the investigation files of the X public prosecutor's office. The evaluation of the file of around 32,000 sheets is ongoing. By inspecting the investigation files, the claim asserted here for the submission of copies of personal data is neither fulfilled nor otherwise settled, because the plaintiff cannot find out which personal data the defendant is processing in the context of taxation by inspecting the files in criminal proceedings. Rather, the plaintiff must assume that the personal data processed by the defendant for the purpose of capital gains tax are still not available to her in full, since the defendant persistently denies her access. b. At the request of the court, the tax office has the files relating to the dispute (cf. BFH, decision of 19.12.2016 - XI B 57/16 -, BFH/NV 2017, 599) - this is the data protection request for information, the correspondence exchanged on this and the issued decision - filed. For the reasoning below, reference is made to the written submissions of the parties involved. II. The admissible action is unfounded. 1. The action is admissible. a. Legal recourse to the financial courts is open according to § 32i Para. 2 AO, since the complaint of the person concerned against the tax office as the tax authority (§ 6 Para. 2 No. 5 AO) with regard to the processing of personal data on rights from the DSGVO (here : Art. 15 (1) GDPR). The legal process is determined by the subject of the dispute. In the event of a dispute, this only includes the right to information from the GDPR against the tax authority as the authority responsible for taxation. (1) According to the so-called two-part concept of the subject matter of the dispute, the subject matter of the dispute is generally characterized as the procedural claim by the desired legal consequence described in the application and the cause of action, i.e. the facts from which the legal consequence should result (trial case, cf. BVerwG , decision of 20.09.2012 - 7 B 5/12 -, para. 6, NVwZ 2012, 1563). In the case of a request for a commitment, the legal basis for a claim is also used to determine, define and specify it (ibid; BFH decision of April 7th, 2020 - 2015 II B 82/19 -, BStBl II 2020, 624; BVerwG, decision of November 18th, 2019 - 10 B 20/19, BFH/NV 2020, 336, margin no. 7; the same result: BFH, decision of June 16, 2020 - II B 65/19 -, BStBl II 2020, 622). Even in the case of a single application, there can therefore be several issues in dispute. The prerequisite for this is that the application is based on several facts and claims (BGH, decision of 27.11.2013 - III ZB 59/13 -, BGHZ 199, 159, para. 16). (2) If information from the relationship between the data processor and the data subject is requested and presented at the intersection of taxation and criminal tax proceedings, and if this information gives rise to a right to a copy of the administrative files or parts thereof, four different disputes must be distinguished: aa) On the one hand, information on data protection law without cause - derived from data processing - and not dependent on a specific administrative legal relationship within the scope of the GDPR. bb) On the other hand, the equally unfounded - derived from the data processing -, process-independent information beyond the material scope of the GDPR, insofar as the data subject requests information from law enforcement authorities. cc) Thirdly, independent and dependent file inspection rights derived from a specific administrative legal relationship, aimed at the files of specific taxation procedures. dd) Fourth, rights to inspect files derived from the specific legal relationship as a subject to criminal investigations. Various legal avenues are open to these four matters of dispute. While for aa) according to § 32i AO the specially allocated financial legal recourse is open and for cc) the general financial legal recourse according to § 33 paragraph 1 of the Financial Court Code (FGO), for bb) the legal recourse to the administrative courts is open and for dd) the legal recourse to the criminal courts. This results from the fact that for data protection claims for information from the data processing relationship in the relationship between authorities and citizens (above aa and bb) - i.e. outside of a specific administrative legal relationship - there is in principle a public law dispute of a non-constitutional nature, for which, subject to a special assignment, the general Administrative legal recourse is given (§ 40 Para. 1 VwGO; BVerwG, decision of 18.11.2019 - 10 B 20/19 -, para. 4, BFH/NV 2020, 336). This also applies to data processing by law enforcement authorities (above bb., cf. BFH, decision of April 7th, 2020 - II B 82/19 -, BStBl II 2020, 624). With the repressive special allocation of § 32i AO, the legislature has assigned questions of data processing in the area of the tax authorities (above aa) to the more relevant tax courts. On the other hand, rights to inspect files are not rooted in the fact of data processing, but are derived from the specific administrative or taxation procedural legal relationship; the same applies to the accused who is subject to a criminal investigation. In the latter case, the right to inspect the files is regulated by ordinary law in Section 147 StPO, with the assignment of legal recourse to the criminal courts (Section 147 (5) StPO). The legislature has not standardized a statutory right to inspect files in the taxation procedure. For any disputes, however, the general financial legal recourse would be open (§ 33 FGO). The same applies to the direct constitutional right developed by case law to a decision based on due discretion regarding an application for inspection (cf. BFH, judgment of June 8, 2021 - II R 15/20 -, para. 10, juris; BFH, judgment of July 30, 2003 - VII R 45/02 -, BStBl II 2004, 387). (3) In the event of a dispute, only a request for information pursuant to Art. 15 GDPR is the subject of the dispute and not, for example, a claim to a legal hearing derived from the administrative legal relationship, to inspection of the files or a dependent claim to notification of the tax documents (§ 364 AO). The plaintiff also submitted these claims to the tax office before the trial, which denied these claims. However, a decision has not yet been made on the admissible appeal filed. The plaintiff does not seek a decision on this in the legal proceedings, but derives its claim solely from Art. 15 GDPR. Therefore, in the case of a dispute - unlike the decision of the BFH (BFH, judgment of June 8, 2021 - II R 15/20 -, para. 10, juris) - there is no uniform subject matter in dispute in relation to the right to inspect files from the specific taxation procedure and the right to information according to Art. 15 GDPR. In the opinion of the Senate, it cannot be deduced from the above-cited BFH decision that there is always a uniform subject matter of dispute as soon as the plaintiff also claims access to files from the GDPR. Since the subject matter of the dispute is decisively determined by the facts presented by the plaintiff in the respective proceedings, no general statement can be derived from the individual case decided by the BFH. In the event of a dispute, it is also decisive for the assumption of two different matters in dispute that the right to information under the GDPR differs fundamentally from the right to a decision on the request for inspection of files in the specific taxation procedure that is free of discretionary errors. While the right to information, as a bound decision, guarantees information from the data processor to the person concerned without cause, the independent right to a decision on a request for inspection of files that is free of discretionary errors is subject to the discretion of the tax office. The discretionary decision to be made in the second case is subject to completely different standards, not only with regard to the administrative decision and the objection decision to be made in the appeal proceedings, but also with regard to the judicial review. The facts on which the action is based also differ in the two claims: While the right to information under data protection law is justified by the fact that the person responsible processes personal data of the person concerned in a file system or intends to do so (Art. 2 DSGVO), a right to inspect the files is required to justify the claim Description of a specific administrative legal relationship on the basis of which the authority keeps files and specific facts which - contrary to the fundamentally not guaranteed by law access to files - in the specific case require a discretionary decision by the authority in favor of an inspection of files. Accordingly, the BVerwG also distinguishes between the right to inspect files in the specific taxation procedure and, for example, the right to information from freedom of information laws and in this respect assumes two matters in dispute, for which legal recourse to the finance courts and the administrative courts are open (BVerwG, decision of 18.11.2019 - 10 B 20/19 -, para. 4, BFH/NV 2020). (4) The plaintiff's application is also not aimed at data protection information from the area of activity of the tax office as a criminal investigation authority (subject of the dispute above bb). In response to the objection of the tax office, the plaintiff has made it clear that it is only requesting information from the area of the capital gains tax office, whereby it assumes that the relevant documents were handed over to them by the tax investigation office and thus became part of the taxation data (...). (5) Finally, the plaintiff's claim