UOOU (Slovakia) - Opinion of 24 August 2021 - FATCA

From GDPRhub
UOOU - Opinion of 24 August 2021 - FATCA
LogoSK.png
Authority: UOOU (Slovakia)
Jurisdiction: Slovakia
Relevant Law: Article 45 GDPR
Article 46 GDPR
Agreement between the United States of America and the Slovak Republic to Improve International Tax Compliance and to Implement FATCA
Type: Advisory Opinion
Outcome: n/a
Started: 22.07.2021
Decided: 24.08.2021
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: Opinion of 24 August 2021 - FATCA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Slovak
Original Source: UOOU (in SK)
Initial Contributor: n/a

The Slovak DPA issued an Opinion condemning a Slovak-US tax information exchange Agreement, related to the implementation of FATCA, for not complying with the GDPR data transfer requirements.

English Summary

Facts

In 2021, the Slovak DPA was requested by the Ministry of Finance (the controller) to carry out an assessment on the GDPR compliance of the Agreement between the Slovak Republic and the United States of America (US) on the implementation of the Foreign Account Tax Compliance Act (FATCA). As a tax information exchange system, FATCA requires foreign financial institutions, such as banks, to report to the US tax authorities the data of persons located outside the US who are considered to be subject to taxation in the US, for example, due to dual nationality.

The Opinion makes reference to the EDPB Statement No 04/2021.

Holding

First, the DPA identified provisions of the Agreement, which relate to personal data processing. In this regard, Annex 1 sets out the categories of personal data to be processed, including name, address, nationality and account balance, but there are no provisions on the protection of personal data.

Second, the DPA looked closely at the data transfer system under the Agreement. It recalled that in order for a personal data transfer to a third country to be lawful, it needs to have a valid legal basis under Chapter V of the GDPR. It pointed out that there was a discrepancy between the intended objective of the legislator to legalise transfers to the US, as stated in the Agreement, and the conditions laid down in the GDPR. A mere declaration in the law is not sufficient to make the transfer comply with the GDPR. In this regard, the DPA noted that, specifically for transfers to the US, there is no adequacy decision within the meaning of Article 45 GDPR since the Court of Justice of the EU invalidated the Privacy Shield in its judgement C-311/18. Therefore, other transfer mechanisms should be used, for example, under Article 46 GDPR. These, however, also should offer an adequate level of data protection. In this regard, the Slovak DPA referred to the EDPB Guidelines No 2/2020, which contain minimum safegaurds for a transfer of personal data to be lawful. These safeguards include, among others, compliance with data processing principles and data subject rights as well as ensuring that there are independet supervision mechanisms in the third country.

The DPA concluded, in light of the case law and the EDPB Guidelines, that the Slovak-US Agreement does not contain even the minimum safeguards to transfer personal data to third countries. It further noted that the issue of transferring tax data to the US is not a matter exclusively concerning the Slovak Republic. Considering that similar agreements exist between the US and other Member States, the DPA reserved the right to propose to the controller a consultation with other countries and the possibility of setting up a pan-European working group or submitting the matter to the EDPB.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovak original. Please refer to the Slovak original for more details.

                                                                         DOWNLOADED

                                                                                DNA:

                                                                             2 I 08, 2021

                                                                                                           Dear Madam


                                                                                                                director

                                                                                                   Department of Direct

                                                                                              Taxes Ministry of Finance
                                                                                     Stefanovicova 5 817 82 Bratislava







                  Your letter number/bottomOur   number                    Equipped by/line             Bratislava
                                               MF/0117/2021-                            /40             23.08.2021
                  72400390/21-OP-l


             Thing

Request for an assessment of the sufficiency of the legal framework of international treaties on the exchange of tax
information in terms of the requirements for the protection of personal data under the GDPR Regulation, with

reference to the European Data Protection Board's Statement No 04/2021


           Madam Director,


                   The Department of Legal Services of the Office for the Protection of Personal Data of the Slovak Republic

           (hereinafter referred to as the Office) received on 22.07.2021 a request for an assessment of the sufficiency of the

           legal regulation of international treaties in the field of exchange of tax information in terms of the requirements for
           the protection of personal data under the GDPR Regulation with reference to the European Data Protection

           Board's Declaration No. 04/2021.



