FG München - 15 K 118/20
From GDPRhub
| FG München - 15 K 118/20 | |
|---|---|
 | |
| Court: | FG München (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 4(7) GDPR Article 15(1) GDPR § 30 AO |
| Decided: | 04.11.2021 |
| Published: | |
| Parties: | |
| National Case Number/Name: | 15 K 118/20 |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | |
| Original Language(s): | German |
| Original Source: | Bayern.Recht (in German) |
| Initial Contributor: | Florian Wuttke |
The Tax Court of München held that, amongst other things, the right of access to personal data under Article 15(1) GDPR does not amount to a right of access to (administrative) files.
English Summary
Facts
The data subject requested information on all data processed by the tax office, invoking Article 15 GDPR, in particular a complete colour copy of the tax files including all side files and the internal comments on all data processed by the tax office. The data subject accused the tax office of file manipulation as well as "recording false data".
The tax office provided the data subject with copies of all current tax assessments, a printout of the tax collection account, as well as a basic data overview and an overview of the electronic record. It refused to provide further information. At the hearing, the tax office submitted extensive further printouts from its databases, but still refused to provide information on any assessment-related data, tax audits and risk management system data and, in particular, a copy of the tax files.
The court had to decide whether tax offices are obliged to grant full access to tax files under Article 15(1) GDPR.
Holding
The Tax Court of Munich (Finanzgericht München - FG München) held that by handing over the additional copies of its databases at the court hearing, the tax office fulfilled its duty under Article 15(1) GDPR. The data subject was not entitled to further disclosure.
On the applicability of the GDPR:
The court determined that the GDPR and the data protection provisions of the German General Tax Code (AO) are applicable to the processing of personal data by tax offices. By referring to its previous decision (FG München 15 K 81/20) the court confirmed that the area of direct taxation is not excluded from the scope of the GDPR under Article 2(2)(a) GDPR. Furthermore, the court extensively discussed the material scope of application according to Article 2(1) GDPR.
At first, it referred to the decisions of the CJEU in C-434/16 and C-141/12+C-372/12 to establish that only legal evaluations do not constitute personal data but all other content referring to the fiscal situation of the data subjects does. This includes all assessments, opinions and evaluations about the data subject itself or its fiscal situation written done by hand, e.g. as notes.
Secondly, the court determined that the phrase “partly by automated means” in Article 2(1) GDPR is to be interpreted broadly due to the first sentence of Recital 15. It, therefore, covers all individual operations carried out with the help of the tax administration’s computer systems.
Thirdly, the court assessed the meaning of the term “filing system” in Article 2(1) GDPR. In doing so it took Recitals 15 and 27 of the 95/46 directive into account as well as the CJEU decision C-25/17. All of these sources indicated that the distinctive criterion is the ease of retrieving the personal data. However, the court found this approach being without any clear confines. It, therefore, took the second sentence of Recital 15 into consideration and came to the conclusion that the paper records of a tax authority do no constitute a filing system. It took the opinion of many German scholars that a set of files needs to sorted according to at least two criteria to count as “structured”. A set of tax files is, however, organized only by the file number or the tax number. The file itself is not organized. All documents are just filed by their date. The court also based this finding on the objective of Article 15 GDPR. Despite the obligation of the controller under Article 12(1) GDPR, it cannot the objective of Article 15 GDPR that the controller has to sort through all of its paper records to single out and extract every (little) individual personal information he has on the data subject from every piece of paper.
On the scope of the right to access:
The Financial Court’s decision has three main takeaways concerning the right to access under Article 15(1) GDPR.
First, the court stipulated that the right of access to personal data under Article 15(1) GDPR does not amount to a right of access to (administrative) files. Otherwise Article 15 GDPR would not serve the GDPR’s purpose of guaranteeing the protection of the applicant’s right to privacy, but would serve the purpose of guaranteeing him a right of access to administrative document, which is not covered by the GDPR (cmp. CJEU C-141/12+C-372/12 recital 46).
Second, the court determined that the tax authority has no discretionary power to answer access requests under Article 15(1) GDPR. It has only a discretionary power concerning requests of access to files.
Thirdly, the court stipulated that the right of access to personal data under Article 15(1) GDPR is limited by the law. Limitations result from Article 13(4) GDPR and Article 23(1)(e) GDPR in conjunction with §§ 32a ff. AO. The FG seems to be of the opinion that Article 13(4) GDPR is applicable to the right of access pursuant to Article 15(1) GDPR because of the reference in § 32c(1)(no. 1) AO to § 32a(1) AO where Article 13(4) GDPR GDPR is mentioned.
The court then comes to the conclusion that basically almost all personal data which is accrued during the proceedings falls under these limitations. This especially results from the court applying Article 13(4) GDPR. Although it comes to this conclusion, at the end of its judgement it compares the interests of the data subject with the interests of the tax authority.
It differentiates between data in unstructured paper files and data in databases.
With regard to data in unstructured paper files the court is of the opinion that the interests of the tax authority outweigh the interests of the data subject. The court invokes the strong protection of tax secrecy according to § 30 AO and the impracticality to manually extract the data.
With regard to the information stored in databases data subjects are generally entitled to access due to the low technical hurdles of aggregating this information. However, information which the tax office needs to verify the veracity of declarations of the tax subject is excluded (cmp. above limits). Notes on communications between the tax office and the tax audits authority or tax investigation authority are also excluded as well as notes regarding future tax reviews and the data of the "risk management system" (cmp. above limits).
Moreover, the court clarified that data subjects do not have a right to information regarding data that concerns completed taxation periods and that is retained only due to statutory retention requirements or, for example, data in backup files, provided that this data is no longer subject to the general access by tax office employees. In such a case the interests of the tax authority to retain the data outweighs the interests of the data subject to access the data.
The court does not explicitly refer to this provision but this situation is regulated in § 32c(1)(3) AO.
Comment
For tax law enthusiasts: See numbers 2 and 3 of the guidelines of the judgement for a detailed listing of tax related information which can and cannot be procured from a tax authority under Article 15(1) GDPR according to the FG München.
The decision itself tries to harmonise data protection and tax (procedural) law. Thought the decision is comprehensive, the legal outcome does leave the reader with some questions:
First of all, if almost all personal data accrued during the administrative proceedings falls under rules limiting the right of Article 15 GDPR, Article 15 GDPR is basically moot for German tax law. So why even bother with a such comprehensive decision and why make remarks on the balancing of the interests of the parties.
Second, where does the court infer the necessity and limitation on Article 15 GDPR to weigh the interests of the data subject against the interests of the tax authority. Such a general limitation is neither foreseen in the GDPR nor in the AO. Only one particular rule of limitation - § 32c(1)(no. 3) AO - provides for such a balancing of interests.
The court seems to infer this requirement from decisions by the Federal Fiscal Court (Bundesfinanzhof – BFH). The Federal Fiscal Court created a right of access to records if no interests of the tax authority or a third person outweigh the interests of the applicant.
It may further be noted that taking into account the effort which it takes for the controller to extract the personal data from its files might contradict the CJEU decision C-141/12+C-372/12 which the court itself cited. In recital 59 of this decision the CJEU clearly states that also personal data that is part of a legal evaluation must be part of an answer to an access request. The CJEU did not limit the right of access of the data subject on the basis of the controller’s effort to extract the data from the legal evaluation. Article 12(1) GDPR also contradicts the notion of such a limitation.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Title:
Right to information under the General Data Protection Regulation from the tax office
chains of standards:
DSGVO Art. 15 Para. 1
AO § 32b, § 32c
Guiding principles:
1. The GDPR applies to the data processing of all taxes administered by the tax office - including direct ones. (paragraph 14)
2. Art. 15 GDPR grants a non-discretionary right to information about the data processed by the tax office. It includes the right to printouts or data made available online from the databases of the tax office, in particular the "basic data" and the "edata", in the case of the assessment data, the input data and calculation results, the assessment information, the survey overview and the legal remedies database, as well as the survey account . (paragraphs 55, 71 and 115)
3. On the other hand, he does not provide any information about control material or traces of suspicion, such as BP reports, BP information, the risk management system data sheet, the "data close to the determination", as well as notes on the preparation of the decision and the documentation of the decision. (paragraph 117)
4. In principle, it does not include the right to inspect the tax file or individual administrative documents or to be provided with a copy thereof. The entitlement is limited to the dates of uncompleted tax periods. (paragraphs 86 and 102)
tags:
Right to information, tax office, data, tax files, right to inspect files
Source:
BeckRS 2021, 41761
facts
1
Referring to Art. 15 GDPR, the plaintiff had requested information about all data processed by the tax office. What was particularly important to him was a complete (color) copy of the tax files, including all ancillary files and the notes contained therein. He accused the tax office of file manipulation and the "recording of incorrect data". Criminal charges and supervisory complaints had preceded this. The tax assessment is also no longer comprehensible after many changes to assessments, objection and lawsuits.
