DAC6: Germany’s unique approach to legal professional privilege (LPP)

Register for our DAC6 email updates

Bundestag

No reporting delay in Germany

Germany recently made the shock announcement that it would not be deferring DAC6 implementation, despite an optional 6 months delay awarded to EU member states by the EU Commission. As a result of this announcement, intermediaries, including accounting firms, law firms, and other tax advisors in multiple industries have begun the process of identifying DAC6 reportable arrangements.

German XML schema released

Many tax authorities, including HMRC, have already produced xml schemas stipulating their DAC6 reporting requirements, and the German schema is closely aligned to these. The German Federal Ministry of Finance (Bundeszentralamt für Steuern) have decided on a unique approach to legal professional privilege.

Legal professional privilege and DAC6

Under DAC6, each EU Member State is empowered to provide an exemption from the reporting obligation where the advice of an intermediary is protected by professional secrecy rules otherwise known as legal professional privilege.

Legal professional privilege primarily applies to law firms. However, in some jurisdictions legal professional privilege may also apply to accountants, tax advisors, auditors, notaries and banks. This means that intermediaries may be exempt from disclosing all or some information about arrangements they are involved in to third parties, including the tax authorities.

Legal professional privilege in Germany

Unlike other EU member states, Germany is offering a three-pronged approach to legal professional privilege depending on the circumstances of the specific DAC6 reportable arrangement and the decision of the taxpayer to waive legal professional privilege.

Approach 1: Intermediary makes a full report

In this situation, the taxpayer will release the intermediary from any legal professional privilege rights that may have existed. In such a situation, the intermediary would be required to make a full DAC6 report to the German Federal Ministry of Finance.

Approach 2: Taxpayer makes a full report

In this situation, the taxpayer chooses not to waive their legal  professional privilege, and as a result of this, the taxpayer decides that they want to make the full DAC6 report (this is in additional to any other annual reports that the taxpayer is liable to make to the German Federal Ministry of Finance).

Approach 3: Intermediary and taxpayer both make partial reports

In this situation, the taxpayer does not waive legal professional privilege, however they also decide not to make a full report themselves. This means that the intermediary must make a partial report of anonymized data about the arrangement (primarily information about the design of the arrangement). Following this, the taxpayer must submit a second partial report containing the personal information relating to the arrangement. 

Conclusion

If you are a German intermediary or taxpayer that is affected by DAC6, time is not on your side. The first reports are due at the end of July 2020. VinciWorks has consulted tax experts across Europe and brought together over 100 international law and accounting firms to develop best practice for DAC6.

Screenshot of VinciWorks' DAC6 reporting tool
Our DAC6 reporting tool features built-in XML schemas for a growing number of jurisdictions

The result is an end-to-end DAC6 compliance solution for DAC6 that not only fulfils firms’ reporting and training needs but includes guides, webinars and regular DAC6-focussed newsletters. Our reporting tool already produces XML reports for Germany.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.