OPINION OF ADVOCATE GENERAL
CAMPOS SÁNCHEZ-BORDONA
delivered on 17 October 2018 (1)
Case C‑496/17
Deutsche Post AG
v
Hauptzollamt Köln
(Request for a preliminary ruling from the Finanzgericht Düsseldorf (Finance Court, Düsseldorf, Germany))
(Reference for a preliminary ruling — Rights and obligations of persons under customs legislation — Status of authorised economic operator — Questionnaire — Protection of personal data — Tax identification number — Tax office responsible for the assessment of income tax —Data processing necessary for compliance with a legal obligation — Principle of limiting the purpose of processing personal data)
1. The German tax authority requires certain personal data relating to the senior managers and employees of undertakings that seek to obtain or retain the status of authorised economic operator (‘AEO’), a status that entitles them to more favourable treatment than that enjoyed by other importers or exporters.
2. This reference for a preliminary ruling concerns the limits which EU law imposes on those requirements, whether strictly within the context of customs matters or within the context of the protection of personal data.
I. Legal framework
A. EU law
1. Customs legislation
(a) The Customs Code
3. Article 38 of Regulation (EU) No 952/2013 (2) provides:
‘1. An economic operator who is established in the customs territory of the Union and who meets the criteria set out in Article 39 may apply for the status of authorised economic operator.
…
2. The status of authorised economic operator shall consist in the following types of authorisations:
(a) that of an authorised economic operator for customs simplifications, which shall enable the holder to benefit from certain simplifications in accordance with the customs legislation; or
(b) that of an authorised economic operator for security and safety that shall entitle the holder to facilitations relating to security and safety.
…’
4. Article 39(a) provides:
‘The criteria for the granting of the status of authorised economic operator shall be the following:
(a) the absence of any serious infringement or repeated infringements of customs legislation and taxation rules, including no record of serious criminal offences relating to the economic activity of the applicant;
…’
(b) Implementing Regulation (EU) 2015/2447 (3)
5. In accordance with Article 24(1):
‘…
Where the applicant is not a natural person, the criterion laid down in Article 39(a) of the Code shall be considered to be fulfilled where, over the last 3 years, none of the following persons has committed a serious infringement or repeated infringements of customs legislation and taxation rules or has had a record of serious criminal offences relating to his economic activity:
(a) the applicant;
(b) the person in charge of the applicant or exercising control over its management;
(c) the employee in charge of the applicant’s customs matters.’
(c) Delegated Regulation (EU) 2016/341 (4)
6. In accordance with Article 1:
‘1. This Regulation lays down transitional measures on the means for the exchange and storage of data referred to in Article 278 of the Code until the electronic systems which are necessary for the application of the provisions of the Code are operational.
2. Data requirements, formats, and codes, which are to be applied for the transitional periods set out in this Regulation, Delegated Regulation (EU) 2015/2446 and Implementing Regulation (EU) 2015/2447 are laid down in the Annexes to this Regulation.’
7. Article 5 stipulates:
‘1. Until the date of the upgrading of the AEO system referred to in the Annex to Implementing Decision 2014/255/EU, customs authorities may allow for means other than electronic data-processing techniques to be used for applications and decisions relating to AEO or for any subsequent event which may affect the original application or decision.
2. In the cases referred to in paragraph 1 of this Article, the following shall apply:
(a) applications for the status of AEO shall be lodged using the format of the form set out in Annex 6; and
(b) authorisations granting the status of AEO shall be issued using the form set out in Annex 7.’
8. Point 19 of the explanatory notes in Annex 6 is devoted to the content of the application form for AEO status:
‘Name, date and signature of the applicant:
Signature: the signatory should add his capacity. The signatory should always be the person who represents the applicant as a whole.
Name: name of the applicant and stamp of the applicant.
…
8. The names of the key office-holders (managing directors, divisional heads, accounting managers, head of customs division etc.). Description of the adopted routines in situation when the competent employee is not present, temporarily or permanently.
9. The names and the position within the organisation of the applicant who have specific customs expertise. Assessment of the level of knowledge of these persons in regards of the use of IT technology in customs and commercial processes and general commercial matters.
