
Extending Tax Secrecy Obligations to Information Technology Contractors Servicing the National Revenue Administration
The proposed amendment to Poland’s Tax Ordinance Act, which would impose tax secrecy obligations upon employees of information technology firms servicing the National Revenue Administration (Krajowa Administracja Skarbowa, hereinafter “KAS”), represents a significant enhancement of taxpayer data protection in an era of comprehensive fiscal digitalization. This regulatory intervention is not merely justified from an information security perspective; it also comports fully with international standards promulgated by the Organisation for Economic Co-operation and Development (OECD) concerning the protection of confidential tax data.
External IT service providers frequently possess broader access to sensitive data than traditional civil servants, and the risk of confidentiality breaches by such contractors is comparable to – if not greater than – that posed by permanent government employees. The absence of adequate regulatory safeguards governing external vendors would constitute a substantial lacuna in the data protection framework. The risk profile associated with the National Electronic Invoicing System (Krajowy System e-Faktur, hereinafter “KSeF”) merits particular attention. Within the KSeF context, vast volumes of commercially sensitive transactional data flow through the system in real time, encompassing information that enables reconstruction of enterprise business strategies and access to competitively sensitive intelligence. External IT contractors may access this entire spectrum of data, rendering them potential vulnerabilities in the system architecture.
Substantive Provisions of the Proposed Regulatory Framework
Statutory Mechanism
The new Article 294 § 1(9) of the Tax Ordinance Act will expand the catalog of persons subject to tax secrecy obligations to encompass employees of information technology firms servicing KAS. This amendment was incorporated into the most recent draft dated October 2, 2025, which has been referred to the Standing Committee of the Council of Ministers for consideration. Under the proposed framework, such persons will be required to execute a written undertaking stating: “I pledge to maintain tax secrecy. I declare that I am aware of the provisions concerning criminal liability for disclosure of tax secrets.” Disclosure of tax secrets will carry criminal sanctions of up to five years’ imprisonment for intentional violations, or up to two years’ imprisonment for negligent breaches, pursuant to Article 306 of the Tax Ordinance Act. Significantly, the duty to maintain tax secrecy will persist following termination of employment, conclusion of internships or apprenticeships, and dissolution of any relationship connecting the relevant party with the administration.
Conformity with OECD International Standards
Expansion of Subjective Scope
The central feature of the proposed amendment is the extension of tax secrecy obligations beyond civil servants to encompass external IT service providers. This approach aligns with OECD guidance, which expressly emphasizes in the context of information security management that security controls throughout the employment lifecycle should apply to all personnel, including both permanent and temporary employees as well as external service providers and contractors. The OECD’s “Confidentiality and Information Security Management Toolkit” unequivocally states that tax administrations should account for all categories of their personnel when evaluating the various processes applicable to them throughout the employment cycle.
Governance of IT Service Provider Relationships
The management of IT service provider relationships receives particular attention in OECD standards. The Toolkit dedicates a discrete subsection (Sub-requirement 3.2.4.4) to this matter, emphasizing that tax administrations must ensure security in their use of outsourcing and supply chains by carefully managing their relationships with suppliers. The document states explicitly: “This is a very important requirement, as there have been several high profile security breaches traced back to deficiencies in the supplier network.”
Adequacy and Proportionality of Sanctions
The question of sanction adequacy is likewise addressed in OECD standards. The Toolkit requires that sanctions be clear and sufficiently severe to deter violations, effectively enforced in practice, and proportionate to the gravity of the offense. Consistent with Sub-requirement 3.3.1, “the law should impose sanctions that are clear and severe enough to discourage breaches and violations.” The proposed penalty of up to five years’ imprisonment for disclosure of tax secrets by IT personnel is consistent with sanctions applicable to civil servants, sufficiently severe to constitute an effective deterrent, and comports with international proportionality standards.
Nevertheless, legal provisions alone prove insufficient; they must be supported by appropriate processes and resources ensuring effective implementation. The Toolkit emphasizes in Sub-requirement 3.3.2 that sanction provisions should be buttressed by necessary processes and resources to ensure their effective application. Consequently, it will be essential to establish procedures for reporting suspected breaches of secrecy, allocate resources for conducting investigations, and ensure effective imposition of sanctions in practice.
The Outsourcing Context in Tax Administration
Current Practices
The amendment addresses the increasingly prevalent practice of outsourcing information technology services by KAS. Within the scope of such services, employees of external firms access KAS information systems, including sensitive taxpayer data subject to tax secrecy protections. The OECD Toolkit indicates that many tax administrations endeavor to ensure that all taxpayer data remain on their premises at all times, operated and controlled by them or other governmental agencies with strict oversight over third-party access. Nevertheless, tax administrations increasingly permit external IT vendors remote access to their data centers to provide remote support for development, maintenance, and modernization activities.
Empirical Context of Digital Transformation
According to data from the OECD publication “Tax Administration Digitalisation and Digital Transformation Initiatives,” more than eighty percent of tax administrations currently receive data directly from taxpayer business systems, extending beyond traditional payroll systems, while seventy-seven percent of administrations utilize automatic machine-to-machine data transmission without human intervention. This expanding digitalization of tax processes signifies that tax administrations increasingly rely upon external technology vendors to maintain and develop their information systems, which in turn necessitates guaranteeing the highest level of protection for sensitive commercial and financial taxpayer data.
