UOOU (Slovakia) - Opinion of 24 August 2021 - FATCA
| UOOU - Opinion of 24 August 2021 - FATCA | |
|---|---|
 | |
| Authority: | UOOU (Slovakia) |
| Jurisdiction: | Slovakia |
| Relevant Law: | Article 45 GDPR Article 46 GDPR Agreement between the United States of America and the Slovak Republic to Improve International Tax Compliance and to Implement FATCA |
| Type: | Advisory Opinion |
| Outcome: | n/a |
| Started: | 22.07.2021 |
| Decided: | 24.08.2021 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | Opinion of 24 August 2021 - FATCA |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Slovak |
| Original Source: | UOOU (in SK) |
| Initial Contributor: | n/a |
The Slovak DPA issued an Opinion condemning a Slovak-US tax information exchange Agreement, related to the implementation of FATCA, for not complying with the GDPR data transfer requirements.
English Summary
Facts
In 2021, the Slovak DPA was requested by the Ministry of Finance (the controller) to carry out an assessment on the GDPR compliance of the Agreement between the Slovak Republic and the United States of America (US) on the implementation of the Foreign Account Tax Compliance Act (FATCA). As a tax information exchange system, FATCA requires foreign financial institutions, such as banks, to report to the US tax authorities the data of persons located outside the US who are considered to be subject to taxation in the US, for example, due to dual nationality.
The Opinion makes reference to the EDPB Statement No 04/2021.
Holding
First, the DPA identified provisions of the Agreement, which relate to personal data processing. In this regard, Annex 1 sets out the categories of personal data to be processed, including name, address, nationality and account balance, but there are no provisions on the protection of personal data.
Second, the DPA looked closely at the data transfer system under the Agreement. It recalled that in order for a personal data transfer to a third country to be lawful, it needs to have a valid legal basis under Chapter V of the GDPR. It pointed out that there was a discrepancy between the intended objective of the legislator to legalise transfers to the US, as stated in the Agreement, and the conditions laid down in the GDPR. A mere declaration in the law is not sufficient to make the transfer comply with the GDPR. In this regard, the DPA noted that, specifically for transfers to the US, there is no adequacy decision within the meaning of Article 45 GDPR since the Court of Justice of the EU invalidated the Privacy Shield in its judgement C-311/18. Therefore, other transfer mechanisms should be used, for example, under Article 46 GDPR. These, however, also should offer an adequate level of data protection. In this regard, the Slovak DPA referred to the EDPB Guidelines No 2/2020, which contain minimum safegaurds for a transfer of personal data to be lawful. These safeguards include, among others, compliance with data processing principles and data subject rights as well as ensuring that there are independet supervision mechanisms in the third country.
The DPA concluded, in light of the case law and the EDPB Guidelines, that the Slovak-US Agreement does not contain even the minimum safeguards to transfer personal data to third countries. It further noted that the issue of transferring tax data to the US is not a matter exclusively concerning the Slovak Republic. Considering that similar agreements exist between the US and other Member States, the DPA reserved the right to propose to the controller a consultation with other countries and the possibility of setting up a pan-European working group or submitting the matter to the EDPB.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Slovak original. Please refer to the Slovak original for more details.
DOWNLOADED
DNA:
2 I 08, 2021
Dear Madam
director
Department of Direct
Taxes Ministry of Finance
Stefanovicova 5 817 82 Bratislava
Your letter number/bottomOur number Equipped by/line Bratislava
MF/0117/2021- /40 23.08.2021
72400390/21-OP-l
Thing
Request for an assessment of the sufficiency of the legal framework of international treaties on the exchange of tax
information in terms of the requirements for the protection of personal data under the GDPR Regulation, with
reference to the European Data Protection Board's Statement No 04/2021
Madam Director,
The Department of Legal Services of the Office for the Protection of Personal Data of the Slovak Republic
(hereinafter referred to as the Office) received on 22.07.2021 a request for an assessment of the sufficiency of the
legal regulation of international treaties in the field of exchange of tax information in terms of the requirements for
the protection of personal data under the GDPR Regulation with reference to the European Data Protection
Board's Declaration No. 04/2021.