…’
2. Legislation on data protection: Regulation (EU) 2016/679 (5)
9. According to Article 4:
‘For the purposes of this Regulation:
(1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collecting, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
…’
10. Article 5 provides:
‘Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for achieving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”).
…’
11. Article 6 states:
‘1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
…
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
…
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
…
2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of the Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:
(a) Union law; or
(b) Member State law to which the controller is subject.
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. … The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.
4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
(d) the possible consequences of the intended further proceedings for data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.’
12. Article 23(1)(e) provides:
‘Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as in Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard
…
(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security.’
B. National law
1. Abgabenordnung (Tax Code)
13. In the version applicable at the material time, Paragraph 139a(1) states:
‘For the purposes of unambiguous identification in taxation procedures, the Bundeszentralamt für Steuern (Federal Central Tax Office) shall issue each taxpayer a uniform and permanent means of recognition (identifier); the taxpayer, or third parties who must submit the taxpayer’s data to the revenue authorities, shall provide this identifier on applications, declarations or notifications addressed to the revenue authorities. The identifier shall consist of a series of digits that may not be constructed or derived from other data relating to the taxpayer; the final digit shall be a check digit …’
14. According to Paragraph 139b:
‘(1) A natural person may not receive more than one identification number …
(2) The revenue authorities may collect and use the identification number only to the extent that this is necessary in order for them to fulfil their legal duties or a legal provision expressly allows or orders the collection or use of the identification number. Other public or non-public offices may:
1. collect or use the identification number only to the extent that this is necessary to allow data to be transmitted between them and the revenue authorities, or a legal provision expressly allows or orders the collection and use of the identification number;
…
3. use the legally collected identification number of a taxpayer to fulfil all of their reporting requirements vis-à-vis revenue authorities, as long as the respective reporting requirements relate to the same taxpayer and the collection and use of the identification number are permissible under point 1 …
(3) The Bundeszentralamt für Steuern shall store with regard to natural persons the following data:
1. identification number;
…
3. surname;
4. previous names;
5. forenames;
6. doctoral title;
…
8. date and place of birth;
9. sex;
10. current or last-known address;
11. competent tax authorities;
12. bans on disclosing information pursuant to the Bundesmeldegsetz (Federal Act on Registration);
13. date of death;
14. date of moving in and moving out.
(4) The data listed in subparagraph 3 above shall be stored in order to:
1. ensure that a person has been issued with only one identification number, and that an identification number is not issued more than once;
2. determine the identification number of a taxpayer;
3. distinguish which revenue authorities are responsible for a taxpayer;
4. be able to transfer to the competent offices data which, pursuant to supranational or international law, is to be obtained;
5. enable the revenue authorities to discharge their statutory responsibilities.’
2. Einkommensteuergesetz (Law on income tax)
15. Paragraph 38(1) and (3), in the version applicable at the material time, provides:
‘(1) In the case of income from work other than as a self-employed person, income tax shall be levied by way of deduction from pay (tax on pay), in so far as the pay is paid by an employer …
…
(3) The employer shall deduct the tax on pay from the employee’s pay, on the latter’s behalf, every time the employee is paid …’
16. Paragraph 39(1) and (4) provide:
‘(1) For the purposes of deducting tax on pay, particulars of deduction of tax on pay shall be generated at the behest of the employee …
…
(4) Particulars of deduction of tax on pay shall consist of:
1. the tax bracket;
2. the number of tax-free allowances for dependent children in the case of tax brackets I to IV,
…’
17. According to Paragraph 39e:
‘(1) For every employee, the Bundeszentralamt für Steuern shall generate, in principle in automated form, the tax bracket applicable and, in relation to the children to be taken into account in the case of tax brackets I to IV, the number of tax-free allowances for dependent children as particulars of deduction of tax on pay as provided for in Paragraph 39(4), first sentence, points 1 and 2 … Where the tax office generates particulars of deduction of tax on pay pursuant to Paragraph 39, it shall share this with the Bundeszentralamt für Steuern for the purpose of facilitating automated retrieval by the employer …
(2) The Bundeszentralamt für Steuern shall store, in relation to the employer, on provision of the corresponding identification number, the particulars of deduction of tax on pay, for the purposes of making available automatically retrievable particulars of deduction of tax on pay, and, in relation to each taxpayer, the following data additional to that referred to in Paragraph 139b(3) of the Abgabenordnung:
1. legal membership of a religious community entitled to charge tax and the date of joining and leaving;
2. officially registered marital status and the date on which marital status was established or dissolved and, in the case of a married couple, the spouse’s identification number;
3. children and their identification numbers;
…
(4) For the purposes of the retrieval of particulars of deduction of tax on pay, the employee shall inform each employer, on entering into an employment relationship with the latter, of:
1. his identification number and date of birth;
…
At the start of the employment relationship, the employer shall retrieve the electronic particulars of deduction of tax on pay relating to the employee from the Bundeszentralamt für Steuern by remote data transmission and save them to the employee’s pay account. …
…’
II. Dispute in the main proceedings and question referred
18. Deutsche Post was the holder of customs authorisations granted under Regulation (EEC) No 2913/92 (6) and Regulation (EEC) No 2454/93, (7) in particular as authorised consignee and authorised consignor. It also benefits from a comprehensive guarantee to facilitate Union and common transit procedures and, since the new Customs Code came into full effect, has been authorised to operate a temporary storage facility.
