
This page was last updated in April 2025.
GDPR rights vs. information reporting
The General Data Protection Regulation (GDPR) provides individuals in the EU with robust rights over their personal data, focusing on privacy, consent, and control. However, these rights can sometimes come into tension with global financial transparency and automatic exchange of information (AEOI) initiatives such as the Foreign Account Tax Compliance Act (FATCA) and the Common Reporting Standard (CRS), which require financial institutions to share personal and financial data with tax authorities.
Quick reference:
GDPR rights
Under GDPR, individuals are granted a range of rights aimed at ensuring their personal data is handled responsibly.
Key rights include:
- Individuals have the right to know what personal data is collected, how it is used, and with whom it is shared.
- Individuals can request that inaccurate or unnecessary data be corrected or deleted.
- People can limit how their data is used, particularly if they object to certain uses or if data is processed unlawfully.
- Individuals can request that their data be transferred to another entity.
- People can object to how their personal data is used, especially for marketing purposes or other forms of profiling.
Transparency and Information Reporting (FATCA/CRS)
FATCA (U.S.-driven) and CRS (OECD-driven) are global initiatives designed to prevent tax evasion by promoting transparency in financial accounts held abroad. Financial institutions must report details about account holders’ personal and financial data to their home country’s tax authority, which then exchanges this data with other jurisdictions.
Key elements of these regimes include:
- Financial institutions are required to disclose information about account holders, including identifying details, account balances, and transaction data.
- Information is shared between tax authorities globally under automatic exchange agreements.
- Unlike GDPR, FATCA/CRS does not require explicit consent from individuals for data collection and sharing, as it is mandated by law for tax compliance purposes.
Tension between GDPR and FATCA/CRS
The tension between GDPR rights and transparency under FATCA/CRS arises from the clash between data protection and the legal obligations of financial institutions:
1. Consent and Transparency: Under GDPR, individuals must be informed about how their data is processed and, in many cases, must provide consent. In contrast, FATCA/CRS obligates financial institutions to report certain data without seeking explicit consent, which can create a perceived conflict with GDPR’s emphasis on individual rights.
2. Data Minimization vs. Mandatory Reporting: GDPR requires that only necessary data be collected and processed. However, FATCA/CRS reporting involves the automatic exchange of a broad set of financial data, raising questions about compliance with GDPR’s principle of data minimization.
3. Cross-Border Data Transfers: GDPR restricts the transfer of personal data outside the EU unless adequate safeguards are in place. FATCA/CRS, by design, involves international data sharing, which can lead to concerns about whether non-EU countries offer adequate protection under GDPR standards.
Navigating the conflict
Despite the potential conflicts, FATCA/CRS and GDPR can coexist within legal frameworks. Key to resolving this tension is recognizing that GDPR allows for exceptions where data processing is necessary for compliance with legal obligations. Financial institutions and tax authorities must implement adequate safeguards, ensuring that transparency obligations do not erode fundamental privacy rights.
Legal Basis
FATCA/CRS reporting is justified under GDPR’s legal obligation provisions. Financial institutions must inform clients about the legal grounds for the processing of their data, even if consent is not required.
Data Protection Impact Assessments (DPIAs)
To address privacy concerns, institutions can perform DPIAs to assess risks related to data sharing and implement measures that reduce exposure to potential GDPR violations.
By balancing legal compliance and individual rights, organizations can meet the demands of both regimes while upholding the principles of privacy and transparency.