2
The tax office gave the plaintiff duplicate copies of all open tax assessments, as well as the year preceding the first year (over 10 years), a printout of the survey account, as well as a basic data and an e-data overview. It declined any further information. The lawsuit is aimed at the obligation to submit further data and in particular a complete copy of the file. During the oral hearing, the tax office presented extensive further printouts from its databases, but continued to refuse information from the areas of "assessment-related data, BP information, risk management system" and in particular the provision of a copy of the tax files.
Reasons for decision
3
1. The action is admissible.
4
In the event of a dispute, legal recourse to the financial courts is available in accordance with Section 32i (2) AO, insofar as the complaint by the data subject against the tax office as the tax authority (Section 6 (2) No. 5 AO) with regard to the processing of personal data relates to rights under the GDPR (here: Art. 15 Para. 1 GDPR), otherwise according to Section 33 Para. 1 No. 1 and Para. 2 FGO.
5
The permissible type of action for the judicial assertion of a claim for information against an authority under Art. 15 Para. 1 of the GDPR is the obligation action. (...) (cf. BVerwG, judgment of September 16, 2020 - 6 C 10/19 -, para. 12, HFR 2021, 419).
6
The lawsuit is also addressed to the right defendant. The person responsible for the data protection claims from the GDPR is passively legitimate (Art. 15 Para. 1 GDPR). According to Art. 4 No. 7 GDPR, this is the natural or legal person, authority, institution or other body that alone or jointly with others decides on the purposes and means of processing personal data. § 2a AO also links the responsibilities in connection with the protection of personal data to the tax authority or public administration body. The subject of the rights and obligations in the area of data protection is therefore the authority that decides on this processing within the scope of its responsibility. The claim can therefore only relate to the processing of data that is within the decision-making authority of the respective authority and to this data. In the event of a dispute - insofar as information about the processed data is requested - this is the defendant tax office.
7
2. The lawsuit is ready for a decision.
8th
The lawsuit can be decided on the basis of the available files and presentations of facts. In particular, the submission of the tax files can be dispensed with because their content is not decisive for the question of the duty to provide information, which is independent of the specific content.
9
Pursuant to Section 71 (2) FGO, the tax office must transmit the files relating to the dispute to the court after receipt of the statement of claim. The tax office initially refused this in a letter dated March 9th, 2020. In doing so, however, it was evidently assumed that the files to be transmitted also included the tax files, which the plaintiff mainly requested to inspect.
10
Based on this point of view, the plaintiff submitted an application under Section 86 (3) FGO, which the BFH rejected as inadmissible under Az. II S 8/20 (...).
11
The rapporteur has therefore asked the tax office to submit the process "entitlement to information under data protection law or inspection of files", i.e. only the plaintiff's request for information under data protection law, the correspondence that has been issued and the information or refusal to provide information". The tax office submitted these delimited files relating to the dispute (cf. BFH decision of June 3, 2015 VII S 11/15, BFH/NV 2015, 1100, para. 7). In addition, it gave the court and the plaintiff further printouts from the databases when requested to do so during the oral hearing (...).
12
4. The lawsuit is unfounded after further information has been provided.
13
The plaintiff has a right to information according to Art. 15 Para. 1 GDPR, which was fulfilled with the handing over of the further copies from the databases of the tax office in the oral hearing. The tax office is not obligated by the right to information to grant access to the tax files, to provide copies of the files or to search for and communicate data from the tax files.
14
The GDPR is also applicable in the area of direct taxes (a.).
15
As a processor within the meaning of the GDPR, the tax office is also the correct defendant or passive legitimizer of the right to information (b.).
16
In the event of a dispute, the substantive scope of application of the GDPR is open to the extent that the processing of personal data is to be assessed (c.), but only to the extent that the personal data are also processed by the tax office in a partially or partially automated manner (d.).
17
The right to information, which is already limited by this, is correspondingly limited with regard to the restrictions on the right to information in the GDPR itself, as well as by the AO and general principles (e.).
18
It grants no right to inspect the files and has been fulfilled in the course of the proceedings to the extent that the information provided before the court was insufficient (f.).
GDPR is applicable to direct tax administration…
19
a. The GDPR is also applicable to the processing of data in the administration of direct taxes.
(... This part has been shortened. Its content corresponds to the explanations in the other decision of the FG Munich [FG Munich, court decision of July 23, 2021 15 K 81/21, EFG 2021, 1789].)
20
b. The GDPR and the related provisions of the AO apply to the processing of personal data by the tax office.
21
The data protection regulations of the AO, the tax laws and the GDPR apply to the processing of personal data by tax authorities according to § 2a Para. 1 AO. The tax office is one (§ 6 Para. 2 No. 5 AO). The defendant tax office is "responsible" within the meaning of Art. 4 No. 7 GDPR as the natural or legal person, authority, institution or other body that alone or jointly with others decides on the purposes and means of processing personal data and is therefore the passive legitimate Claim from Art. 15 GDPR.
The term "personal data" is to be interpreted broadly
22
c. In the event of a dispute, the material scope of the GDPR is open to the extent that the processing of personal data is to be assessed.
23
Not only the individual details stored in database fields with reference to the tax number or the name of the plaintiff are personal data. The information contained in unstructured full texts relating to his person is also personal data under the circumstances of the dispute.
24
(1) (1.1) The GDPR applies to the fully or partially automated processing of personal data as well as to the non-automated processing of personal data that is stored or intended to be stored in a file system (Art. 2 Para. 1 GDPR).
25
§ 2a para. 5 AO orders the corresponding application of the GDPR to deceased natural persons and corporations, legal or unincorporated associations of persons or estates.
26
(1.2) According to Art. 4 No. 1 GDPR, personal data is all information relating to an identified or identifiable natural person. According to Regulation (EC) No. 45/2001 or the predecessor of the GDPR, Directive 95/46/EC, this is all information about an identified or identifiable natural person. The different terminology "obtain" instead of "via" does not result in a significantly different meaning. Accordingly, personal data are individual details (as expressly stated in § 3 Para. 1 BDSG old version), i.e. not files or collections of files (see recital 15 to the GDPR).
27
(1.3) The term "personal data" is interpreted broadly by the ECJ called upon to interpret it (cf. ECJ proposal: BVerwG, decision of July 4th, 2019 7 C 31/17, juris), so that the answers of the test participant to Examination questions and the examiner’s correction comments (but not the examination questions themselves) can represent personal data (ECJ, judgment of December 20, 2017 C-434/16, para. 34, juris; cf. also VG Gelsenkirchen, judgment of April 27, 2020, 20 K 6392/18, para. 140, juris). In his decision on Directive 95/46/EC, he derives this from the two objectives of the directive: Firstly, the protective principles provided for in it are reflected in the obligations incumbent on those responsible for processing; these obligations relate in particular to data quality, technical security, reporting to the supervisory authority and the conditions under which processing can be carried out. On the other hand, they would be expressed in the rights of the persons whose data is the subject of processing, to be informed about this, to have access to the data, to request their correction or, under certain conditions, to be able to object to the processing (ECJ, Judgment of December 20, 2017 C-434/16, para. 48).