               The Office has carried out an analysis, assessed the contracts submitted and wishes to submit the following:b) Opinion on the Agreement between the Slovak Republic and the United States of America

    on the improvement of the implementation of international regulations in the area of? dans'

    and for the implementation of the FATCA Act (published in the Collection of Laws under the

    number of Announcement 48/2016 Coll.)


            The Office has identified several provisions related to personal data in that agreement. The
    scope of the data to be processed is contained in the agreement, incl. 2, which lists the personal

    data to be transferred to the USA. The personal data to be processed are also set out, for example,

    in Annex 1. However, despite the large number of data processed, the Office has not identified any
    provisions in the agreement that address the protection of personal data.



            In the case of transfers to this country, the persons concerned are most likely to be
    monitored by public authorities and the Office therefore considers it relevant to refer also to the

    EDPS's recommendations for additional measures.


            For   now,    we    bring   to  your    attention  the   EDPB's     position   on   FATCA:

    https://edpb.europa.eu/sites/default/files/files/filel/edpb-2019-02-12-25-

   fatca statement en.pdf and also a letter from the EDPB to Sophie in 't Veld: .
   https://edpb.europa.eu/svstem/files/2021-07/edpb letter out2021-

    6119 intveld igas.pdf, which mentions FATCA.


            Act No. 359/2015 Coll. on automatic exchange of information on financial accounts for the

    purposes of tax administration and on amendment and supplementation of certain acts contains
    §19, according to which:



            (1) The reporting financial institution, the Slovak reporting financial institution and the
            competent authority of the Slovak Republic shall be regarded for the purposes of this Act

            as the predddzkovatel'd, whose rights, duties and responsibilities in the processing of

            personal data are laid down by a special regulation.


            (2) Personal data shall be processed for the purpose of providing information on financial

            accounts to the Member State of tax residence of the natural person, the Contracting State
            of tax residence of the natural person and the United States of America for the purpose of

            making an appropriate assessment of tax liability. The scope of the personal data to be

            processed is set out in § 8a 13.            (3) The reporting financial institution and the Slovak reporting financial institution shall process

            the data referred to in §§ 8 and 13 for the purposes of this Act and the FATCA Agreement for
            ten years from the end of the calendar year in which the data were collected pursuant to §§ 9

            and 14.


            Notwithstanding the express mention of the United States of America in paragraph 2 of that

   provision, the Office considers that it is necessary for the lawful transfer of personal data to the United

   States of America to fulfil one of the conditions of Chapter V of the General Data Protection Regulation.
   The Office wishes to point out the discrepancy between the intended objective of the legislator (to

   legalise the transfer to the USA as stated in the law) and the conditions laid down in Chapter V of the

   General Data Protection Regulation. The mere declaration in the law is not sufficient to make the transfer

   valid under the requirements of the secondary law of the European Union.


            In this connection, we refer to the judgment of the Court of Justice of the European Union in
   Case C-378/17, paragraph 38, according to which "the obligation to maintain national provisions which

   are contrary to the EU law, is applicable not only to the domestic courts but also to all the national

   authorities, including the judicial authorities, whose task it is to apply, in the exercise of their respective
   powers, the European Union's farthest right. In the light of that judgment, an administrative authority may

   also refrain from applying a national law which is contrary to European law, irrespective of whether or

   not there is a decision on the invalidity of the national provision given by the competent authority.


c) Requirements for the lawfulness of transfers to third countries under the General Data

    Protection Regulation


            In order for the transfer of personal data to third countries to be lawful, some of the conditions

   set out in Chapter V of the General Data Protection Regulation must be fulfilled. One of the possibilities
   is the adequacy decision according to Art. 45 of the General Data Protection Regulation. Such a decision

   was also the Privacy Shield decision, which was declared invalid by the Court of Justice of the European

   Union in its decision C-311/18, also known as Schrems II. Another possibility is the fulfilment of certain
   other conditions, e.g. the conclusion of a legally binding and enforceable contract between public

   authorities or public law bodies under Art. 46(2)(a) of the General Data Protection Regulation.