19. By letter of 19 April 2017, the Hauptzollamt (Principal Customs Office) asked Deutsche Post to complete Part I (Information on the Company) of the online Self-Assessment Form by 19 May 2017. That form contained, inter alia, the following questions:
‘1.1.2. To the extent applicable to the legal form of your company, please provide details of:
…
(c) the members of the advisory and supervisory boards, in the form of their first name, surname, date of birth, tax identification number and competent tax office.
1.1.6. Name the senior management positions in the company (managing directors, divisional heads, head of accounts, head of the customs department, etc.) and describe the deputising rules. As a minimum, the information provided must include first name, surname, date of birth, tax identification number and competent tax office.
…
1.3.1. Identify the individuals in your organisation who are responsible for customs matters or the individuals who deal with customs matters (e.g. customs clerks, the head of the customs department), in the form of their first name, surname, date of birth, tax identification number, competent tax office and position within the organisation.’
20. The Hauptzollamt informed Deutsche Post that, if it did not cooperate as necessary, it would be impossible to determine whether it met the authorisation requirements applicable under the Customs Code. It also advised Deutsche Post that it would revoke any permanent authorisations if Deutsche Post failed to cooperate or no longer met the aforementioned requirements.
21. Deutsche Post brought before the referring court an action challenging the obligation to provide the Hauptzollamt with the tax identification numbers of the persons listed on the self-assessment form and the details of their competent tax offices. It sought from the court a declaration to the effect that it is not obliged to complete that part of the form.
22. Deutsche Post claimed, in support of its action, that:
– the number of persons in its undertaking who are affected by those questions was very large and it was unable to answer them on data protection grounds, since some of its employees were not willing to have their data passed on. Furthermore, the group of persons affected by points 1.1.2(c), 1.1.6 and 1.3.1 was larger than the group mentioned in Article 24(1), second subparagraph, points (b) and (c), of Implementing Regulation 2015/2447; and
– the income tax position of its employees was irrelevant to the assessment of whether a serious infringement or repeated infringements of customs legislation or taxation rules had been committed or whether there was any record of serious criminal offences relating to their economic activities. It was neither necessary nor appropriate to disclose their tax identification numbers in order to be able to assess their reliability for customs purposes.
23. The Hauptzollamt , in response to the arguments put forward by Deutsche Post contended that it has to ask for tax identification numbers so that it can properly identify the persons concerned when consulting tax offices. An exchange of information is provided for only in circumstances where the tax offices have knowledge of a serious infringement or repeated infringements of taxation rules. Criminal or administrative penalty proceedings which have been closed are irrelevant in this regard. Repeated infringements of taxation rules are taken into account if their frequency is disproportionate to the nature and scale of the applicant’s business activity.
24. According to the Hauptzollamt, the group of persons referred to in the questions is consistent with the second subparagraph of Article 24(1) of Implementing Regulation 2015/2447 and with the Commission’s Guidelines for Authorised Economic Operators. In each case, the Hauptzollamt decides on the basis of risk exactly which persons should be the subject of an exchange of information with the tax offices. As regards the persons dealing with customs matters, the request is confined to managers and senior staff in the case of large customs departments.
