Executive Summary
On 8 December 2022, the European Commission issued the package of legislative proposals on VAT
in the Digital Age that consists of: a Proposal for a Council Directive amending Directive
2006/112/EC as regards VAT rules for the digital age; a Proposal for a Council Regulation amending
Regulation (EU) No 904/2010 as regards the VAT administrative cooperation arrangements needed
for the digital age; and a Proposal fora Council Implementing Regulation amending Implementing
Regulation (EU) No 282/2011 as regards information requirements for certain VAT schemes.
The EDPS welcomes the objectives pursued by the VAT in the Digital Age package, notably the
modernisation of VAT reporting obligations, the adaptation of VAT rules applicable to platform
economy and the introduction of Single VAT Registration. Having regard to the new rules on digital
reporting envisaged by the Proposal for a Council Directive, the EDPS recalls that any processing
of personal data must fully comply with the GDPR and the EUDPR, including the principles of
purpose limitation and data minimisation. To ensure compliance with the principle of purpose
limitation, the EDPS recommends explicitly specifying in the enacting terms of the Proposal that
the information collected may only be processed for the purpose of fighting VAT fraud by the
competent tax administration.
Information contained in invoices may reveal sensitive information concerning specific natural
persons, such as information concerning, purchased goods (including, intimate products), travel
arrangements or legal services. The EDPS welcomes that the information to be provided to the tax
administration under the digital reporting requirements are an extract (a specified subset) of the
information from the invoice and not the whole invoice as such. This is a key safeguard to ensure
compliance with the principle of data minimisation under Article 5(1)(c) of the GDPR and Article
4(1)(c) of the EUDPR and to reduce the impact of the processing of personal data on the rights and
freedoms of the data subjects. In this regard, the EDPS welcomes that the Proposal for a Council
Directive excludes the name and address of the customer and the taxable person from the
information to be transmitted.
The EDPS also welcomes that the Proposal for a Council Regulation explicitly designates the roles
of the Member States and Commission under EU data protection law. At the same time, the EDPS
recalls that the designation must be aligned with the responsibilities assigned to each actor.
Moreover, any further specification of the responsibilities of the Member States and the
Commission by way of implementing acts must be fully in line with the roles established by the
legislative act.
Finally, the EDPS highlights that the safeguards laid down under Chapter XV of Regulation (EU)
No 904/2010 (Conditions governing the exchange of information) should remain applicable to the
processing of personal data laid down in the Proposal for a Council Regulation
Source: eur-lex.europa.eu