is not aimed at specific access to the files as a person subject to criminal investigations. She explicitly states that the subject of the dispute should not be an application for inspection of files under § 147 StPO (...). b. The permissible type of action for the judicial assertion of a claim for information against an authority under Art. 15 Para. 1 of the GDPR is the obligation action. Because the decision on a data protection right to information by an authority is an administrative act. The provision of information is preceded by an official decision, which is to be made on the basis of a statutory examination program and in which the authority has to observe special procedural precautions such as the obligation to provide reasons or to be heard. Therefore, the provision of information by an authority on the basis of Art. 15 Para. 1 DSGVO is always preceded by an examination of possible exclusions and restrictions (cf. BVerwG, judgment of September 16th, 2020 - 6 C 10/19 -, para. 12, HFR 2021, 419). c. The lawsuit is also directed against the correct defendant. The person responsible for the data protection claims from the GDPR is passively legitimate (Art. 15 Para. 1 GDPR). According to Art. 4 No. 7 GDPR, this is the natural or legal person, authority, institution or other body that alone or jointly with others decides on the purposes and means of processing personal data. § 2a AO also links the responsibilities in connection with the protection of personal data to the tax authority or public administration body. Thus, the subject of the rights and obligations in the area of data protection is the authority that decides on this processing within the scope of its responsibility. The claim can therefore only relate to the processing of data that is within the decision-making authority of the respective authority and to this data. In the event of a dispute, since information about the data processed in the taxation procedure is requested, that is the defendant tax office. As already explained above, the lawsuit is not aimed at information about data from a criminal investigation. In this respect, the scope of the GDPR would not be open either. Rather, legal recourse to the administrative courts would be open to this extent. Incidentally, the specific public prosecutor's office would be passively legitimized, also insofar as the files of their auxiliary officials - such as the tax investigation office - are concerned. 2. The lawsuit is unfounded. The plaintiff has a right to information under Art. 15 (1) GDPR, which, however, does not include the requested inspection of administrative documents. The plaintiff is already aware of the data that was actually processed for the subsequent or repayment notice, i.e. on which the taxation is based. In addition, by sending the extensive reports in a letter dated ... ...2019 to the plaintiff, the tax office also communicated or disclosed tax documents and provided evidence that went beyond the claim under Art. 15 (1) GDPR. The plaintiff clearly does not seek access to the mere input data for the notification or the basic data overview - or a copy thereof - both would be covered by her claim under Art. 15 DSGVO. The tax office is not obligated by the right to information under data protection law to grant access to the tax files beyond the information provided, to provide copies of the files or to search for and communicate data from the tax files. The GDPR is also applicable in the area of direct taxes (a.). As a processor within the meaning of the GDPR, the tax office is also the correct defendant or passive legitimizer of the right to information (b.). In the event of a dispute, the substantive scope of application of the GDPR is open to the extent that the processing of personal data is to be assessed (c.), but only to the extent that the personal data are also processed by the tax office in a partially or partially automated manner (d.). The right to information, which is already limited by this, is correspondingly limited with regard to the restrictions on the right to information in the GDPR itself, as well as by the AO and general principles (e.). He does not grant any right to inspect files or administrative documents (f.). a. The GDPR is also applicable to the processing of data in the administration of direct taxes. (1) As an EU regulation, the GDPR applies in accordance with Article 288 of the Treaty on the Functioning of the European Union (TFEU) directly in every member state of the Union, without the need for further implementation by national law (cf. also FG Sachsen, Judgment of 08.05.2019 - 5 K 337/19 -, EFG 2020, 661, para. 12). According to Art. 1 GDPR, the regulation protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. According to the will of the EU legislator, the fundamentally comprehensive scope of the regulation derives directly from Article 8 (1) of the Charter of Fundamental Rights of the European Union (Charter) and Article 16 (1) TFEU (compare recitals to the GDPR [recital] 1, 2). It is intended to “contribute to the completion of an area of freedom, security and justice” (Recit. 2). In doing so, the legislator is claiming the competence of Art. 4 (2) j TFEU, which is shared between the Union and the member states. (2) The legislature restricts this scope of action, which is generally considered to be comprehensive, in Art. Accordingly, the regulation does not apply to the processing of personal data in the context of an activity that does not fall within the scope of Union law (Art. 2 Para. 2 a GDPR) or to data processing by the competent authorities for the purpose of prevention, investigation, Detection or prosecution of criminal offenses or the execution of sentences, including protection against and averting of threats to public security (Article 2 Paragraph 2 d GDPR). The legislator does not explicitly state which activities are to be excluded from the scope of the regulation because they do not fall within the scope of Union law (Art. 2 Para. 2 a GDPR). In the recitals, he gives examples of national security and data processing within the framework of the common foreign and security policy. The activity at issue in the dispute is data processing in the field of direct tax administration. Since the administrative activity itself falls within the competence of the member states, it can only be determined whether the administered taxes fall within the competence of the Union. This is basically to be denied for the non-harmonised direct taxes (Drüen in: Tipke/Kruse, AO/FGO, 166. Delivery 05.2021, § 2a AO, Rn. 6, with further reference). On the other hand, the ECJ claims competence to examine whether regulations of the member states in the area of direct taxes violate Union law or fundamental freedoms. The BFH recognizes this competence (cf. e.g. BFH, ECJ submission of November 6th, 2019 - IR 32/18 -, BFHE 269, 205, BStBl II 2021, 68, para. 21; judgment of April 20th, 1988 - IR 219/ 82 -, BFHE 154, 38, BStBl II 1990, 701, para. 21), so that the question arises whether for the application of Art. 2 Para. 2 a GDPR it can be said that direct taxes are not included in fall within the scope of Union law. This, especially since the GDPR is based on the shared competence of Art. 4 Para. 2 j TFEU (cf. above and recital 2). Accordingly, the answers to the question of the applicability of the GDPR in the area of direct taxes are controversial (cf. on the Drüen dispute in: Tipke/Kruse, AO/FGO, 166th delivery 05.2021, § 2a AO, para. 6). (3) However, the Senate can leave open the question of the direct application of the GDPR by virtue of a legislative act of the Union, since the federal legislature has ordered its application at least by reference in § 2a AO. Through the reference, the texts to which reference is made (reference norms and other reference texts) become part of the referring regulation (initial norm) (Federal Ministry of Justice and Consumer Protection, Handbuch der Rechtsformlichkeit, 3rd edition 2008, Part B, 4.1, 2018, quoted from http://hdr.bmj.de/page_b.4.html, accessed on July 16, 2021). The German legislator assumed the following understanding when standardizing § 2a AO and §§ 29b, 29c and 32a et seq. Drs. 18/12611, page 74): "The regulations of the AO are to be adapted to the law of the European Union, in particular the [GDPR]. Due to the regulatory mandates of the [GDPR], the existing regulations on the processing of personal data are to be adapted to the regulations and definitions of this regulation or new area-specific regulations are to be created in close accordance with the new Federal Data Protection Act. At the same time, on the basis of Art. 23 of the [GDPR], area-specific restrictions on the rights concerned are to be determined so that the financial authorities can continue to fulfill their constitutional mandate to set and collect taxes evenly in accordance with the law and to uncover tax cuts.” The explanatory memorandum to Section 2a (3) AO goes on to say: "Section. 