Last Updated on May 31, 2021 by LawEuro
The Fiscal Code of Germany
Fifth Chapter
Limited liability of public officials
Section 32
Limited liability of public officials
Where a breach of official duty by a public official results in
1. a tax or ancillary tax payment not being assessed, levied or recovered at all or on time, or the amount assessed, levied or recovered being too low, or
2. a tax refund or tax rebate being incorrectly granted, or
3. a tax base or a tax share not being assessed at all or on time or the amount assessed being too low,
the public official may be held liable only if the breach of official duty is punishable by law.
Section 32a
Revenue authorities’ obligation to provide information where data are collected from the data subject
(1) In addition to the exception specified in Article 13(4) of Regulation (EU) 2016/679, the obligation of revenue authorities to inform the data subject in accordance with Article 13(3) of Regulation (EU) 2016/679 shall not apply if the provision of information regarding the intended further processing or disclosure
1. would jeopardise the effective performance of the functions, as described in Article 23(1)(d) to (h) of Regulation (EU) 2016/679, that lie within the jurisdiction of revenue authorities and the revenue authorities’ interest in not providing the information overrides the interests of the data subject,
2. would endanger public security or order or would be detrimental to the welfare of the Federation or a Land and the revenue authorities’ interest in not providing the information overrides the interests of the data subject,
3. impede the ability of the Federation, a Land or a municipality – as the legal representative of a revenue authority – to establish, exercise or defend civil law claims or to defend itself against civil law claims within the meaning of Article 23(1)(j) of Regulation (EU) 2016/679 and the revenue authority is not required under civil law to provide information, or
4. would jeopardise the confidential disclosure of protected data to public entities.
(2) The effective performance of the functions, as described in Article 23(1)(d) to (h) of Regulation (EU) 2016/679, that lie within the jurisdiction of revenue authorities shall be deemed jeopardised in particular if the provision of information
1. could enable the data subject or third parties
a) to conceal facts or circumstances that are relevant for tax purposes,
b) to cover up leads that are relevant for tax purposes,
c) to tailor the manner and extent of their cooperation with revenue authorities to the level of information held by the revenue authorities,
or
2. makes it possible to draw inferences about the design of automated risk management systems or planned control/auditing measures
and would thereby seriously hinder the detection of facts or circumstances that are relevant for tax purposes.
(3) In cases where a data subject is not provided with information in accordance with subsection (1) above, the revenue authorities shall take suitable measures to protect the data subject’s legitimate interests.
(4) If, in cases where subsection (1) applies, no notification is provided because of a reason that is temporary in nature, revenue authorities shall fulfil their obligation to provide information, taking into account the specific circumstances of the case, within a reasonable period, but no later than two weeks, after this reason ceases to apply.
(5) If the provision of information relates to the transmission of personal data by revenue authorities to authorities responsible for the protection of the constitution, the Federal Intelligence Service, the Military Counterintelligence Service or, insofar as the security of the Federation is affected, other Federal Defence Ministry authorities, such provision of information shall be permissible only with the consent of these entities.
Section 32b
Revenue authorities’ obligation to provide information where personal data have not been obtained from the data subject
(1) In addition to the exceptions specified in Article 14(5) of Regulation (EU) 2016/679 and section 31c(2), the obligation of revenue authorities to inform the data subject in accordance with Article 14(1), (2) and (4) of Regulation (EU) 2016/679 shall not apply
1. insofar as the provision of information
a) would jeopardise the effective performance of the functions, as described in Article 23(1)(d) to (h) of Regulation (EU) 2016/679, that lie within the jurisdiction of revenue authorities or other public entities or
b) would endanger public security or order or would be otherwise detrimental to the welfare of the Federation or a Land
or
2. if the data, their source, their recipients, or the fact that they have been processed in accordance with section 30 or another legislative provision, or if the data by their very nature, must be kept secret, in particular due to the overriding legitimate interests of a third party in accordance with Article 23(1)(i) of Regulation (EU) 2016/679
and the data subject’s interest in the provision of information is overridden as a result. Section 32a(2) shall apply accordingly.
(2) If the provision of information relates to the transmission of personal data by revenue authorities to authorities responsible for the protection of the constitution, the Federal Intelligence Service, the Military Counterintelligence Service or, insofar as the security of the Federation is affected, other Federal Defence Ministry authorities, such provision of information shall be permissible only with the consent of these entities.
(3) In cases where a data subject is not provided with information in accordance with subsection (1) or (2) above, the revenue authorities shall take suitable measures to protect the data subject’s legitimate interests.
Section 32c
Right of access by the data subject
(1) In their dealings with revenue authorities, data subjects shall not have a right of access as provided in Article 15 of Regulation (EU) 2016/679 insofar as
1. information is not to be provided to the data subject in accordance with section 32b(1) or (2),
2. the granting of access would impede the Federation, a Land or a municipality – as the legal representative of a revenue authority – in its ability to establish, exercise or defend civil law claims or to defend itself against civil law claims within the meaning of Article 23(1)(j) of Regulation (EU) 2016/679; revenue authorities’ obligations to provide information under civil law shall remain unaffected,
3. personal data
a) are stored only because, on the basis of legal provisions, their erasure is not permitted, or
b) exclusively serve the purposes of backing up data or monitoring data protection
and the granting of access would require a disproportionate effort, and suitable technical and organisational measures rule out the possibility of processing for other purposes.
