Data Protection

General information on the implementation of the data protection provisions of Articles 12 to 14 of the General Data Protection Regulation within the tax administration

Foreword

Almost all citizens and companies sooner or later come into contact with the tax administration – particularly their local tax offices – because they need to submit tax returns and pay taxes, as well as claiming tax refunds or child benefit. To perform these procedures, it is necessary to process taxpayers’ personal data.

The following information relates to the processing of personal data for tax purposes in situations where the German Fiscal Code (Abgabenordnung) is directly or indirectly applicable. It does not cover the processing of personal data by customs authorities (e.g. in relation to customs duties, import VAT and motor vehicle tax).

In the context of the taxation procedure, data is regarded as personal data if it can be attributed to a natural person, an entity such as a corporation, an association or a pool of assets. Anonymised or pseudonymised data is not classified as personal data.

The processing of personal data by the revenue authorities includes collecting, storing, using, transferring, making available for retrieval, or deleting this data.

In the following sections, you can find more information about which personal data we collect, who we collect it from, and what we do with this data. We also inform you about your rights when it comes to data protection issues and who you can contact in this regard.

Who are we?

“We” are the revenue authorities of the Federation and the Länder (federal states). We are responsible for processing personal data for tax purposes.

Who can you contact if you have questions?

If you have questions relating to data protection issues, you can contact the competent revenue authority, which is represented by the authority’s management.

Generally, the tax offices are responsible for processing personal data. In the case of child benefit, the family benefits offices (Familienkassen) are responsible. The other revenue authorities (e.g. the Federal Ministry of Finance, the Federal Central Tax Office (Bundeszentralamt für Steuern), the regional finance offices, tax offices of each Land (state)) are only responsible for processing personal data to the extent that they need to process this data in order to perform their statutory tasks.

Additionally, you can contact the data protection officer of the respective competent revenue authority.

You can find the contact details for the state-level revenue authorities at www.finanzamt.de (under the respective overview for the Land in question), for the Federal Ministry of Finance at www.bundesfinanzministerium.de and for the Federal Central Tax Office and the family benefit offices at https://www.bzst.de/EN/Home/home_node.html.

For what purposes do we process your personal data?

We need personal data in order to fulfil our task of assessing and collecting taxes in a uniform manner in accordance with the provisions of the Fiscal Code and Germany’s tax laws (section 85 of the Fiscal Code).

Your personal data is processed within the taxation procedure for which it has been collected (section 29b of the Fiscal Code). If we wish to process personal data that was collected for a taxation procedure for other tax-related or non-tax related purposes, this is only allowed in the cases that are explicitly permitted under the law (further processing in accordance with section 29c (1) of the Fiscal Code).

Example of processing:
The data collected by the revenue authority with the income tax return is processed as part of the assessment of income tax.

Example of further processing:
In certain cases, individual tax bases are determined separately (e.g. income from a holding in a partnership). For these purposes, the information from the respective section of the tax return is processed in a separate procedure, known as the determination procedure. The tax bases that are determined in this way are communicated, together with other data that is necessary, to the revenue authorities that are responsible for the taxation of the parties involved. These authorities subject the received data to further processing, by taking this data into account in tax assessment procedures, e.g. with regard to income tax.

The tax offices (Finanzämter) administer the following taxes in particular:

• income tax (including wages tax and capital income tax),
• corporation tax,
• solidarity surcharge,
• church tax (Exception: Free State of Bavaria),
• trade tax,
• inheritance and gift tax,
• real property tax,
• value added tax (excluding import VAT),
• real property transfer tax,
• betting and lottery tax.

Pursuant to section 5 of the Fiscal Administration Act (Finanzverwaltungsgesetz), the Federal Central Tax Office is responsible for the following tasks in particular:

• issuing tax identification numbers (IdNr.),
• generating electronic parameters for withholding wages tax (ELStAM),
• participating in field audits,
• granting refunds of and exemptions from German withholding taxes,
• the centralised compilation and evaluation of documents on external tax relations,
• refunding input tax to companies,
• issuing VAT identification numbers (USt-ID),
• processing applications for child benefits, where the Federal Central Tax Office supports the family benefit agencies.

Which personal data do we process?

