Wird diese Nachricht nicht richtig dargestellt, klicken Sie bitte hier.

Heuking Kühn Lüer Wojtek

Update Data Protection
IP, Media & Technology

No. 72 | 2020-02-14


Tax advisers are not processors
Dr. Philip Kempermann, LL.M.


Many companies take advantage of the services of tax advisers. In addition to classical tax consultancy, tax advisers often take on other tasks, such as a company’s payroll accounting. For these tasks to be performed, the personal data of the employees has to be transferred to the tax advisor. Until recently, there has been a debate around how to classify such transfers under data protection law. German lawmakers have sought to create clarity on this issue with an amendment of Section 11 of the German Tax Consulting Act (Steuerberatungsgesetz, StBerG) that came into force at the start of 2020.

Background

If external service providers are used and they need to process personal data in the course of their duties, a processing agreement pursuant to Art. 28 GDPR may be required. GDPR defines a processor as someone who acts in accordance with the controller’s instructions. This means a processing agreement is not required if the service provider performs their duties autonomously. In these cases, the “agent” is not a processor, but rather a controller itself. It is undisputed that tax advisors performing their core task of tax consultancy represent such a case of autonomy. They perform these tasks independently and at their own responsibility (Section 57 StBerG) and thus are considered a controller.

Previous legal position

However, to date there have been different positions on how, from a data protection point of view, to assess a tax advisor’s activities that go beyond this core duty. Specifically, there has been a debate around how to classify the ancillary tasks set out in Section 6 no. 4 StBerG, which state that tasks including the posting of current transactions, current payroll accounting and the production of wage tax returns are not exclusively reserved to tax advisers and the other persons set out in Sections 3, 3a, 4 StBerG. Some data protection authorities took this as a justification to exclude these activities from the core area of a tax advisor’s activities (e.g. www.baden-wuerttemberg.datenschutz.de/steuerberater-und-lohnbuchhaltung/). These activities were thus not deemed to be performed at the tax advisors’ own responsibility – in other words, autonomously. According to this view, a tax adviser’s ancillary tasks would consequently require a processing agreement.

Conversely, other supervisory authorities and the tax advisers’ professional associations were of the opinion that these ancillary activities do indeed constitute the autonomous fulfillment of tasks. Accordingly, a processing agreement was not required.

New legal position

The amendment of Section 11 StBerG has brought clarity on this controversial issue. According to Section 11 (2) sentence 1 StBerG (new version), acts covered under Section 3 StBerG are performed autonomously. Under Section 11 (2) sentence 2 StBerG (new version), persons performing the acts are data controllers within the meaning of GDPR. Section 3 StBerG focuses on ancillary commercial activities related to tax matters, i.e. the full spectrum of tasks performed by a tax adviser. Section 5 StBerG also applies to the ancillary tasks set out in Section 6 (4) StBerG. Overall, then, a processing agreement is not required in cases where a tax adviser acts for a client, provided the tax adviser is performing the tasks covered by the StBerG. He or she is always acting autonomously. According to the explanatory memorandum, the reason for the rule is that, when performing the ancillary activities set out in Section 6 (4) StBerG, a tax adviser is involved in fiscal assessments, as a consequence is subject to the relevant professional obligations and is thus working independently and autonomously.

Finally, Section 11 (2) sentence 3 StBerG states that the processing of especially sensitive data as defined in Art. 9 GDPR, such as health data, is permissible in order to perform the tasks. This, too, is a clarification.

Conclusion and practical consequences

In terms of legal clarity, the amendments are to be welcomed: they remove the inconsistent views of the regulatory authorities. Anyone who hires a tax adviser no longer needs to ensure a processing agreement is in place for ancillary activities because the tax adviser is an independent data controller. That notwithstanding, as with any processing of personal data, there must be a legal basis for processing under Art. 6 GDPR for the data transfer.

Conversely, the amendment means that as data controllers, tax advisers bear sole responsibility for complying with all duties under GDPR. In certain special constellations, joint responsibility pursuant to Art. 26 GDPR between the tax adviser and the client may come into question. However, this depends on how the individual contractual relationship is managed.

The lawmakers’ decision to classify payroll accounting as part of a tax adviser’s autonomous activity equivalent to tax consultancy can be criticized. Payroll accounting is more of a bookkeeping exercise and, due to its nature, is subject to much stricter instructions than tax consultancy services. This thus gives the tax adviser a preferential status compared to other service providers operating in the same field.

Further, there is some doubt as to whether the national legislation can indeed make rules concerning data controllers and order processing at all. This modifies provisions of GDPR which, as higher-ranking EU law, can in principle only be amended by the EU legislator. Although the last part of Art. 4 no. 7 GDPR, which deals with issues around controllers, can be understood to mean that national legislators can make more specific determinations about controllers, Art. 28 GDPR does not contain an exemption clause. Indirectly, however, the German legislator influences Art. 28 GDPR by removing activities from the scope of application of the norm via the feature of the freedom of instructions. However, the question of the regulatory competence of the German legislation in this context requires judicial clarification. Until then Section 11 StBerG in its existing form applies.

Author


Dr. Philip Kempermann, LL.M., is a lawyer at Heuking Kühn Lüer Wojtek and member of the practice group IP, Media & Technology.

Contact

T +49 211 600 55-168
F +49 211 600 55-160
E datenschutz@heuking.de

Visit our Website with focus on Data Protection Law:
Microsite Data Protection

Task Force Data Protection
Heuking Kühn Lüer Wojtek
Dr. Christian Appelbaum
Heuking Kühn Lüer Wojtek
Dr. Ubbo Aßmus
Heuking Kühn Lüer Wojtek
Dr. Felix Drefs
Heuking Kühn Lüer Wojtek
Alexa Finke, LL.M.
Heuking Kühn Lüer Wojtek
Regina Glaser, LL.M.
Heuking Kühn Lüer Wojtek
Torsten Groß, LL.M.
Heuking Kühn Lüer Wojtek
Maike Katharina Hinz
Heuking Kühn Lüer Wojtek
Britta Hinzpeter, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Thomas Jansen
Heuking Kühn Lüer Wojtek
Dr. Philip Kempermann, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Lutz Martin Keppeler
Heuking Kühn Lüer Wojtek
Dr. Markus Klinger
Heuking Kühn Lüer Wojtek
Michael Kuska, LL.M., LL.M.
Heuking Kühn Lüer Wojtek
Astrid Luedtke
Heuking Kühn Lüer Wojtek
Marcel Maybaum
Heuking Kühn Lüer Wojtek
Antje Münch, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Søren Pietzcker, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Wolfgang G. Renner, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Dirk Stolz
Heuking Kühn Lüer Wojtek
Dr. Frederik Wiemer
Heuking Kühn Lüer Wojtek
Dr. Florian Winzer
Heuking Kühn Lüer Wojtek
Dr. Hans Markus Wulf





I want to
unsubscribe

subscribe









Heuking Kühn Lüer Wojtek
© 2020 Heuking Kühn Lüer Wojtek

PartGmbB von Rechtsanwälten und Steuerberatern*
Georg-Glock-Str. 4, 40474 Düsseldorf

* Data protection information / register details / list of partners: www.heuking.de

Information on how Heuking Kühn Lüer Wojtek handles your personal data,
the purposes for processing your data, the legal basis for processing,
and on your rights can be found at www.heuking.de.

datenschutz@heuking.de