(2) In their requests for access under Article 15 of Regulation (EU) 2016/679, data subjects should specify the type of data for which access is to be granted.
(3) If the personal data are neither automated nor stored in automated filing systems, access shall be granted only to the extent that the data subject provides information that makes it possible to locate the data, and the effort required to grant access is not disproportionate to the data subject’s stated interest in the information.
(4) If access is refused, the reason(s) for such refusal must be communicated to the data subject, as long as the disclosure of the factual and legal reasons underlying the decision does not jeopardise the purpose being pursued by refusing access. The data stored for the purpose of preparing and granting access to the data subject may be processed only for this purpose and for purposes of monitoring data protection; processing for other purposes shall be restricted in accordance with Article 18 of Regulation (EU) 2016/679.
(5) If a data subject is not granted access by a revenue authority, such access shall be granted to the Federal Commissioner for Data Protection and Freedom of Information upon request by the data subject, as long as the competent highest revenue authority does not find that, for the specific case in question, granting such access would endanger the security of the Federation or a Land. When the Federal Commissioner for Data Protection and Freedom of Information notifies the data subject of the findings of the data protection review, such notification shall not permit any inferences to be drawn about what the revenue authorities know, insofar as the revenue authorities have not consented to the granting of more extensive access.
Section 32d
Form of information or access
(1) To the extent that rules are not stipulated in Articles 12 to 15 of Regulation (EU) 2016/679, the revenue authorities shall determine at their discretion which procedures, and in particular which form, shall be used to provide information and grant access.
(2) Revenue authorities may also fulfil their obligation to provide information to data subjects in accordance with Article 13 or 14 of Regulation (EU) 2016/679 by making the information available to the public, as long as no personal data are published as a result.
(3) If revenue authorities use electronic means to provide data subjects with information on the collection or processing of personal data in accordance with Article 13 or 14 of Regulation (EU) 2016/679, or if they use electronic means to grant data subjects access in accordance with Article 15 of Regulation (EU) 2016/679, section 87a(7) or (8) shall apply accordingly.
Section 32e
Relation to other access and information rights
Insofar as a data subject or third party has a right of access to information from a revenue authority pursuant to the Freedom of Information Act of 5 September 2005 (Federal Law Gazette I, p. 2272), as amended, or pursuant to relevant Land legislation, Articles 12 to 15 of Regulation (EU) 2016/679 in conjunction with sections 32a to 32d shall apply accordingly. More extensive rights to information on tax data are thus ruled out. Section 30(4) number two shall not apply in this case.
Section 32f
Right to rectification and erasure, right to object
(1) As a supplement to the provision laid down in Article 18(1)(a) of Regulation (EU) 2016/679, if the accuracy of personal data is contested by the data subject and it cannot be determined whether the data are accurate or inaccurate, this shall not cause processing to be restricted if the data serve as the basis for an administrative act that can no longer be cancelled, amended or corrected. The unresolved matter shall be documented in a suitable manner. The contested data may be processed only with reference to the fact that the matter remains unresolved.
(2) If, in cases of non-automated data processing, erasure is impossible or would require disproportionate effort due to a particular manner of storage and the data subject’s interest in such erasure is deemed low, then the data subject’s right to obtain erasure and the revenue authorities’ obligation to conduct erasure in accordance with Article 17(1) of Regulation (EU) 2016/679 shall not apply, in addition to the exceptions specified in Article 17(3) of Regulation (EU) 2016/679. In such cases, a processing restriction in accordance with Article 18 of Regulation (EU) 2016/679 shall apply in lieu of an erasure. The first and second sentences above shall not apply if the personal data were processed unlawfully.
(3) As a supplement to the provisions laid down in Article 18(1)(b) and (c) of Regulation (EU) 2016/679, the first and second sentences of subsection (1) above shall apply in the cases referred to in Article 17(1)(a) and (d) of Regulation (EU) 2016/679 as long as and to the extent that the revenue authorities have reason to believe that an erasure would be detrimental to the legitimate interests of the data subject. Revenue authorities shall notify the data subject of the processing restriction unless such notification is impossible or would require disproportionate effort.
(4) As a supplement to Article 17(3)(b) of Regulation (EU) 2016/679, subsection (1) above shall apply in the cases referred to in Article (17)(1)(a) of Regulation (EU) 2016/679 if erasure stands in conflict with contractual retention periods.
(5) The right to file an objection with financial authorities in accordance with Article 21(1) of Regulation (EU) 2016/679 shall not apply insofar as a compelling public interest in the processing of data overrides the interests of the data subject or insofar as such processing is required by law.