28
(1.4) The ECJ is working on the difference between personal data and the documents that contain, among other things, personal data. In the proceedings on which the request for a preliminary ruling is based, the applicants requested access to a so-called "draft document" which contained data on the parties to the proceedings, but also a legal analysis. The ECJ has decided that the data contained in this draft document, which represents the factual basis for the legal analysis also contained in the draft document, is personal data of the person involved in the procedure. In this respect, he affirms a right to information. On the other hand, he denies a right to information regarding the legal analysis. This could not be the subject of a review by the applicant and a correction. In reality, extending the right of access to this legal analysis would not serve the aim of the directive, which is to ensure the protection of the privacy of that applicant when data concerning him are processed, but rather the aim of guaranteeing him a right of access to administrative documents , to which Directive 95/46 is not directed (ECJ, judgment of July 17, 2014 C-141/12 and C-372/12, CR 2015, 103, para. 46).
29
The ECJ also clarifies that the directive leaves it up to the member states to determine the specific form in which the information is to be provided, insofar as it enables the data subject to gain knowledge of the personal data concerning them and to check whether it is correct and processed in accordance with the Directive, so that it can, where appropriate, exercise the rights conferred on it by the Directive (ECJ, judgment of 17/07/2014 C-141/12 and C-372/12, CR 2015, 103, para. 57).
30
In order to safeguard the right to information, it is sufficient if the applicant receives a complete overview of the data presented in the draft document - i.e. also such personal data that are contained in the legal analysis - in an understandable form (ECJ judgment of 17.7.2014 C-141/ 12 and C-372/12, CR 2015, 103, paragraph 59).
31
Insofar as this information can be used to achieve the goal sought with the right to information, the data subject is not entitled, either under the right to information or under Article 2(2) of the Charter, to a copy of the document or the original file in which this data is contained , to obtain. In order to prevent the data subject from gaining access to information other than personal data concerning them, they can obtain a copy of the document or the original file in which this other information has been made unrecognizable (ECJ, judgment of 17.7.2014 C-141/12 and C-372/12, CR 2015, 103, paragraph 58).
32
(2) In accordance with these legal principles, personal data is not just all individual information that is stored in the database systems of the tax office with reference to the plaintiff or his tax or tax identification numbers - mostly under code numbers (their meaning roughly corresponds to the concept of category). are. Personal data is also available to the extent that tax files - regardless of whether they are electronic or on paper - contain documents whose unstructured texts contain individual information about the plaintiff's tax and thus always personal circumstances. Evaluations, value judgments and assessments of the plaintiff or his tax situation by clerks of the tax office contained under code numbers or in texts that are not themselves further structuring also have the character of personal data.
33
(2.1) There may be doubts as to whether unstructured or poorly structured texts that contain a large number of individual details in free linguistic description can be regarded as "data" as long as they have not been structured in individual details, i.e. in appropriately structured ordered pairs consisting of "Category" and "Value" or field identifier and field content have been extracted - for example by being transferred to a form in a structured and separated manner.
34
According to the broad interpretation of the term "data" by the ECJ, however, it is irrelevant what degree of formal structuring the individual information contained in a text has. According to the case of the ECJ cited above, it is sufficient for the existence of "data" that facts are described in a text in continuous, unstructured language that are assigned to the plaintiff - and are therefore personal.
35
(2.2) According to the decision of the ECJ cited above, according to which the examiner's corrections also become personal data of the test participant as soon as they - e.g. Assessments and comments in the form of memos and processing notes from clerks apply. Merely the pure legal analysis of a taxation issue does not represent any personal data. Of course, this can in turn contain individual information relating to the plaintiff in the text, and this is also typically in a professionally written legal subsumption part.
36
(2.3) It can be assumed that the data is assigned to the plaintiff, since the file containing the documents with the description of the facts is kept under his name or the tax number linked to it and thus the documents contained and notes made in relation to the plaintiff set. Due to their structure, individual details in databases can be assigned to the respective taxpayer anyway without any problems.
Manual or (partly) automated processing
37
i.e. The substantive scope of the GDPR is only open to the extent that the personal data are processed by the tax office in an automated or partially automated manner (Art. 2 Para. 1 Alt. 1 GDPR).
38
(1) Data processing is at least partially automated if data processing systems are used (Kuhling/Buchner, commentary on the GDPR and the Federal Data Protection Act, Beck, 3rd edition, GDPR Art. 2 para. 15 - Kühling -). There is no specific definition of "automated data processing" in the GDPR. This corresponds to the will of the legislator to design a technology-neutral protection system that also covers future technological developments (compare recital 15). As a result, the term partially automated data processing must be interpreted very broadly (Kuhling, GDPR Art. 2 para. 15). This unproblematically includes all processing steps that are carried out with the help of the computer systems of the tax administration.
39
(2) Non-automated processing is only subject to the scope of the GDPR if the personal data are stored or are to be stored in a file system (Art. 2 Para. 1 Alt. 2 GDPR).
40
“Non-automated” means “manual” processing (Recit. 15). No sub-step of the processing may take place automatically. Insofar as the tax administration files documents in paper form in tax files, such manual processing is given.
41
(2.1) It has not yet been sufficiently clarified when there is (intended) storage in a file system (Article 2 (1) GDPR). Art. 4 No. 6 GDPR defines the file system as "any structured collection of personal data that is accessible according to certain criteria, regardless of whether this collection is centralized, decentralized or organized according to functional or geographical aspects". According to the H.M., this term is essentially synonymous with the term file used in the predecessor provision of the GDPR (Directive 95/46) (Kuhling, GDPR Art. 6 No. 6 para. 1). According to the common idea, a collection is a planned, structured compilation of individual information that shows an internal connection, either through the similarity of the information (e.g. customer data) or the purpose (e.g. access control) of the collection (Kuhling, DSGVO Art. 4 No. 6 para. 3). According to the BDSG old version, this meant a similar structure of the compilation, an external form that must have a certain arrangement. According to this, no random or changing structure of the information was allowed. Rather, it required a formal scheme of order (ibid.).
42
Term “file system” … (2.2) The case law of the ECJ on the interpretation of the term “file system” is - as far as can be seen - not yet available. The ECJ (ECJ, judgment of July 10, 2018 C-25/17, Celex no. 62017CJ0025) explains the term “file” used in the previous provision of the GDPR:
43
"According to recitals 15 and 27 of Directive 95/46, the content of a file must be structured in such a way that it enables easy access to personal data. Article 2(c) of this Directive does not specify the criteria according to which the file must be structured, but according to the recitals mentioned, the criteria must be "personal". Thus, the requirement that the collection of personal data must be "structured according to certain criteria" means only that the data about a specific individual can be easily retrieved.
44
Apart from this requirement, Article 2(c) of Directive 95/46 does not regulate the modalities according to which a file must be structured, nor the form it must have. In particular, neither this nor any other provision of this Policy indicates that the personal data in question must be contained in specific files or registers or any other search system in order for the existence of a file within the meaning of this Policy to be affirmed. […] The answer to the second [submission] question is that Art. 2 Letter c of Directive 95/46 is to be interpreted in such a way that the term “file” mentioned in this provision means a collection of personal data that is of a door-to-door preaching activity, which includes names and addresses and other information about the persons visited, provided that this data is structured according to certain criteria in such a way that it can be easily retrieved in practice for later use. In order to fall under this term, such a collection does not have to consist of specific card files or directories or other classification systems used for research (ECJ, judgment of July 10, 2018 C-25/17, Celex no. 62017CJ0025, para. 57 f, 62 )".
45
The request for a preliminary ruling was based on the visiting activities of Jehovah's Witnesses, who, as part of their door-to-door preaching work, make notes about visits to people who are unknown to them or to the community. The data collected may include: the names and addresses of the persons visited, as well as information about their religious beliefs and family circumstances. This data is collected as a memory aid and to be retrievable in the event of a return visit without the data subject having consented or having been informed of this.
