CJEU Rules on Scope of GDPR for Tax Authority Requests
The provisions of the General Data Protection Regulation (GDPR) do not in principle prevent the tax administration from requiring a service provider on the internet to provide it with information on taxpayers, the CJEU ruled on 24 February 2022 in Case C-175/20. However, such data must comply with the data protection principles laid down in Art. 5(1) GDPR: in particular, the data requests and transfers must be necessary in view of the specific purposes for which the data are collected, and the period of time to which the collection of such data relates must not exceed the duration strictly necessary to achieve the objective. Beyond the specific context at issue (requests by the Latvian tax authority to an online advertisement service regarding second-hand sales of cars), the ruling is of general relevance for the scope of data protection vis-à-vis requests by public authorities.