3 clarifies that the directly applicable European law regulations on the protection of personal data of natural persons, in particular the [GDPR], take precedence over the regulations of the AO and the tax laws, insofar as these do not issue any regulatory mandates or grant regulatory powers to the member states and corresponding national regulations have been made .” This justification clearly expresses the unconditional will of the federal legislator that area-specific data protection in the area of all tax law should be regulated by the AO and the GDPR that precedes it, in the area of individual tax laws possibly modified for their area. In the opinion of the Senate, it cannot be deduced from the justification for the law or from the legal wording of § 2a AO that the regulations of the AO or the GDPR should only apply in the area of harmonized taxes and not also in the area of direct taxes. The explanatory memorandum to § 2a Para. 5 AO confirms the result found above. With this provision, the legislator is endeavoring to expand the scope of the GDPR to include cases in which it does not apply as such according to Recital 27 of the GDPR. This corresponds to the general principle of the AO that procedural regulations - which regularly also represent regulations on the processing of personal data - apply equally to all those affected by tax law and tax procedural law, regardless of their legal form. The unconditional will of the legislator for the validity of the European data protection regulations is also expressed in the general clause-like provision of § 1 Para. in the area-specific law - here the AO - something different is regulated. According to the above, it can be assumed that the German legislator assumes that the GDPR applies directly to the processing of personal data by the tax authorities (§ 2a Para. 1 AO). The reference to the same should therefore have been intended as a declarative reference. In the opinion of the Senate, however, this does not exclude an alternative interpretation as a constitutive reference. The legislator wanted the GDPR to apply - modified by its own regulations, e.g. in the AO - for the entire activity of the tax authorities - without differentiated handling depending on the type of tax. Otherwise he would have worded this differently in § 2a Para. 1 AO. This view also corresponds to the case law of the BVerwG (ECJ submission of July 4th, 2019 - 7 C 31/17 -, para. 14, juris), which states the following: "With the additions to the tax code, the legislator is pursuing the goal - as can be seen in particular from Section 2a (3) and (5) AO - of uniform procedural regulations in accordance with the general principle of the tax code that go beyond the direct scope of application of the [GDPR] - which regularly also contain regulations about the processing of personal data - to be provided for all those affected by tax law and tax procedural law, regardless of their legal form (cf. Bundestag printed paper 18/12611, p. 76). There are no indications that this regulatory objective is limited to taxes determined by Union law. Incidentally, as the representatives of the Federal Ministry of Finance, which is responsible for amending the tax code, explained in the oral hearing, it would also not be technically possible to process the data differently according to tax debtors and types of tax. […] Against this background, a “split” interpretation of the new provisions in the tax code for facts that are subject to Union law on the one hand and facts that are not on the other is out of the question.” After all this, the recognized Senate assumes that the GDPR is at least substantively valid for the entire data processing activity of the tax authorities (as here, but only in summary appraisal FG Saarland, decision of April 3rd, 2019 - 2 K 1002/16 -, EFG 2019, 1217; without problem discussion FG Sachsen, judgment of 08.05.2019 - 5 K 337/19 -, EFG 2020, 661; without problem discussion FG Cologne, judgment of 18.09.2019 - 2 K 312/19 -, EFG 2020, 413; loc Reference to the literature FG Lower Saxony, judgment of January 28, 2020 - 12 K 213/19 -, EFG 2020, 665). (4) The BMF letter of January 12, 2018, BStBl I 2018, 185 (replaced by BMF letter of January 13, 2020 IV A 3-S 0130/19/10017:004, 2019/1129406) reflects the legal opinion justified above , so that it can be stated that the financial administration also assumes that the GDPR applies in the area of tax administration. b. The GDPR and the related provisions of the AO apply to the processing of personal data by the tax office in the taxation procedure. The data protection regulations of the AO, the tax laws and the GDPR apply to the processing of personal data by tax authorities according to § 2a Para. 1 AO. The tax office is one (§ 6 Para. 2 No. 5 AO). The defendant tax office is "responsible" within the meaning of Art. 4 No. 7 GDPR as the natural or legal person, authority, institution or other body that alone or jointly with others decides on the purposes and means of processing personal data and is therefore the passive legitimate Claim from Art. 15 GDPR. Since the plaintiff does not seek any information from the investigation files of the tax investigation (cf. above the explanations on the subject matter of the dispute), there is no need to go into the question of whether the tax office would have passive legitimacy as the organizational body of the tax investigation office, or - probably preferable - the functional investigative body Public prosecutor. The legal concept of § 147 StPO would probably speak for the latter. c. In the event of a dispute, the material scope of the GDPR is open to the extent that the processing of personal data is to be assessed. Not only the individual details stored in database fields with reference to the tax number or the name of the plaintiff are personal data. The information contained in unstructured full texts relating to your person is also personal data under the circumstances of the dispute. (1) (1.1) The GDPR applies to the fully or partially automated processing of personal data as well as to the non-automated processing of personal data that is stored or intended to be stored in a file system (Art. 2 Para. 1 GDPR). § 2a para. 5 AO orders the corresponding application of the GDPR to deceased natural persons and corporations, legal or unincorporated associations of persons or assets like the plaintiff. (1.2) According to Art. 4 No. 1 GDPR, personal data is all information relating to an identified or identifiable natural person. According to Regulation (EC) No. 45/2001 or the predecessor of the GDPR, Directive 95/46/EC, this is all information about an identified or identifiable natural person. The different terminology "obtain" instead of "via" does not result in a significantly different meaning. Accordingly, personal data are individual details (as expressly stated in § 3 Para. 1 BDSG old version), i.e. not files or collections of files (see recital 15 to the GDPR). (1.3) The concept of "personal data" is interpreted broadly by the ECJ called upon to interpret (cf. BVerwG, ECJ proposal 7 C 31/17, loc. cit.), so that the test participant's answers to the test questions and the examiner's correction comments (but not the examination questions themselves) can represent personal data (ECJ, judgment of December 20, 2017 - C-434/16 -, para. 34, juris; cf. also VG Gelsenkirchen, judgment of April 27, 2020 - 20 K 6392/ 18 -, para. 140, juris; to a very large extent also Cologne Higher Regional Court, judgment of July 26, 2019 - I-20 U 75/18 -, para. 303, CR 2019, 654). In his decision on Directive 95/46/EC, he derives this from the two objectives of the directive: Firstly, the protective principles provided for in it are reflected in the obligations incumbent on those responsible for processing; these obligations relate in particular to data quality, technical security, reporting to the supervisory authority and the conditions under which processing can be carried out. On the other hand, they would be expressed in the rights of the persons whose data are the subject of processing, to be informed about this, to have access to the data, to request their correction or, under certain conditions, to be able to object to the processing (ibid., paragraph 48). (1.4) The ECJ works out the difference between personal data and the documents in a further decision of 17.07.2014 - C-141/12 and C-372/12 - CR 2015, 103, issued on Directive 95/46/EC , which contain, among other things, personal data. In the proceedings on which the request for a preliminary ruling is based, the applicants requested access to a so-called "draft document" which contained data on the parties to the proceedings, but also a legal analysis. The ECJ has decided that the data contained in this draft document, which represents the factual basis for the legal analysis also contained in the draft document, is personal data of the person involved in the procedure. In this respect, he affirms a right to information. On the other hand, he denies a right to information regarding the legal analysis. This could not be the subject of a review by the applicant and a correction. In reality, extending the right of access to this legal analysis would not serve the aim of the directive, which is to ensure the protection of the privacy of that applicant when data concerning him are processed, but rather the aim of guaranteeing him a right of access to administrative documents , to which Directive 95/46 is not directed (ECJ, ibid., para. 46). The ECJ also clarifies that the directive leaves it up to the member states to determine the specific form in which the information is to be provided, insofar as it enables the data subject to gain knowledge of the personal data concerning them and to check whether it is correct and processed in accordance with the Directive, so that it may exercise the rights conferred on it by the Directive (ECJ, ibid., para. 57). In order to safeguard the right to information, it is sufficient if the applicant receives a complete overview of the data presented in the draft document - i.e. also such personal data that are contained in the legal analysis - in an understandable form (ECJ, ibid., para. 59). Insofar as this information can be used to achieve the goal sought with the