The processing of personal data carried out under electronic invoicing, as currently designed by the Revenue Agency, may violate the provisions of the GDPR. The Revenue Agency is therefore invited to inform the Data Protection Authority of the initiatives taken to process the data contained in invoices in accordance with the privacy provisions. This is a summary of the provision dated 15 November 2018 sent by the Guarantor to the Revenue Agency.
Storm clouds are gathering on the horizon of electronic invoicing. This time it is not the trade association of the moment that takes the field, but the Privacy Guarantor.
And it does so with a provision (the first issued since the entry into force of the GDPR) addressed to the Revenue Agency, but also to intermediaries, which presents a serious and difficult obstacle to the electronic invoice due on 1 January 2019.
We know that privacy is a very sensitive subject that receives particular attention at European level, but it is that in some electronic accounts at such an e-bill level, this was expected.
The provision dated November 15, 2016, followed by a communiqué the next day, notes that electronic invoicing, as designed by the Revenue Agency, needs to be changed, since from 1 January 2019 the processing of data may violate data protection legislation.
In particular, the collection of information appears to be disproportionate, and the risk that such information may be improperly used by third parties is very high.
Therefore, the Agency is invited to make known how it intends to carry out the data processing required for electronic invoicing in accordance with the Italian and European regulatory frameworks.
Let us try to understand more by analyzing the Guarantor's findings and imagining what the consequences of all this will be.
Electronic invoicing and GDPR: critical aspects
The Guarantor's provision starts from one fact: the electronic invoicing procedure involves "systematic, general and detailed treatment of personal data on a large scale, potentially linked to every aspect of everyday life of the entire population, disproportionate to the aim of public interest pursued, although legitimate."
In other words, invoices are transmitted with a range of information that lies outside the fiscal field and that in some cases can involve sensitive data.
Think, for example, of a medical invoice whose description of the service contains a reference to the client's health.
Or of an invoice for the supply of electricity that shows a warning that previous payments are not regular.
Not to mention the invoices issued by professionals operating in the judicial field (CTU, experts and court experts).
The examples are countless, as are the data that reach the Revenue Agency through electronic invoices.
Because of this, the Guarantor finds that the Revenue Agency's previous measures contain no specific safeguard to ensure compliance with the principles of purpose limitation, minimization and confidentiality.
Ultimately, according to the Guarantor, the mandatory, general and detailed processing of personal data within the e-invoicing process, going even beyond the data required for tax purposes and relating to every aspect of the everyday life of the entire population, does not appear proportionate to the public interest objective pursued, although legitimate (see, in particular, the reference to Article 6, paragraph 3, letter b) and Article 9, paragraph 2, letter g) of Regulation No. 2016/679).
It further states that "the general treatment of personal data carried out in the field of electronic invoicing requires the adoption of appropriate measures by the Revenue Agency as well as by economic operators in order to provide interested parties with all the information referred to in Articles 13 and 14 of the Regulation. This applies in particular to the possible inclusion of detailed information that is not relevant for tax purposes in invoices and related annexes, which must in any case be carried out in strict compliance with the principle of the minimization of personal data."
Other critical aspects
However, the criticisms made by the guarantor are not limited to what has been said so far.
There are additional problems with:
– the invoices made available on the Invoices and Fees portal;
– the role of intermediaries;
– the software and services provided by the Revenue Agency.
Regarding the first aspect, it should be noted that the choice to make all XML electronic invoices available to consumers on the Agency's portal, even where they have not specifically requested it, and despite their right to obtain a digital or analogue copy directly from the controller, does nothing but increase the risk to the rights and freedoms of all private individuals associated with the massive, computerised processing of data accessible through the web application.
As far as intermediaries are concerned, the issue is even more sensitive.
Appropriate technical and organizational measures need to be identified for them in order to ensure compliance with personal data protection law throughout the entire chain of processing carried out for the purposes of electronic invoicing.
This is likely to result in additional costs for intermediaries, bearing in mind that, from a reading of the management report of 5 November, it is unclear what role they take in relation to the processing of personal data, including the details contained in the electronic invoices issued and received.
What about parties that work on behalf of a large number of economic operators?
They will acquire a large amount of information, some of it belonging to special categories of personal data, and will therefore hold huge databases exposed to greater risks of further improper use, not only in relation to illicit processing but also because of the possible links and comparisons between the invoices of thousands of economic operators, thereby violating the principles governing the processing of personal data.
Last but not least come the criticisms of the technical arrangements and software put in place by the Revenue Agency.
In particular, it should be noted that:
– the use of the FTP protocol, which is not a secure channel;
– the Fatturae application allows some data, not specified more precisely, to be saved in the cloud, but the information provided does not make clear for which purposes the Agency retains and controls the data collected with this application;
– the storage agreement is not consistent with the GDPR, in particular where it states that the Agency cannot be held liable towards the taxable person, or other parties directly or indirectly connected to it, for direct or indirect damage, loss of information, infringement of third-party rights, delays, failures, or complete or partial interruptions that may occur during the performance of the storage service.
The consequences of the guarantor's position
It is clear from these few lines that the Guarantor's intervention, a few weeks before the law officially takes effect, could have disruptive and hard-to-predict effects.
Will there be a mid-course correction of the IT procedures, and not only those, between now and the end of the year?
And if so, at what price, in terms of further obligations (and consequently complications) for taxpayers and their intermediaries?
Will this fix one? Getting, if not (temporary) provision for the entire operation?
Questions that are difficult to answer.
However, one thing seems certain: the Revenue Agency will now have to take responsibility for the findings and try to put in place all measures to ensure compliance with the privacy rules.
Of course, the time available is very tight, which raises a last and much more serious doubt: will the electronic invoice be there to open a bottle of sparkling wine at midnight for the New Year 2018?