Regulation 2020/283 - Amendment of Regulation (EU) No 904/2010 as regards measures to strengthen administrative cooperation in order to combat VAT fraud

1.

Legislative text

2.3.2020   

EN

Official Journal of the European Union

L 62/1

 

COUNCIL REGULATION (EU) 2020/283

of 18 February 2020

amending Regulation (EU) No 904/2010 as regards measures to strengthen administrative cooperation in order to combat VAT fraud

THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 113 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Parliament (1),

Having regard to the opinion of the European Economic and Social Committee (2),

Acting in accordance with a special legislative procedure,

Whereas:

 

(1)

Council Regulation (EU) No 904/2010 (3) lays down rules, inter alia, on the storage and exchange through electronic means of specific information in the field of value added tax (VAT).

 

(2)

The growth of electronic commerce (‘e-commerce’) facilitates the cross-border sale of goods and services to final consumers in Member States. In that context, cross-border e-commerce refers to supplies upon which the VAT is due in a Member State, but the supplier is established in another Member State, in a third territory or in a third country. However, fraudulent businesses, established either in a Member State, in a third territory or in a third country, exploit e-commerce opportunities in order to gain unfair market advantages by evading their VAT obligations. Where the principle of taxation at destination applies, since consumers have no accounting obligations, the Member States of consumption need appropriate tools to detect and control such fraudulent businesses. It is important to combat cross-border VAT fraud caused by the fraudulent behaviour of some businesses in the area of cross-border e-commerce.

 

(3)

To date, cooperation between the tax authorities of the Member States (the ‘tax authorities’) to combat VAT fraud has been usually based on records held by the businesses which are directly involved in the taxable transaction. In cross-border business-to-consumer supplies, which are typical within the field of e-commerce, it is possible that such information is not directly available. Thus new tools are necessary to enable tax authorities to combat VAT fraud in an effective way.

 

(4)

For the vast majority of cross-border online purchases made by consumers in the Union, payments are executed through payment service providers. In order to provide payment services, a payment service provider holds specific information to identify the recipient, or payee, of the cross-border payment together with details of the date, the amount and the Member State of origin of the payment. Such information is necessary for tax authorities to carry out their basic tasks of detecting fraudulent businesses and determining VAT liabilities in relation to cross-border business-to-consumer’ supplies. It is therefore necessary and proportionate that the VAT-relevant information, held by payment service providers, is made available to the Member States and that the Member States can store it in their national electronic systems and transmit it to a central electronic system of payment information in order to detect and combat cross-border VAT fraud, particularly as regards business-to-consumer’ supplies.

 

(5)

Giving Member States the tools to collect, store and transmit the information provided by payment service providers and giving Eurofisc liaison officials access to that information when it is connected to an investigation into suspected VAT fraud or in order to detect VAT fraud is a necessary and proportionate measure to combat effectively VAT fraud. Those tools are essential as tax authorities need that information for VAT control purposes, to protect public revenues as well as legitimate businesses in the Member States which in turn protect employment and the citizens of the Union.

 

(6)

It is important that the processing by the Member States, of information relating to payments, is proportionate to the objective of combating VAT fraud. Therefore, information on consumers or payers and on payments not likely to be connected to economic activities should not be collected, stored or transmitted by the Member States.

 

(7)

In order to achieve the objective of combating VAT fraud more effectively, a central electronic system of payment information (‘CESOP’), to which Member States transmit the payment information they collect and can store at national level, should be established. CESOP should store, aggregate and analyse, in relation to individual payees, all VAT relevant information regarding payments transmitted by Member States. CESOP should allow for a full overview of payments received by payees from payers located in the Member States and make available to the Eurofisc liaison officials the result of specific analyses of information. CESOP should be able to recognise multiple records of the same payment, for example the same payment could be reported both from the bank and the card issuer of a given payer, to clean the information received from the Member States, for example by removing duplicates and correcting errors in data, and should allow Eurofisc liaison officials to cross-check payment information with the VAT information they hold, to make enquiries for the purpose of an investigation into suspected VAT fraud or in order to detect VAT fraud and to add supplementary information.

 

(8)

Taxation is an important objective of general public interest of the Union and of the Member States and this has been recognised in relation to the restrictions that can be imposed on the obligations and rights provided for in Regulation (EU) 2016/679 of the European Parliament and of the Council (4) and in Regulation (EU) 2018/1725 of the European Parliament and of the Council (5). Limitations in relation to data protection rights are necessary due to the nature and volume of the information which originates from payment service providers and are to be based on the specific conditions laid down in Council Directive (EU) 2020/284 (6). Since payment information is particularly sensitive, clarity is needed at all stages of data handling on who is the controller or the processor in accordance with Regulations (EU) 2016/679 and (EU) No 2018/1725.

