No access to files under the General Data Protection Regulation

Section 2a (5) no. 2 of the German Fiscal Code states that the provisions of the General Data Protection Regulation (GDPR) apply accordingly to information relating to identified or identifiable corporations. The GDPR does not contain a right to the inspection of files, the Supreme Tax Court said in a most recent decision.

Legal background

Section 2a Fiscal Code deals with the scope of provisions on the processing of personal data. Section 2 a (5) no. 2 Fiscal Code states „that, unless otherwise required by law, the provisions in Regulation (EU) 2016/679, this Code and other tax legislation that pertain to the processing of natural persons’ personal data shall apply accordingly to information relating to identified or identifiable corporations, associations with or without legal capacity, and pools of assets.“

Case of dispute

The plaintiff applied for inspection of the files kept with the defendant, a supreme state authority, by reference to Art. 15 GDPR in conjunction with Section 2a Fiscal Code. The defendant is of the opinion that there is no right to inspect files under either the GDPR or the Fiscal Code. The action brought before the tax court of first instance was rejected.

Decision

The Supreme Tax Court granted the appeal, and for the following reasons.

The taxpayer or his representative requesting access to the files during an administrative procedure is entitled to a discretionary decision (Section 5 Fiscal Code) by the authority. In this respect, the defendant has not exercised the discretion conferred by law. The  defendant is therefore ordered to exercise the discretion in an orderly and appropriate manner regarding the request of the plaintiff.

In the following, the Supreme Tax Court provides comments as to the legal questions raised.

In effect, the lower tax court rightly denied the plaintiff's claim against the defendant for access to files under Art. 15 GDPR. The GDPR equally applies to the processing of personal data by the defendant. The claim under Art. 15 GDPR also relates to internal notes, file notes, processing notes and internal communication because these documents may also contain personal data. 

However, the GDPR does not provide for a right of access to files. This provision only contains a right to information vis-à-vis the controller responsible for processing the personal data. Article 15 (1) states that „The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information (…)“

The plaintiff also has no right to inspect the files based on the German Fiscal Code, as it does not contain provisions to that effect. As the Supreme Tax Court has consistently ruled in the past, the right of inspection cannot be derived either from Section 91 (1) Fiscal Code (dealing with the opportunity to comment on the facts relevant to the administrative decision) or from Section 364 Fiscal Code (on the disclosure of the taxation documents), or for that matter from the Fiscal Code Application Ordinance.

Equally, the right to effective legal protection within the meaning of Article 19 (4) of the German Basic Law and the principle of the rule of law pursuant to Article 20 (3) GG also do not give rise to a right for the inspection of files.

On the other hand, as stated above, the Supreme Tax Court has consistently held that the taxpayer or their representative requesting access to the files during administrative proceedings is entitled to a discretionary decision (Section 5 Fiscal Code) by the authority in accordance with its duties. In this respect, the defendant did not exercise the discretion to which it was entitled.

Source:

Supreme Tax Court, decision of 20 September 2024 (IX R 24/23) – published on 19 December 2024.

Note: In a further judgment (IX R 20/22), the Supreme Tax Court decided that an action for disclosure of information pursuant to Art. 15 para. 1 of the General Data Protection Regulation (GDPR) is generally inadmissible (for want of being adversely affected or burdened) if there has been no out-of-court request for disclosure prior to the action. The right to information pursuant to Art. 15 GDPR is not identical with the entitlement to have access to files or documents.

The plaintiff, who had been engaged in extensive legal proceedings against the tax office in the past, brought an action to commit the tax office „to provide the requested information” by invoking Article 15 (1) and (3) GDPR. The tax court of first instance rejected the action as inadmissible because there was no out-of-court application. The Supreme Tax Court ultimately confirmed this view in its recent judgment.