46
The community of Jehovah's Witnesses has provided its members with instructions for making such notes, which are reproduced in at least one of their evangelical newsletters. In particular, the fellowship and its congregations organize and coordinate the door-to-door ministry of their members by preparing maps of areas based on which districts are divided among the members involved in the ministry and by keeping registers of publishers and the number of fellowship publications they distribute. In addition, the congregations of the Jehovah's Witnesses community keep a list of those who have asked to stop being visited by the publishers. The personal data contained in this list, the so-called "banned list", is used by the members of the community. In the past, the fellowship provided its members with forms for collecting this data as part of their preaching work; however, their use was discontinued as a result of a recommendation from the data protection officer. The data collected was not structured in the form of a card file.
47
(2.3) If, according to the case law of the ECJ, it is sufficient for the existence of a file or a file system that data are structured according to certain criteria in such a way that they can be easily found in practice for later use and such a collection does not consist of specific card files or directories or other classification systems used for research, then the term file system has no shape at first glance.
48
In order to resolve this apparent lack of contours, it is worth taking a look at Recital 15 of the GDPR, according to which files or collections of files and their cover sheets that are not arranged according to specific criteria should not fall within the scope of this regulation. The GDPR does not specify when files or collections of files "are not arranged according to specific criteria". However, this cannot mean that an individual file within a collection of files can be found according to the one criterion "name" or "tax number", since otherwise each collection of files would appear "sorted according to certain criteria" and their exception from the scope of the GDPR entirely empty. Because a collection of files without at least one classification criterion for arranging the files it contains is practically unimaginable.
49
Accordingly, the probably hM in the literature to affirm an "order according to criteria" (recital 15) requires that the collection can be sorted according to at least two criteria (Kuhling, DSGVO Art. 2 para. 18), which in the collection of tax files, that are only filed according to Az. or tax number is not the case.
50
This applies in particular to the content of each individual tax file in which documents are filed as full text in historical order without further "order according to criteria".
51
In the reference case of the ECJ (ECJ, judgment of July 10, 2018 C-25/17, Celex no. 62017CJ0025, Jehovah's Witnesses), there was a structure in the sense of easy retrieval of data because the individual visit reports were relatively few , concise data contained in a structured form. This is not the case with a file that without any further order contains a large number of non-uniform and largely unstructured documents in the order in which they were filed - with paper tax files it is not uncommon for high two-digit and also three-digit page numbers - not to be the case.
52
In contrast to a collection of structured individual sheets, the effort involved in searching for individual information on a specific criterion from a file is not "easy". Rather, a human processor who wanted to find all the individual information from the documents contained in a comprehensive tax file for information required a lot of time - in individual cases probably hours. As a result, it cannot be assumed from the outset that files - especially paper files - that contain extensive, unstructured individual documents will not be "stored in a file system".
Application to extensive file collections
53
(3) As far as can be seen, the respondent has not yet had the opportunity to comment in more detail on the data protection treatment of such extensive collections of files with a large number of unstructured bundles of documents, such as the tax files. The same applies to the question of whether the differentiation between fully and partially automated data processing and non-automated data processing in Art. 2 GDPR must result in conclusions for the scope of the right to information under Art. 15 GDPR.
54
The recognizing Senate considers it necessary to give a differentiated answer to the scope of the GDPR and the interplay of the rights of the GDPR for large file systems, based on their function.
55
(3.1) In such systems, a distinction must be made between the individual information held in databases, such as, in the event of a dispute, the "eData" and the "basic data" in the databases of the tax offices. These are undoubtedly subject to the scope of the GDPR because they are specifically stored for machine processing.
56
(3.2) The same applies to the individual information on which the tax assessments are based as part of the tax assessment, such as the keyed tax bases on which the tax calculation is based. They are the starting point for the automatic tax calculation.
57
(3.3) The result of the tax calculation, the aggregated partial results and results shown in the notices also represent generated personal data. They are also stored in the databases for further processing if necessary.
58
(3.4) In the opinion of the judging Senate, the paper tax file itself, the chronologically sorted filing of the written communication between the administration and the person concerned/taxpayer and various other unstructured texts are generally not included in the scope of protection of the GDPR. While the individual details stored in the databases are structured and assigned criteria, the collection of written material contains texts that are unstructured and unequally structured. It is true that these themselves also contain such individual information that has a reference to the person concerned, i.e. "personal data". In addition to this, however, they also contain a large number of individual details without direct reference to the data subject - such as processing notes, processor names, legal analyzes and subsumptions. On the "collective" date - also related to the person concerned - the latter information only becomes available when the document is included in the collection of documents, which in turn is kept under the name of the person concerned. However, the individual information contained "slumbers" unexposed in the full texts of the collection of documents. The Senate does not recognize a "structuring according to certain criteria" for "easy retrieval" (cf. above 2.3) in these as yet "unresolved" individual details. In the opinion of the Senate, they are therefore only subject to the material scope of the GDPR if they are removed from the file by human action and transferred to a file system. In the opinion of the Senate, this act of extraction represents manual and therefore "non-automated" processing. First the "lifting" of the individual information, which represents an intellectual human act, by assigning the content to a criterion - the intended use of the date for the subsequent partially automated process Processing for taxation purposes - means that this date is/should be stored in a file system within the meaning of Art. 2 Para. 1 GDPR.
59
(3.5) Insofar as electronic indices or tables of contents are kept for the filing of written communication dealt with under 3.4, these enable "easy retrieval" (cf. 2.3 above), for example the knowledge that correspondence with a certain title or type on a certain day is listed. This index data, which is meaningless in itself, also becomes personal data through the assignment to the tax number and thus to the data subject. They are therefore subject to the scope of the GDPR.
60
(3.6) Control material from other taxation procedures is usually initially available as more or less unstructured full text correspondence, so that the principles set out under 3.4 apply. The Senate can leave it open whether particularly highlighted messages (e.g. the so-called "green arc") must be considered structured because of their color, since such content is subject to the restrictions of the right to information (see below).
61
(3.7) The contents of tax bases transmitted by third parties (e.g. transmitted health insurance contributions or paid wage taxes) are naturally computer-readable structured data for which the principles mentioned under 3.1 apply.
62
(3.8) Internal processing notes can be stored in database fields (e.g. the report on the tax audit) and are then subject to the principles mentioned under 3.1. Editing notes that are connected to or applied to documents should generally be subject to the principles of 3.4 as unstructured content. Due to their double nature as personal data of the author of the note or their decision-preparatory nature, such internal notes are likely to be regularly subject to restrictions on the right to information (see below).
63
(4) The differentiation made under (3) for extensive data collections including the associated file collections between easily retrievable data stored in a structured manner under criteria identifiers on the one hand and full text documents that are not further structured in themselves on the other hand is reflected in the effort required to provide information in accordance with Art. 15 GDPR caused for the person responsible. The person responsible can provide information about easily locatable, structured data with justifiable effort. On the other hand, an obligation to provide information about the individual details contained in the unstructured collection of documents would mean that these documents would have to be looked through by a human - and thus manually - in order - exclusively for information purposes - to first "raise" the individual details contained therein and thus into the easy-to-find data area.
64
The GDPR itself does not assume such a complex obligation to provide information. In Art. 12 (1) GDPR, it standardizes an obligation on the part of the person responsible to take measures that allow him to obtain information quickly. This does not mean, however, that the person responsible has to work through the entire correspondence as a precautionary measure in order to extract the individual information contained therein and only keep it available for potential requests for information.
65
(5) Individual information that is “dormant” in unstructured full-text documents has a completely different quality than individual information that is recorded under one criterion with the aim of basing a decision on it – data processing. Only this provision, "to be processed", makes it appear practicable to assess the individual data as "correct" or "incorrect" and to link the rights of the person concerned to correction, for example. On the other hand, the documents of the correspondence between the tax office and the taxpayer often contain factual information. However, these usually initially represent non-verifiable assertions by the taxpayer or preliminary assumptions by the tax office. An assumption by the tax office contained in an earlier document may also turn out to be wrong in further correspondence, or even be admitted by the tax office as wrong. But then it would be pointless to inform the person entitled to information of the earlier date recognized as incorrect.