 

(9)

Therefore, it is necessary to apply restrictions to the data subject rights in accordance with Regulation (EU) No 904/2010. In fact, the full application of the rights and obligations of the data subjects would seriously undermine the objective of effectively combating VAT fraud and would allow the data subjects to obstruct ongoing analysis and investigations due to the massive volume of information sent by the payment service providers and the possible proliferation of requests from data subjects to the Member States, the Commission or both. This would diminish the capacity of tax authorities to pursue the objective of this Regulation by jeopardizing enquiries, analysis, investigations and procedures carried out in accordance with this Regulation. Therefore, restrictions to the data subject rights should apply when processing information in accordance with this Regulation. The objective of combating VAT fraud cannot be achieved by other less restrictive means of equal effectiveness.

 

(10)

Only the Eurofisc liaison officials should access the payment information stored in CESOP and only with the objective of combating VAT fraud. That information could be used, in addition to the assessment of VAT, also for the assessment of other levies, duties and taxes as established by Regulation (EU) No 904/2010. That information should not be used for other purposes, such as commercial purposes.

 

(11)

When processing the payment information in accordance with this Regulation, each Member State should respect the limits of what is proportionate and necessary for the purpose of investigations into suspected VAT fraud or in order to detect VAT fraud.

 

(12)

It is important, in order to safeguard the rights and obligations under Regulation (EU) 2016/679, that information in relation to payments is not used for automated individual decision-making and should therefore always be verified by reference to other tax information available to the tax authorities.

 

(13)

In order to assist Member States in combating tax fraud and detecting fraudsters, it is necessary and proportionate that payment service providers keep records of the information regarding payees and payments in relation to the payment services they provide for three calendar years. That period provides sufficient time for Member States to carry out controls effectively and to investigate suspected VAT fraud or to detect VAT fraud, and it is also proportionate considering the massive volume of the payment information and its sensitivity in terms of protection of personal data.

 

(14)

Whereas Eurofisc liaison officials should be able to access the payment information stored in CESOP with the objective of combating VAT fraud, duly accredited persons of the Commission should be able to access that information only for the purpose of developing and maintaining CESOP. All persons accessing that information are bound by the confidentiality rules laid down in Regulation (EU) No 904/2010.

 

(15)

As the implementation of the CESOP will require new technological developments, it is necessary to defer the application of this Regulation to allow Member States and the Commission to develop those technologies.

 

(16)

In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission in respect of the technical measures for establishing and maintaining CESOP, the tasks of the Commission for technically managing CESOP, the technical details guaranteeing the connection and overall operability between the national electronic systems and CESOP, the electronic standard forms for collecting information from the payment service providers, the technical and other details concerning the access to information by the Eurofisc liaison officials, the practical arrangements for identifying the Eurofisc liaison officials who have access to CESOP, the procedures allowing the adoption of the appropriate technical and organisational security measures for the development and operation of the CESOP, the roles and responsibilities of the Member States and the Commission when acting as controller and processor under Regulations (EU) 2016/679 and (EU) No 2018/1725 and in respect of the procedural arrangements in relation to Eurofisc. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (7).

 

(17)

VAT fraud is a common problem for all Member States. Member States alone do not have the information necessary to ensure that the VAT rules regarding cross-border e-commerce are correctly applied or to combat VAT fraud in cross-border e-commerce. Since the objective of this Regulation, namely to combat VAT fraud, cannot be sufficiently achieved by the Member States in the cases of cross-border e-commerce but can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

 

(18)

This Regulation respects the fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union, in particular the right of protection of personal data. In that regard, this Regulation strictly limits the amount of personal data that is to be made available to the Member States. The processing of payment information pursuant to this Regulation should only occur for the purpose of combating VAT fraud.

 

(19)

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 14 March 2019 (8).

 

(20)

Regulation (EU) No 904/2010 should therefore be amended accordingly,

HAS ADOPTED THIS REGULATION:

Article 1

Regulation (EU) No 904/2010 is amended as follows:

 

(1)

in Article 2, the following points are added:

 

‘(s)

“payment service provider” means any of the categories of payment service providers listed in points (a) to (d) of Article 1(1) of Directive (EU) 2015/2366 of the European Parliament and of the Council (*1) or a natural or legal person benefiting from an exemption in accordance with Article 32 of that Directive;

 

(t)

“payment” means, subject to the exclusions provided for in Article 3 of Directive (EU) 2015/2366, a “payment transaction” as defined in point (5) of Article 4 of that Directive or a “money remittance” as defined in point (22) of Article 4 of that Directive;

 

(u)

“payer” means “payer” as defined in point (8) of Article 4 of Directive (EU) 2015/2366;

 

(v)

“payee” means “payee” as defined in point (9) of Article 4 of Directive (EU) 2015/2366.

(*1)  Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35).’;"

 

(2)

Chapter V is amended as follows:

 

(a)

the title of Chapter V is replaced by the following:

‘COLLECTION, STORAGE AND EXCHANGE OF SPECIFIC INFORMATION’;

 

(b)

the following heading is inserted before Article 17:

‘SECTION 1

Automated access to specific information stored in national electronic systems ’;

 

(c)

the following Section is inserted after Article 24:

‘SECTION 2

The central electronic system of payment information

Article 24a

The Commission shall develop, maintain, host and technically manage a central electronic system of payment information (“CESOP”) for the purpose of investigations into suspected VAT fraud or in order to detect VAT fraud.