The Office has carried out an analysis, assessed the contracts submitted and wishes to submit the following:b) Opinion on the Agreement between the Slovak Republic and the United States of America
on the improvement of the implementation of international regulations in the area of? dans'
and for the implementation of the FATCA Act (published in the Collection of Laws under the
number of Announcement 48/2016 Coll.)
The Office has identified several provisions related to personal data in that agreement. The
scope of the data to be processed is contained in the agreement, incl. 2, which lists the personal
data to be transferred to the USA. The personal data to be processed are also set out, for example,
in Annex 1. However, despite the large number of data processed, the Office has not identified any
provisions in the agreement that address the protection of personal data.
In the case of transfers to this country, the persons concerned are most likely to be
monitored by public authorities and the Office therefore considers it relevant to refer also to the
EDPS's recommendations for additional measures.
For now, we bring to your attention the EDPB's position on FATCA:
https://edpb.europa.eu/sites/default/files/files/filel/edpb-2019-02-12-25-
fatca statement en.pdf and also a letter from the EDPB to Sophie in 't Veld: .
https://edpb.europa.eu/svstem/files/2021-07/edpb letter out2021-
6119 intveld igas.pdf, which mentions FATCA.
Act No. 359/2015 Coll. on automatic exchange of information on financial accounts for the
purposes of tax administration and on amendment and supplementation of certain acts contains
§19, according to which:
(1) The reporting financial institution, the Slovak reporting financial institution and the
competent authority of the Slovak Republic shall be regarded for the purposes of this Act
as the predddzkovatel'd, whose rights, duties and responsibilities in the processing of
personal data are laid down by a special regulation.
(2) Personal data shall be processed for the purpose of providing information on financial
accounts to the Member State of tax residence of the natural person, the Contracting State
of tax residence of the natural person and the United States of America for the purpose of
making an appropriate assessment of tax liability. The scope of the personal data to be
processed is set out in § 8a 13. (3) The reporting financial institution and the Slovak reporting financial institution shall process
the data referred to in §§ 8 and 13 for the purposes of this Act and the FATCA Agreement for
ten years from the end of the calendar year in which the data were collected pursuant to §§ 9
and 14.
Notwithstanding the express mention of the United States of America in paragraph 2 of that
provision, the Office considers that it is necessary for the lawful transfer of personal data to the United
States of America to fulfil one of the conditions of Chapter V of the General Data Protection Regulation.
The Office wishes to point out the discrepancy between the intended objective of the legislator (to
legalise the transfer to the USA as stated in the law) and the conditions laid down in Chapter V of the
General Data Protection Regulation. The mere declaration in the law is not sufficient to make the transfer
valid under the requirements of the secondary law of the European Union.
In this connection, we refer to the judgment of the Court of Justice of the European Union in
Case C-378/17, paragraph 38, according to which "the obligation to maintain national provisions which
are contrary to the EU law, is applicable not only to the domestic courts but also to all the national
authorities, including the judicial authorities, whose task it is to apply, in the exercise of their respective
powers, the European Union's farthest right. In the light of that judgment, an administrative authority may
also refrain from applying a national law which is contrary to European law, irrespective of whether or
not there is a decision on the invalidity of the national provision given by the competent authority.
c) Requirements for the lawfulness of transfers to third countries under the General Data
Protection Regulation
In order for the transfer of personal data to third countries to be lawful, some of the conditions
set out in Chapter V of the General Data Protection Regulation must be fulfilled. One of the possibilities
is the adequacy decision according to Art. 45 of the General Data Protection Regulation. Such a decision
was also the Privacy Shield decision, which was declared invalid by the Court of Justice of the European
Union in its decision C-311/18, also known as Schrems II. Another possibility is the fulfilment of certain
other conditions, e.g. the conclusion of a legally binding and enforceable contract between public
authorities or public law bodies under Art. 46(2)(a) of the General Data Protection Regulation.
