Launch Q3 2026
BearGuard®
BearGuard®
Governance & AI Guardrails
DE EN
Main Structure

Privacy — Data Protection and Privacy in the Tax Context

Data protection law in tension with tax transparency: GDPR, fiscal secrecy, proportionality, and fundamental rights limitations.

LinkedIn X WhatsApp

Summary

Data protection and privacy in the tax context refer to the regulatory domain governing the processing of personal tax data and the protection of taxpayers' privacy. This domain is in fundamental tension with the requirements of tax transparency: while transparency regimes strive for the most comprehensive possible data exchange, data protection laws demand that data collection, processing, and disclosure be limited to what is proportionate.

The central European instrument is the General Data Protection Regulation (GDPR), which since 2018 applies to all processing of personal data in the EU — including tax data. Alongside this exist national fiscal secrecy provisions (e.g., § 30 AO in Germany, Art. 110 DBG in Switzerland), which protect the confidentiality of tax data from third parties. The European Court of Justice (ECJ) has in several landmark decisions defined the limits of data protection in the context of tax transparency and AML registers.

Practical challenges arise in particular in connection with public beneficial ownership registers, public country-by-country reporting, the exchange of large volumes of data under the CRS framework, and the long-term retention of AML data. Taxpayers in principle hold rights of access, rectification, and, to a limited degree, erasure, which are however restricted by tax retention periods and public interest considerations.

History

Fiscal secrecy as a protection for taxpayers against data disclosure has a long legal history in many countries. With the emergence of modern data protection law — the EU Data Protection Directive of 1995, followed by the GDPR in 2016/2018 — a structured fundamental right to data protection arose that also applies vis-à-vis tax authorities. The rapid expansion of automatic information exchange and public transparency obligations from 2014 onwards created significant tensions with the new data protection framework.

A turning point was marked by the ECJ judgment in WM and Sovim SA (Joined Cases C-37/20 and C-601/20, November 2022), in which the Court held that public access to beneficial ownership registers (as provided for by the 5th EU Anti-Money Laundering Directive) constitutes a disproportionate interference with the fundamental right to data protection and is therefore incompatible with Union law. This ruling compelled member states to restrict public access to their registers and triggered a fundamental debate about the proportionality of transparency obligations. In Switzerland and other non-EU countries, the admissibility of CRS data exchange is regularly challenged before national courts.

Since 2024, the EU AML Package — comprising the Anti-Money Laundering Regulation (AMLR), the 6th Anti-Money Laundering Directive (AMLD6), and the establishment of the European Anti-Money Laundering Authority (AMLA) — has reshaped the discourse. It redefines access to transparency registers under stricter data protection requirements in line with the 2022 ECJ ruling. In parallel, the DAC8 Directive (adopted October 2023, implementation by 2026) advances automatic exchange of information on crypto-assets and raises new data protection questions.

Scope

Data protection and privacy in the tax context affect the following domains and actors:

  • Tax authorities as controllers: Tax offices and tax administrations process highly sensitive personal data; purpose limitation and data security are central obligations
  • Transparency registers: Access to beneficial ownership data must, following the ECJ ruling (Joined Cases C-37/20 and C-601/20, 2022), be restricted to persons with a legitimate interest
  • CRS/FATCA data exchange: Transmission of bank data to foreign tax authorities must comply with data protection law; data subject rights to information must be upheld
  • Public CbCR: Disclosure of aggregated group tax data is less problematic (no personal data), but issues around trade secrets arise
  • AML data retention: Retention periods for AML data (typically 5–10 years) must be compatible with the principle of storage limitation
  • Taxpayers as data subjects: Right of access, right to rectification of incorrect data, limited right to erasure
  • Intermediaries (banks, advisors): Obligation to inform taxpayers about data disclosure to tax authorities

Key Requirements

Core obligations at the intersection of data protection and tax law:

  • Legal basis for data processing: Tax data processing must be grounded in a legal obligation or public interest (Art. 6(1)(c)/(e) GDPR)
  • Purpose limitation: Exchanged tax data may only be used for tax purposes; other use (e.g., by law enforcement) is restricted to legally defined exceptions
  • Data security: Tax authorities and financial institutions must implement appropriate technical and organizational measures to protect tax data
  • Informing data subjects: Taxpayers must be informed of CRS/FATCA data exchange (privacy notices of financial institutions)
  • Legitimate access to transparency registers: Access to beneficial ownership data only for persons demonstrating a legitimate interest (per ECJ, Joined Cases C-37/20 and C-601/20)
  • Proportionality: Any expansion of transparency or exchange obligations must withstand a proportionality test
  • Data transfers to third countries: Disclosure of tax data to non-EU jurisdictions requires an adequate level of protection or appropriate safeguards

Corrections & Errata

2026-QA-122 Correction 28 February 2026
Quality Audit: Privacy — Data Protection and Privacy in the Tax Context

2 corrections:
- ECJ ruling: Joined Cases C-37/20 and C-601/20, not just C-37/20
- official_url redirects to new domain
1 update:
- Missing mention of recent developments 2024-2026
2 clarifications.

Full details on the errata page →

Content last reviewed: 25 February 2026. Found an error or need an update? [email protected]