Article 24b

  • 1. 
    Each Member State shall collect the information on the payees and the payments referred to in Article 243b of Directive 2006/112/EC.

Each Member State shall collect the information referred to in the first subparagraph from payment service providers:

 

(a)

no later than by the end of the month following the calendar quarter to which the information relates;

 

(b)

by means of an electronic standard form.

  • 2. 
    Each Member State may store the information collected in accordance with paragraph 1 in a national electronic system.
  • 3. 
    The central liaison office, or the liaison departments or competent officials designated by the competent authority of each Member State, shall transmit to CESOP the information collected in accordance with paragraph 1 no later than the tenth day of the second month following the calendar quarter to which the information relates.

Article 24c

  • 1. 
    The CESOP shall have the following capabilities with regard to information transmitted in accordance with Article 24b(3):
 

(a)

to store the information;

 

(b)

to aggregate the information in respect of each individual payee;

 

(c)

to analyse the information stored, together with the relevant targeted information communicated or collected pursuant to this Regulation;

 

(d)

to make the information referred to in points (a), (b) and (c) of this paragraph accessible to Eurofisc liaison officials, as referred to in Article 36(1).

  • 2. 
    CESOP shall retain the information referred to in paragraph 1 for a maximum period of five years from the end of the year in which the information was transmitted to it.

Article 24d

The access to CESOP shall only be granted to Eurofisc liaison officials, as referred to in Article 36(1), who hold a personal user identification for CESOP and where that access is in connection with an investigation into suspected VAT fraud or is to detect VAT fraud.

Article 24e

The Commission shall adopt by means of implementing acts the following:

 

(a)

the technical measures for establishing and maintaining CESOP;

 

(b)

the tasks of the Commission for technically managing CESOP;

 

(c)

the technical details of the infrastructure and tools required to guarantee the connection and overall operability between the national electronic systems referred to in Article 24b and CESOP;

 

(d)

the electronic standard forms referred to in point (b) of the second subparagraph of Article 24b(1);

 

(e)

the technical and other details concerning the access to the information referred to in point (d) of Article 24c(1);

 

(f)

the practical arrangements to identify the Eurofisc liaison officials, as referred to in Article 36(1), who will have access to CESOP in accordance with Article 24d;

 

(g)

the procedures to be used by the Commission at all times which ensure that the appropriate technical and organisational security measures for the development and operation of CESOP are applied;

 

(h)

the roles and responsibilities of the Member States and the Commission as regards the functions of controller and processor under Regulation (EU) 2016/679 of the European Parliament and of the Council (*2) and Regulation (EU) 2018/1725 of the European Parliament and of the Council (*3).

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 58(2).

Article 24f

  • 1. 
    The costs of establishing, operating and maintaining CESOP shall be borne by the general budget of the Union. These costs shall include those of the secure connection between CESOP and the national electronic systems referred to in Article 24b(2), and those of the services necessary to carry out the capabilities which are listed in Article 24c(1).
  • 2. 
    Each Member State shall bear the costs of and shall be responsible for all necessary developments to its national electronic system referred to in Article 24b(2).’;

(*2)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1)."

(*3)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39)."

 

(3)

Article 37 is replaced by the following:

‘Article 37

  • 1. 
    The Eurofisc chairperson shall submit an annual report on the activities of all of the working fields to the Committee referred to in Article 58(1). The annual report shall at least contain:
 

(a)

the total number of accesses to CESOP;

 

(b)

the operational results based on the information accessed and processed pursuant to Article 24d, as identified by Eurofisc liaison officials;

 

(c)

a quality assessment of the data processed in CESOP.

  • 2. 
    The Commission shall adopt by means of implementing acts the procedural arrangements in relation to Eurofisc. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 58(2).’;
 

(4)

in Article 55, the following paragraph is inserted:

‘1a.   The information referred to in Section 2 of Chapter V shall only be used for the purposes referred to in paragraph 1 and where it has been verified by reference to other tax information available to the competent authorities of the Member States.’.

Article 2

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

It shall apply from 1 January 2024.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 18 February 2020.

For the Council

The President

  • Z. 
    MARIĆ
 

  • (1) 
    Opinion of 17 December 2019 (not yet published in the Official Journal).
  • (3) 
    Council Regulation (EU) No 904/2010 of 7 October 2010 on administrative cooperation and combating fraud in the field of value added tax (OJ L 268, 12.10.2010, p. 1).
  • (4) 
    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
  • (5) 
    Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
  • (6) 
    Council Directive (EU) 2020/284 of 18 February 2020 amending Directive 2006/112/EC as regards introducing certain requirements for payment service providers (see page 7 of this Official Journal).
  • (7) 
    Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).
 

This summary has been adopted from EUR-Lex.