25. The Finanzgericht Düsseldorf (Finance Court, Düsseldorf, Germany) is uncertain whether viewing the personal data requested (the tax identification numbers of, and tax offices responsible for collecting income tax from, the persons referred to in points 1.1.2(c), 1.1.6 and 1.3.1 of the form) constitutes an unlawful processing of that data under Regulation 2016/679 and Article 8(1) of the Charter of Fundamental Rights of the European Union (‘the Charter’).
26. It is also uncertain whether there is any need to access the personal data of the applicant’s employees and supervisory board members which is compiled in connection with the collection of income tax, since that data bears no direct relation either to the assessment of their reliability for customs purposes or to the economic activities of Deutsche Post.
27. In that context, that court has decided to refer the following question to the Court of Justice for a preliminary ruling:
‘Is the second paragraph of Article 24(1) of Commission Implementing Regulation (EU) 2015/2447 of 24 November 2015 laying down detailed rules for implementing certain provisions of Regulation (EU) No 952/2013 of the European Parliament and of the Council laying down the Union Customs Code to be interpreted as meaning that this provision permits the customs authority to request the applicant to inform it of the tax identification numbers issued by the German Bundeszentralamt für Steuern (Federal Central Tax Office) for the purpose of income tax collection and the tax offices responsible for the income tax assessment of the members of the applicant’s supervisory board, its managing directors, heads of department, head of accounts, head of the customs department as well as those individuals responsible for customs matters and those dealing with customs matters employed by the applicant?’
28. Written observations have been lodged by Deutsche Post, the Hauptzollamt, the Spanish, Hungarian and Italian Governments and the Commission. The hearing, held on 5 July 2018, was attended by Deutsche Post, the Hauptzollamt and the Commission.
III. Answer to the question referred
29. Before analysing the substance of the case, it is important to clarify which provisions of EU law on the protection of personal data are applicable in this case.
30. The request for the disclosure of data was made to Deutsche Post on 19 April 2017 and, therefore, before the date of the entry into force (25 May 2018) of Regulation 2016/679. The legislation applicable at that time was Directive 95/46/EC, (8) despite the fact that both the referring court and the parties to the preliminary ruling proceedings, other than the Commission, take it for granted that the aforementioned regulation is applicable.
31. The explanation for this apparent anomaly can be found in the nature of the originating national proceedings. As was explained at the hearing, Deutsche Post did not bring an action for annulment (Anfechtungsklage), which the court must consider from the point of view of the legislation in force at the time of the facts, but an action for a declaration (Feststellungsklage), (9) which must be settled by reference to the legal position obtaining at the time of the hearing and the judgment.
32. It is for the national court to interpret its national procedural law, on which the Court of Justice will not give a ruling. Consequently, if it is of the view that the domestic rules require the dispute to be resolved, ratione temporis, in accordance with Regulation 2016/679 rather than Directive 95/46, the Court of Justice must provide it with an interpretation of the former rather than the latter. (10)
33. By the question referred, the national court seeks an interpretation — rather than a declaration, if appropriate, of invalidity — of Article 24(1) of Implementing Regulation 2015/2447, to which end it will be necessary to take into account Regulation 2016/679 and Articles 7 and 8 of the Charter. (11) I repeat, the referring court’s question is not concerned with the possible invalidity of that article, which is confined to laying down the conditions for the grant of AEO status and does not itself require the transmission or processing of personal data by a third party.
A. The interpretation of Article 24 of Implementing Regulation 2015/2447
34. AEO status confers advantages (12) on economic operators, who, in the context of their customs operations, are considered reliable throughout EU territory (Article 5(5) of the Customs Code). According to Article 38(6) of the Customs Code, those advantages include enjoying more favourable treatment than other economic operators in respect of customs controls. Depending on the type of authorisation granted, an AEO will be subject to fewer physical and document‑based controls.