right to information, the data subject is not entitled, either under the right to information or under Article 2(2) of the Charter, to a copy of the document or the original file in which this data is contained , to obtain. In order to prevent the data subject from having access to information other than personal data concerning him/her, he/she could obtain a copy of the document or the original file in which this other information had been redacted (ECJ, ibid., para. 58). (2) In accordance with these legal principles, personal data are not just all individual details that are stored in the database systems of the tax office with reference to the person concerned or their tax or tax identification numbers - mostly under code numbers (their meaning roughly corresponds to the concept of category). are. Personal data is also available to the extent that tax files - regardless of whether they are electronic or on paper - contain documents whose unstructured texts contain individual information about the plaintiff's tax and thus always personal circumstances. Evaluations, value judgments and assessments of the plaintiff or his tax situation by clerks of the tax office contained under code numbers or in texts that are not themselves further structuring also have the character of personal data. (2.1) There may be doubts as to whether unstructured or poorly structured texts that contain a large number of individual details in free linguistic description can be regarded as "data" as long as they are not structured in individual details, i.e. in appropriately structured, ordered pairs from "Category" and "Value" or field identifier and field content, have been extracted - for example by being structured and transferred separately to a form. According to the broad interpretation of the term "data" by the ECJ, however, it is irrelevant what degree of formal structuring the individual information contained in a text has. According to the case of the ECJ cited above, it is sufficient for the existence of "data" that facts are described in a text in continuous, unstructured language that are assigned to the person concerned - and are therefore personal. (2.2) According to the decision of the ECJ cited above, according to which the examiner's corrections also become personal data of the test participant as soon as they - e.g. Assessments and comments in the form of memos and processing notes from clerks apply. Merely the pure legal analysis of a taxation issue does not represent any personal data. Of course, this can in turn contain individual information relating to the person concerned, and this is also typically in a professionally written legal subsumption part. (2.3) It can be assumed that the data is assigned to the plaintiff, since the file containing the documents with the description of the facts is kept under her name or the tax number linked to it and thus the documents contained and notes made in relation to the plaintiff set. Due to their structure, individual details in databases can be assigned to the respective person concerned without any problems. i.e. The substantive scope of the GDPR is only open to the extent that the personal data are processed by the tax office in an automated or partially automated manner (Art. 2 Para. 1 Alt. 1 GDPR). (1) Data processing is at least partially automated if data processing systems are used (Kuhling/Buchner, commentary on the GDPR and the Federal Data Protection Act, Beck, 3rd edition, GDPR Art. 2 para. 15 - Kühling -). There is no specific definition of "automated data processing" in the GDPR. This corresponds to the will of the legislator to design a technology-neutral protection system that also covers future technological developments (compare recital 15). As a result, the term partially automated data processing must be interpreted very broadly (Kuhling, GDPR Art. 2 para. 15). This unproblematically includes all processing steps that are carried out with the help of the computer systems of the tax administration. The creation of a letter using data with a PC using a commercially available writing program is not to be regarded as automated data processing, since the rights of the person concerned are no more endangered than when a text is created with a typewriter (cf. FG Munich, Judgment of November 4th, 2021 - 15 K 2687/19 -, juris). (2) Non-automated processing is only subject to the scope of the GDPR if the personal data are stored or are to be stored in a file system (Art. 2 Para. 1 Alt. 2 GDPR). “Non-automated” means “manual” processing (Recit. 15). No sub-step of the processing may take place automatically. Insofar as the tax administration files documents in paper form in tax files, such manual processing is given. (2.1) It has not yet been sufficiently clarified when there is (intended) storage in a file system (Article 2 (1) GDPR). Art. 4 No. 6 GDPR defines the file system as "any structured collection of personal data that is accessible according to certain criteria, regardless of whether this collection is centralized, decentralized or organized according to functional or geographical aspects". According to the H.M., this term is essentially equivalent to the term file used in the predecessor provision of the GDPR (Directive 95/46) (Kuhling, GDPR Art. 6 No. 6 para. 1). According to the common idea, a collection is a planned, structured compilation of individual information that shows an internal connection, either through the similarity of the information (e.g. customer data) or the purpose (e.g. access control) of the collection (Kuhling, DSGVO Art. 4 No. 6 para. 3). According to the BDSG old version, this meant a similar structure of the compilation, an external form that must have a certain arrangement. According to this, no random or changing structure of the information was allowed. Rather, it required a formal scheme of order (ibid.). (2.2) Case law of the ECJ on the interpretation of the term "file system" is - as far as can be seen - not yet available. The ECJ (ECJ, judgment of 07/10/2018 - C-25/17 -, Celex no. 62017CJ0025) explains the term "file" used in the previous provision of the GDPR: "According to recitals 15 and 27 of Directive 95/46, the content of a file must be structured in such a way that it enables easy access to personal data. Article 2(c) of this Directive does not specify the criteria according to which the file must be structured, but according to the recitals mentioned, the criteria must be "personal". Thus, the requirement that the collection of personal data must be "structured according to certain criteria" means only that the data about a specific individual can be easily retrieved. Apart from this requirement, Article 2(c) of Directive 95/46 does not regulate the modalities according to which a file must be structured, nor the form that it must have. In particular, neither this nor any other provision of this Policy indicates that the personal data in question must be contained in specific files or registers or any other search system in order for the existence of a file within the meaning of this Policy to be affirmed. […] The answer to the second [submission] question is that Art. 2 Letter c of Directive 95/46 is to be interpreted in such a way that the term “file” mentioned in this provision means a collection of personal data that is of a door-to-door preaching activity, which includes names and addresses and other information about the persons visited, provided that this data is structured according to certain criteria in such a way that it can be easily retrieved in practice for later use. In order to fall under this term, such a collection does not have to consist of specific card files or directories or other classification systems used for research (ECJ, judgment of 10.07.2018 - C-25/17 -, Celex no. 62017CJ0025, para. 57 f , 62)". The request for a preliminary ruling was based on the visiting activities of the witnesses J., who, as part of their door-to-door preaching work, make notes about visits to people who are unknown to them or to the community. The data collected may include: the names and addresses of the persons visited, as well as information about their religious beliefs and family circumstances. This data is collected as a memory aid and to be retrievable in the event of a return visit without the data subject having consented or having been informed of this. The Fellowship of J. Witnesses has provided its members with instructions for making such notes, which are reproduced in at least one of their newsletters dedicated to preaching. In particular, the fellowship and its congregations organize and coordinate the door-to-door ministry of their members by preparing maps of areas based on which districts are divided among the members involved in the ministry and by keeping registers of publishers and the number of fellowship publications they distribute. In addition, the congregations of the J. Witnesses keep a list of those who have asked not to be visited by the publishers. The personal data contained in this list, the so-called "banned list", is used by the members of the community. In the past, the fellowship provided its members with forms for collecting this data as part of their preaching work; however, their use was discontinued as a result of a recommendation from the data protection officer. The data collected was not structured in the form of a card file. (2.3) If, according to the case law of the ECJ, it is sufficient for the existence of a file or a file system that data are structured according to certain criteria in such a way that they can be easily found in practice for later use and such a