In a new decision in the matter of C-175/20, the European Court of Justice considered the Latvian tax authorities’ very broad requests for information from private undertakings. The European Court of Justice interpreted the data minimisation principle in Article 5 of the GDPR.
On 28 August 2018, an Internet portal for car sales in Latvia received an inquiry from the national tax authorities. The tax authorities asked the portal to restore the authorities’ access to information about all vehicle identification numbers on the portal and requested information about all adverts inserted in the period 14 July - 31 August 2018 in the box “Passenger cars”. The tax authorities set the time limit to comply with the request at 3 September 2018.
The requested information was i.a. a link to the actual advert, the text of the advert, the make of the car, the model, the vehicle identification number and the price of the car and the seller's telephone number. This information was to be submitted in a format enabling the authority to filter or select the information. The purpose was tax control.
If access to the information in adverts published on the Internet portal had been deleted and could not be restored, the company was requested to state the reason and no later than the third day of each month forward the information regarding the adverts inserted the preceding month.
The company behind the Internet portal complained about the request to the management of the tax authority which decided on the matter to its own advantage as there was authority in legislation to request the information. Thereafter, the company brought the matter before an administrative tribunal which also found in favour of the tax authority, and in the appeal court of the administrative tribunal, a number of preliminary questions were submitted to the European Court of Justice
The European Court of Justice has now decided on the matter and has stated that the tax authority's collection of information is covered by the GDPR, including Article 5 on data minimisation and proportionality, even though there is authority in tax legislation to request the collection.
The European Court of Justice found that the authority may not collect personal data in general and undifferentiated, and that the authority shall refrain from collecting information which is not strictly necessary for safeguarding the purposes of the processing. The tax authorities may also only collect information for a period that does not exceed a duration which is strictly necessary for safeguarding the purpose.
Finally, the European Court of Justice found that authority in tax legislation could not involve a departure from the principle in Article 5 if not separately adopted in accordance with the possibilities of making an exemption under Article 23 of the GDPR.
The European Court of Justice thereafter left it to the national administrative tribunal in Latvia to review whether the collection is delimited correctly by the local tax authorities based on these guidelines.
Would you like to know more?
The full judgment can be read in Danish here.