The importance of information in the technological advances of recent years and the challenges it entails for people's privacy have made the right to the protection of personal data one of the main protagonists of the legal conflicts that are emerging around new technologies, to the point of having been described in some forums as the fundamental right of the 21st century.

Information is, without a doubt, the main raw material that tax authorities need to function. The efficiency and effectiveness of tax systems is therefore clearly being favoured by the development of information processing systems over the last decade, systems that constitute the most important tools on which a modern tax administration relies.

Therefore, tax law is not alien to the legal importance of the right to data protection and in recent years we have been able to see how its invocation has increased in relation to the procedures followed for the application of taxes.

A recent example of this is the one that led to Judgment 5692/2023 (ECLI:ES:TS:2023:5692) of November 22, of the Contentious-Administrative Chamber of the Supreme Court.

The subject of the appeal was a resolution by the Director of the Spanish Data Protection Agency that rejected a claim filed against the AEAT for breach of its obligation to protect and maintain the confidentiality of the claimant's personal data. The claimant alleged that his personal data had been used in a VAT and Personal Income Tax verification and inspection procedure carried out against another person (his daughter-in-law). Specifically, the settlement agreements included his name and surname, ID number, family ties with third parties and financial and property data.

The Supreme Court raised (ATS 14736/2022 - ECLI:ES:TS:2022:14736), as a matter of cassation interest, " whether the actions of the State Tax Administration Agency violate article 8 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights with the inclusion of any personal data of third parties not interested in the tax procedures, and whether their processing in said procedures is considered a transfer of personal data based on compliance with a legal obligation for the purposes of current data protection regulations ”.

To resolve the issue, it starts from recognizing that the data processing carried out by a tax administration has been subject to Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, relating to the protection of individuals. with regard to the processing of personal data and the free circulation of these data (GDPR) and Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPD).

Consequently, it starts from affirming that art. 6 of the GDPR when it determines the cases in which the processing of personal data can be considered lawful, thus satisfying the first of the principles established in its art. 5 when it requires that personal data be processed lawfully.

Among the legal cases established in section 1 of art. 6 of the GDPR, considers that those provided for in letters c) “ may apply to the processing of personal data by a tax administration in its functions of applying the tax system: “ the processing is necessary for compliance with a legal obligation applicable to the data controller; ##1##” and e) “ the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller ”, so that the provisions of art. 8 of the LOPD would apply when, for the first case, it requires that said obligation be provided for in “ a rule of European Union Law or a rule with the rank of law ” and, for the second case, that “ derives from a competence conferred by a rule with the rank of law ”.

According to the Supreme Court, the processing of personal data by the AEAT in the files for the application of taxes is legitimate insofar as it involves both compliance with a legal obligation relating to the efficient management of tax collection and the prosecution of tax fraud, which serves an objective of general interest, in accordance with the provisions of articles 31 and 103 of the Constitution, and motivating the resolutions it adopts in accordance with the provisions of art. 102.2 c) of Law 58/2003, of December 17, General Tax Law (LGT).

It is not trivial that the basis of legitimization for the treatment is compliance with a legal obligation (art. 6.1.c of the GDPR) since this has the consequence that the exercise of the right of opposition is not possible, which art. 22 of the GDPR limits processing based on the provisions of article 6, section 1, letters e) of) .

However, the legality or legitimacy of the processing is not the only principle that the processing of personal data must respect, but rather art. 5 of the GDPR contemplates other principles at issue, which the Supreme Court considers were respected in the case prosecuted.

Thus, in the case under consideration, the principle of proportionality or data minimization was respected, since the data processed were adequate, pertinent and limited to what was necessary in relation to the purposes for which they were processed, that is, the effective application of taxes, as provided for in article 5 of the LGT, within the framework of the powers of the AEAT.

The principle of limitation of purpose was not violated either, which in the tax field has its own recognition when art. 34.1.i of the LGT recognizes the right of taxpayers to the confidential nature of their data, since said precept allows the use of the data by the tax administration for the application of taxes or resources whose management is entrusted to it and for the imposition of sanctions , as occurred in the case analyzed.

Finally, there is no possibility of considering a violation of the principle of confidentiality, which art. 95 of the LGT specifically imposes on tax authorities when they declare confidential the data, reports or background information they have obtained in the performance of their functions, since the data were used, as indicated in said precept, for the effective application of the taxes or resources whose management is entrusted to , being, therefore, an authorized and lawful treatment.

Consequently, there is no doubt that the Tax Authorities are entitled to process, in the course of processing and resolving the tax management, inspection or collection procedures for which they are competent, personal data, including those of third parties other than the taxpayer subject to the administrative file, provided, of course, that such processing in the specific case is suitable, adequate, pertinent and necessary for determining the facts and the motivation of the resolutions adopted.