We process the following personal data in particular:

Personal information and contact details,

• e.g. given and family names, address, date of birth, place of birth, tax number, identification number, e-mail address, telephone number.

Information that is necessary for determining and collecting taxes, e.g.

• income (e.g. wages/salary, business income, income from renting and leasing, capital income, pensions),
• expenditure (e.g. work-related expenses, business expenses, special expenses and extraordinary financial burdens),
• taxes withheld by third parties (e.g. wages tax, capital income tax, solidarity surcharge, church tax),
• marital status and number of children, if applicable,
• wages tax class,
• profession,
• bank details,
• information about taxes paid or refunded,
• information about tax returns submitted, applications submitted and appeals lodged.

Similarly, we only collect certain categories of personal data, known as "sensitive data", if this data is necessary for the taxation procedure. For example, we need details about a taxpayer’s religious affiliation in order to deduct payments of church tax as a special expense, or we need information about medical conditions or disabilities in order to deduct related expenses as extraordinary financial burdens. We mainly collect your personal data directly from you, e.g. from your tax returns and any correspondence or applications you have submitted.

Additionally, we collect personal data concerning you from third parties, to the extent that these parties are legally obliged to share information with us.

Examples:

• In the wages tax statements that they provide, employers share data about items such as wages, withheld taxes and remitted social security contributions,
• In the pension payment notifications that they provide, pension providers share data about items such as pension payments and contributions to health insurance and long-term care insurance,
• Private health insurance companies share data about items such as contributions to health insurance and long-term care insurance that have been paid and (if applicable) refunded,
• Social security authorities share data about wage-replacement benefits,
• Banks share data on capital income that is exempt from the withholding of capital income tax,
• Local authorities share data on business registrations and registration data relating to individuals’ place of residence,
• Notaries share data on property sales, partnership contracts, inheritance contracts and gift/donation contracts,
• Authorities share data about payments and administrative acts,
• Public service broadcasters share data about fees.

In addition to this, we receive information that is relevant to taxation from other revenue authorities or as part of international exchanges of information.

If it is not possible for us to clarify facts and circumstances that are relevant for taxation with your assistance, we are permitted to also obtain personal data relating to you by requesting it from third parties (e.g. requests for information from employers). During enforcement proceedings, we can obtain data from third party debtors (e.g. banks or employers).

In addition, we may process information that is publicly available (e.g. from the media, public registers or public announcements).

How do we process this data?

As part of the taxation procedure, which is largely computer-based, your personal data is stored and then used as a basis for the (generally automated) tax assessment and collection procedure. We employ technical and organisational security measures to protect your personal data against accidental or unlawful destruction, loss, or alteration as well as unauthorised disclosure or unauthorised access. Our security standards always conform to the most recent technological developments.

We only make legally binding decisions on the basis of “fully automated” processing of personal data where this is legally permissible (e.g. fully automated tax assessment notices pursuant to section 155 (4) of the Fiscal Code).

Under which conditions are we allowed to share your data with third parties?

Any personal data that becomes known to us as part of a taxation procedure may only be shared with other individuals or entities (e.g. tax courts, health insurers, pension providers or other authorities) if you have provided your consent or if it is legally permissible to share this data.

Examples:

• Notifications of the base amounts of property tax and trade tax to the local authorities that are responsible for the assessment and collection of property tax and trade tax,
• Notifications to public-law entities (e.g. chambers of trade and commerce, guilds) for the purposes of determining certain charges that are linked to tax bases, base amounts of non-personal taxes, or tax amounts,
• Notifications to the statutory social security system, to the Federal Labour Agency and to the Artists’ Social Security Fund, insofar as knowledge of personal data is necessary to determine insurance requirements or to assess contributions, including artists’ social security contributions,
• Notifications to the social security authorities for the purposes of combating illegal employment and benefit fraud,
• Notifications from the family benefit agencies to public-sector payroll offices for the purposes of determining salary components that are linked to child benefit.

How long do we store your data?

We are required to store personal data for as long as it is necessary for the tax procedure. The statutory limitation periods for taxes (Sections 169 to 171 of the Tax Code and Sections 228 to 232 of the Tax Code) serve as a guideline.

