Deutsche Post AG v. Hauptzollamt Köln, C‑496/17

An applicant, when applies for the Customs’ AEO status, shall provide to the authority a significant range of personal information. The applicant wondered, aside from the high workload, the matter of violation the individual’s privacy and personal data. CJEU held that this particular process of the customs authorities is granted on the basis that the data collection is adequate, relevant, and not excessive in relation to the achieving a functioning tax system.

Facts

The German Customs Authority, through a self-evaluation questionnaire, requested of Deutsch Post AG, all those natural persons whom are in charge of managing customs matters (or those responsible for dealing with such matters) to sent, among other things, the tax identification numbers and the details of the tax offices responsible for their taxation.

The German Customs Authority stated that, if there were no cooperation, it would be impossible to determine whether the requirements laid down in the German Customs Code, as well as in the Commission Implementing Regulation (2015/2447/EU), were satisfied. If it would be impossible that determination, then the German Customs Authority is obliged to revoke any Customs authorisations held by Deutsche Post.

Deutsche Post AG was concerning the nature and extent of the personal data of third parties that must be submitted so that an undertaking can qualify for the customs status of an authorised economic operator (AEO).

Dispute

According to the EU Regulation 2015/2447, Customs authorities shall, after the recognition of the status of AEO, provide to the customs user some simplifications. For example, Customs authorities shall not re-examine those criteria which have already been examined when granting the status of AEO.

Deutsche Post AG claims that the individuals who are undertaking affected by the fulfilment requirements raised by the German Customs Authority, are numerous. Also claims that some of those individuals are unwilling to agree to the transmission of their personal data. The third claim of Deutsche Post AG was that the collection of tax identification numbers is neither necessary nor appropriate for determining the reliability of entity, in term of customs law, and the verification of the individual tax situation of all the individuals affected is disproportionate in relation to the objective.

The main argument of the German Customs Authority is that the exchange of these data is necessary to ensure unmistakeable identification of the persons in charge of customs duties, as well as that the exchange of these informations is provided only if the entity has evidence of serious or repeated infringements of the tax legislation and only on a case-by-case basis.

Holding

The CJEU held that the reading of the provisions of the German Customs Code, or the provisions of the Commission Implementing Regulation (2015/2447/EU) indicates a list of affected individuals, which list is exhaustive. The persons specified are solely the applicant, the person in charge of the applicant or exercising control over its management, and the employee in charge of the applicant’s customs matters.

Furthermore is delegated that an applicant for AEO status should provide, annexed to the prescribed form for an application for that status, the names and positions within the applicant’s organisation of a more extended list of natural persons than that to be found in the second subparagraph of Article 24(1) of Implementing Regulation 2015/2447. In order the customs authorities may respond to an application for AEO status, the provision implies that the applicant should be permitted access to data that makes it possible to establish that none of the natural persons specified have committed any serious infringements or repeated infringements of customs legislation and taxation rules and/or have any record of serious criminal offences relating to his economic activity. So, the question is if the practice of those authorities involves the processing of personal data, within the meaning of Article 4(2) of Regulation 2016/679, EU legislation on the protection of that data must be respected.

More particularly, the personal data must, under Article 5(1)(b) or 5(1)(c) of Regulation 2016/679, be collected for specified, explicit and legitimate purposes and must be adequate, relevant and not excessive in relation to those purposes, the processing of that data being lawful, under Article 6(1)(c) of that regulation, only if it is necessary for compliance with a legal obligation to which the controller is subject. Inter alia, that entails an obligation to inform the data subjects of the transfer of that data.

The CJEU considered the subsequent collection of that personal data by the customs authorities in order to make a decision on an application for AEO status is clearly necessary to comply with a legal obligation. To that extent, that data is collected, and therefore processed, for specified, explicit and legitimate purposes. Also, these data collection is adequate, relevant, and not excessive in relation to the purposes for which that data is collected.

Under the CJEU’s view the fact of the customs authorities granting AEO status to an operator is the equivalent, in reality, of delegating to that operator some of the customs legislation control functions. Consequently, it is important that, before that status is granted, those authorities can obtain information on the reliability of the applicant for that status.

Finally, having regard to the level of responsibility of the persons in charge of managing customs matters, or those responsible for dealing with such matters, it seems right that Customs Authorities require the questionable process of tax data collection, before the grant of the AEO status to an applicant.

Comment

Finally, having regard to the level of responsibility of the persons in charge of managing customs matters, or those responsible for dealing with such matters, it seems right that Customs Authorities require the questionable process of tax data collection, before the grant of the AEO status to an applicant.

Σχετικά άρθρα:

Article 4(2) of GDPR | Article 5(1)(b) οf GDPR | Article 5(1)(c) of GDPR | Article 6(1)(c) of GDPR | Article 24(1) of Regulation 2015/2447/EU

This case summary was first published on GDPRHub