35. As AEOs must be verifiably reliable and of good standing, the grant of that status is subject to compliance with the conditions laid down in Article 39 of the Customs Code, (13) that is to say:
– compliance with customs legislation and taxation rules, in particular the absence of any record of serious criminal offences relating to the economic activity of the applicant;
– demonstration by the applicant of a high level of control of his or her operations and of the flow of goods, by means of a system of managing commercial and, where appropriate, transport records, which allows appropriate customs controls;
– proven financial solvency; and
– depending on the type of AEO status, an appropriate standard of competence or professional qualifications directly related to the activity carried out (AEOC) or appropriate security and safety standards (AEOS).
36. Those conditions are applicable to all operators seeking AEO status, whether they are legal or natural persons. In this case, as Deutsche Post is a legal person, the requirement not to have committed any serious infringement or repeated infringements of customs legislation or taxation rules, nor to have any record of serious criminal offences relating to its economic activity, also extends to some of its employees (those in the most senior roles, as listed). (14) This is the purport of Article 24 of Implementing Regulation 2015/2447, which was adopted in order to give effect to Article 39(a) of the Customs Code. (15)
37. The persons who must be free from accusations of such conduct are, according to Article 24 of Implementing Regulation 2015/2447, ‘the person in charge of the applicant or exercising control over its management’ and ‘the employee in charge of the applicant’s customs matters’. (16)
38. Article 24 of Implementing Regulation 2015/2447 defines the limits which customs authorities must not exceed when requesting information about the group of persons that may be investigated. Those authorities must also comply with that provision in relation to the purpose that must inform the gathering of data relating to such persons.
1. Natural persons who may be investigated prior to the grant of AEO status to a legal person
39. The rationale behind Article 24 of Implementing Regulation 2015/2447 is that, in order to be able to grant (17) AEO status, customs authorities must have certain items of data relating to an organisation’s senior staff and the natural persons in charge of its customs activities. (18)
40. The wording of Article 24 of Implementing Regulation 2015/2447 is restrictive: it refers exclusively to the person in charge (of the operator applying for AEO status) or exercising control over its management, and the person responsible for customs matters. The use of the singular in that article calls for the latter to be interpreted strictly, a proposition further supported by the fact that the information to be communicated is personal data. A provision of secondary law that is hierarchically subordinate to Article 24 of Implementing Regulation 2015/2447, such as Annex 6 to Delegated Regulation 2016/341, cannot extend its scope ratione personae.
41. Customs authorities may thus gather personal data relating only to:
– the senior staff member of the undertaking applying for AEO status, who will usually be the person with executive management powers; (19)
– the person in charge of customs matters within that undertaking. The same strict interpretation is applicable here and presupposes that customs authorities may demand personal data only in relation to the person with ultimate responsibility for the undertaking’s customs activities.
42. Proceeding on that premiss, I share the referring court’s view that requests for the personal data of members of an undertaking’s supervisory or advisory board are not provided for in Article 24 of Implementing Regulation 2015/2447. By the same token, that provision also provides no basis for requesting personal data in relation to divisional heads or heads of accounts, unless those persons also have final decision-making powers within the organisation or deal with its customs affairs.
2. Information and data that may be demanded by customs authorities
43. Article 24 of Implementing Regulation 2015/2447 provides, as I have already stated, that customs authorities may only gather information that is essential to enable them to verify the absence of ‘any serious infringement or repeated infringements of customs legislation and taxation rules’ or any record of ‘serious criminal offences relating to … economic activity’.
44. That, then, is the only purpose that may inform the collection of information by the customs authorities. Article 24 does not specify, however, what type of data is appropriate to the attainment of that objective: it falls to the Member States to make that determination, it being clearly understood that such data must be exclusively confined to that which is essential to enable the customs authorities to satisfy themselves as to the (non-)existence of any conduct adversely affecting the reliability of the undertaking’s senior staff.
45. As criteria for establishing whether the aforementioned employees of an undertaking applying for AEO status lack the integrity necessary to enjoy the customs authorities’ trust, Article 24 of Implementing Regulation 2015/2447 uses three categories of infringement:
– ‘[a]ny serious infringement or repeated infringements of customs legislation and taxation rules’. ‘[C]ustoms legislation’ is that defined in Article 5(2) of the Customs Code. (20) Since it is the customs authority itself which manages the application of that body of legislation, it should in principle already have sufficient data in its own right. The Hauptzollamt recognises that it has direct access to the federal databases containing information on customs infringements or infringements relating to the economic activity of the undertaking.