66
In anticipation of the discussion of the Restrictions on the right to information (see below) have already been noted at this point.
67
The idea of the GDPR that data can be judged in binary terms as "correct" or "incorrect" often does not apply to the - unexamined - individual information contained in full texts.
68
(6) It is not only the recitals to the GDPR (recital 15) that exclude files and collections of files that are not classified according to specific criteria from the scope of the GDPR. The ECJ also makes it clear that the right to information under Art. 15 GDPR does not secure a right of access to administrative documents (ECJ, judgment of July 17, 2014 C-141/12 and C-372/12, CR 2015, 103 on the previous regulation). If this applies to the individual document, then this must certainly apply to the entire document collection. The tax office correctly points out (briefing of March 9th, 2020, page 4) that if the wording is interpreted in several language versions, it becomes clear that the GDPR distinguishes between “information” and “inspection of files” (cf. also below on the limitations of the right to information).
69
(7) The BFH and the BVerfG also saw it as justified - before the GDPR came into force - that the AO did not guarantee a general right to inspect files in the area of tax law (see also below).
Scope of the right to information
e. Scope of the right to information - limitations
70
Accordingly, the plaintiff has a right to information from the tax office in accordance with Art. 15 (1) GDPR, the scope of which must be outlined in accordance with the legal principles described above and limited accordingly with regard to the restrictions on the right to information in the GDPR itself, as well as by the AO and general principles is.
71
A bound right to information is to be assumed here. The case law of the BFH assumes that in the absence of a standardized entitlement, access to the files should be granted at the discretion of the authority. This cannot be transferred to the right to information under Art. 15 GDPR. The latter is not subject to the discretion of the authority. Section 32d (1) AO only allows the tax office discretion with regard to the form in which information is provided. In this context, for example, the latter is free to provide information by providing a data printout, granting online access or even granting access to files.
Restrictions on the right to information
(1) Restrictions of the GDPR and the AO
72
According to Art. 15 Para. 1 GDPR, the person concerned (Art. 4 No. 1 GDPR) has a right to information from the person responsible (Art. 4 No. 7 GDPR) about the personal data processed concerning him. This information is provided by the person responsible providing the data subject with a copy of the personal data that is the subject of the processing (Article 15 (3) GDPR). The right to receive a copy according to Art. 15 Para. 1 b) GDPR must not impair the rights and freedoms of other persons (Art. 15 Para. 4 GDPR - the legislator is thinking here of secrets or rights of intellectual property and in particular copyright Software, cf. Remark 63).
73
(1.1) §§ 32a AO et seq. limit the rights of data subjects in the exercise of the competence granted to the member states by Art. 23 GDPR, namely the limitation competence of Art. 23 Para. 1 e) GDPR. As far as relevant here, the AO standardizes the following restrictions:
74
According to Section 32c Paragraph 1 No. 1 AO in conjunction with Section 32a Paragraph 1 No. 1, Paragraph 2 AO, the person concerned does not have the right to information if the provision of the information would jeopardize the proper fulfillment of the tasks for which the tax authorities are responsible and the interests of the tax authorities in not providing the information outweigh the interests of the data subject. This is the case in particular if the provision of information
- could enable the person concerned or third parties to conceal tax-related facts (1.a), to cover up tax-related tracks (1.b) or to adapt the type and scope of the fulfillment of tax cooperation obligations to the state of knowledge of the tax authorities (1. c), or
- Allow conclusions to be drawn about the design of automated risk management systems or planned control or audit measures (2.)
- and thus the disclosure of tax-relevant facts would be made much more difficult.
75
The right to information does not exist according to § 32c paragraph 1 No. 1 AO in conjunction with § 32b paragraph 1 No. 2 AO if the data, their origin, their recipients or the fact of their processing according to § 30 AO or another legal regulation or by their very nature, in particular because of overriding legitimate interests of a third party within the meaning of Art. 23 Para. The latter corresponds to the restriction already contained in Art. 15 Para. 4 GDPR.
76
According to Section 32c (1) No. 1 AO in conjunction with Section 32b (1) No. 1a AO, the right to information does not exist insofar as the provision of information means that the tasks for which the tax authorities are responsible [...] are properly fulfilled within the meaning of Article 23 Para. 1 d to h of the GDPR would endanger.
77
There is also no right to information according to Section 32c Paragraph 1 No. 1 AO in conjunction with Section 32a Paragraph 1 No. 4 AO insofar as the provision of information would jeopardize the confidential disclosure of protected data to public authorities.
78
If the personal data is neither automated nor stored in non-automated file systems, information will only be provided if the data subject provides information that enables the data to be found and the effort required to provide the information is not disproportionate to that of the data subject person asserted interest in information (§ 32c Abs. 3 AO).
79
The GDPR itself restricts the obligation to provide information in Article 13 (4) GDPR in such a way that information known to the data subject does not fall under the obligation to provide information and thus also not the obligation to provide information (cf. Section 32c Section 1 No. 1 AO in conjunction with Section 32a Section 1 AO, Art. 13 Para. 4, Art. 14 Para. 5 a GDPR).
80
Furthermore, the right to information does not exist if the personal data
- are only stored because they may not be deleted due to statutory retention requirements, or
- exclusively serve the purposes of data backup or data protection control and the provision of information would require a disproportionate effort and processing for other purposes is excluded by suitable technical and organizational measures (§ 32c Para. 1 No. 3 AO).
81
(1.2) Some of the aforementioned restrictions already existed word for word before the GDPR or the provisions of the AO that completed it came into force (cf. in the scope of application of the old version of the BDSG that was in force until May 24, 2018: § 19 BDSG). The case law of the financial courts and the BVerfG on the right to information rejected, citing in this context, information about data stored at the information center abroad (IZA), because this would prevent the proper fulfillment of the tasks within their responsibility or the responsible tax offices in individual cases (Federal Fiscal Court ruling of July 30, 2003 VII R 45/02, BStBl II 2004, 387; BVerfG decision of March 10, 2008 1 BvR 2388/03, BStBl II 2009, 23). Financial case law assumes that this restriction will continue to apply under the GDPR (Cologne District Court, judgment of September 18, 2019 2 K 312/19, EFG 2020, 413; the appeal filed against the BFH bears the file number II R 43/19) .
Information does not include inspection of files
(2) No general right to inspect files
82
The case law before the GDPR came into force made a clear distinction between information and inspection of files. According to std. Rspr. of the BFH not (in summary with reference to: BFH decision of November 3rd, 2020 III R 59/19, NJW 2021, 1263, para. 7; BFH judgment of February 23rd, 2010 VII R 19/09, BStBl II 2010, 729) . In any case, the rejection of a bound right to inspect files was based on the consideration that the legislature had not considered a general right to inspect files in tax administration proceedings to be practicable, because this would conflict with aspects of the protection of third parties and the investigative interests of the tax authorities, as well as the administrative burden on the tax authorities, which would have to check before each file inspection , whether a third party's interest in secrecy could be affected and then the entire control material, authority-internal notes and instructions and the like would have to be removed from the files (BTDrs 7/4292, p. 24 f.). From this, the BFH deduced that the inspection of the files during the ongoing administrative or tax investigation procedure should only be an exception to be granted in application of § 91 AO or § 364 AO for reasons of the right to be heard.
83
In the decision of May 26, 1995 (BFH decision of May 26, 1995 VI B 91/94, BFH/NV 1995, 1004), the BFH assumed that the tax office can grant inspection of files at its discretion, although there is no general right of inspection of files in the AO is regulated, and this should in any case be done regularly if circumstances are not affected. As a result, the BFH assumes a right to a dutiful and error-free discretionary decision by the authority, which is guaranteed if the authority has weighed its interests and those of the authority against each other in the context of a weighing of interests (BFH decision of November 3, 2020 III R 59/19 , NJW 2021, 1263). In this decision, the BFH expressly left open the question of whether Art. 15 GDPR justifies a right to inspect the tax files in addition to the right to information (BFH decision of November 3, 2020 III R 59/19, NJW 2021, 1263, para. 16 ).
