Council Regulation (EU) No 904/2010 (3) lays down rules, inter alia, on the storage and exchange through electronic means of specific information in the field of value added tax (VAT).
(2)
The growth of electronic commerce (‘e-commerce’) facilitates the cross-border sale of goods and services to final consumers in Member States. In that context, cross-border e-commerce refers to supplies upon which the VAT is due in a Member State, but the supplier is established in another Member State, in a third territory or in a third country. However, fraudulent businesses, established either in a Member State, in a third territory or in a third country, exploit e-commerce opportunities in order to gain unfair market advantages by evading their VAT obligations. Where the principle of taxation at destination applies, since consumers have no accounting obligations, the Member States of consumption need appropriate tools to detect and control such fraudulent businesses. It is important to combat cross-border VAT fraud caused by the fraudulent behaviour of some businesses in the area of cross-border e-commerce.
(3)
To date, cooperation between the tax authorities of the Member States (the ‘tax authorities’) to combat VAT fraud has been usually based on records held by the businesses which are directly involved in the taxable transaction. In cross-border business-to-consumer supplies, which are typical within the field of e-commerce, it is possible that such information is not directly available. Thus new tools are necessary to enable tax authorities to combat VAT fraud in an effective way.
(4)
For the vast majority of cross-border online purchases made by consumers in the Union, payments are executed through payment service providers. In order to provide payment services, a payment service provider holds specific information to identify the recipient, or payee, of the cross-border payment together with details of the date, the amount and the Member State of origin of the payment. Such information is necessary for tax authorities to carry out their basic tasks of detecting fraudulent businesses and determining VAT liabilities in relation to cross-border business-to-consumer’ supplies. It is therefore necessary and proportionate that the VAT-relevant information, held by payment service providers, is made available to the Member States and that the Member States can store it in their national electronic systems and transmit it to a central electronic system of payment information in order to detect and combat cross-border VAT fraud, particularly as regards business-to-consumer’ supplies.
(5)
Giving Member States the tools to collect, store and transmit the information provided by payment service providers and giving Eurofisc liaison officials access to that information when it is connected to an investigation into suspected VAT fraud or in order to detect VAT fraud is a necessary and proportionate measure to combat effectively VAT fraud. Those tools are essential as tax authorities need that information for VAT control purposes, to protect public revenues as well as legitimate businesses in the Member States which in turn protect employment and the citizens of the Union.
(6)
It is important that the processing by the Member States, of information relating to payments, is proportionate to the objective of combating VAT fraud. Therefore, information on consumers or payers and on payments not likely to be connected to economic activities should not be collected, stored or transmitted by the Member States.
(7)
In order to achieve the objective of combating VAT fraud more effectively, a central electronic system of payment information (‘CESOP’), to which Member States transmit the payment information they collect and can store at national level, should be established. CESOP should store, aggregate and analyse, in relation to individual payees, all VAT relevant information regarding payments transmitted by Member States. CESOP should allow for a full overview of payments received by payees from payers located in the Member States and make available to the Eurofisc liaison officials the result of specific analyses of information. CESOP should be able to recognise multiple records of the same payment, for example the same payment could be reported both from the bank and the card issuer of a given payer, to clean the information received from the Member States, for example by removing duplicates and correcting errors in data, and should allow Eurofisc liaison officials to cross-check payment information with the VAT information they hold, to make enquiries for the purpose of an investigation into suspected VAT fraud or in order to detect VAT fraud and to add supplementary information.
(8)
Taxation is an important objective of general public interest of the Union and of the Member States and this has been recognised in relation to the restrictions that can be imposed on the obligations and rights provided for in Regulation (EU) 2016/679 of the European Parliament and of the Council (4) and in Regulation (EU) 2018/1725 of the European Parliament and of the Council (5). Limitations in relation to data protection rights are necessary due to the nature and volume of the information which originates from payment service providers and are to be based on the specific conditions laid down in Council Directive (EU) 2020/284 (6). Since payment information is particularly sensitive, clarity is needed at all stages of data handling on who is the controller or the processor in accordance with Regulations (EU) 2016/679 and (EU) No 2018/1725.