collection does not consist of specific card files or directories or other classification systems used for research, then the term file system has no shape at first glance. To resolve this apparent lack of contours, it is worth taking a look at Recital 15 of the GDPR, according to which files or collections of files and their cover sheets that are not arranged according to specific criteria should not fall within the scope of this regulation. The GDPR does not specify when files or collections of files "are not arranged according to specific criteria". However, this cannot mean that an individual file within a collection of files can be found according to the one criterion "name" or "tax number", since otherwise each collection of files would appear "sorted according to certain criteria" and their exception from the scope of the GDPR entirely empty. Because a collection of files without at least one classification criterion for arranging the files it contains is practically unimaginable. Accordingly, the probably hM in the literature to affirm an "order according to criteria" (recital 15) requires that the collection can be sorted according to at least two criteria (Kuhling, DSGVO Art. 2 para. 18), which in the collection of tax files, that are only filed according to Az. or tax number is not the case. This applies in particular to the content of each individual tax file in which documents are filed as full text in historical order without further "order according to criteria". In the reference case of the ECJ (C-25/17, Jehovah's Witnesses), there was a structure in the sense of easy retrieval of data because the individual visit report contained relatively little, manageable data in a structured form. This is not the case with a file that without any further order contains a large number of non-uniform and largely unstructured documents in the order in which they were filed - with paper tax files it is not uncommon for high two-digit and also three-digit page numbers - not to be the case. In contrast to a collection of structured individual sheets, the effort involved in searching for individual information on a specific criterion from a file is not "easy". Rather, a human processor who wanted to find all the individual information from the documents contained in a comprehensive tax file for information required a lot of time - in individual cases probably hours. As a result, it cannot be assumed from the outset that files - especially paper files - that contain extensive, unstructured individual documents will not be "stored in a file system". Accordingly, the German legislator has made it clear in § 496 para. 3 StPO in the context there that files are not file systems within the meaning of the data processing regulations of the StPO. (3) As far as can be seen, the respondent has not yet had the opportunity to comment in more detail on the data protection treatment of such extensive collections of files with a large number of unstructured bundles of documents, such as the tax files. The same applies to the question of whether the differentiation between fully and partially automated data processing and non-automated data processing in Art. 2 GDPR must result in conclusions for the scope of the right to information under Art. 15 GDPR. The recognizing Senate considers it necessary to give a differentiated answer to the scope of the GDPR and the interplay of the rights of the GDPR for large file systems, based on their function. (3.1) In such systems, a distinction must be made between the individual information held in databases, such as, in the event of a dispute, the "eData" and the "basic data" in the databases of the tax offices. These are undoubtedly subject to the scope of the GDPR because they are specifically stored for machine processing. (3.2) The same applies to the individual information on which the tax assessments are based as part of the tax assessment, such as the keyed tax bases on which the tax calculation is based. They are the starting point for the automatic tax calculation. (3.3) The result of the tax calculation, the aggregated partial results and results shown in the notices also represent generated personal data. They are also stored in the databases for further processing if necessary. (3.4) In the opinion of the judging Senate, the paper tax file itself, the chronologically sorted filing of the written communication between the administration and the person concerned/taxpayer and various other unstructured texts are generally not included in the scope of protection of the GDPR. While the individual information stored in the databases is structured and assigned criteria, the collection of written material contains unstructured, unequally structured texts. It is true that these themselves also contain such individual information that has a reference to the person concerned, i.e. "personal data". In addition to this, however, they also contain a large number of individual details without direct reference to the data subject - such as processing notes, processor names, legal analyzes and subsumptions. On the "collective" date - also related to the person concerned - the latter information only becomes available when the document is included in the collection of documents, which in turn is kept under the name of the person concerned. However, the individual information contained "slumbers" unexposed in the full texts of the collection of documents. The Senate does not recognize a "structuring according to certain criteria" for "easy retrieval" (cf. above 2.3) in these as yet "unresolved" individual details. They are therefore only subject to the material scope of the GDPR if they are removed from the file by human action and transferred to a file system. This act of extraction represents manual and therefore "non-automated" processing. Only the "raising" of the individual information, which represents an intellectual human act, by assigning the content to a criterion - the intended use of the date for the subsequent partially automated processing for tax purposes - leads to the fact that this date is/should be stored in a file system within the meaning of Art. 2 Para. 1 GDPR. (3.5) Insofar as electronic indices or tables of contents are kept for the filing of written communication dealt with under 3.4, these enable "easy retrieval" (cf. 2.3 above), for example the knowledge that correspondence with a certain title or type on a certain day is listed. This index data, which is meaningless in itself, also becomes personal data through the assignment to the tax number and thus to the data subject. They are therefore subject to the scope of the GDPR. (3.6) Control material from other taxation procedures is usually initially available as more or less unstructured full text correspondence, so that the principles set out under 3.4 apply. The Senate can leave it open whether particularly highlighted messages (e.g. the so-called "green arc") must be considered structured because of their color, since such content is subject to the restrictions of the right to information and is irrelevant in the event of a dispute. (3.7) The contents of tax bases transmitted by third parties (e.g. transmitted health insurance contributions or paid wage taxes) are naturally computer-readable structured data for which the principles mentioned under 3.1 apply. (3.8) Internal processing notes can be stored in database fields (e.g. the report on the tax audit) and are then subject to the principles mentioned under 3.1. Editing notes that are connected to or applied to documents should generally be subject to the principles of 3.4 as unstructured content. Due to their double nature as personal data of the author of the note or their nature in preparation for a decision, such internal notes are likely to be regularly subject to restrictions on the right to information. (4) The differentiation made under (3) for extensive data collections including the associated file collections between easily retrievable data stored in a structured manner under criteria identifiers on the one hand and full-text documents that are not further structured in themselves on the other hand is reflected in the effort that information pursuant to Art. 15 GDPR requires caused for the person responsible. The person responsible can provide information about easily locatable, structured data with justifiable effort. On the other hand, an obligation to provide information about the individual details contained in the unstructured collection of documents would mean that these documents would have to be looked through by a human - and thus manually - in order - exclusively for information purposes - to first "raise" the individual details contained therein and thus into the easy-to-find data area. The GDPR itself does not assume such a complex obligation to provide information. In Art. 12 (1) GDPR, it standardizes an obligation on the part of the person responsible to take measures that allow him to obtain information quickly. This does not mean, however, that the person responsible has to work through the entire correspondence as a precautionary measure in order to extract the individual information contained therein and only keep it available for potential requests for information. (5) Individual information that is “dormant” in unstructured full-text documents has a completely different quality than individual information that is recorded under one criterion with the aim of basing a decision on it – data processing. Only this provision, "to be processed", makes it appear practicable to assess the individual data as "correct" or "incorrect" and to link