84
The BFH did not see the right of the taxpayer to be granted a fair hearing under Art. 103 (1) GG or his right to be granted judicial protection (Art. 19 (4) GG) as violated by the refusal to inspect the files in the administrative proceedings (BFH decision of 4.6.2003 VII B 138/01, BStBl II 2003, 790, para. 15). Art. 19 (4) GG guarantees the right to effective judicial control (BVerfG judgment of December 15, 1983 1 BvR 209/83 et al., BVerfGE 65, 1, 70 - census judgment -) and Art. 103 (1) GG guarantees, that the taxpayer is given the opportunity in court proceedings to comment on the facts on which a decision is based before it is issued. The rights to inspect files enshrined in the procedural codes served to secure these claims in accordance with Section 147 of the Code of Criminal Procedure in (tax) criminal proceedings and Section 78 of the FGO in fiscal court proceedings. In the opinion of the BVerfG, the right to a fair hearing in criminal tax proceedings and the right to fair legal proceedings are satisfied if the files and pieces of evidence are disclosed to the accused in criminal proceedings according to the rule of law after the investigation has been completed (BVerfG resolutions of January 12, 1983 2nd BvR 864/81, NJW 1983, 1043; dated February 10, 1981 7 B 26/81, NJW 1981, 2270).
85
The BFH also did not derive any binding right to information from previous regulations of the GDPR. Rather, in the light of the subsidiarity clause contained in the former BDSG, he judged the AO to be the final area-specific data protection regulation. The fact that the legislature did not standardize the right to inspect files there is to be respected as a "deliberate waiver of regulation" (Federal Fiscal Court decision of June 4, 2003 VII B 138/01, BStBl II 2003, 790).
86
The GDPR also does not grant the data subject a right to inspect files, as above under d. with a view to the ECJ case law to the previous provision (ECJ, judgment of July 17, 2014 C-141/12, CR 2015, 103). Art. 15 para. 1 GDPR does not guarantee a right of access to administrative documents and thus no right to inspect files.
Right to information includes...
87
(3) Scope of the right to information in the event of a dispute (3.1) Application of the restrictions to tax data All individual information in the tax file and the tax databases fall under the restrictions on the right to information listed under (1).
88
The restrictions set out under (1) apply - abbreviated and subject to the necessary balancing of interests - if the information enables the person concerned to adjust to the state of knowledge of the tax authority, he would be able to conceal or cover tracks (restriction 1), conclusions to the risk management system (limitation 2) or to planned control or audit measures (limitation 3), overriding confidentiality interests of third parties (limitation 4), trust in the confidential disclosure of protected data would be jeopardized (limitation 5) if the information is given to the data subject are not already known (Restriction 6) or if they are retained essentially because of statutory retention requirements (Restriction 7).
89
If these restrictions are measured against the typical content of the information entered by the tax administration in databases or contained in full text in the paper file, these are subject to the restrictions with the exception of less trivial information. The vast majority of information comes from the taxpayer himself, which he has previously communicated to the tax office in his tax returns or in letters, so that it must be assumed that this information is already known to the person concerned (limitation 6). The same applies to information in letters from the tax office to the taxpayer. This information, but also all information from third-party sources, should regularly meet restriction 1, because almost all data that is currently or could be relevant for taxation in the future can be “adjusted”. This applies in particular to control material or research by the tax office with other authorities. Restrictions 3 and 5 also apply to the latter, but also to notes about the report on the external audit. All data that is no longer relevant for current or future taxation must not be deleted due to statutory retention requirements (restriction 7). Processing notes regularly consist of a possibly abbreviated representation of a legal analysis, refer to other individual information and represent documentation of the decision, which is announced to the taxpayer in the notice; This means that these regularly fall under restriction 6 or do not represent any independent personal data at all. In addition, in the case of processing notes, notes in preparation for a decision and drafts, the author of the note has an inherently opposed interest in the information of the person concerned, since he can claim his own data protection right in this respect that these notices are subject to Limitation 4.
90
(3.2) Weighing of interests In the case of the interests attributable to the tax office, the effort caused by the provision of information must generally be included. In particular, a general right of the person concerned to - manual - extraction of all data contained in the files should be excluded. As far as data is recorded in databases, the effort is much lower, so that the interests of the tax office are assigned a much lower priority. In this respect, the obligation of the person concerned under Art. 12 (1) GDPR must also be taken into account, according to which the person responsible must take suitable measures in order to be able to meet the right to information.
91
Furthermore, an authority or its employees must also be granted a space for informal exchange and freedom from observation by third parties - including those affected - to form opinions and prepare decisions.
92
On the other hand, there are the recognized interests of the person concerned, in addition to his conventional procedural rights, which in certain stages of the process - at least when appealing - grant a right to inspect the files to be able to effectively pursue his rights under the GDPR. In the opinion of the Senate, however, it should be taken into account that in the case of tax files, the enforcement of a data protection right to deletion or correction is practically unimaginable. It would be contrary to the probative function inherent in administrative files if the person concerned was able to delete individual information in any administrative document or to replace it with his/her consent. However, if the person concerned requests the correction of individual information that he believes to be incorrect with the aim of taking it into account in the taxation, he has the much more effective legal recourse in the taxation procedure at his disposal in addition to the data protection claim.
93
If you weigh the above interests against each other, the following results for the individual data areas:
94
(3.2.1) Since searching for the individual information in the full text of the file involves a considerable amount of manual effort, the administration's interest in avoiding this generally prevails - insofar as the file is subject to the scope of the GDPR at all (see d. above). Information interest of the data subject. Due to the documentation function of the file, the practical implementation of a deletion or correction of individual information in full text documents is excluded and would at best be theoretically conceivable through comments by the taxpayer in the full texts, but in the opinion of the Senate not practically feasible. The person concerned knows the correspondence between the tax office and the person concerned, he can also perpetuate this knowledge by storing the correspondence himself accordingly, so that a later interest in information in this respect recedes. The right to information does not serve to save the taxpayer from having to keep his or her own files. Insofar as individual details from documents are used as a basis for taxation, they are necessarily transferred to the tax databases or calculation programs according to their importance and amount - coded - and are subject to the information principles applicable to these data areas. These individual details can also be found - as soon as the tax office intends to use them - in a duly justified administrative act (§ 121 AO) or in a notification letter issued in advance for the granting of a legal hearing (§ 91 AO). In addition, according to § 364 AO, taxation documents are to be disclosed to the objector upon request or, if the reason for the objection gives cause for this, ex officio. In view of this strong procedural situation, which grants the taxpayer far stronger rights in the "main matter" with regard to the data actually processed than the GDPR grants to the data subject, the data subject's interest in information with regard to "unclaimed" individual information must be behind the interest of the administration, insofar as the effort involved to limit, to withdraw.
95
Other individual details that are not or cannot become relevant for taxation may occasionally appear in the full text of the tax file. In view of the extremely strong protection of secrets of the tax file (§ 30 AO) both legally and in practice, and the factual impossibility of searching out such data from full texts with justifiable effort, there must be a potential interest in information about such uncollected data, of which the file-keeping tax office de facto, for reasons of practicability has no current knowledge at all, resign.
... but data in databases ...
96
(3.2.2) On the other hand, the data subject's interest in information with regard to the data recorded in the databases in categorized form only has to take a back seat to a few data categories. The information from database entries is basically easy and can be realized without special technical and organizational effort. In Art. 12 Para. 1, the GDPR imposes on the data processor the obligation to adapt the systems accordingly in order to enable the information.
... with the following restrictions:
97
In the area of assessment data, the right to information about the individual details that the tax office has stored in the database system for processing purposes is directed. In addition to the aggregated calculation bases already shown in the tax assessments, these are also the source or output data stored under “Input Codes”. It is not sufficient for the transparency requirement of the GDPR that the person concerned only receives data calculated and aggregated from this data - as shown in the tax assessment. The person concerned must therefore be given copies of the input data or code numbers for all tax assessments that are not yet formally final or are subject to verification or provisional notice.
