The key role personal data processing plays in online administration necessitates Spanish Tax Authorities (STA) to improve the protection of personal electronic data in Spain. The STA has unprecedented access to citizens data, however safeguards against abuse of personal data exist.
Personal data rights
The right to personal data is protected under article eight of the European Union’s Charter of Fundament Rights which ensures lawful, fair and transparent processing of personal data. Article eight gives data subjects the right to access, rectify, erase and oppose the processing of their personal data. The right to access requires the STA to disclose the origin, use and communications regarding personal electronic data. The right to access is reinforced by article 15 of the EU Directive 95/46/EC, General Data Protection Regulation (GDPR) which commenced on 25 May 2018.
The Spanish Constitutional Court established criteria mandating the STA to provide data subjects with information regarding their personal data. Upon request from a data subject, the STA must provide information regarding: the origin and purpose of all personal data being used and processed; data obtained via profiling or automatic processing; foreseen future use and duration of storage of data. When data information is requested, the data controller have one month to provide the requested information. The STA should ensure data is accessible, concise and transparent.
Storage – personal electronic data in Spain
Storage of personal data raises concerns regarding the duration and location of storage, and whether administrative bodies can exchange personal data. The duration of storage depends on purpose and use of data, once data is no longer needed, it should be deleted. The explanatory memorandum of the GDPR mandates storage periods should be kept to a minimum.
Scope of personal data
The right to access applies to personal data, but the scope of “personal data” is very broad, encompassing all data identifying an individual. Thus, it provides flexibility, but also ambiguity. For example, it is unclear when the STA can deny access. A case in the Spanish Supreme Court of Justice (Administrative Appeal Number 5672/2005) considered the scope of personal data, where the Plaintiff requested extensive information from the STA. The Court ordered the STA to provide the Plaintiff with all the requested information save for the identity of the data official managing the Plaintiff’s data.
There is a lack of efficient deterrence for STAs to make infringements. In practice, when a tax administration violates their data obligations, the Data Protection Agency usually allows the STA to rectify the infringement without punishment. One way to improve deterrence, would be to introduce a data compensation system.
There are uncertainties around the STA’s use of personal electronic data in Spain, but safeguards exist to protect the right to personal data.