DAC8 requires CASPs to collect, process, and transmit significant volumes of personal data. This creates a tension with the EU's General Data Protection Regulation (GDPR), which imposes strict requirements on the processing of personal data. Navigating this tension is a key compliance challenge.
The Fundamental Tension
GDPR's core principles — data minimization, purpose limitation, storage limitation, and individual rights — exist in tension with DAC8's requirement for comprehensive data collection, long-term retention, and transmission to tax authorities. CASPs must find the balance between collecting everything DAC8 requires and processing only what GDPR permits.
Legal Basis for Processing
The primary legal basis for processing personal data under DAC8 is Article 6(1)(c) of GDPR — compliance with a legal obligation. This means CASPs do not need user consent to collect and report the data required by DAC8. The reporting obligation itself provides the legal basis.
However, the legal obligation basis only covers data processing that is necessary for DAC8 compliance. Processing personal data beyond what DAC8 requires — for example, using DAC8 data for marketing purposes — would require a separate legal basis.
GDPR Principles Applied to DAC8
Data minimization. CASPs should collect only the data fields required by DAC8 and should not use the directive as justification for collecting additional personal data beyond what is necessary for reporting.
Purpose limitation. Data collected for DAC8 purposes should be used only for DAC8 compliance and should not be repurposed for unrelated business activities without a separate legal basis.
Accuracy. GDPR requires that personal data be accurate and kept up to date. This aligns with DAC8's requirement for accurate reporting and supports the need for regular validation of user data.
Storage limitation. Personal data should be retained only for as long as necessary. For DAC8, the retention period is determined by national transposition legislation, typically five to ten years. After this period, the data must be deleted.
Conclusion
DAC8 and GDPR can coexist when CASPs implement clear data governance policies that distinguish between DAC8-mandated processing and other data activities. The legal obligation basis under GDPR provides a solid foundation for DAC8 compliance, but CASPs must respect GDPR's boundaries.