98
The claim is basically aimed at information about all data fields that contain specific entries in the case of the person concerned - namely the semantic identifier of the data field and the content of the data field itself. As far as fields with a view to the restrictions (in particular § 32c Para. 1 No 1 AO in conjunction with Section 32a Paragraph 1 No. 1, Paragraph 2 AO) are omitted from the information, this must be indicated and information must be given about the existence of additional fields and the reason for the restriction.
99
For each data field entry, the information must state whether the date was collected from the data subject or otherwise all available information about the origin of the date (Article 15 (1) g GDPR).
100
Specific data transfers to third parties to whom the personal data have been disclosed or will be disclosed must be specifically mentioned in the information (Art. 15 Para. 1 c GDPR).
101
Excluded from the information from the outset, however, are details that the tax office needs to check the truthfulness of the (possibly future) details of the taxpayer or are intended for this purpose, such as control material or traces of suspicion. Here, the interest of the person concerned in “prophylactic” knowledge of the state of knowledge of the tax office must regularly take second place to the goal of securing tax revenue. This is constitutionally unproblematic because such information is to be disclosed to the person concerned at the time of use for taxation purposes and he then has the much more effective legal protection options already mentioned in the "main proceedings" (see already above and BVerfG decision of 10.3.2008 1 BvR 2388/03 , BStBl II 2009, 23). The same applies, for example, to notes on the report on the external audit and the tax investigation check, as well as on the examination of certain facts in future assessments and the data of the "risk management system".
Information only about current periods
102
In the case of data that relates to tax periods that have already been completed and may not be deleted due to statutory retention requirements or, for example, in the case of data in backup files, the interest of the data subject in the information subsides if this data is no longer subject to general access by the tax office employees, i.e. "condensed" or separate Memory areas have been relocated outside of general access. In addition, due to the strong procedural position of the taxpayer, they usually have knowledge of the taxation data from past periods, so that this "old data" is usually excluded from the information even without special compression.
No information about processing notes
103
The interest of the person concerned in information regarding processing notes, notes preparing for a decision and drafts, as well as the data contained in letters from the tax office - this information is particularly important to the plaintiff - takes a back seat to the interests of the tax office in the event of a dispute. These processing notes are already subject - insofar as they are handwritten on paper documents - to the assessment of the tax file content as unstructured, unraised data under (3.2.1). As a rule, these processing notes prepare the decision of the tax office and document it. As a result, they often have the character of a "legal analysis" within the meaning of ECJ case law. The taxpayer receives the processing result by way of the tax assessment notice with the effective legal protection options opened up against this in the main proceedings. The data blended with the legal analysis and internal process control instructions come from other sources - mostly from declarations made by the taxpayer himself. Given this, the effort of manually digging out all of these notes contained in the paper files, separating the data from the legal analysis and process control instructions, is in disproportionate to the taxpayer's interest in knowing the content of these notes.
104
Conflicting data secrecy rights of the processors must also be included in the weighing of interests, as must the freedom in internal opinion-forming and decision-making that is required for a functioning administration. Processing for other purposes is ruled out by tax secrecy and the high level of technical and organizational measures taken by the tax authorities based on this.
105
As soon as conclusions in administrative action are drawn from these notes or information, it is up to the person called upon to make an administrative decision to extract (“raise”) the now relevant data. This data, which is then recorded in the databases or tax calculation programs and intended for processing, is then subject to information about the input data for the tax assessments. Since this is associated with the notification to the person concerned as part of the justification of the tax assessment or the granting of a factual and legal hearing, the person concerned can subsequently sufficiently protect his rights in the opinion of the sentencing Senate. In the case of the alleged violations of proper file management (page 2 of the statement of claim: removing applications from the file, "wrong" file notes in terms of content, non-inclusion of evidence), the plaintiff has the option of taking action against the alleged - then of course to be substantiated - to act on decisions made about violations. However, the decision on this must be made in the respective "main proceedings" via the respective tax assessment. The decision as to which taxation facts are to be taken as a basis there cannot be anticipated within the framework of the data protection examination.
f. Application of the principles of law to the dispute
106
In accordance with the above legal principles, the plaintiff from the GDPR has no right to inspect the files (1). The tax office fulfilled its right to information by providing copies of the data before the court and additionally during the oral hearing (2).
Unsuccessful action for file copy
107
(1) The claim is unsuccessful in the most extensive request in terms of content, insofar as the plaintiff ultimately requests access to the files (in the form of the provision of a copy) or a substantive notification of all individual information contained in the unstructured correspondence of the files (...).
108
Insofar as § 32c Para. 3 AO also enables information about individual data within the file, its requirements are not met. The purpose of the provision is to also provide information about data in the files that need to be specified in more detail, weighing up the information interest of the person concerned against the effort involved in searching. In the case of a dispute, there is no such specific request; rather, the plaintiff demands full inspection of the files in order to investigate existing deficits in the management of the files, in his opinion. In doing so, he misjudges the character of the right to information under data protection law. It does not serve to ensure that the person entitled to information elevates himself to the file auditor of the administration. It is not enough to shift the weights in the balancing of interests that the plaintiff - ultimately unsubstantiated - attacks the entire file management of the tax office.
109
In the oral hearing, the plaintiff only made his request more precise, even after the court had asked, by providing an overview of the historical changes in the decision and how the estimates came about. The first-mentioned overview would first have to be created by the tax office, so it is not something that information could simply be given about. However, only existing individual information is subject to the right to information. The person responsible is not obliged to manually create complex overviews. The estimates are based on the information provided by the plaintiff or his wife and are explained in the justifications for the notices. In view of the plaintiff's massive violation of his duty to declare (no tax returns for years), his interest in data protection information without cause must take a back seat to the tax office's interest in avoiding considerable effort for additional lists or explanations - which in turn have to be newly created. At least as long as he does not use the possibility of making a correction by submitting a declaration in the taxation procedure.
110
Insofar as the plaintiff alleges false suspicions, falsification of files and embezzlement, as well as allegations of violations of regulations on file management, this cannot help the plaintiff's request in the information procedure to be successful. It is not clear what these allegations are supposed to have to do with a request for data protection information. According to the information provided by the plaintiff, the public prosecutor's office has already investigated these allegations, just not with the result desired by the plaintiff. According to the plaintiff, the facts were also examined from the point of view of service law as part of a supervisory complaint. It is not clear on what legal basis these allegations would have to be examined again within the framework of the right to information. Because the alleged violations of regulations on file management initially only affected objective administrative law. Subjective claims of citizens are fundamentally not granted by the regulations on file management. At best, reflexes could arise in the specific taxation procedure, such as the reversal of the burden of proof mentioned by the plaintiff in the event that the files were not suitable as evidence. However, the specific taxation procedures are not the subject of the present action for information.
111
Insofar as the plaintiff wishes to derive a general right of access to files that is independent of specific administrative processes from Art. 41 (2) EU Charter of Fundamental Rights (EU-GrCH) in conjunction with Art. 15 GDPR, the lawsuit is also unsuccessful. According to Art. 51 EU-GrCH, this provision only applies to the implementation of Union law, but not of the law of the member state. In the context of the dispute, the provision therefore guarantees at best access to the file on the processing of the request for information under data protection law, i.e. the request itself and its rejection, as well as the correspondence issued in this regard. However, insight into this process is clearly not the aim of the lawsuit.
112
However, as already explained, no right to inspect administrative documents can be derived from Art. 15 GDPR itself.
113
This does not mean that the plaintiff would be placed without rights. Rather, he is free to have his allegations against the tax office's handling of the matter - in particular the keeping of files - reviewed within the scope of appeals against the tax assessments, insofar as they should have an adverse effect there. According to his presentation, this has already taken place or is in progress. In accordance with the rules of procedure, he is also entitled to the right under § 364 AO and, above all, at the latest in legal proceedings against the respective tax assessment, a right to inspect the files relating to the specific dispute.