Accordingly, it is crucial to delineate precisely the types of access permitted for external vendors, implement appropriate security controls, and ensure that agreements with vendors contain detailed requirements concerning information protection. Box 28 of the OECD Toolkit indicates that agreements with vendors should formally specify: the description of information made available or accessible to the vendor and methods of provision or access; information classification; legal and regulatory requirements concerning confidentiality and security; commitments of each party to implement appropriate security controls; and principles governing permissible and impermissible uses of information.
Implementation Challenges
Scope of Personal Application
Implementation of the proposed regulation will entail certain practical challenges. First, it will be crucial to determine precisely which employees of IT firms will be required to execute the undertaking. Will this apply only to those having direct access to tax data, or also to system administrators who could potentially obtain access? How should subcontractors of IT firms be treated? The OECD Toolkit suggests application of the “need to know” principle, according to which taxpayer information should be accessible only to personnel having a legitimate business reason to access it. This principle should constitute the foundation for determining the personal scope of the new regulation.
Verification and Training Protocols
Second, appropriate verification and training procedures will prove essential. According to OECD standards contained in Sub-requirement 3.2.2.3, employees, including external contractors, should regularly receive current training on security and awareness, while those performing sensitive functions should receive additional guidance concerning handling of more sensitive materials. Training should be conducted regularly to ensure personnel remain updated on recent developments. Prior to authorization to work with taxpayer data, verifications should be conducted, including criminal background checks and, in cases involving access to particularly sensitive data, advanced security clearance.
Monitoring and Enforcement Mechanisms
Third, effective monitoring and enforcement of compliance will be necessary. The Toolkit requires in Sub-requirement 3.2.2.4 that tax administrations ensure employees apply security policies and procedures, and clearly demonstrate willingness to impose sanctions when conduct falls below required standards, particularly concerning information protection. Regular audits of contractors’ compliance with security principles, effective procedures for reporting and investigating breaches, and consistent application of sanctions will be necessary. According to Sub-requirement 3.2.6.2, all access to systems containing data should be logged, and such logs should be regularly reviewed to detect unauthorized access.
Benefits of Regulatory Implementation
Standardization of Protection Measures
The proposed regulation yields several significant benefits. Foremost, it equalizes protection standards by subjecting all persons having access to tax data to tax secrecy obligations, regardless of employment form, thereby eliminating a substantial lacuna in the data protection system. This comports with the OECD principle expressed in Sub-requirement 3.2.4.4 that regardless of the type of agreement employed with vendors, it should contain express requirements concerning protection of confidentiality and information security.
Enhancement of Taxpayer Confidence
Second, the regulation strengthens taxpayer confidence in the system. Knowledge that all persons having access to data are subject to severe sanctions for disclosure may enhance taxpayer confidence in the KSeF system and propensity for voluntary tax compliance. This proves particularly significant in the context of expanding digitalization, where nearly forty percent of tax administrations currently offer pre-filling of VAT returns, and approximately thirty percent can provide certain taxpayers with completely pre-filled returns requiring no taxpayer modifications.
International Standards Compliance
Third, the regulation fully comports with OECD international standards concerning data protection in the context of tax information exchange (Core Requirement 3.1), information security management (Core Requirement 3.2), and enforcement of confidentiality provisions (Core Requirement 3.3). Satisfaction of international data protection standards facilitates information exchange with other tax administrations, builds foreign partners’ confidence in the security of data transmitted to Poland, and constitutes a prerequisite for effective participation in international information exchange systems such as the Common Reporting Standard, Automatic Exchange of Information, and exchange of Country-by-Country Reports.
Legislative Status and Anticipated Effective Date
The draft amendment has traversed several stages of the legislative process. The initial draft was published on March 26, 2025; an updated version followed on August 4, 2025, after the first consultation phase; and the most recent version, dated October 2, 2025, has been referred to the Standing Committee of the Council of Ministers. The anticipated effective date of the amendment is July 1, 2026, providing sufficient time for preparation of appropriate implementation procedures by both KAS and IT firms providing services to it.
Expert Commentary and Professional Opinion
The National Council of Tax Advisors advocated for introduction of this provision, indicating that it constitutes an important step for taxpayer data security. The Ministry of Finance accommodated this recommendation, recognizing the need to extend tax secrecy obligations to employees of external firms providing IT services to the tax administration. Tomasz Rolewicz of Ernst & Young evaluated positively the introduction of tax secrecy provisions for IT firm employees as a significant element of taxpayer data protection, though simultaneously observing that the Ministry of Finance rejected the majority of recommendations submitted during consultations, potentially indicating certain limitations in the scope of dialogue between the ministry and the professional tax advisory community.
Conclusion and Recommendations
In conclusion, the proposed extension of tax secrecy obligations to IT personnel servicing KSeF constitutes a necessary element of a comprehensive tax data protection system in the digital era. This regulation fully comports with OECD international standards concerning protection of confidential tax information, fills a legal lacuna by extending protection to all categories of personnel having access to sensitive data, and responds to genuine threats associated with IT services outsourcing in tax administration. It strengthens taxpayer and foreign partner confidence in system security and facilitates international cooperation through satisfaction of data protection requirements.
For complete effectiveness, the regulation should be supplemented by: detailed verification and training procedures for IT firm employees prior to authorization to work with taxpayer data; clear agreements with IT vendors precisely specifying scope of access and obligations; effective mechanisms for monitoring and enforcing compliance, including logging of all system access and regular review of such logs; and regular review and refinement of the protection system based upon incident analysis and internal and external audits. Implementation of these additional elements, consistent with best practices described in OECD documents, will ensure that the new regulation produces intended effects in the form of genuine enhancement of tax data security in the KSeF system and broader digital infrastructure of the tax administration.
