CJEU Rules on Scope of GDPR for Tax Authority Requests
20 April 2022
2018-Max_Planck_Herr_Wahl_1355_black white_Zuschnitt.jpg Thomas Wahl

The provisions of the General Data Protection Regulation (GDPR) do not in principle prevent the tax administration from requiring a service provider on the internet to provide it with information on taxpayers, the CJEU ruled on 24 February 2022 in Case C-175/20. However, such data must comply with the data protection principles laid down in Art. 5(1) GDPR, in particular the data requests and transfers must be necessary in view of the specific purposes for which they are collected and the period of time to which the collection of such data relates does not exceed the duration strictly necessary to achieve the objective. Beyond the specific context at issue (requests by the Latvian tax authority to an online advertisement service regarding second hand sales of cars), the ruling is of general relevance for the scope of data protection vis-à-vis requests by public authorities.

News Guide

EU Tax Evasion Data Protection


2018-Max_Planck_Herr_Wahl_1355_black white_Zuschnitt.jpg
Thomas Wahl

Max Planck Institute for the Study of Crime, Security and Law (MPI CSL)

Public Law Department

Senior Researcher