            According to cl. 46 of the General Data Protection Regulation.         1.  In the absence of a decision pursuant to Article 45(3), the transferor or processor may not carry
         out the transfer of personal data to a third country or an international organisation unless the

         transferor or processor has provided adequate safeguards and provided that the persons

         concerned have available to them an adequate and effective remedy.


         2.  The appropriate associations referred to in paragraph 1 may be established, without the
         supervisory authority having to seek any special authorisation, by means of:

         а) the transfer of the official and executable instrument between public authorities or public law

             bodies


         Since the above-mentioned international treaties have been submitted to the Office, we consider

that the supplier intended to transfer personal data on the basis of this provision.


         The European Data Protection Board has issued Guidelines No 2/2020 on Articles 46(2)(a) &

46(3)(b) of the General Data Protection Regulation on the transfer of personal data between the authorities
of the Member States of the European Economic Area and non-member States of the European Economic

Area (hereinafter referred to as Guidelines No 2/2020). The Guidelines No 2/2020 contain minimum

safeguards which the transfer of personal data must meet in order to be lawful.


The minimum guarantees according to Guideline No. 2/2020 include:


         1)  Determination of the purpose and scope of the processing of personal data

         2)  Giving basic definitions
         3) Compliance with the conditions for the protection of personal data (purpose limitation, data

             privacy, data minimisation, data storage minimisation, data security and data confidentiality)

         4) Indication of the rights of the data subjects (right to transparency of processing, access,
             rectification, erasure, restriction of processing, existence of automated decision-making, right

             to a remedy, restrictions on the rights of the data subjects)

         5)  Placing restrictions on transfers (restricting access to public bodies)
         (b) Citlive data

         7)  Remedy mechanism

         8)  Mechanism of supervision                 9) Termination clause



                 Are the above minimum guarantees an indication of the provisions? on the protection of
                 personal data
        the particulars which should be contained in the contract pursuant to cl. 46(2)(a) of the General

        Data Protection Regulation. Incorporation of the provisions! with warranties directly into the text of

        the contract is considered to be the best solution. If this is not possible, the guidelines also allow
        for the option of including a general clause in the contract itself, with the specific warranties being

        set out in an addendum to the contract.

                                                                                                                             jl
     d) Summary



        The Office concludes that the translated international treaties do not contain such a modification.
As we have stated above, the contracts submitted to the Office do not contain even the minimum safeguards

for the transfer of personal data to third countries, or the Office has not identified in the documents submitted

the minimum safeguards which are necessary for the lawfulness of the transfer of personal data to third
countries under Chapter V of the General Data Protection Regulation.


        However, the transferor may also make use of other conditions for the lawfulness of the transfer

under Chapter V of the General Data Protection Regulation. It is up to the transferor to choose these and

to demonstrate their suitability. When setting up the processes for processing personal data, we suggest
that the controller works closely with a responsible person who is familiar with the controller's processing

operations. The Office, as a supervisory authority, provides only general assistance, since, with the

exception of the control of the processing of personal data and the administrative proceedings against the
controller, the Office does not have access to the detailed processes of the processing of personal data by

the controller.


        In conclusion, we would like to point out that the issue of the transfer of tax data to the USA is

certainly not a matter exclusively for the Slovak Republic. This issue is relevant and topical in all countries

where the General Data Protection Regulation is in force, following the invalidation of the Privacy Shield
adequacy decision. As this is a complex matter concerning a number of countries, the Office reserves the

right to propose to the controller to consult with other controllers in the framework of a pan-Europeanworking group, where the controller is represented, or to submit the matter to the European Data Protection

Board via the Pan-European working group, where the controller is represented.


        The aforementioned pan-European co-ordination could, in the matter of the discussion of the above

ropes, in the course of the efforts to supplement the provisions! meeting the conditions of Chapter V of the
General-the data protection regulation to harmonise the established procedure with a uniform result for all states

where the general data protection regulation applies.






     Sincerel
     y




                                                              Mgr. Katarina Vydarena
                                                        Director | Department of Primary
                                                        Services