To what extent must tax authorities comply with the General Data Protection Regulation? Preliminary ruling pending before Court of Justice
In SIA SS v Valsts ieņēmumu dienests (C-175/20) the Latvian Administrative Court of Appeal has referred nine questions seeking clarification on the application of the General Data Protection Regulation (GDPR) 2016/679 in the context of tax authorities requesting information.
It asks if the GDPR must be complied with when a tax authority makes a request for information containing a considerable amount of personal data, and more specific questions such as if there is an exemption to the former, namely under Article 5(1) of the GDPR (if national law does not provide such an exemption), as well as whether there are legitimate objectives justifying the obligation to provide all the data requested:
- when there is no limit to how much data should be provided, nor for how long, and where there is no expiry date for the fulfilment of the request;
- even if the request for information does not (fully) specify the purpose for that disclosure;
- where the request relates to ‘absolutely all data subjects who have published advertisements’ in a specific section of a portal.
The referring court also asks what criteria to apply to a tax authority acting as controller to ensure that data processing carried out complies with the GDPR, what criteria applies to verify whether the request for information is ‘duly reasoned and occasional’, the criteria that should be applied to verify that personal data are being processed ‘to the extent necessary’ and ‘in a manner compatible with’ the GDPR, in particular in accordance with the requirements laid down in Article 5(1) of the GDPR.
Read the questions in full, as published in the Official Journal, here.