GDPR (Regulation EU 2016/679) & the LOPDGDD: Data Protection Rules for Tax Records
Regulation (EU) 2016/679 — the General Data Protection Regulation (GDPR) — together with Spain’s Organic Law 3/2018 (LOPDGDD), governs how tax authorities such as the AEAT, and any gestoría or tax advisory firm, may process taxpayers’ personal data. The LOPDGDD has been in force since 6 December 2018 and applies to every entity in the EU handling third-party fiscal data, whether or not the taxpayer has given consent.
How IgeraGestories automatically resolves RGPD i dades fiscals queries
Legal basis for tax data processing without consent
Art. 6.1.c & 6.1.e GDPR (Regulation EU 2016/679)
Tax authorities and, where applicable, advisory firms acting under a legal mandate process personal data based on compliance with a legal obligation or performance of a public-interest task. Consent from the taxpayer is not required and cannot be withdrawn to block lawful processing, as confirmed by Spanish Supreme Court case law.
Entry into force and scope of the LOPDGDD
Organic Law 3/2018 (LOPDGDD)
In force in Spain since 6 December 2018, the LOPDGDD implements and complements the GDPR at national level. It applies to the AEAT, gestorías, and any entity processing fiscal data of Spanish taxpayers, working alongside — not instead of — the directly applicable EU Regulation.
Data minimisation in fiscal document handling
Art. 5.1.c GDPR
Only personal data strictly necessary for the specific tax procedure at hand — a filing, an audit response, a payroll submission — may be collected or retained. Gestorías should periodically review client files to purge data no longer required for the declared purpose.
Purpose limitation for shared taxpayer records
Art. 5.1.b GDPR
Personal data obtained for one specific, explicit purpose cannot be repurposed for an incompatible use without a new legal basis. Data submitted for a Modelo filing, for instance, cannot later be used for unrelated commercial outreach to the same client.
Record of processing activities for advisory firms
Art. 30 GDPR
Any gestoría processing taxpayer personal data on a regular basis must maintain a written record of processing activities, documenting the categories of data, purposes, retention periods, and legal basis relied upon for each processing operation.
Jurisprudential confirmation of AEAT’s legal basis
Spanish Supreme Court case law applying Art. 6.1 GDPR
Spanish courts have consistently upheld that the AEAT’s processing of taxpayer data rests on legal obligation and public interest grounds under Article 6.1, rejecting challenges premised on the absence of individual consent.
IgeraGestories in action — RGPD i dades fiscals
User
Do I need to give my consent before my gestoría sends my income data to the tax authority?
IgeraGestories
No. Under Article 6.1.c and 6.1.e of the GDPR (Regulation EU 2016/679), the processing and submission of your fiscal data to the tax authority is grounded in a legal obligation and a public-interest task, not in your consent. Your gestoría is required to file accurate data regardless of whether you separately consent, though it must still apply data minimisation under Article 5.1.c and keep a record of processing under Article 30.
Font: Regulation (EU) 2016/679 (GDPR), Art. 6.1.c, 6.1.e & 5.1.c — Organic Law 3/2018 (LOPDGDD), in force since 6/12/2018 — boe.es/buscar/act.php?id=BOE-A-2018-16673
Frequently asked questions — RGPD i dades fiscals
Does the tax authority need my consent to process my personal data?
No. Under Article 6.1.c and 6.1.e GDPR, tax authorities such as the AEAT process personal data on the basis of a legal obligation or a task carried out in the public interest, not consent. Spain’s Supreme Court has confirmed this interpretation, meaning taxpayers cannot object to lawful fiscal data processing on consent-withdrawal grounds.
Can a gestoría or tax advisory firm rely on the same legal basis as the AEAT?
A gestoría acting under a mandate to file returns on a client’s behalf typically relies on Article 6.1.b (performance of a contract) combined with 6.1.c (compliance with a legal obligation) when it must submit data to the AEAT. It must still document this basis in its record of processing activities under Article 30 GDPR.
What does the principle of data minimisation mean in a tax context?
Data minimisation (Article 5.1.c GDPR) requires that only the personal data strictly necessary for the specific tax procedure be collected and processed. A gestoría should not request or retain identity or financial documents beyond what a given filing or audit requires.
What is purpose limitation and how does it affect shared client data?
Purpose limitation (Article 5.1.b GDPR) means personal data collected for one declared purpose — for example, filing a VAT return — cannot later be reused for an unrelated purpose, such as marketing, without a new, compatible legal basis.
Is the LOPDGDD a separate law from the GDPR, or does it replace it?
The LOPDGDD (Organic Law 3/2018) does not replace the GDPR; it complements and implements it within Spain, in force since 6 December 2018. Both instruments apply simultaneously, and the GDPR takes precedence as a directly applicable EU Regulation whenever the two overlap.
Does this data protection framework apply to gestorías outside Spain?
The GDPR applies directly across all EU member states, so any tax advisory firm processing personal data of EU residents is bound by the same principles, regardless of where it is established. National implementing laws like the LOPDGDD add detail specific to Spain but do not narrow the GDPR’s EU-wide scope.
Is this information legal advice?
No. This content is informational only and does not constitute tax or legal advice. For a specific data protection or fiscal compliance matter, consult a registered gestor or a qualified lawyer (abogado colegiado).
