An international perspective: tax transparency v data protection

Author: Ernest Marais

Service: Andersen Tax


The General Data Protection Privacy Regulation (“GDPR”) came into effect on the 25th of May 2018. The implementation thereof was a non-event for most South Africans, other than being requested by social media networks and apps to consent to their data being used or processed. However, the GDPR has broad, burdensome implications, and failure to give effect thereto may expose financial institutions to risk.

The GDPR applies not only to organisations within the European Union (“EU”) but also to any organisation outside of the EU if it offers goods or services to, or monitors the behaviour of, EU citizens.

Breach of the GDPR may result in a penalty of 4% of the annual global turnover (or €20 million) or a fine of up to 2% of their turnover for not having their records in order. The fine for failure to comply with the GDPR is clearly not inconsequential, and compliance can become intricate when balancing its provisions against the provisions of the Organisation for Economic Development’s and Cooperation’s Common Reporting Standard (“CRS”).

The CRS imposes obligations on financial institutions to exchange tax and financial information on a global level with other countries which have signed up for the CRS. In theory this should not be an area of concern, as a legal obligation is one of the legal grounds to process personal information without the need to obtain explicit consent. Any organisation will be in breach of the GDPR if it exchanges or releases personal information which it is not under a legal obligation to disclose under the CRS. The obligation to report information in terms of the CRS can be complex and continuously subject to change.

By way of example, there is an obligation on a financial institution to report any controlling persons (usually <25% ownership) of a Passive NFE, but no obligation to report the controlling person of an Active NFE.

A Passive NFE is defined in the negative as an entity that is not an Active NFE. An entity is an Active NFE if less than 50% of its income is passive income. The result is that the reporting obligations of a financial institution in respect of an entity may differ from year to year, depending on the financial performance of the relevant entity during that financial year.

Financial institutions, such as banks, can’t take a catch-all approach and report all information, as they risk breaching the GDPR. The tax liability of a taxpayer should not depend on its tax affairs being reported or not; however, incorrect reporting may incite the wrath of the data regulator.