Section 32g
Data protection officers for revenue authorities
Section 5(2) to (5) and sections 6 and 7 of the Federal Data Protection Act shall apply accordingly to the data protection officers who are to be designated by revenue authorities in accordance with Article 37 of Regulation (EU) 2016/679.
Section 32h
Data protection supervision, data protection impact assessments
(1) The Federal Commissioner for Data Protection and Freedom of Information under section 8 of the Federal Data Protection Act shall be responsible for the supervision of revenue authorities as regards the processing of personal data within the scope of this Code. Sections 13 to 16 of the Federal Data Protection Act shall apply accordingly.
(2) If any revenue authority develops an automated procedure for the revenue authorities of other Länder or of the Federation for the purpose of processing personal data within the scope of this Code, it shall be incumbent upon that revenue authority to conduct a data protection impact assessment in accordance with Article 35 of Regulation (EU) 2016/679. Insofar as such procedures are adopted by Land and federal financial authorities without alteration to functions that are relevant for purposes of data protection, the data protection impact assessment shall likewise apply to the adopting revenue authorities.
(3) Land legislation may stipulate that the Federal Commissioner for Data Protection and Freedom of Information shall be responsible for supervising the processing of personal data within the framework of Land or municipal tax legislation, as long as (a) such data processing pertains to tax bases regulated by federal law or is based on specifications that are uniform nationwide and (b) the administrative costs incurred by the Federal Commissioner for Data Protection and Freedom of Information as a result of this conferral of responsibility are borne by the respective Land.
Section 32i
Judicial protection
(1) Recourse to fiscal courts shall be possible in disputes over rights under Article 78(1) and (2) of Regulation (EU) 2016/679 between (a) an affected public entity under section 6(1) to (1c) and (2) or its legal representative, an affected non-public entity under section 6(1d) and (1e) or a data subject and (b) the competent federal or Land supervisory authority. The first sentence above shall not apply in cases where section 2a(4) applies.
(2) Data subjects shall be permitted to take recourse to fiscal courts for the purpose of bringing actions against revenue authorities or revenue authorities’ processors regarding infringements of data protection provisions that fall within the scope of Regulation (EU) 2016/679 or regarding infringements of data subjects’ rights specified therein.
(3) In cases where a supervisory authority responsible for supervising other public entities or non-public entities pursuant to the Federal Data Protection Act or Land legislation issues a legally binding decision that negates, in full or in part, the obligation of a non-public entity or other public entity to cooperate with revenue authorities under this Code or other tax legislation, the competent revenue authority may bring an action to determine whether an obligation to cooperate exists. The entity that the revenue authority claims has an obligation to cooperate shall be summoned.
(4) In cases where subsections (1) to (3) above apply, the Code of Procedure for Fiscal Courts shall apply in accordance with subsections (5) to (10) below.
(5) For proceedings under subsection (1), first sentence, and subsection (3) above, the fiscal court in whose district the relevant competent supervisory authority’s head office is located shall have local jurisdiction. For proceedings under subsection (2) above, the fiscal court in whose district the respondent revenue authority or respondent processor is located shall have local jurisdiction.
(6) In proceedings under the first sentence of subsection (1) above, the participating parties shall include:
1. the public entity, non-public entity or data subject as plaintiff or claimant,
2. the competent federal or Land supervisory authority as defendant or respondent,
3. parties summoned in accordance with section 60 of the Code of Procedure for Fiscal Courts and
4. the highest federal or Land revenue authority that has joined the proceedings in accordance with section 122(2) of the Code of Procedure for Fiscal Courts.
(7) In proceedings under subsection (2) above, the participating parties shall include:
1. the data subject as plaintiff or claimant,
2. the revenue authority or processor as defendant or respondent,
3. parties summoned in accordance with section 60 of the Code of Procedure for Fiscal Courts and
4. the highest federal or Land revenue authority that has joined the proceedings in accordance with section 122(2) of the Code of Procedure for Fiscal Courts.
(8) In proceedings under subsection (3) above, the participating parties shall include:
1. the competent revenue authority as plaintiff or claimant,
2. the federal or Land supervisory authority that issued the legally binding decision, as defendant or respondent,
3. the entity that the revenue authority claims has an obligation to cooperate, as summoned party, and
4. the highest federal or Land revenue authority that has joined the proceedings in accordance with section 122(2) of the Code of Procedure for Fiscal Courts.
(9) No preliminary proceedings shall take place.
(10) Actions or claims brought in proceedings under the first sentence of subsection (1) above shall have a suspensive effect. The competent supervisory authority may not issue an order of immediate enforcement to a revenue authority, its legal representative or its processor.
Section 32j
Request for court judgement in cases where an adequacy decision by the European Commission is presumed to be contrary to law
If the Federal Commissioner for Data Protection and Freedom of Information or an entity responsible for monitoring data protection under Land law believes that a European Commission adequacy decision, the validity of which will determine the decision over a data subject’s complaint concerning the processing of personal data, is contrary to law, then section 21 of the Federal Data Protection Act shall apply.
Leave a Reply