News

GDPR and Tax Office Requests for Document Submission – Limits of Obligation and Personal Data Protection in Taxpayer Practice

There is growing uncertainty as to whether providing documents containing personal data to a tax authority upon its request is compliant with GDPR. This concern is particularly relevant in situations where the authority requests contracts, invoices, statements, or correspondence containing data of contractors, employees, or board members.

Legal Basis for Personal Data Processing by Tax Authorities

Pursuant to Article 45 of the Act of 16 November 2016 on the National Revenue Administration (KAS Act), KAS authorities, including tax offices, have the right to request the provision of documents containing personal data for the purpose of performing statutory tasks and to process such information, including personal data. Entities obliged to provide these documents may be subject to penalties in case of refusal.

Providing personal data in response to a proper request from the authority does not violate GDPR. Data processing in this context is based on:

  • Article 6(1)(c) GDPR – processing is necessary for compliance with a legal obligation to which the data controller is subject;
  • Article 6(1)(e) GDPR – processing is necessary for the performance of a task carried out in the public interest.

In practice, this means that submitting documents upon a formal request from a tax authority is lawful when it is related to the taxpayer’s statutory obligations. GDPR does not limit the powers of authorities derived from national law, including the Tax Ordinance.

Scope of Data Requests and the Principle of Minimization

Lawful data provision does not imply unlimited authority in requesting information. Under the principle of data minimization (Article 5(1)(c) GDPR), the authority should request only information necessary for the specific purpose of the proceeding.

If the request encompasses data beyond the scope of the proceeding, the taxpayer is entitled to request clarification of the legal basis and the purpose of processing. The obligation to cooperate with the authority does not eliminate the taxpayer’s duty to protect the personal data of third parties.

Information Duty and Transparency

Tax authorities, as data controllers, are obliged to comply with the information duties under GDPR. In practice, this means that communications addressed to taxpayers should include information on:

  • the data controller,
  • the legal basis and purpose of processing,
  • the rights of data subjects.

At the same time, pursuant to Article 14(5)(c) GDPR, the information duty towards data subjects does not apply if processing is explicitly provided for by EU or national law and includes measures safeguarding the interests of data subjects.

Third-Party Data in Documents

Special attention should be given to third-party data – contractors, employees, or board members – contained in documents. Providing such data to the tax authority is lawful if the documents are relevant to the proceeding and the processing is based on a legal obligation.

Obtaining additional consent from third parties is not required; however, the data controller should limit the transmitted data to what is adequate and necessary for the purpose of the proceeding.

Summary

  • Providing documents containing personal data to a tax office upon its request is GDPR-compliant if it arises from a legal obligation.
  • The legal basis is provided by specific provisions, including the KAS Act.
  • Consent of the data subjects or compliance with the information duty under Articles 14(1)-(4) GDPR is not required.
  • A GDPR breach may occur only if there is no legal basis, the scope of data exceeds necessity, or the principles of minimization and purpose limitation are violated.

GDPR does not shield entities from public-law obligations but ensures that the execution of such obligations respects legality, proportionality, and transparency. Taxpayers should consciously reconcile their tax obligations with personal data protection duties, limiting transmitted information to the minimum necessary and documenting the purpose of processing.

 

Attorney-at-law Ewa Lejman

Legal Assistant Julia Sośniak

Author

Ewa Lejman

Partner, Attorney at Law, Tax Advisor

Ewa Lejman

related posts

New powers for the Financial Ombudsman – draft amendments aimed at protecting customers of financial market entities
9 March 2026

New powers for the Financial Ombudsman – draft amendments aimed at protecting customers of financial market entities

New powers for the Financial Ombudsman – draft amendments aimed at protecting customers of financial market entities
How Does the Ministry of Health’s Communication Affect the Beauty Industry?
23 February 2026

How Does the Ministry of Health’s Communication Affect the Beauty Industry?

How Does the Ministry of Health’s Communication Affect the Beauty Industry?
Mandatory PKD (Polish Classification of Activities) in Company Agreements/Articles of Association
9 February 2026

Mandatory PKD (Polish Classification of Activities) in Company Agreements/Articles of Association

Mandatory PKD (Polish Classification of Activities) in Company Agreements/Articles of Association
A new chapter for Poland’s investment fund market — ETFs, QIF and regulatory reform
2 February 2026

A new chapter for Poland’s investment fund market — ETFs, QIF and regulatory reform

A new chapter for Poland’s investment fund market — ETFs, QIF and regulatory reform
All