the rights of the person concerned to correction, for example. On the other hand, the documents of the correspondence between the tax office and the person concerned often contain factual information. However, these usually initially represent not further verifiable allegations by the person concerned or preliminary assumptions by the tax office. An assumption by the tax office contained in an earlier document may also turn out to be wrong in further correspondence, even turn out to be wrong as admitted by the tax office. But then it would be pointless to inform the person entitled to information of the earlier date recognized as incorrect. The fact that because of the documentation function of the file, the person concerned cannot in any case have a claim for deletion with regard to the information provided in earlier correspondence and, on top of that, should already know the content of his correspondence with the tax office - or the tax office with him - is in view of the restrictions of the right to information has already been noted at this point. The idea of the GDPR that data can be judged in binary terms as "correct" or "incorrect" often does not apply to the - unexamined - individual information contained in full texts. (6) According to the Senate, another specific feature of the tax files prohibits equating information about the processed data with a right to inspect the files. Descriptions of assumed, asserted, true or false assessed or to be assessed taxation facts typically and diversely contained in full texts are usually descriptions of transactions between the person concerned and other persons. If one now wanted to grant access to the files, the entire correspondence contained in the files would have to be checked manually for the appearance of the names of third parties in order to protect the rights of these persons, these would have to be blacked out by hand because their rights would generally conflict with the information; if necessary, their consent would have to be requested in each individual case. The same applies to notes documenting the official decision-making process based on the division of labour, where their personal nature is based solely on the fact that they document a decision in a specific tax case. The expected effort of searching and anonymizing bears no relation to the knowledge gained by the person concerned. This, especially since he should know his own correspondence with the tax office anyway. (7) Reports, such as those issued by tax audit and tax investigation agencies, have a special function in the taxation process. They serve as a concentrated summary of complex taxation issues, which in turn consist of a large number of individual issues. You can claim provisional validity or mark the completion of investigations. Especially in the latter case, they serve as the basis and usually also justification for subsequent administrative acts. Therefore, as a rule, instead of a detailed justification in the administrative act itself, they are left to the person concerned as justification within the framework of the legal hearing or the notification of the tax bases - i.e. within the concrete administrative legal relationship. According to data protection law, data contained in such reports are only raised when the person responsible for taxation converts the data to produce the tax assessment - from this point in time the input data are undoubtedly subject to data protection information. However, details on the underlying tax issues elude structured recording. In this respect, these facts can only be taken from the more or less extensive linguistic descriptions of the facts in the report. This means that these facts are no longer “easily accessible” in the sense of the ECJ case law cited above. Rather, it requires a manual "viewing" of the facts in the sense that a human reader grasps the meaning of the described facts, taking into account linguistic inaccuracies. Therefore, with regard to the full texts of the reports themselves and the factual information contained therein, the same principles apply as are otherwise stated for full texts. This is acceptable despite the importance of these facts for the taxation procedure, because the procedural regulations applicable to the specific procedure require the justification of the administrative act and the corresponding report is usually left to the individual. Incidentally, this is also shown by the dispute in which the tax office left the essential reports to the plaintiff before issuing the additional claim notice. (8) It is not only the recitals to the GDPR (recital 15) that exclude files and collections of files that are not classified according to specific criteria from the scope of the GDPR. The ECJ also makes it clear that the right to information under Art. 15 GDPR does not secure a right of access to administrative documents (ECJ, C-141/12, loc. cit. on the previous provision). If this applies to the individual document, then this must certainly apply to the entire document collection. (9) The BFH and the BVerfG also saw it as justified - before the GDPR came into force - that the AO did not guarantee a general right to inspect files in the area of tax law (see also below). e. Scope of the right to information Accordingly, the plaintiff only has a right to information from the tax office in accordance with Art. 15 (1) GDPR, limited by the scope of application of the GDPR defined above, the scope of which must be outlined in accordance with the legal principles set out above and with a view to the restrictions on the right to information in the GDPR itself, as well as further limited by the AO and general principles. (1) A bound right to information is to be assumed. The case law of the BFH assumes that in the absence of a standardized entitlement, access to the files should be granted at the discretion of the authority. This cannot be transferred to the right to information under Art. 15 GDPR. According to the wording of the standard, the latter is not subject to the discretion of the authority. Section 32d (1) AO only allows the tax office discretion with regard to the form in which information is provided. In this context, for example, the latter is free to provide information by providing a data printout, granting online access or even granting access to files (for this special form of providing information see BFH, decision of 29.08.2019 - XS 6/19 -, para 23, BFH/NV 2020, 25). (2) If, according to Art. 15 (3) GDPR, the data subject is to be provided with a copy of the data that is the subject of the processing, then this does not mean - as claimed by the plaintiff - a photocopy of paper documents, for example. The “date” as such is bodiless. Copy means nothing other than a displayable duplicate of the data. The term "copy" therefore has no meaning beyond the "embodiment of the information" (as well as the hM in the commentary literature: Kamlah in Plath, DSGVO/BDSG, Art. 15 Rz. 16; Paal in Paal/Pauly, DSGVO/BDSG , Art. 15 margin no. 33; Schaffland/Holthaus in Schaffland/Wiltfang, GDPR, Art. 15 GDPR margin no. 44.; loc. A Härting, CR 2019, 219). (3) In accordance with the above legal principles, the plaintiff from Art. 15 GDPR cannot claim the requested inspection of or the provision of a copy of the documents that she describes in her briefs. Art. 15 GDPR does not grant a right to the full texts in the file, in particular if they contain unrecorded source data. Insofar as the plaintiff alleges that the tax office processed data from other source reports that were only cited by way of brief quotations, but that the claim for information extends to these source data, it cannot be followed. The right to information extends (only) to the (input) data processed for the specific tax assessment. If this is already aggregated data, such as total amounts, the right to information under Art. 15 GDPR does not grant the source data from other administrative documents or individual amounts that may first have to be collected via a chain of references. From the point of view of data protection, the provision of the reports with an explanation of the origin of the amounts is sufficient for the plaintiff's legitimate interest in information. In particular, the right to information from Art. 15 GDPR does not oblige the tax office to first consult files or parts of files or documents from other proceedings, specifically the criminal investigation proceedings in the tax investigation, in order to then provide information from them. In this respect, the tax office has declared (...) that it has already sent the plaintiff all the documents that are available at the capital gains tax office. The doubts expressed by the plaintiff in this respect are not substantiated. According to the previous submissions of the parties involved, the court therefore has no reason to doubt the truthfulness of the defendant. In addition, the GDPR does not provide for a "verification procedure" for the completeness of the information in the relationship between the person responsible and the person concerned. The plaintiff is therefore not without rights. Rather, the procedural provisions of the Fiscal Code give it extensive and stronger procedural and procedural rights than the unreasonable right to information from the GDPR. In order to fulfill the plaintiff's claims for information, the tax office gave her a whole folder with the essential documents for the intended subsequent taxation in a letter dated ... ... 