Privacy of tax payers after GDPR

The GDPR rules (General Data Protection Regulation) are European rules protecting the privacy of citizens. Companies should comply with a number of rules in order to ensure that data are not misused. But also the government falls within this scope. So how about the tax authorities and your privacy?


Since 25 May 2018 the GDPR rules apply in the entire European Union. This European Regulation states how and why data can be collected, kept and processed. Every company, association or authority which processes personal data is subject to these rules. In practice this means that everyone is concerned. After all, everybody is somehow engaged in the processing of personal data of others. It only doesn't apply to private individuals.

Also the tax authorities

As a general rule, also the tax authorities are subject to the GDPR rules. The tax authorities should respect the privacy of the tax payers and cautiously use the data they collect on tax payers.

The tax payer has:

Right to be informed

Right to inspect

Right to know why his personal data are gathered and processed

Right to know how long his data will be kept

Right to file a complaint with the data protection authority in case his rights are not respected.

Exceptions which can be used by the tax authorities

On the other hand, it seems logical that the tax authorities have some more possibilities than e.g. a private company. The tax authorities should be able to do their job. In a modern digitalized world, this means that a number of exceptions are laid down in the law, such as:

Profiling: automatized processing of personal data on the basis of which characteristics of a person can be evaluated, in order to analyze and predict his professional performances, behavior, location or movements.

Datamining: technique to predict behavior of a certain person based on enormous amounts of data. The tax authorities can use this technique to e.g. assess with which tax payers it is likely that certain irregularities will occur.

It is clearly a difficult balance between the rights of the tax payer and the modern techniques such as profiling. On the one hand a tax payer has the right not to be taxed based merely on profiling. The tax authorities cannot send an assessment which fully originates from automatic data processing. However, in case there are appropriate measures to protect the rights and liberties and legitimate interests of the tax payer there is no problem. How far the tax authorities can go and when they can base themselves on datamining indicators is still unclear and will show in practice.

GDPR gives a person the right to ask that his data will be deleted. From a tax perspective, this is more difficult. The government (here the tax authorities) needs these data to perform tasks of public interest or public power. The right to be forgotten which a tax payer has towards e.g. Google is not applicable towards the tax authorities.

Also, certain rights which a tax payer has, such as the right to insight, are limited in fiscalibus. The precise limitations are listed in detail in the law. So is the right to insight excluded during certain phases of the tax investigation.

Does something really change? The tax payer now has a better base to protect his rights and to require that these rights are respected by the tax authorities.