We are also allowed to store personal data relating to you for processing in future tax procedures (Section 88a of the Tax Code).

What rights do you have (right of access, right to object, etc.)?

You have various rights under the General Data Protection Regulation. Details of these rights can be found mainly in Articles 15 to 18 and Article 21 of the General Data Protection Regulation.

• Right of access
  You can obtain information from us about your personal data that we process. In your application for information, you should explain your query in detail, to make it easier for us to collate the necessary data. If possible, you should provide details in your application about the specific administrative procedure (e.g. type of tax and year) and the stage of the procedure (e.g. assessment, enforcement) in question.
• Right to rectification
  If the data concerning you is not accurate, or is no longer accurate, you have the right to demand that the data be rectified. If your data is not complete, you have the right to have it completed.
• Right to erasure
  You have the right to demand that your personal data be erased. Your right to erasure is dependent on, among other things, whether we still require data concerning you in order to fulfil our statutory tasks (see point 7 above).
• Right to restriction of processing
  You have the right to demand a restriction of processing of personal data concerning you. The restriction does not preclude processing of the data if there is an important public interest (e.g. lawful and uniform taxation) connected to the processing.
• Right to object
  You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you. However, we are not able to comply with this objection if there is an overriding public interest in the processing of your data or a legal provision obliges us to perform the processing (e.g. carrying out taxation).
• Right to lodge a complaint
  If you feel that we have not complied with your request, or have not complied with it fully, you can lodge a complaint with the competent data protection supervisory authority. You can find the contact details for Germany’s federal and state-level data protection supervisory authorities here: www.datenschutz.de/projektpartner(only in German).

General notes on these rights
In certain cases, we cannot, or may not, comply with your requests (sections 32c to 32f of the Fiscal Code). To the extent that this is legally permissible, we will in these cases always inform you about the reason for the refusal.

We will generally respond within a month of receiving your request. In the event that we need longer than a month to definitively clarify the matter, you will receive an interim response.

Where can you obtain further information?

You can find further information here:

• Finance Ministry circular regarding data protection in tax administration procedures (only in German) of 12 January 2018 (see Federal Tax Gazette 2018 Part I p. 183, or the Federal Ministry of Finance’s website www.bundesfinanzministerium.de under “Themen” > “Steuern” > “Steuerverwaltung & Steuerrecht” > “Abgabenordnung” > “BMF-Schreiben / Allgemeines”) and
• the Finance Ministry brochure "An ABC of Taxes" (available at www.bundesfinanzministerium.de under “Resources” > “Publications” > “Our Brochures”).

Download this general information as a PDF document

Here you can download the information above on implementing the data protection guidelines of Articles 12 through 14 of the General Data Protection Regulation in tax administration (PDF, 605KB, File does not meet accessibility standards)

Data protection at My BOP

General

Data protection and data security for citizens have the highest priority for the tax administration. That's why protecting your personal information while you use our websites is very important to us. This privacy statement explains what information we collect on our servers during your visit to our websites and how this information is used.
Operator of this website is the Federal Central Tax Office (BZSt), An der Küppe 1, 53225 Bonn.

Records

When you visit our website, our web server temporarily logs the following data for system security purposes: The domain name or IP address of the requesting computer as well as the access date, the client's file request (file name and URL), the date and time of the request, the number of bytes transferred during the connection and the HTTP response code. The temporarily stored data will not be evaluated for usage profiles and will not be passed on to third parties. The stored data is evaluated exclusively for security purposes and for troubleshooting purposes. The IP addresses of the requesting computers are automatically deleted after seven days at the latest. Any additional personal data such as name, address, telephone number, tax number or Email address will only be recorded if you for example voluntarily provide this information during registration with My BOP.
To protect your personal data against unauthorized access and misuse by third parties, we have taken extensive technical security precautions. Our security procedures are checked regularly and meet the state of the art specifications.
Active components such as Javascript or Java Applets are used in our information services. These functions can be deactivated in the settings of your Internet browser. You can check the authenticity of our website with our certificate. The certificate was issued by www.elsteronline.de, as My BOP is operated jointly with My ELSTER (Bavarian State Office for Taxation, Division IuK 12, Meiserstraße 8, 80333 Munich).