– ‘[a]ny serious infringement or repeated infringements of taxation rules’, an expression which, as the Commission points out, covers a broad range of taxes. (21) In the context of this second category, the customs authorities will have to obtain from third parties the information they need to be sure that the employees of the undertaking applying for AEO status have not been penalised for such unlawful acts.
– ‘serious criminal offences relating to their economic activity’, an expression which, as the Commission states, includes offences which, having been committed by members of its senior management, cause serious damage to the undertaking’s reputation and good standing in relation to customs administration. (22) Once again, these are infringements which the customs authorities will not usually have on record in their own files.
46. What data may the customs authorities gather, under Article 24 of Implementing Regulation 2015/2447, in order to detect the existence of any of those infringements as part of the process of granting AEO status?
47. The Hauptzollamt submits that it must have the tax identification numbers and tax office details of those members of Deutsche Post’s senior management and staff who exercise control over its administration of customs matters. Only in this way, it says, can it establish whether those individuals have committed a serious infringement or repeated infringements of taxation rules, since many taxes in Germany are administered by regional authorities. The tax identification number is the basic item of data it needs in order to be able to submit to those authorities a precise request for the information required on the persons concerned.
48. Deutsche Post, on the other hand, maintains that the income tax position of its employees is irrelevant to an assessment of whether they have committed a serious infringement or repeated infringements of taxation rules. The disclosure of their tax identification numbers is therefore neither essential nor appropriate for the purposes of assessing their reliability in relation to customs administration.
49. From the written observations lodged and the explanations provided at the hearing, it can be inferred that the tax identification number is a personal identifier used in the relationship of natural persons and the German tax authority in a variety of contexts. It is common ground that its principal use lies in the context of the administration of income tax, which explains its connection, in the dispute in the main proceedings, with the details of the tax offices responsible for the assessment of that tax.
50. The interpretation of German law falls not to the Court of Justice but to the referring court. The latter court states that the tax identification numbers assigned by the Bundeszentralamt für Steuern to Deutsche Post’s employees (first sentence of Paragraph 139a(1) of the Abgabenordnung) can be gathered and stored only for the purposes of collecting income tax by deducting it from pay (Paragraph 39e(4), first sentence, point 1, of the Einkommensteuergesetz).
51. According to the referring court, the personal data of Deutsche Post’s employees, which are collected for the purpose set out above, bear no direct relation to the economic activity of that undertaking and are for that reason not relevant to the assessment of the reliability of those employees for customs purposes. (23)
52. I take the view, however, that, from the point of view of customs legislation, there is nothing to stop the German customs authority asking for the tax identification numbers (and income tax assessment office details) of the senior manager and person in charge of customs matters within an undertaking seeking AEO status. Without prejudice to what I shall go on to say about the protection of such personal data, the availability of that information may serve to verify that those individuals have not committed any infringements.
53. The referring court’s argument might be relevant if there were a dissociation (as that court appears to suggest) between the information, necessarily specific to each natural person, obtainable from the tax identification number, on the one hand, and the activity of the undertaking, on the other. The whole purpose of the present analysis, however, is to establish whether the two natural persons performing relevant roles within the undertaking applying for AEO status have engaged, over the course of the last three years, in conduct of their own (that is to say, not attributable to the undertaking) which detracts from their reliability, their lack of integrity — assuming that they were penalised for their past conduct — having infected, so to speak, the undertaking for whose general running or customs administration they are responsible.
B. Article 24 of Implementing Regulation 2015/2447 and the EU legislation on the protection of personal data
54. Like other, similar data of a fiscal nature which has been classified as such by the Court of Justice, (24) the tax identification number constitutes personal data within the meaning of Article 4(1) of Regulation 2016/679, inasmuch as it is information relating to an identified or identifiable person. (25)
55. It would appear from the order for reference that, on account of the federal structure of the German tax system, the details of the tax offices responsible for the assessment of income tax appear to be closely linked to the tax identification number. In that context, those details may be classified, incidentally, as fiscal data relating to an identified or identifiable person.