According to cl. 46 of the General Data Protection Regulation. 1. In the absence of a decision pursuant to Article 45(3), the transferor or processor may not carry
out the transfer of personal data to a third country or an international organisation unless the
transferor or processor has provided adequate safeguards and provided that the persons
concerned have available to them an adequate and effective remedy.
2. The appropriate associations referred to in paragraph 1 may be established, without the
supervisory authority having to seek any special authorisation, by means of:
а) the transfer of the official and executable instrument between public authorities or public law
bodies
Since the above-mentioned international treaties have been submitted to the Office, we consider
that the supplier intended to transfer personal data on the basis of this provision.
The European Data Protection Board has issued Guidelines No 2/2020 on Articles 46(2)(a) &
46(3)(b) of the General Data Protection Regulation on the transfer of personal data between the authorities
of the Member States of the European Economic Area and non-member States of the European Economic
Area (hereinafter referred to as Guidelines No 2/2020). The Guidelines No 2/2020 contain minimum
safeguards which the transfer of personal data must meet in order to be lawful.
The minimum guarantees according to Guideline No. 2/2020 include:
1) Determination of the purpose and scope of the processing of personal data
2) Giving basic definitions
3) Compliance with the conditions for the protection of personal data (purpose limitation, data
privacy, data minimisation, data storage minimisation, data security and data confidentiality)
4) Indication of the rights of the data subjects (right to transparency of processing, access,
rectification, erasure, restriction of processing, existence of automated decision-making, right
to a remedy, restrictions on the rights of the data subjects)
5) Placing restrictions on transfers (restricting access to public bodies)
(b) Citlive data
7) Remedy mechanism
8) Mechanism of supervision 9) Termination clause
Are the above minimum guarantees an indication of the provisions? on the protection of
personal data
the particulars which should be contained in the contract pursuant to cl. 46(2)(a) of the General
Data Protection Regulation. Incorporation of the provisions! with warranties directly into the text of
the contract is considered to be the best solution. If this is not possible, the guidelines also allow
for the option of including a general clause in the contract itself, with the specific warranties being
set out in an addendum to the contract.
jl
d) Summary
The Office concludes that the translated international treaties do not contain such a modification.
As we have stated above, the contracts submitted to the Office do not contain even the minimum safeguards
for the transfer of personal data to third countries, or the Office has not identified in the documents submitted
the minimum safeguards which are necessary for the lawfulness of the transfer of personal data to third
countries under Chapter V of the General Data Protection Regulation.
However, the transferor may also make use of other conditions for the lawfulness of the transfer
under Chapter V of the General Data Protection Regulation. It is up to the transferor to choose these and
to demonstrate their suitability. When setting up the processes for processing personal data, we suggest
that the controller works closely with a responsible person who is familiar with the controller's processing
operations. The Office, as a supervisory authority, provides only general assistance, since, with the
exception of the control of the processing of personal data and the administrative proceedings against the
controller, the Office does not have access to the detailed processes of the processing of personal data by
the controller.
In conclusion, we would like to point out that the issue of the transfer of tax data to the USA is
certainly not a matter exclusively for the Slovak Republic. This issue is relevant and topical in all countries
where the General Data Protection Regulation is in force, following the invalidation of the Privacy Shield
adequacy decision. As this is a complex matter concerning a number of countries, the Office reserves the
right to propose to the controller to consult with other controllers in the framework of a pan-Europeanworking group, where the controller is represented, or to submit the matter to the European Data Protection
Board via the Pan-European working group, where the controller is represented.
The aforementioned pan-European co-ordination could, in the matter of the discussion of the above
ropes, in the course of the efforts to supplement the provisions! meeting the conditions of Chapter V of the
General-the data protection regulation to harmonise the established procedure with a uniform result for all states
where the general data protection regulation applies.
Sincerel
y
Mgr. Katarina Vydarena
Director | Department of Primary
Services
