Taxation | The taxman made a gigantic request for information to the banks, received reprimands from the authority

Data protection officer has given the Tax Administration a notice about too extensive requests for information. The note is related to the fact that the Tax Administration has submitted information requests to banks operating in Finland about cross-border account transfers.

In addition to the notice, the data protection commissioner ordered the Tax Administration to delete personal data processed in violation of the data protection regulation and to stop submitting excessively extensive information requests to banks.

The decision is not yet legally binding. It can be appealed to the administrative court.

The investigation by the Office of the Data Protection Commissioner revealed that the Tax Administration had requested information from banks on all account transfers that cross the borders of Finland in the years 2015–2021. The information requests covered, among other things, purchases paid by bank card in foreign stores and online stores.

The tax authority asked the banks to tell, among other things, the amount of payments made by their customers, the date and their customers’ contact information. The tax inspector told the banks that he needed information for the tax audit.

Data protection officer considers that the Tax Administration has not sufficiently considered the risks related to the processing of personal data.

Instead, the Tax Administration’s information requests have covered a significant part of the banks’ customer registers based on the number of account holders. According to the authorized person, the Tax Administration did not limit requests for information based on the size of account transactions, for example, or did not consider children as a group in need of special protection.

For example, for 2018, the three largest datasets submitted by banks to the Tax Administration contained a total of almost 18 million account transactions.

“In terms of the number of account holders, the three largest materials concerned approximately 880,000 account holders, of which approximately 85 percent have been private individuals,” the data protection commissioner writes in the announcement.

The authorized representative emphasizes that nowadays a more detailed picture of a person’s private life can be obtained based on account transactions than before, when the use of cash has increasingly shifted to payment transactions via a bank account.

“Even though the goal of the Tax Administration has been important, the authority’s authority must be strictly limited in matters concerning people’s privacy,” says the Data Protection Commissioner Anu Talus.

According to him, the delimitation of jurisdiction is one of the central cornerstones of the rule of law.

“Its importance has only been emphasized in the midst of world political crises.”

The Data Protection Commissioner reminds that personal data may not be collected or processed more widely than is necessary to fulfill the purpose of use, in this case tax control.

Talus states that, after receiving the materials from the banks, the Tax Administration has limited the account transactions to be examined based on more precise criteria. However, according to the commissioner, the taxman could have limited the information he requested in advance.

From the tax administration STT was told on Tuesday that the tax authority intends to act in accordance with the data protection commissioner’s decision.

“This is where we received a notice and an obligation to change the procedure (for information requests) and to delete the information that we have obtained through the comparative data checks covered by the decision made by the Data Protection Commissioner,” said the leading expert Skill von Konow From the tax administration.

According to von Konow, the fact that the taxpayer has the opportunity to appeal against Talus’s decision does not delay the taxpayer’s reaction to the changes demanded by the commissioner.

“The Data Protection Commissioner has carefully evaluated this matter. The tax assessor makes the changes required by the authorized person in his opinion. It is too early to assess whether the Tax Administration will file a complaint with the Administrative Court or not.”

And does the Tax Administration have a place for self-criticism, when the data protection commissioner now received both a notice and an order?

“It is very clear from the data protection commissioner’s statement that he understands that the taxman has a supervisory need. So it is not a question of the processing of this data being necessary in itself. But the taxman’s means have been too broad from the point of view of the data protection legislation,” commented the leading expert.

According to von Konow, the decision made by the authorized person now means that from now on more resources will be needed both in the Tax Administration and in the banks to process information requests.