56. As the referring court points out, the automated tax identification number search facility provides access to particularly sensitive information. (26) It is thus a tool for identifying the holder of that number and for obtaining certain information about his or her private and family life which is in the possession of the administrative authorities.
57. The activity that takes place in connection with tax identification numbers in relations between the customs authority and persons applying for AEO status can be classified as information gathering or as disclosure by transmission. In both scenarios, there is a processing of data within the meaning of Article 4(2) of Regulation 2016/679. The German customs authority asks for the applicants’ tax identification numbers and then structures and uses them in order to ask the competent tax offices for information about any serious infringement or repeated infringements of taxation rules which may have been committed by those persons. The mere acquisition of such data itself constitutes processing, as does, to a greater extent, the later structuring and use of that data to obtain information on the persons concerned. (27)
58. The Court of Justice has also held that that there is a processing of data where data is transferred from one public body to another (28) and also where an employer passes on personal data to a national authority. (29) Consequently, the transmission of the personal data of senior managers and employees by Deutsche Post to the Hauptzollamt constitutes the ‘processing of [personal] data’ for the purposes of Regulation 2016/679.
59. Article 5(1)(b) of Regulation 2016/679 establishes as one of the guiding principles applicable to the processing of personal data the principle of purpose limitation, according to which ‘[p]ersonal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes’. (30)
60. It must be decided, therefore, whether the use by the German customs authorities of the tax identification numbers of the senior managers and persons in charge of customs matters at Deutsche Post, which the latter undertaking is required to provide, is compatible with the objective which the domestic legislation assigns to the collection of that personal data.
61. The national court expresses doubts in this regard (31) and takes the view that there is no direct relationship between the tax identification numbers and tax offices responsible for the income tax assessment of senior managers and employees, on the one hand, and the customs activities of Deutsche Post, on the other. As became apparent at the hearing and as I explained earlier, German law provides for that fiscal data to be used, largely but not exclusively, in the employment relationship between the employer and the worker for the purposes of the collection of income tax.
62. The tax identification numbers (and, incidentally, the details of the tax offices responsible for the assessment of income tax) are, therefore, personal data not intended to be used in the course of dealings between an undertaking and the German customs authority in connection with the acquisition or retention of AEO status. Consequently, what we appear to have here is a processing of personal data which, in principle, is not consistent with the purpose for which that data was collected, contrary to the rule laid down in Article 5(1) (b) of Regulation 2016/679.
63. Such a processing of personal data could, however, be justified. It would be sufficient in this regard, for example, for the natural persons concerned to give their consent, in accordance with Article 6(1)(a) of Regulation 2016/679. It is apparent from the documents before the Court, however, that Deutsche Post’s employees object to the processing of their data, which rules out this solution.
64. Other possible justifications can be found in Article 6(1), (32) according to which the processing of data is lawful where it is necessary ‘for compliance with a legal obligation to which the controller is subject’ [point (c)] or ‘for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ [point (e)]. (33) In both cases, Article 6(3) of Regulation 2016/679 provides that the basis for the processing must be laid down by Union law or Member State law to which the controller is subject.
65. The lawfulness of the request for the processing of personal data which the customs authority makes to Deutsche Post has its basis in the legal obligation (34) incumbent on that authority to verify that AEO status is granted only to undertakings whose senior managers and staff responsible for customs matters have not committed the aforementioned infringements. That legal obligation derives ultimately from Article 24 of Implementing Regulation 2015/2447. I therefore take the view that the justification set out in Article 6(1)(c) of Regulation 2016/679 is present here.
66. The lawfulness of processing the tax identification numbers of the senior manager and person responsible for customs matters within an undertaking as part of the process of granting AEO status may also have a basis in ‘the exercise of official authority vested in the controller’ (Article 6(1)(e) of Regulation 2016/679), (35) since this is unavoidable if the tax authority is to exercise the official authority it has been given to monitor undertakings with AEO status. That status presupposes some delegation of customs control functions to AEOs which is offset by a broad discretion on the part of the administrative authorities to verify and monitor their reliability.