(9)
Therefore, it is necessary to apply restrictions to the data subject rights in accordance with Regulation (EU) No 904/2010. In fact, the full application of the rights and obligations of the data subjects would seriously undermine the objective of effectively combating VAT fraud and would allow the data subjects to obstruct ongoing analysis and investigations due to the massive volume of information sent by the payment service providers and the possible proliferation of requests from data subjects to the Member States, the Commission or both. This would diminish the capacity of tax authorities to pursue the objective of this Regulation by jeopardizing enquiries, analysis, investigations and procedures carried out in accordance with this Regulation. Therefore, restrictions to the data subject rights should apply when processing information in accordance with this Regulation. The objective of combating VAT fraud cannot be achieved by other less restrictive means of equal effectiveness.
(10)
Only the Eurofisc liaison officials should access the payment information stored in CESOP and only with the objective of combating VAT fraud. That information could be used, in addition to the assessment of VAT, also for the assessment of other levies, duties and taxes as established by Regulation (EU) No 904/2010. That information should not be used for other purposes, such as commercial purposes.
(11)
When processing the payment information in accordance with this Regulation, each Member State should respect the limits of what is proportionate and necessary for the purpose of investigations into suspected VAT fraud or in order to detect VAT fraud.
(12)
It is important, in order to safeguard the rights and obligations under Regulation (EU) 2016/679, that information in relation to payments is not used for automated individual decision-making and should therefore always be verified by reference to other tax information available to the tax authorities.
(13)
In order to assist Member States in combating tax fraud and detecting fraudsters, it is necessary and proportionate that payment service providers keep records of the information regarding payees and payments in relation to the payment services they provide for three calendar years. That period provides sufficient time for Member States to carry out controls effectively and to investigate suspected VAT fraud or to detect VAT fraud, and it is also proportionate considering the massive volume of the payment information and its sensitivity in terms of protection of personal data.
(14)
Whereas Eurofisc liaison officials should be able to access the payment information stored in CESOP with the objective of combating VAT fraud, duly accredited persons of the Commission should be able to access that information only for the purpose of developing and maintaining CESOP. All persons accessing that information are bound by the confidentiality rules laid down in Regulation (EU) No 904/2010.
(15)
As the implementation of the CESOP will require new technological developments, it is necessary to defer the application of this Regulation to allow Member States and the Commission to develop those technologies.
(16)
In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission in respect of the technical measures for establishing and maintaining CESOP, the tasks of the Commission for technically managing CESOP, the technical details guaranteeing the connection and overall operability between the national electronic systems and CESOP, the electronic standard forms for collecting information from the payment service providers, the technical and other details concerning the access to information by the Eurofisc liaison officials, the practical arrangements for identifying the Eurofisc liaison officials who have access to CESOP, the procedures allowing the adoption of the appropriate technical and organisational security measures for the development and operation of the CESOP, the roles and responsibilities of the Member States and the Commission when acting as controller and processor under Regulations (EU) 2016/679 and (EU) No 2018/1725 and in respect of the procedural arrangements in relation to Eurofisc. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (7).
(17)
VAT fraud is a common problem for all Member States. Member States alone do not have the information necessary to ensure that the VAT rules regarding cross-border e-commerce are correctly applied or to combat VAT fraud in cross-border e-commerce. Since the objective of this Regulation, namely to combat VAT fraud, cannot be sufficiently achieved by the Member States in the cases of cross-border e-commerce but can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.
(18)
This Regulation respects the fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union, in particular the right of protection of personal data. In that regard, this Regulation strictly limits the amount of personal data that is to be made available to the Member States. The processing of payment information pursuant to this Regulation should only occur for the purpose of combating VAT fraud.
(19)
The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 14 March 2019 (8).
(20)
Regulation (EU) No 904/2010 should therefore be amended accordingly,