2019. Insofar as their interest in information has not yet been fulfilled, they can, in accordance with the AO regulations, receive further information or access to the files to be submitted to the court in this process (which is in the objection process stage) or at the latest in a subsequent tax court process. In addition, according to her information, the plaintiff also asserted her rights to information in the criminal investigation proceedings and apparently gained access to essential documents there. The request for inspection of further documents can be pursued with the legal remedies provided for in the Code of Criminal Procedure and in accordance with the provisions of the Code of Criminal Procedure. It is also appropriate that the plaintiff, with the most substantial right to inspect the files, is referred to the rights to be derived from the specific taxation procedure relationship or to the rights as an accused or otherwise affected by a criminal investigation. The respective rules of procedure regulate the legal relationship between the taxpayer or the accused and the authority in a factual and balanced manner - more precisely than the standardization of the general and quite general right to information of the person affected by data processing. If the right to information from the GDPR were extended to allow access to the files without cause, there would inevitably be conflicts with the legislator’s process-specific standards in taxation or criminal proceedings. (4) After that, the limitations of the right to information put forward by the tax office and the counter-argument put forward by the plaintiff are no longer relevant. However, the reasons for exclusion of the GDPR and the AO also largely rule out an inspection of the tax files derived from the right to information. The arguments of the tax office clearly show that an extension of the right to information to all personal data contained in full texts would pose disproportionate problems for those obliged to provide information, firstly with the classification problem of what the reporting date is (4.1 below) and secondly with that for each date found, a decision to be made on a case-by-case basis as to whether a reason for exclusion applies (4.2) and how a weighing of interests required in the reason for exclusion results (4.2.3). (4.1) Classification problem While it is clear from the outset in a data record what the date is (the individual entry, e.g. the amount of the tax assessment basis for capital gains tax) and what the criterion (the field identifier, e.g. the designation that in the associated field the “tax assessment basis for capital gains tax " is indicated) and therefore the correctness of the date can be easily checked (by comparing the amount entered in the field with the amount proven to be correct in reality), this is not the case with full-text documents in files: Is the entire text written by the author of the document a personal date? Is it individual passages of text that describe specific taxation issues? Are they individual securities transactions with an indication of a total amount or is it broken down into each individual transaction? This classification problem is reflected in the question of how the correction of a date that is considered incorrect should look like in a full text - and the correction of an incorrect date is exactly one, if not the essential goal that the right to information should enable: - Is an entire letter the personal date: how should this be corrected? - Is the "date" the individual text passage that represents a taxable event: does the attribute claimed or assumed or used in an argument, that the taxpayer acted intentionally, make the entire text passage wrong, which e.g. represents a complex business transaction? - If the "date" is an individual piece of information, for example the amount or total amount of a transaction: Only in this case could the correctness of the date be clarified as easily as if the date had already been "raised", transferred to a database field. However, the question arises as to whether the point in time at which the comparison "right" or "wrong" is made is not the moment when the datum has been assigned the meaning that it should actually be processed through the "lifting". (4.2) Exclusions (4.2.1) GDPR and AO restrictions According to Art. 15 Para. 1 GDPR, the person concerned (Art. 4 No. 1 GDPR) has a right to information from the person responsible (Art. 4 No. 7 GDPR) about the personal data processed concerning him. This information is provided by the person responsible providing the data subject with a copy of the personal data that is the subject of the processing (Article 15 (3) GDPR). The right to receive a copy according to Art. 15 Para. 1 b) GDPR must not impair the rights and freedoms of other persons (Art. 15 Para. 4 GDPR - the legislator is thinking here of secrets or rights of intellectual property and in particular copyright Software, cf. Remark 63). (188.8.131.52) §§ 32a AO et seq. limit the rights of data subjects in the exercise of the competence granted to the member states by Art. 23 GDPR, namely the limitation competence of Art. 23 Para. 1 e) GDPR. As far as relevant here, the AO standardizes the following restrictions: According to Section 32c Paragraph 1 No. 1 AO in conjunction with Section 32a Paragraph 1 No. 1, Paragraph 2 AO, the person concerned does not have the right to information if the provision of the information would jeopardize the proper fulfillment of the tasks for which the tax authorities are responsible and the interests of the tax authorities in not providing the information outweigh the interests of the data subject. This is the case in particular if the provision of information - could enable the person concerned or third parties to conceal tax-related facts (1.a), to cover up tax-related tracks (1.b) or to adapt the type and scope of the fulfillment of tax cooperation obligations to the state of knowledge of the tax authorities (1. c), or - Allow conclusions to be drawn about the design of automated risk management systems or planned control or audit measures (2.) - and thus the disclosure of tax-relevant facts would be made much more difficult. The right to information does not exist according to § 32c paragraph no. 1 AO in conjunction with § 32b paragraph 1 no. 2 AO if the data, their origin, their recipient or the fact of their processing according to § 30 AO or another legal regulation or their By nature, in particular because of overriding legitimate interests of a third party within the meaning of Art. 23 Para. 1 i of the GDPR, must be kept secret and therefore the interest of the person concerned in the provision of information must take a back seat. The latter corresponds to the restriction already contained in Art. 15 Para. 4 GDPR. According to Section 32c Paragraph 1 No. 1 AO in conjunction with Section 32b Paragraph 1 No. 1a AO, the right to information does not exist if the provision of information means that the tasks for which the tax authorities are responsible [...] are properly fulfilled within the meaning of Article 23 Paragraph 1 d to h of the GDPR would endanger. There is also no right to information according to Section 32c Paragraph 1 No. 1 AO in conjunction with Section 32a Paragraph 1 No. 4 AO insofar as the provision of information would jeopardize the confidential disclosure of protected data to public authorities. If the personal data is neither automated nor stored in non-automated file systems, information will only be provided if the data subject provides information that enables the data to be found and the effort required to provide the information is not disproportionate to that of the data subject person asserted interest in information (§ 32c Abs. 3 AO). The GDPR itself restricts the obligation to provide information in Article 13 (4) GDPR in such a way that information known to the data subject does not fall under the obligation to provide information and thus also not the obligation to provide information (cf. Section 32c Section 1 No. 1 AO in conjunction with Section 32a Section 1 AO, Art. 13 Para. 4, Art. 14 Para. 5 a GDPR). Furthermore, the right to information does not exist if the personal data - are only stored because they may not be deleted due to statutory retention requirements, or - exclusively serve the purposes of data backup or data protection control and the provision of information would require a disproportionate effort and processing for other purposes is excluded by suitable technical and organizational measures (§ 32c Para. 1 No. 3 AO). (184.108.40.206) Some of the aforementioned restrictions already existed word for word before the GDPR came into force or the regulations of the AO that completed it (cf. for example in the scope of application of the old version of the BDSG that was in force until May 24th, 2018: § 19 BDSG). The case law of the financial courts and the BVerfG on the right to information rejected, citing in this context, information about data stored at the information center abroad (IZA), because this would prevent the proper fulfillment of the tasks within their responsibility or the responsible tax offices in individual cases (BFH, judgment of 07/30/2003 - VII R 45/02 -, BStBl II 2004, 387; BVerfG, decision of 03/10/2008 - 1 BvR 2388/03 -, BStBl II 2009, 23). Financial case law assumes that this restriction will continue to apply under the GDPR (Cologne District Court, judgment of September 18, 2019 - 2 K 312/19 -, EFG 2020, 413; the appeal filed against this at the BFH bears the file number II R 43/ 19). (4.2.2) No general right to inspect files The case law before the GDPR came into force made a clear distinction between information and inspection of files. According to std. Correspondence