67. The request for, and the processing of, the data at issue in the dispute in the main proceedings, which are lawful inasmuch as they are based on Article 6(1)(c) and (e) of Regulation 2016/679, may impose certain limitations on the rights which Articles 12 to 22 of that regulation confer on the holders of such personal data. It is for the referring court to determine whether the Hauptzollamt, in processing that data, limits any of the rights of the persons concerned, such as, for example, rights of access, rectification, deletion or objection.
68. Any such limitations might be justified by one of the ‘important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security’ (Article 23(1)([e]) of Regulation 2016/679). Any measure imposing such limitations would also have to respect ‘the essence of the fundamental rights and freedoms’ and be ‘necessary and proportionate … in a democratic society’. (36)
69. To my mind, the objective of ensuring the reliability for customs purposes of the senior manager and person responsible for customs matters within an undertaking as part of the process of granting AEO status is an objective of general public interest of the Union and of the German State, from an economic, fiscal and budgetary perspective. Monitoring the reliability of AEOs will benefit the collection of customs duties, which are an EU own resource contributed by the Member States and transferred by them to the EU budget after deduction of a percentage for administration.
70. Any lack of integrity on the part of the senior manager and person responsible for customs matters within an undertaking is something which may compromise that undertaking’s reliability for customs purposes and directly affect the grant of AEO status. (37) As I noted in my Opinion in Impresa di Costruzioni Ing. E. Mantovani and Guerrato, (38) it is perfectly reasonable for any lack of credibility on the part of an undertaking to be assessed through the prism of the unlawful acts carried out by those responsible for its management.
71. The foregoing is the justification for the customs authority being able to investigate the taxation history of those senior managers, including their income tax records. If the senior manager or person responsible for customs matters within an undertaking has committed infringements in connection with the collection of that tax or any other tax, it is my view that the customs authority must be able to obtain information about those infringements.
72. By the same token, the gathering and use of such data are proportionate means of attaining the objective served by Article 24(1) of Implementing Regulation 2015/2447. (39) According to what the Hauptzollamt said at the hearing, there are no other less restrictive alternative means available in German law, since the federal structure of the German State means that some taxes, like income tax, are administered by the regional authorities. The tax identification number is the most appropriate way for the (federal) customs authority to seek and obtain taxation information held by a number of regional authorities. (40)
73. Two final points must be made:
– The customs authority is required by Articles 13 and 14 of Regulation 2016/679 to provide the senior manager and person responsible for customs matters within an undertaking having AEO status with information on how it intends to process their personal data (tax identification number and tax office), so as to enable them to exercise the rights they enjoy under Articles 15 to 22 of Regulation 2016/679.
– The Court of Justice has taken the view that the requirement that personal data must be processed fairly imposes an obligation on a public authority to inform the persons concerned that their data is being transmitted to another public authority so that it can be processed by the latter in its capacity as recipient of that data. (41)
IV. Conclusion
74. In the light of the foregoing, I propose that the Court of Justice reply to the Finanzgericht Düsseldorf (Finance Court, Düsseldorf, Germany) as follows:
(1) The second subparagraph of Article 24(1) of Commission Implementing Regulation (EU) 2015/2447 of 24 November 2015 laying down detailed rules for implementing certain provisions of Regulation (EU) No 952/2013 of the European Parliament and of the Council laying down the Union Customs Code is to be interpreted as meaning that:
– it permits a customs authority to request an undertaking seeking the status of authorised economic operator to disclose the tax identification number and details of the tax office responsible for the assessment of income tax only of ‘the person in charge of the applicant or exercising control over its management and the employee in charge of the applicant’s customs matters’; and
– does not permit the request for that data to be extended to the members of the applicant’s supervisory board or to its other senior managers and employees.
(2) Article 6(1)(c) and (e) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC empowers a customs authority to collect and process personal data, such as tax identification numbers and details of the tax office responsible for the assessment of income tax, relating to the senior manager and person in charge of customers matters within an undertaking seeking the status of authorised economic operator, even if the latter have not consented thereto, with a view to complying with the legal obligation to verify the reliability of that undertaking for customs purposes, laid down in the second subparagraph of Article 24(1) of Implementing Regulation 2015/2447.