Electronic invoice, excessive and disproportionate data storage in a democratic state: the Privacy Guarantor blocks the new rules on controls of the Revenue Agency and, with the provision of 9 July 2020, points the finger at the excessive retention of information from part of the tax office.
Electronic invoice, checks and excessive data storage in a “democratic state”: the Guarantor for Privacy rejects the Revenue Agency, without words.
In provision of 9 July 2020 again emerges the dissent of the Guarantor for Privacy on storage of electronic invoice data, for a period of 8 years, for the purpose of control by the Revenue Agency and the Guardia di Finanza.
A novelty introduced by Tax decree no. 124/2019, to reinforce the measures of fight against tax evasion in the VAT area. The Revenue Agency has prepared an implementing provision, subject – as required by law – to the scrutiny of the Guarantor Authority for the protection of personal data.
The rejection is total: there is a real risk of damaging taxpayers’ rights and freedoms.
Electronic invoice, checks and excessive data storage: stop of the Privacy Guarantor
The evaluation of the is far from positive Privacy Guarantor on the new ones checks on electronic invoice data. As already highlighted on previous occasions, it is defined as disproportionate data storage relating to the documents sent to the ES.
Regarding the scheme of the new provision sent by the Inland Revenue, the provision of retention, for control purposes, of the data not fiscally relevant and relating to the description of the services provided.
Are approximately 2 billion bills issued each year, also containing detailed data – such as relationships between the transferor and the transferees, description of the services, consumption habits. It’s about sensitive information and far from relevant for tax purposes.
Although it is marginal information in the context of tax controls, the new rules foreseen by the Revenue Agency provision foresee the total storage (and usage) electronic invoice data.
It is not expected no exclusion: all the data contained in electronic invoices, such as those relating to the description of the services provided, would end up in the archives of the tax office for a total of 8 years.
A choice of disproportionate storage and use of data in a democratic state, both in terms of quantity and quality of information being processed, with respect to the objective pursued to combat tax evasion.
- Privacy Guarantor – Provision 9 July 2020
- Opinion on the provision of the Director of the Revenue Agency concerning technical Rules for the issue and receipt of electronic invoices for the supplies of goods and services rendered between residents and established in the territory of the State and for the related changes – July 9, 2020 
Checks on electronic invoices, the Privacy Guarantor rejects the Inland Revenue on the storage of data
The one between the Revenue Agency and the Guarantor for Privacy is an arm wrestling that has lasted for some time. The Authority, in fact, had already invited the legislator to appropriately select the data subject to storage and control, in order not to violate the principle of proportionality of the processing envisaged by the GDPR.
Indications that, considering the contents of the draft scheme sent by the Revenue Agency, are far from respected. But what are the news being prepared by the Financial Administration?
We read in the opinion of 9 July 2020 published by the Guarantor Authority that the provision provides for the introduction of the following new elements:
- the storage of the so-called “integrated invoice data”, or additional information with respect to purely tax information, which can be used for the analysis of the risk of evasion, in order to promote spontaneous compliance and for tax checks;
- l’use of xml files of electronic invoices for the execution of refunds, for tax checks, for inspections or verification, as well as for formal checks on declarations and preventive checks on the provision of refunds from model 730;
- signing one agreement with the Guardia di Finanza for making all the electronic invoice data stored available (tax and non-tax data).
In short, a set of activities that create a total control of the taxpayer’s expenses and activities. A criticality evident in the eyes of the individual citizen, but also of the Guarantor for Privacy.
The news proposed by the Revenue Agency do not pass the stumbling block proportionality of data processing, as they appear in clear violation of:
“Articles 5, par. 1., lett. a), 6, par. 3, 9, 10, 24 and 25 of the GDPR concerning, however, without distinction between types of information or categories of data subjects and detailed personal data, even further than those necessary for tax purposes, relating to the entire population, not proportionate to the This objective of public interest, although legitimate, pursued, not identifying, in accordance with the principles of privacy by design and by default, adequate guarantee measures to ensure data protection, also in relation to those referred to in articles 9 and 10 of the Regulations. “
Criticality also for the evasion risk analysis activities, made through theinterconnection of numerous databases of the Revenue Agency and which provide for the profiling of all taxpayers, even minor ones. In this case, the Guarantor, considering the high risks for the rights and freedoms of the interested parties, intends to carry out further and specific investigations.
The game is not closed, but in the meantime it is time for the Revenue Agency to downsize its control will. Fight against evasion, yes, but without damaging the rights of a democratic state such as Italy, until proven otherwise.