Data protection wins against bureaucracy - a board of directors prevails
Anyone who wants to know what data the tax office has stored about them has the right to know - without any ifs or buts. This is according to the General Data Protection Regulation (GDPR). A recent ruling by the Federal Fiscal Court (case reference: IX R 25/22) has now clarified this position once again - and drawn the line against overly cautious authorities.
The focus was on a case in which a board member demanded more transparency regarding the stored data relating to his stock corporation and other shareholdings. The tax office initially only provided basic data and a few e-documents - that was not enough for the man. He wanted everything: documents, processing purposes, storage duration, categories, deletion rights. So he went to court.
Tax office: "Too much effort" - Federal Fiscal Court: "Doesn't count!"
The tax authorities defended themselves with the argument that this would be too time-consuming, that the request was practically the same as inspecting the files - and that would only be possible on site. This was not an option for the Executive Board. So he continued to sue - and was ultimately proved right.
The Federal Fiscal Court ruled clearly: A high processing effort alone is not a reason to refuse to provide information. The GDPR has no "effort limit" - it gives every data subject the right to comprehensive information about stored data. And this is precisely what the lower court had wrongly refused, according to the highest tax court.
Particularly interesting: the man had refused to appear on site to inspect the files - but the court did not consider this to be an abuse of his right to information either. Information and access to files are not the same thing, according to the judges. A real statement - and a clear reminder to all authorities to take requests more seriously.
Where is the limit? GDPR only allows rare exceptions
One thing is clear: the right to information also has its limits. If someone constantly asks for the same information without cause, the authorities may classify such requests as "excessive". They could then be refused or charged for - but only with justification and proof!
In practice, however, this is rarely the case. So if you want to view your data once a year or for a specific reason, you have a good chance - even with authorities such as the tax office.
What does the information actually include?
According to Article 15 GDPR, the right of access includes all personal data stored by a public authority - i.e:
- Tax assessments and basic data
- Notes and internal notes
- E-mails, minutes of meetings, notes
- Information on data processing, storage duration, recipients and deletion periods
But be careful: the GDPR also protects the rights of third parties - for example, in the case of email histories with multiple parties. Authorities must then weigh up what may be disclosed.
No office is above the GDPR.
The Federal Fiscal Court has sent a clear signal for civil rights and data protection. Anyone who thinks data protection is only for nerds or tech companies is wrong. It's about transparency towards the state - and this is more important than ever in times of increasing digital surveillance.
Anyone who collects data must also be prepared to disclose it - even if it becomes inconvenient. The ruling is a victory for all those who not only want to be taxpayers, but also responsible citizens.
