THIS ARTICLE IS WRITTEN BY JUAN DOSAL AND NICKY GOES. JUAN AND NICKY ARE CONSULTANTS FOCUSSING ON TECHNOLOGY AND INTERNATIONAL TRADE REGULATIONS WITHIN RSM BUSINESS CONSULTING SERVICES OF RSM NETHERLANDS.

With the introduction of EU Directive 2021/514 (DAC7), most digital platform operators must comply with new reporting requirements involving the transfer of personal data to the (local) authorities.

DAC7 extends the tax transparency rules to digital platforms by requiring them to report certain information about the “reportable” clients active on their platforms and undertaking certain commercial activities. This information will be used by tax authorities for assessment of income tax and Value Added Tax (VAT). Furthermore, this information will also be exchanged among the EU Member States as has been the case for DAC6.

Under DAC7, digital platform operators will be obliged not only to collect information about the reportable clients (basic identification data such as name, primary address, date of birth, all assigned TINs in the Union, VAT number, company registry code, information on permanent establishments and, if relevant, real estate information), but also to verify the data received from the reportable clients. To do so, digital platform operators must verify the collected data before the end of the reportable period (December 31), using all information and documents available in their records as well as any electronic interface made available free of charge by a Member State or the Union to ascertain the validity of the TIN or VAT identification number.

To minimize the administrative burden for digital platforms, DAC7 provides reporting digital platform operators with the opportunity to file all information in one specific EU member state.

GDPR requirements

To comply with DAC7, personal data of sellers will be collected, transferred, and shared by the reporting digital platform operators, who will be the controller when processing the required information. Although the transposed member state rules will provide a clear legal basis for processing this personal data, digital platform operators should assess the privacy impact of this new data processing and ensure compliance with the relevant requirements of the EU General Data Protection Regulation (GDPR).

Amongst other things, this means adherence to the processing principles of the GDPR to ensure that the data is processed transparently, lawfully and securely, and that the period for which the data is stored is limited. Platform operators should inform individuals about the fact that their data is being processed and transferred to the relevant tax authorities. DAC7 makes explicit that this should be done before the information is reported.

Intercompany sharing of personal data

DAC7 provides digital platforms with the opportunity to file all information in one specific EU member state. As a result, digital platforms will collect the personal data from all their EU subsidiaries and file that data in that specific country. The respective tax authority will exchange this information automatically with all involved local tax authorities.

Although the GDPR does not limit data transfers to companies in another EU country, the data transfer, as well as the processing by the receiving entity, should comply with GDPR requirements. For example, the data should be stored, transferred and processed in a secure manner, the data processing activity should be documented, and data breaches should be registered in a data breach register and perhaps even notified to the local Data Protection Authority (DPA). Recent publications have shown that local DPAs will act more actively and issue higher fines.

Therefore, it is important that, at governance level, the roles between the different parties are clearly established, i.e. does the entity collecting all data across the different subsidiaries of the platform operator act as processor or (joint) controller?

Practical arrangements, such as having a data processor agreement in place, as well as documenting the responsibilities of joint controllers, need to be considered.

Key takeaways

As non-compliance with both DAC7 and GDPR can lead to serious fines, it is important that the tax and privacy departments of companies come together and ensure compliance with both regulations.

We see an important role for board members to ensure that privacy and security are addressed at governance level. Not only should privacy and security be incorporated into the company’s governance, policies and procedures, but the roles between the different parties should also be clearly established. A well-thought-out data management strategy is therefore crucial.