UOOU (Slovakia) - Opinion of 24 August 2021 - FATCA
|UOOU - Opinion of 24 August 2021 - FATCA|
|Relevant Law:||Article 45 GDPR|
Article 46 GDPR
Agreement between the United States of America and the Slovak Republic to Improve International Tax Compliance and to Implement FATCA
|National Case Number/Name:||Opinion of 24 August 2021 - FATCA|
|European Case Law Identifier:||n/a|
|Original Source:||UOOU (in SK)|
The Slovak DPA issued an Opinion condemning a Slovak-US tax information exchange Agreement, related to the implementation of FATCA, for not complying with the GDPR data transfer requirements.
English Summary[edit | edit source]
Facts[edit | edit source]
In 2021, the Slovak DPA was requested by the Ministry of Finance (the controller) to carry out an assessment on the GDPR compliance of the Agreement between the Slovak Republic and the United States of America (US) on the implementation of the Foreign Account Tax Compliance Act (FATCA). As a tax information exchange system, FATCA requires foreign financial institutions, such as banks, to report to the US tax authorities the data of persons located outside the US who are considered to be subject to taxation in the US, for example, due to dual nationality.
The Opinion makes reference to the EDPB Statement No 04/2021.
Holding[edit | edit source]
First, the DPA identified provisions of the Agreement, which relate to personal data processing. In this regard, Annex 1 sets out the categories of personal data to be processed, including name, address, nationality and account balance, but there are no provisions on the protection of personal data.
Second, the DPA looked closely at the data transfer system under the Agreement. It recalled that in order for a personal data transfer to a third country to be lawful, it needs to have a valid legal basis under Chapter V of the GDPR. It pointed out that there was a discrepancy between the intended objective of the legislator to legalise transfers to the US, as stated in the Agreement, and the conditions laid down in the GDPR. A mere declaration in the law is not sufficient to make the transfer comply with the GDPR. In this regard, the DPA noted that, specifically for transfers to the US, there is no adequacy decision within the meaning of Article 45 GDPR since the Court of Justice of the EU invalidated the Privacy Shield in its judgement C-311/18. Therefore, other transfer mechanisms should be used, for example, under Article 46 GDPR. These, however, also should offer an adequate level of data protection. In this regard, the Slovak DPA referred to the EDPB Guidelines No 2/2020, which contain minimum safegaurds for a transfer of personal data to be lawful. These safeguards include, among others, compliance with data processing principles and data subject rights as well as ensuring that there are independet supervision mechanisms in the third country.
The DPA concluded, in light of the case law and the EDPB Guidelines, that the Slovak-US Agreement does not contain even the minimum safeguards to transfer personal data to third countries. It further noted that the issue of transferring tax data to the US is not a matter exclusively concerning the Slovak Republic. Considering that similar agreements exist between the US and other Member States, the DPA reserved the right to propose to the controller a consultation with other countries and the possibility of setting up a pan-European working group or submitting the matter to the EDPB.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Slovak original. Please refer to the Slovak original for more details.
DOWNLOADED DNA: 2 I 08, 2021 Dear Madam director Department of Direct Taxes Ministry of Finance Stefanovicova 5 817 82 Bratislava Your letter number/bottomOur number Equipped by/line Bratislava MF/0117/2021- /40 23.08.2021 72400390/21-OP-l Thing Request for an assessment of the sufficiency of the legal framework of international treaties on the exchange of tax information in terms of the requirements for the protection of personal data under the GDPR Regulation, with reference to the European Data Protection Board's Statement No 04/2021 Madam Director, The Department of Legal Services of the Office for the Protection of Personal Data of the Slovak Republic (hereinafter referred to as the Office) received on 22.07.2021 a request for an assessment of the sufficiency of the legal regulation of international treaties in the field of exchange of tax information in terms of the requirements for the protection of personal data under the GDPR Regulation with reference to the European Data Protection Board's Declaration No. 04/2021. The Office has carried out an analysis, assessed the contracts submitted and wishes to submit the following:b) Opinion on the Agreement between the Slovak Republic and the United States of America on the improvement of the implementation of international regulations in the area of? dans' and for the implementation of the FATCA Act (published in the Collection of Laws under the number of Announcement 48/2016 Coll.) The Office has identified several provisions related to personal data in that agreement. The scope of the data to be processed is contained in the agreement, incl. 2, which lists the personal data to be transferred to the USA. The personal data to be processed are also set out, for example, in Annex 1. However, despite the large number of data processed, the Office has not identified any provisions in the agreement that address the protection of personal data. In the case of transfers to this country, the persons concerned are most likely to be monitored by public authorities and the Office therefore considers it relevant to refer also to the EDPS's recommendations for additional measures. For now, we bring to your attention the EDPB's position on FATCA: https://edpb.europa.eu/sites/default/files/files/filel/edpb-2019-02-12-25- fatca statement en.pdf and also a letter from the EDPB to Sophie in 't Veld: . https://edpb.europa.eu/svstem/files/2021-07/edpb letter out2021- 6119 intveld igas.pdf, which mentions FATCA. Act No. 359/2015 Coll. on automatic exchange of information on financial accounts for the purposes of tax administration and on amendment and supplementation of certain acts contains §19, according to which: (1) The reporting financial institution, the Slovak reporting financial institution and the competent authority of the Slovak Republic shall be regarded for the purposes of this Act as the predddzkovatel'd, whose rights, duties and responsibilities in the processing of personal data are laid down by a special regulation. (2) Personal data shall be processed for the purpose of providing information on financial accounts to the Member State of tax residence of the natural person, the Contracting State of tax residence of the natural person and the United States of America for the purpose of making an appropriate assessment of tax liability. The scope of the personal data to be processed is set out in § 8a 13. (3) The reporting financial institution and the Slovak reporting financial institution shall process the data referred to in §§ 8 and 13 for the purposes of this Act and the FATCA Agreement for ten years from the end of the calendar year in which the data were collected pursuant to §§ 9 and 14. Notwithstanding