Time to read – * min

DAC7: 5 Lessons Learned From GDPR

Here are the lessons from GDPR that matter most for DAC7 compliance and how to apply them before the next 31 January deadline.

Author
David Hansson
Published
24
July 2023
Topic
DAC7 Guide

Do you remember what it was like when GDPR was enacted? Companies had to redo their processes on how they treat data. Although the intentions were good, it wasn’t without some hiccups.

DAC7 has been active since January 2023, requiring digital platforms across the EU to collect, verify, and report seller data to tax authorities by 31 January each year. The compliance lessons that emerged from GDPR are directly applicable and worth revisiting.

Although GDPR sounds like a basic concept, its execution has left many organizations rethinking the way they operate to stay compliant. As new laws are implemented, companies have to adapt too. 

In this blog post we will dive into the different lessons that GDPR has taught us that we should remember when preparing to become DAC7 compliant. If your digital platform is affected by the new DAC7 Directive, you also can’t overlook complying with GDPR.

Because DAC7 requires your platform to share seller data with tax authorities, your privacy policy must reflect this. Sellers need to be informed - in plain language - that their data will be reported to the relevant national tax authority each January.

1. Prepare and implement your processes and systems in time

You need to prepare and establish processes that help your platform stay compliant. For most organizations, these new rules mean new challenges since they also have to collect new data that may previously have been overlooked as they were irrelevant to their business. To get things right it is important to do an oversight of different systems and how they work today to understand what needs to be added, removed or rationalized.

Having this understanding and some time for implementation means that you can test and improve the efficiency of the processes and systems on beforehand. Maybe you don’t need to muddle with more administrative work when you can automate the process through a trusted third party. You don’t need to start from scratch when there are solutions you can use. Having the time allows you to efficiently find solutions and overcome the problems imposed by the new requirements.

2. Continuously increase and update the knowledge base

When GDPR came into effect, there was a lot of fear, primarily due to the lack of information regarding the requirements and obligations. However, over time, businesses have grown to understand the role of GDPR, including the best way to stay compliant.

Have in mind that the actual interpretation of the law is determined over time e.g. through court cases. And it's important to regularly update and refine the processes to adjust for changes.

To avoid your users panicking, invest more in the knowledge base. If you already have resources, you must ensure they are updated to reflect the new changes. That way, your platform users can easily comply without making a fuss.

3. Meet DAC7 deadlines and avoid sanctions

Failure to comply with GDPR attracts sanctions and fines that may disrupt your platform’s operation. So far, the most significant GDPR fine is the Amazon GDPR fine - a whopping £636m. The fine proved how costly it can be not to meet the requirements and deadlines.

DAC7, on the other hand, is not without some serious penalties. They may vary on each EU member state, but they must be carried out ‘effectively, proportionate, and dissuasive.’ 

For example, in the Netherlands, reportable platform operators can be fined a maximum penalty of €900,000. They even risk criminal prosecution for failing to comply with the new directive.

4. Document your processes and decisions

For example, under DAC7, you’re asked to report the seller’s data, such as full name, address, and perhaps earnings. When doing that, it’s essential to document your decisions and processes, while also collecting and verifying only relevant information.

When you start early, you avoid the mistakes that come with the last-minute rush. While DAC7 forces companies to collect, verify and report certain data, GDPR urges you to protect your users’ fundamental rights and freedoms, particularly their right to protection of their data.

Please note that the data requirements that need to be handled may vary from country to country and are also prone to modification. Therefore, ensure you’re updated with the latest requirements to make informed decisions and stay compliant.

5. You don’t need to reinvent the wheel

There are a lot of skilled organizations that are ready to assist in all aspects of compliance, be it GDPR or DAC7. You don’t need to reinvent the wheel when solutions are already available. That way you save yourself the headaches and money of inventing something new.

The clearest takeaway from both GDPR and DAC7 is that compliance is much cheaper when you start early and use the right tools. Gigapay automates DAC7 data collection, seller verification, and annual reporting - so your platform can stay compliant without building it from scratch. See how it works.

FAQ

Q: How is DAC7 similar to GDPR for digital platforms?

A: Both DAC7 and GDPR require platforms to build new data collection and verification processes, document decisions, meet strict deadlines, and face significant fines for non-compliance. The key difference is purpose: GDPR protects personal data rights, while DAC7 mandates that seller data is reported to tax authorities for transparency. Platforms must comply with both simultaneously.

Q: What are the fines for DAC7 non-compliance?

A: DAC7 penalties vary by EU member state but must be effective, proportionate, and dissuasive. In the Netherlands, platforms can be fined up to €900,000 and face criminal prosecution. In Ireland, a fine of €19,045 may be imposed for non-compliance plus an additional €2,535 per day for each day the failure continues. Starting your compliance process early is the most effective way to avoid these.

Q: Do I need to update my privacy policy for DAC7?

A: Yes. Because DAC7 requires platforms to collect, verify, and report seller data to tax authorities, your privacy policy must be updated to inform sellers that their data will be shared with the relevant national tax authority. This also brings your policy into alignment with GDPR transparency requirements.

Q: How often do I need to update my DAC7 compliance processes?

A: DAC7 compliance is not a one-time exercise. The interpretation of the law evolves over time through court cases and regulatory guidance. You should review and refine your processes at least annually - before each 31 January reporting deadline - and whenever your national tax authority issues new guidance.

Q: Can I use a third-party solution to handle DAC7 compliance?

A: Yes, and this is one of the key lessons from GDPR: you don't need to build everything in-house. There are platforms, including Gigapay, that automate DAC7 data collection, TIN verification, and annual reporting. Using a trusted third-party solution reduces internal administrative burden and lowers the risk of errors or missed deadlines.

Read also

More blog posts
Tax Implications for UK Creators: HMRC’s Wake Up Call and How Gigapay Can Help
Learn about the tax implications for online content creators and marketplace traders. HMRC's latest crackdown could affect those unaware of their tax obligations. Find out more here.
ATO's Influencer Hunt: Influencers under Tax Spotlight in Australia
The Australian Tax Office is cracking down on influencers' tax obligations. Uncover the impact of the "TikTok scam” on tax compliance.
The Role of Regulation In Influencer Marketing
The call for regulations to ensure transparency & protect consumers in influencer marketing is getting louder. Find out what you should be doing here.

Ready to finally
own your flow?

Batch. Payout. Flow.
Get more than creator payouts, get freedom to own your process.

See it in Action
Talk to sales