of the BFH not (in summary with reference to: BFH, decision of November 3rd, 2020 - III R 59/19 -, NJW 2021, 1263, para. 7; judgment of February 23rd, 2010 - VII R 19/09 -, BStBl II 2010, 729). In any case, the refusal of a bound right to inspect files was based on the consideration that the legislature had not considered a general right to inspect files in tax administration proceedings to be practicable, because this conflicted with aspects of the protection of third parties and the investigative interests of the tax authorities as well as the administrative burden of the tax authorities, which had to check before each file inspection , whether a third party's interest in secrecy could be impaired and then the entire control material, authority-internal notes and instructions and the like would have to be removed from the files (BTDrs 7/4292, p. 24 f.). From this, the BFH deduced that the inspection of the files during the ongoing administrative or tax investigation procedure should only be an exception to be granted in application of § 91 AO or § 364 AO for reasons of the right to be heard. In the decision of May 26, 1995 (- VI B 91/94 -, BFH/NV 1995, 1004), the BFH assumed that the tax office can grant access to files at its discretion, although the AO does not regulate a general right to inspect files, and this should in any case be done regularly if the circumstances of third parties are not affected. As a result, the BFH assumes a right to a dutiful and error-free discretionary decision by the authority, which is guaranteed if the authority has weighed up its interests and those of the authority against each other in the context of a weighing of interests (BFH, in III R 59/19, loc.cit.). In this decision, the BFH expressly left open the question of whether Art. 15 GDPR justifies a right to inspect the tax files in addition to the right to information (BFH, ibid., para. 16). The BFH did not see the right of the taxpayer to be granted a fair hearing under Art. 103 (1) GG or his right to be granted legal protection (Art. 19 (4) GG) as violated by the refused inspection of the files in the administrative proceedings (BFH, decision of 04.06.2003 - VII B 138/01 -, Federal Tax Gazette II 2003, 790, para. 15). Art. 19 para. 4 GG guarantees the right to effective judicial control (BVerfG, judgment of December 15, 1983 - 1 BvR 209/83 et al. - census judgment -, BVerfGE 65, 1, 70) and Art. 103 para. 1 GG guarantees that the taxpayer is given the opportunity in court proceedings to comment on the facts on which a decision is based before it is issued. The right to inspect files according to Section 147 of the Code of Criminal Procedure in (tax) criminal proceedings and Section 78 of the FGO in fiscal court proceedings served to secure these claims. In the opinion of the BVerfG, the right to a fair hearing in criminal tax proceedings and the right to fair legal proceedings are satisfied if the files and pieces of evidence are disclosed to the accused in criminal proceedings according to the rule of law after the investigation has been completed (BVerfG, resolutions of January 12, 1983 - 2 BvR 864/81 -, NJW 1983, 1043; dated February 10, 1981 - 7 B 26/81 -, NJW 1981, 2270). The BFH also did not derive any binding right to information from previous regulations of the GDPR. Rather, in the light of the subsidiarity clause contained in the former BDSG, he judged the AO to be the final area-specific data protection regulation. The fact that the legislature did not standardize the right to inspect files there should be respected as a "deliberate waiver of regulation" (BFH, dated 04.06.2003 - VII B 138/01 -, loc.cit.). The GDPR also does not grant the data subject a right to inspect files, as above under d. with a view to the ECJ case law to the previous provision (ECJ - C-141/12 -, loc.cit.). Art. 15 para. 1 GDPR does not guarantee a right of access to administrative documents and therefore no right to inspect files. (4.2.3) Application of Restrictions to Tax Records The restrictions cited in detail under (4.2) can be summarized in seven principles: The right to information is suspended if - subject to the weighing of interests, the information enables the person concerned - adjust to the state of knowledge of the tax authority, he would be able to cover up or cover tracks (restriction 1), - conclusions about the risk management system (constraint 2) or - draw on planned control or audit measures (Limitation 3), - if there are overriding confidentiality interests of third parties (restriction 4), - if confidence in the confidential disclosure of proprietary data would be compromised (Limitation 5), - if the information is not already known to the person concerned (limitation 6) - or if they are retained essentially for statutory retention requirements (Restriction 7). Compressed further, it contains the following assessments by the legislature: - The tax office may retain secret knowledge of taxation issues for future reviews of the taxpayer's declarations (Restrictions 1, 2, 3). - Confidentiality interests of third parties are to be protected (restriction 4). - The identity of an informant may be kept secret (restriction 5). - No information needs to be given about what is already known (restriction 6). - Retention rules take precedence (Restriction 7). Since these suspensions are sometimes completely contrary to the principle of transparency under data protection law, the decision can almost always only be found after weighing up the conflicting interests. If this weighing were to be carried out - specifically - on the individual date, the presentation of the argumentative weighing of interests in the justification of the negative decision would allow conclusions to be drawn about the state of knowledge of the tax office. If one wanted to carry out a specific assessment for each personal date in the tax file, the result would be a completely disproportionate amount of justification for answering every unreasonable (!) request for information under data protection law. In practical terms, therefore, the consideration can only be carried out abstractly in relation to classes of data, as has already been shown under d.(3). In this sense, the data contained in the full texts of the tax files basically form a class from the point of view of the senate. If one wanted to give priority to the principle of transparency under data protection law with regard to this entire class of "information in full texts", this would practically mean obliging the tax office to inspect every tax file without cause. And this despite the fact that the total of the restrictions suspend the right to information for almost all of the content of the tax file: The correspondence between the tax office and the taxpayer is known or should be known to him, earlier correspondence, but also data on tax matters that has become obsolete due to the passage of time, are subject to the retention requirements (limitations 6 and 7) due to the documentation function of the tax file. Insofar as the file contains data for future checks, the balancing of interests required by restrictions 1-3 should generally turn out in favor of the tax office's possibility of checking due to the taxpayer's obligation to tell the truth. The same applies to control material, audit reports and reports from informants, but also to file notes that provide information on the review of future tax returns. The contents of files for the current ongoing taxation fall - as the dispute shows in an example - under the restriction that the person concerned can adjust to the state of knowledge of the tax office. However, despite the taxpayer's obligation to tell the truth, a weighing of interests in this data does not always have to be at the expense of the taxpayer. He has a legitimate interest in checking the facts on which the taxation is based and, if necessary, uncovering doubts in the context of the taxation procedure and the legal hearing to which he is entitled. In this respect, there is little difference between the right to information and the dependent procedural law of § 364 AO. However, if the taxpayer is entitled to more information under the current taxation procedure with the justification of the administrative act and the disclosure of the taxation documents than a right to information under data protection law, it does not appear necessary when weighing up the interests to grant a right to information in addition to these basic procedural rights, which in a separate procedure ultimately gives the person concerned less information. (5) The claimant's right to a copy of, for example, the input and calculation data processed for the preparation of the notice and the basic data overview is obviously not relevant to the plaintiff. 3. The finance court did not need to submit the relevant legal issues to the ECJ (Gräber, Finanzgerichtsordnung, 8th ed., FGO § 115, para. 84). Courts of first instance are not obliged under Union law to make a submission (BFH, decision of January 14, 2014 - III B 89/13 -, BFH/NV 2014, 521). 4. The decision on costs is based on Section 135 (1) FGO. 5. The revision is permitted under Section 115 (2) Nos. 1 and 2 FGO, since the question of the scope of the right to information in the area of tax administration after the introduction of the GDPR in 2018 is of fundamental importance. In addition, in view of the conflicting decisions of the tax courts cited above on the scope of application of the GDPR in the area of direct taxes, it seems necessary to allow an appeal to ensure uniform case law. 6. It seems appropriate to decide by court order (§ 90 a FGO).