EDPS = European Data Protection Supervisor
On March 3, 2023, the EDPA issued its opinion on the package of legislative proposals on VAT in the Digital Age.
- The EDPS welcomes the objectives pursued by the VAT in the Digital Age package, notably the modernisation of VAT reporting obligations, the adaptation of VAT rules applicable to platform economy and the introduction of Single VAT Registration. Having regard to the new rules on digital reporting envisaged by the Proposal for a Council Directive, the EDPS recalls that any processing of personal data must fully comply with the GDPR and the EUDPR, including the principles of purpose limitation and data minimisation. To ensure compliance with the principle of purpose limitation, the EDPS recommends explicitly specifying in the enacting terms of the Proposal that the information collected may only be processed for the purpose of fighting VAT fraud by the competent tax administration.
- Information contained in invoices may reveal sensitive information concerning specific natural persons, such as information concerning purchased goods (including intimate products), travel arrangements or legal services. The EDPS welcomes that the information to be provided to the tax administration under the digital reporting requirements are an extract (a specified subset) of the information from the invoice and not the whole invoice as such. This is a key safeguard to ensure compliance with the principle of data minimisation under Article 5(1)(c) of the GDPR and Article 4(1)(c) of the EUDPR and to reduce the impact of the processing of personal data on the rights and freedoms of the data subjects. In this regard, the EDPS welcomes that the Proposal for a Council Directive excludes the name and address of the customer and the taxable person from the information to be transmitted.
- The EDPS also welcomes that the Proposal for a Council Regulation explicitly designates the roles of the Member States and Commission under EU data protection law. At the same time, the EDPS recalls that the designation must be aligned with the responsibilities assigned to each actor. Moreover, any further specification of the responsibilities of the Member States and the Commission by way of implementing acts must be fully in line with the roles established by the legislative act.
- Finally, the EDPS highlights that the safeguards laid down under Chapter XV of Regulation (EU) No 904/2010 (Conditions governing the exchange of information) should remain applicable to the processing of personal data laid down in the Proposal for a Council Regulation.
- The Library of VAT in the Digital Age (VIDA)
- Join the LinkedIn Group on ”VAT in the Digital Age” (VIDA), click HERE