the express mention of the United States of America in paragraph 2 of that provision, the Office considers that it is necessary for the lawful transfer of personal data to the United States of America to fulfil one of the conditions of Chapter V of the General Data Protection Regulation. The Office wishes to point out the discrepancy between the intended objective of the legislator (to legalise the transfer to the USA as stated in the law) and the conditions laid down in Chapter V of the General Data Protection Regulation. The mere declaration in the law is not sufficient to make the transfer valid under the requirements of the secondary law of the European Union. In this connection, we refer to the judgment of the Court of Justice of the European Union in Case C-378/17, paragraph 38, according to which "the obligation to maintain national provisions which are contrary to the EU law, is applicable not only to the domestic courts but also to all the national authorities, including the judicial authorities, whose task it is to apply, in the exercise of their respective powers, the European Union's farthest right. In the light of that judgment, an administrative authority may also refrain from applying a national law which is contrary to European law, irrespective of whether or not there is a decision on the invalidity of the national provision given by the competent authority. c) Requirements for the lawfulness of transfers to third countries under the General Data Protection Regulation In order for the transfer of personal data to third countries to be lawful, some of the conditions set out in Chapter V of the General Data Protection Regulation must be fulfilled. One of the possibilities is the adequacy decision according to Art. 45 of the General Data Protection Regulation. Such a decision was also the Privacy Shield decision, which was declared invalid by the Court of Justice of the European Union in its decision C-311/18, also known as Schrems II. Another possibility is the fulfilment of certain other conditions, e.g. the conclusion of a legally binding and enforceable contract between public authorities or public law bodies under Art. 46(2)(a) of the General Data Protection Regulation. According to cl. 46 of the General Data Protection Regulation. 1. In the absence of a decision pursuant to Article 45(3), the transferor or processor may not carry out the transfer of personal data to a third country or an international organisation unless the transferor or processor has provided adequate safeguards and provided that the persons concerned have available to them an adequate and effective remedy. 2. The appropriate associations referred to in paragraph 1 may be established, without the supervisory authority having to seek any special authorisation, by means of: а) the transfer of the official and executable instrument between public authorities or public law bodies Since the above-mentioned international treaties have been submitted to the Office, we consider that the supplier intended to transfer personal data on the basis of this provision. The European Data Protection Board has issued Guidelines No 2/2020 on Articles 46(2)(a) & 46(3)(b) of the General Data Protection Regulation on the transfer of personal data between the authorities of the Member States of the European Economic Area and non-member States of the European Economic Area (hereinafter referred to as Guidelines No 2/2020). The Guidelines No 2/2020 contain minimum safeguards which the transfer of personal data must meet in order to be lawful. The minimum guarantees according to Guideline No. 2/2020 include: 1) Determination of the purpose and scope of the processing of personal data 2) Giving basic definitions 3) Compliance with the conditions for the protection of personal data (purpose limitation, data privacy, data minimisation, data storage minimisation, data security and data confidentiality) 4) Indication of the rights of the data subjects (right to transparency of processing, access, rectification, erasure, restriction of processing, existence of automated decision-making, right to a remedy, restrictions on the rights of the data subjects) 5) Placing restrictions on transfers (restricting access to public bodies) (b) Citlive data 7) Remedy mechanism 8) Mechanism of supervision 9) Termination clause Are the above minimum guarantees an indication of the provisions? on the protection of personal data the particulars which should be contained in the contract pursuant to cl. 46(2)(a) of the General Data Protection Regulation. Incorporation of the provisions! with warranties directly into the text of the contract is considered to be the best solution. If this is not possible, the guidelines also allow for the option of including a general clause in the contract itself, with the specific warranties being set out in an addendum to the contract. jl d) Summary The Office concludes that the translated international treaties do not contain such a modification. As we have stated above, the contracts submitted to the Office do not contain even the minimum safeguards for the transfer of personal data to third countries, or the Office has not identified in the documents submitted the minimum safeguards which are necessary for the lawfulness of the transfer of personal data to third countries under Chapter V of the General Data Protection Regulation. However, the transferor may also make use of other conditions for the lawfulness of the transfer under Chapter V of the General Data Protection Regulation. It is up to the transferor to choose these and to demonstrate their suitability. When setting up the processes for processing personal data, we suggest that the controller works closely with a responsible person who is familiar with the controller's processing operations. The Office, as a supervisory authority, provides only general assistance, since, with the exception of the control of the processing of personal data and the administrative proceedings against the controller, the Office does not have access to the detailed processes of the processing of personal data by the controller. In conclusion, we would like to point out that the issue of the transfer of tax data to the USA is certainly not a matter exclusively for the Slovak Republic. This issue is relevant and topical in all countries where the General Data Protection Regulation is in force, following the invalidation of the Privacy Shield adequacy decision. As this is a complex matter concerning a number of countries, the Office reserves the right to propose to the controller to consult with other controllers in the framework of a pan-Europeanworking group, where the controller is represented, or to submit the matter to the European Data Protection Board via the Pan-European working group, where the controller is represented. The aforementioned pan-European co-ordination could, in the matter of the discussion of the above ropes, in the course of the efforts to supplement the provisions! meeting the conditions of Chapter V of the General-the data protection regulation to harmonise the established procedure with a uniform result for all states where the general data protection regulation applies. Sincerel y Mgr. Katarina Vydarena Director | Department of Primary Services