Claim for information otherwise fulfilled
114
(2) The plaintiff’s right to information was fulfilled by the tax office in compliance with the restrictions of Art. 15 GDPR and §§ 32a et seq. AO with the information by handing over the further copies of data in the oral hearing and has thus expired.
115
(2.1) The plaintiff has already received a copy of the basic data before the court by sending the "Basic data overview" and an "eData overview". In this regard, the tax office has stated unchallenged that it - like apparently every citizen - can inspect the e-data itself, i.e. the data actually transmitted to the tax office by health insurance companies, for example, in the Elster portal. This determination of the form of inspection by granting online access satisfies the requirements of § 32d Para. 1 AO. In the opinion of the adjudicating Senate, the right to a copy of the data in Art. 15 (3) GDPR does not require the copy to be embodied on paper. It is also sufficient if the person concerned is able to create a copy himself due to the granted online access.
116
The tax office submitted the "incoming monitoring of individual cases" in the course of the lawsuit, as well as the "information about electronic declarations in the area of assessment".
117
The information from the "Bp information" area was provided by the tax office in the course of the lawsuit to the effect that the plaintiff's business was stored as a "small business". The fact that it refuses to provide information about other data fields in this area is justified in view of the limitation of the right to information by Section 32c Paragraph 1 No. 1 AO in conjunction with Section 32a Paragraph 1 No. 1, Paragraph 2 AO, since this information is typically used for future audit purposes are stored and knowledge of which could enable the person concerned or third parties to conceal tax-relevant facts (1.a), to cover tax-relevant traces (1.b) or the type and scope of the fulfillment of tax cooperation obligations on the state of knowledge of the tax authorities (1.c), or allow conclusions to be drawn about the design of automated risk management systems or planned control or auditing measures (2.) and thus make it much more difficult to uncover tax-related facts. In this respect, a certain information advantage for the tax office is legally permitted for the purpose of ensuring correct taxation. The same applies to the “Risk Management System” data sheet.
118
With regard to the data field "Employer card information", the tax office provided information in the course of the lawsuit to the effect that the employer signal had been deleted since July 1, 2010.
119
At the oral hearing, the tax office presented “assessment information” (“assessment information”) from 2009, as well as an up-to-date “survey overview” (“residue information in plain text form”), as well as overviews of the contents of the “legal remedies database”.
120
In addition, the plaintiff has already received pre-trial printouts of all tax assessments since 2009 (see letter of November 5th, 2019). The further existing right to a copy of all input data used for the tax calculation was fulfilled by handing over the relevant copies ("information on notification data") in the oral hearing. In terms of time, the information on tax assessments that are not yet formally final, that are still subject to review or a provisional note, as well as those assessments for which the person concerned has presented intended legal remedies, was sufficient. With a view to the interests of both parties, it is also sufficient that only the data of the last change notices - currently on which the taxation is based - have been communicated.
121
With this information in its entirety, the tax office has fulfilled the plaintiff's right to information, whereby in the case of dispute it can be left open whether, according to the above, each individual date communicated was covered by the plaintiff's right to information. The information and also the explanations of the tax office on the structure of the data corresponded to the transparency requirement of the GDPR in any case after the supplements in the oral hearing.
122
(2.2) With regard to the "assessment-related data", the tax office has presented a field overview and thus satisfies the transparency requirement. If the tax office refuses to provide individual information from this area, this is justified in view of the restrictions on the right to information. In the corresponding balancing of interests, the fact that the plaintiff had not submitted any tax returns for years and that there is therefore a particular risk that he based his declaration behavior on the state of knowledge of the tax office had to be added to the detriment of the plaintiff.
123
Insofar as the plaintiff pursues the goal of "discovering discrepancies in the cash management" in his request for information, he can apply for a settlement notice for this purpose. In this respect, the plaintiff is not complained because, as the tax office has stated without being contradicted, the tax office inquired about the plaintiff's application and sent an account statement to the plaintiff from 2009 onwards. After the plaintiff had not reacted further to the contact attempts by the tax office, the latter could assume that the plaintiff's interest in information had thus been fulfilled. In the oral hearing, the plaintiff no longer complained about any deficits in this regard.
124
Insofar as the plaintiff requests information about the files and data of the penalty and fine office in his last brief, the application is in vain, since the defendant tax office does not have such an office. He also no longer explicitly maintained this request in the oral hearing.
125
Insofar as the tax office has not provided any specific information regarding the information pursuant to Art. 15 Para. 1 g and c GDPR, the court considers the abstract information in the information letter from the tax authorities entitled "General information on the implementation of the data protection requirements of Art. 12 to 14 DSGVO in the tax administration" in the version of October 20, 2020, which was left to the plaintiff and is published on the website of the tax office, as sufficient. Information about the origin of the data is not systematically noted in the databases, as evidenced by the printouts provided, so that specific information on this is not possible in individual cases. In this case, the abstract information in the information letter must suffice. Disclosures to third parties are not evident.
126
7. The revision is allowed according to § 115 Abs. 2 Nr. 1 und 2 FGO, (...).
127
After its decision (FG Munich, court order dated July 23, 2021, 15 K 81/21, EFG 2021, 1789), the Senate again affirmed the applicability of the GDPR in the area of direct tax administration (unlike FG Lower Saxony, judgment of January 28, 2020 12 K 213/19, EFG 2020, 665, revision pending at the BFH under II R 15/20).
128
In the case of a dispute, it was then necessary to determine which data from the taxation procedure constitutes "personal data" and to what extent these fall within the scope of the GDPR with regard to their manual and automated processing. With a view to the restrictions in the AO, the specific scope of the right to information had to be determined, especially whether it includes a right to inspect files.
II. Decision of the Court
129
In its landmark decision, the court clarified essential questions regarding the data protection right to information from the tax office.
130
After it again affirmed the applicability of the GDPR in the area of tax administration in the administration of all taxes (cf. FG Munich, court decision of July 23, 2021 15 K 81/21, EFG 2021, 1789), the question of the specific scope had to be addressed of the right to information. It adopts the ECJ's broad interpretation that almost any piece of information is "personal data", whether contained in a full-text document in a paper file or in a database. In order to create a personal reference, it is sufficient to include it in the file or data set maintained for the taxpayer.
131
For the first time, the court has expressed its opinion on the question of whether data contained in a document or full text (in the file) also fulfill the characteristic of the at least intended "storage in a file system". It denies this with differentiated application of the case law of the ECJ to the special features of an extensive file system and an interpretation of the GDPR based on the materials of the EU legislator. Accordingly, the right to information does not include inspection of the file or a copy of the letter contained in the file.
132
With regard to the extensive information contained in databases, the court affirmed the right to information. It determined the scope of this bound claim, which was not subject to the discretion of the administration, using the restrictions standardized in §§ 32a to 32c AO, differentiated for the various contents of the databases.
III. Classification and appreciation of the decision
133
In its landmark decision, the court has taken a position, in some cases for the first time, on crucial aspects of the right to information under the GDPR in the area of tax administration. This is to be welcomed because the transparency requirement under data protection law on the one hand and the knowledge advantage that the legislator grants tax supervision on the other represent opposing principles that are difficult to reconcile. As a result, there is a great deal of uncertainty in this area. Accordingly, it is to be expected that other courts will deal with the decision, which is reasoned in detail, and may also come to different conclusions. A final clarification should only bring a decision by the BFH. Until then, the tax offices will at least have an orientation with the judgment as to how requests for information can be answered under the validity of the GDPR. Those affected can more easily assess whether a request for information promises to be successful.
IV. Notes for practice
134
As long as the BFH has not made a decision, the question of the applicability of the GDPR to the administration of direct taxes must be regarded as open even after the report decision has been made. With regard to the other decided questions, the judgment offers an initial orientation. At the same time, in view of the fact that the case law on individual questions is also different with regard to the other questions, it cannot be ruled out that other courts will answer them differently.
