The importance of information in the technological advances of recent years and the challenges it entails for people's privacy have made the right to the protection of personal data one of the main protagonists of the legal conflicts that are emerging around new technologies, to the point of having been described in some forums as the fundamental right of the 21st century.

Information is, without a doubt, the main raw material that tax authorities need to function. The efficiency and effectiveness of tax systems is therefore clearly being favoured by the development of information processing systems over the last decade, systems that constitute the most important tools on which a modern tax administration relies.

Therefore, tax law is not alien to the legal importance of the right to data protection and in recent years we have been able to see how its invocation has increased in relation to the procedures followed for the application of taxes.

A recent example of this is the one that led to Judgment 5692/2023 (ECLI:ES:TS:2023:5692) of November 22, of the Contentious-Administrative Chamber of the Supreme Court.

The subject of the appeal was a resolution by the Director of the Spanish Data Protection Agency that rejected a claim filed against the AEAT for breach of its obligation to protect and maintain the confidentiality of the claimant's personal data. The complainant alleged that his personal data had been used in a VAT and personal income tax audit and inspection procedure carried out against another person (his daughter-in-law). Specifically, the settlement agreements included his name and surname, ID number, family ties with third parties and financial and property data.

The Supreme Court raised (ATS 14736/2022 - ECLI:ES:TS:2022:14736), as a matter of cassation interest, " whether the actions of the State Tax Administration Agency violate article 8 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights with the inclusion of any personal data of third parties not interested in the tax procedures, and whether their processing in said procedures is considered a transfer of personal data based on compliance with a legal obligation for the purposes of current data protection regulations ”.

To resolve the issue, it is necessary to recognize that the data processing carried out by a tax administration is subject to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and to Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (LOPD).

Consequently, part of the argument is that art. 6 of the GDPR is applicable to such processing when it determines the cases in which the processing of personal data may be deemed lawful, thus satisfying the first of the principles established in art. 5 when it requires that personal data be processed lawfully.

Among the assumptions of legality established in section 1 of art. 6 of the GDPR, it is considered that those provided for in letters c) “ the treatment is necessary for compliance with a legal obligation applicable to the data controller; ” and e) “ the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller ”, so that the provisions of art. 8 of the LOPD would apply when, for the first case, it requires that said obligation be provided for in “ a rule of European Union Law or a rule with the rank of law ” and, for the second case, that “ derives from a competence conferred by a rule with the rank of law ”.

According to the Supreme Court, the processing of personal data by the AEAT in the files for the application of taxes is legitimate insofar as it involves both compliance with a legal obligation relating to the efficient management of tax collection and the prosecution of tax fraud, which serves an objective of general interest, in accordance with the provisions of articles 31 and 103 of the Constitution, and motivating the resolutions it adopts in accordance with the provisions of art. 102.2 c) of Law 58/2003, of December 17, General Tax Law (LGT).

It is not trivial that the basis of legitimacy for the treatment is the fulfillment of a legal obligation (art. 6.1.c of the GDPR) since this has the consequence that the exercise of the right of opposition is not possible, which art. 22 of the GDPR limits to treatments based on the provisions of article , section 1, letters e) or f) .

However, the lawfulness or legitimacy of the processing is not the only principle that must be respected in the processing of personal data, but art. 5 of the GDPR contemplates other principles called into question, which the Supreme Court considers were respected in the case under trial.

Thus, in the case under consideration, the principle of proportionality or data minimization was respected, since the data processed were adequate, pertinent and limited to what was necessary in relation to the purposes for which they were processed, that is, the effective application of taxes, as provided for in article 5 of the LGT, within the framework of the powers of the AEAT.

The principle of limitation of purpose was not violated either, which in the tax field has its own recognition when art. 34.1.i of the LGT recognizes the right of taxpayers to the confidential nature of their data, since said precept allows the use of the data by the tax administration for the application of taxes or resources whose management is entrusted to it and for the imposition of sanctions , as occurred in the case analyzed.

Finally, there is no possibility of considering a violation of the principle of confidentiality, which art. 95 of the LGT specifically imposes on tax authorities when they declare confidential the data, reports or background information they have obtained in the performance of their functions, since the data were used, as indicated in said precept, for the effective application of the taxes or resources whose management is entrusted to , being, therefore, an authorized and lawful treatment.

Consequently, there is no doubt that the Tax Authorities are entitled to process, in the course of processing and resolving the tax management, inspection or collection procedures for which they are competent, personal data, including those of third parties other than the taxpayer subject to the administrative file, provided, of course, that such processing in the specific case is suitable, adequate, pertinent and necessary for determining the facts and the motivation of the resolutions adopted.