SPF Finances – Complaint Upheld (Belgium, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Belgium's Data Protection Authority upheld a complaint against the Belgian tax authority for sharing personal data with the US under the FATCA agreement. The complaint argued that this data sharing violated several GDPR principles, including transparency and data minimization. This decision highlights the tension between international tax agreements and privacy rights.
What happened
The Belgian tax authority shared personal data of US citizens in Belgium with the US under the FATCA agreement.
Who was affected
US citizens living in Belgium whose banking information was shared with US tax authorities.
What the authority found
The Belgian DPA found that the data sharing under FATCA conflicted with GDPR principles like transparency and data minimization.
Why this matters
This case underscores the challenges of balancing international agreements with GDPR compliance. Companies and authorities should carefully assess how international data sharing agreements align with GDPR requirements.
GDPR Articles Cited
The data subject holds both Belgian and US nationality. Under US tax regulation, he was subject to the US tax system because of his nationality. To collect information and tax from Americans living abroad, the US signed agreements with other countries under the Foreign Account Tax Compliance Act (FATCA). In Belgium this implied that banks were obliged to inform the tax authorities if a US citizen had an account in Belgium. In May 2020, the bank where the data subject had an account informed him that it was legally obliged to inform the tax authorities that the data subject had an account, as well as his name, address, jurisdiction of residence, tax identification number, date of birth, account balance, account number and other information relating to his bank assets. On 22 December 2022, the data subject and the Association Accidental Americans of Belgium filed a complaint with the Belgian DPA. The DPA joined the cases. Under Article 17(1)(d) GDPR the data subject requested that the tax authority delete his data obtained on the basis of the FATCA agreement and under Article 18(1)(b) GDPR to limit the processing thereof. The complainants also requested to stop the exchange of information between the Belgian and US administrations on the basis of the FATCA agreement. They considered that this processing, based on the FATCA agreement, violated Articles 45, 46 and 49 GDPR, the principle of purpose limitation (Article 5(1)(b) GDPR), proportionality and data limitation (5(1)(c) GDPR), storage limitation (5(1)(e) GDPR), transparency (Articles 12 to 14 GDPR) and that an impact assessment should have been carried out (Article 35 GDPR). The Belgian administration argued that under Article 96 GDPR, the FATCA agreement (and therefore the transfer) was valid. This article states that international agreements existing before the GDPR remain in force provided that they comply with applicable legislation at the time they were concluded. Following the complaint, the DPA's inv
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for SPF Finances in BE
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. SPF Finances - Belgium (2023). Retrieved from cookiefines.eu
Last updated: