Understanding the legal basis for personal data processing is fundamental to DAC8 compliance. This article examines the specific GDPR provisions that authorize the collection and transmission of user data for tax reporting purposes.

Article 6(1)(c) GDPR: Legal Obligation

The primary legal basis for DAC8 data processing is Article 6(1)(c) of GDPR, which permits processing that is necessary for compliance with a legal obligation to which the controller is subject. DAC8 — once transposed into national law — constitutes such a legal obligation.

This basis authorizes the collection of identification data (name, address, date of birth), tax-specific data (TINs, self-certifications, tax residency), and the transaction data required for reporting, as well as the transmission of this data to the competent tax authority.

Article 9 GDPR: Special Categories

DAC8 does not generally require the processing of special category data (such as health data, political opinions, or biometric data). However, CASPs should be aware that identity documents collected for due diligence may contain photographs (biometric data), and in some jurisdictions, TINs may encode information about ethnicity or religion. Where special category data is unavoidable, additional GDPR safeguards may apply.

Article 6(1)(e): Public Interest

Tax authorities processing DAC8 data rely on Article 6(1)(e) — processing necessary for the performance of a task carried out in the public interest. Tax collection and the prevention of tax evasion are recognized as legitimate public interest objectives under EU law.

Data Protection Impact Assessment

Given the scale and sensitivity of DAC8 data processing, CASPs should consider conducting a Data Protection Impact Assessment (DPIA) under Article 35 of GDPR. A DPIA is likely required when processing involves systematic and extensive evaluation of personal aspects of individuals, processing of sensitive data on a large scale, or systematic monitoring of publicly accessible areas.

The large-scale processing of financial transaction data for DAC8 purposes may trigger the DPIA requirement, particularly for major exchanges with millions of users.

Conclusion

The legal basis for DAC8 data processing is well-established under GDPR, but CASPs must implement appropriate safeguards and document their processing activities thoroughly. A DPIA is recommended for CASPs with significant user bases.
