Swedish Tax Authority – Court Ruling (Luxembourg, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Luxembourgish Tax Authority's request for tax information from a company regarding Swedish residents led to a court ruling. The court upheld the authority's demand for data, emphasizing the importance of compliance with tax regulations. Businesses must be prepared to provide information when requested by tax authorities, while still adhering to data protection laws.
What happened
The Luxembourgish Tax Authority requested tax-related information from a company about Swedish data subjects, which was upheld by the court.
Who was affected
Swedish residents whose tax information was requested by the Luxembourgish Tax Authority.
What the authority found
The court ruled that the company must comply with the authority's request for information, affirming the legality of the request under national law.
Why this matters
This case illustrates the balance between tax compliance and data protection. Companies should be aware of their obligations to provide information to tax authorities while ensuring they protect personal data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In 2025, the Luxembourgish Tax Authority (the controller) requested a Luxembourgish company to provide it with tax related information from several Swedish data subjects, following a request for assistance from the Swedish Tax Authority. The controller requested information related to one specific data subject, but also requested a complete list of data subjects who held a specific type of loan with the company (including Swedish residents). The purpose was to verify data subjects’ tax situation. The company filed a case with the Administrative Court in September 2025, seeking to appeal the request. The court dismissed this decision, and the company provided the controller with the information. The company anonymised the data that was not related to the specific data subject and Swedish residents in order to comply with data minimisation requirements under the GDPR (Article 5(1)(c) GDPR). The controller requested the complete information, and fined the company €79,000 for refusing to provide it. The company filed a claim with the Administrative Court, who dismissed it and upheld the fine. The decision was then appealed by the company to the court, seeking to overturn the fine. The company argued that it had complied with the controller’s request while complying with the GDPR, and that information of data subjects that were not tax residents in Sweden would likely not be relevant for the controller. The controller argued that the request was justified under national law. The court dismissed the company’s appeal regarding data minimisation, but partly upheld the appeal regarding the fine. The court considered that the company did not comply with the controller’s decision, as it did not provide a complete list of data subjects holding a specific loan type with the company. The court dismissed the company’s data minimisation argument; according to the court, the company did not substantiate its argument as it did not refer to specific articles of the GDPR. Finally, t
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Swedish Tax Authority in LU
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Swedish Tax Authority - Luxembourg (2026). Retrieved from cookiefines.eu
Last updated: