Amending Protocol to the Agreement between the European Union and the Republic of San Marino on the Automatic Exchange of financial account information to improve international tax compliance

THE EUROPEAN UNION

and

THE REPUBLIC OF SAN MARINO, hereinafter referred to as ‘San Marino’,

both hereinafter referred to, individually, as ‘Contracting Party’ and, jointly, as ‘Contracting Parties’,

WHEREAS the Contracting Parties are committed to improving their relationship and enhancing cooperation between them, as shown by the conclusion of negotiations on an association agreement in December 2023, providing for the right for San Marino to join the European Union internal market, including its four fundamental freedoms, and for cooperation in other areas,

WHEREAS the Contracting Parties have a longstanding and close relationship with respect to mutual assistance in tax matters, which consisted, initially, in the application of measures equivalent to those laid down in Council Directive 2003/48/EC (1), and which was later developed into the Agreement between the European Union and the Republic of San Marino on the automatic exchange of financial account information to improve international tax compliance (2) (‘the Agreement’), as amended by the Amending Protocol to the Agreement between the European Community and the Republic of San Marino providing for measures equivalent to those laid down in Council Directive 2003/48/EC on taxation of savings income in the form of interest payments (3) based upon the reciprocal automatic exchange of information by means of implementing the Organisation for Economic Co-operation and Development (OECD) Standard for Automatic Exchange of Financial Account Information in Tax Matters (‘the Global Standard’),

WHEREAS, following the OECD's first comprehensive review of the Global Standard, amendments to the Global Standard were approved by the OECD's Committee on Fiscal Affairs in August 2022 and were adopted by the OECD Council on 8 June 2023 by means of its revised Recommendation on the International Standards for Automatic Exchange of Information in Tax Matters (‘the update to the Global Standard’),

WHEREAS the OECD comprehensive review identified the increasing complexity of financial instruments and the emergence and use of new types of digital assets and acknowledged the necessity of adapting the Global Standard to ensure comprehensive and effective tax compliance,

WHEREAS the update to the Global Standard expanded the scope of reporting to include new digital financial products, such as Specified Electronic Money Products and Central Bank Digital Currencies, which offer credible alternatives to traditional Financial Accounts, which are already subject to reporting under the Global Standard,

WHEREAS the new OECD Crypto-Asset Reporting Framework (‘CARF’), which was introduced in parallel to the update to the Global Standard, serves as a complementary mechanism at the global level and is specifically designed to address the rapid development and growth of the Crypto-Asset market,

WHEREAS it was considered imperative to ensure an efficient interaction between those two frameworks, in particular to limit instances of duplicative reporting, by: (i) excluding Specified Electronic Money Products and Central Bank Digital Currencies from the scope of the CARF, given their coverage under the updated Global Standard; (ii) considering Crypto-Assets within the scope of the updated Global Standard to be Financial Assets for the purpose of reporting Custodial Accounts, Equity or Debt Interests in Investment Entities (except in cases of provision of services effectuating exchange transactions for or on behalf of customers, which are covered under the CARF), indirect investments in Crypto-Assets through other traditional financial products or traditional financial products issued in crypto form; and (iii) providing for an optional provision for Reporting Financial Institutions to switch off gross proceeds reporting for assets that are classified as Crypto-Assets under both frameworks, when such information is reported under the CARF, while continuing to report under the Global Standard all other information, such as account balance,

WHEREAS the CARF has been implemented within the European Union by way of Council Directive (EU) 2023/2226 (4), which amended Council Directive 2011/16/EU (5) with those provisions applying from 1 January 2026 and San Marino is committed to implementing the CARF in its domestic legislation and applying those provisions from the same date,

WHEREAS, with a view to limiting instances of duplicative reporting, the Contracting Parties should apply the delineation between the Agreement, the CARF and Directive (EU) 2023/2226 in a manner consistent with the delineation between the updated Global Standard and the CARF,

WHEREAS, with the aim of improving the reliability and use of the exchanged information, the update to the Global Standard introduces more detailed reporting requirements and strengthened due diligence procedures,

WHEREAS the update to the Global Standard adds a new ‘Excluded Account’ category for Capital Contribution Accounts and a de minimis threshold for reporting of Depository Accounts holding Specified Electronic Money Products,

WHEREAS Regulation (EU) 2016/679 of the European Parliament and of the Council (6) lays down specific data protection rules in the European Union which also apply to the exchanges of information covered by the Agreement,

WHEREAS Law No. 171 (7) of 21 December 2018 regulates the protection of personal data in San Marino,

WHEREAS, on the date of signing of this Amending Protocol, the European Commission has, so far, not adopted a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 finding that San Marino is a country that ensures an adequate level of protection of personal data,

WHEREAS both Contracting Parties commit to implementing and observing the specific data protection safeguards as included in the Agreement, including Annex III,

WHEREAS Reporting Financial Institutions, sending Competent Authorities and receiving Competent Authorities, as data controllers, should retain information processed in accordance with the Agreement for no longer than necessary to achieve the purposes thereof and whereas, given the differences in Member States' and San Marino's legislation, the maximum retention period should be set by reference to the statute of limitations provided by each data controller's domestic tax legislation,

WHEREAS the processing of information under the Agreement is necessary for and proportionate to the purpose of enabling Member States' and San Marino's tax administrations to correctly and unequivocally identify the taxpayers concerned, to administer and enforce their tax laws in cross-border situations, to assess the likelihood of tax evasion being perpetrated and to avoid unnecessary further investigations,

HAVE AGREED AS FOLLOWS:

Article 1

The Agreement is amended as follows:

(1)

the introductory wording between the title and Article 1 is replaced by the following:

‘THE EUROPEAN UNION

and

THE REPUBLIC OF SAN MARINO, hereinafter referred to as “San Marino”,

both hereinafter referred to, individually, as “Contracting Party” and, jointly, as “Contracting Parties”,

HAVE AGREED TO CONCLUDE THE FOLLOWING AGREEMENT:’

;

(2)

in Article 1(1), the following subparagraph is added:

‘(m)	the term “Crypto-Asset Reporting Framework” means the international framework for the automatic exchange of information with respect to Crypto-Assets (which includes the Commentaries) developed by the OECD, with G20 countries and approved by the OECD on 26 August 2022.’

;

(3)

Article 2 is amended as follows:

(a)

paragraph 2 is amended as follows:

(i)

subparagraphs (a) and (b) are replaced by the following:

‘(a)

the following:

(i)	the name, address, TIN(s) and date and place of birth (in the case of an individual) of each Reportable Person that is an Account Holder of the account and whether the Account Holder has provided a valid self-certification;

(ii)

in the case of any Entity that is an Account Holder and that, after application of due diligence procedures consistent with Annexes I and II, is identified as having one or more Controlling Persons that is a Reportable Person, the name, address, and TIN(s) of the Entity and the name, address, TIN(s) and date and place of birth of each Reportable Person, as well as the role(s) by virtue of which each Reportable Person is a Controlling Person of the Entity and whether a valid self-certification has been provided for each Reportable Person; and

(iii)

whether the account is a joint account, including the number of joint Account Holders;

(b)	the account number (or functional equivalent in the absence of an account number), the type of account and whether the account is a Preexisting Account or a New Account;’

;

(ii)	the term ‘and’ at the end of subparagraph (f) is deleted;

(iii)

the following subparagraph is inserted after subparagraph (f):

‘(fa)

in the case of any Equity Interest held in an Investment Entity that is a legal arrangement, the role(s) by virtue of which the Reportable Person is an Equity Interest holder; and’

;

(b)

the following paragraph is added:

‘3. Notwithstanding paragraph 2, subparagraph (e), point (ii), and unless the Reporting Financial Institution has elected otherwise under Section I(F) of Annex I with respect to any clearly identified group of accounts, the gross proceeds from the sale or redemption of a Financial Asset are not required to be exchanged to the extent such gross proceeds from the sale or redemption of such Financial Asset are exchanged by the Competent Authority of San Marino with the Competent Authority of a Member State or by the Competent Authority of a Member State with the Competent Authority of San Marino under the Crypto-Asset Reporting Framework.’

;

(4)

Article 3 is amended as follows:

(a)

in paragraph 3, the following subparagraphs are added:

‘Notwithstanding the first and second subparagraphs, for accounts that are treated as a Reportable Account solely by virtue of the amendments to this Agreement made by the Amending Protocol of 13 October 2025, and, with regard to all Reportable Accounts, for the additional information to be exchanged pursuant to the changes made to Article 2(2) under that latter Amending Protocol, information is to be exchanged with respect to the first year as from the entry into force of that Amending Protocol and all subsequent years.

Notwithstanding the preceding subparagraphs, with respect to each Reportable Account that is maintained by a Reporting Financial Institution as of 31 December 2025 and for reporting periods ending by the second calendar year following such date, information with respect to the role(s) by virtue of which each Reportable Person is a Controlling Person or Equity Interest holder of the Entity is to be exchanged where reported by the Reporting Financial Institution in accordance with Section I, subparagraphs A(1)(b) and A(6a), of Annex I.’

;

(b)

paragraph 4 is replaced by the following:

‘4. The Competent Authorities will automatically exchange the information described in Article 2 in a common reporting standard schema in Extensible Markup Language using the Common Transmission System approved by the OECD or any other appropriate system for data transmission that may be agreed in the future.’

;

(c)	paragraph 5 is deleted;

(5)

Article 6 is amended as follows:

(a)

paragraph 1 is replaced by the following:

‘1. In addition to the confidentiality rules and other safeguards outlined in this Agreement, including those outlined in Annex III, the processing of personal data pursuant to this Agreement shall be subject, (i) for Member States, to Regulation (EU) 2016/679 of the European Parliament and of the Council (*1), and, (ii) for San Marino, to the provisions of Law No. 171 of 21 December 2018 (*2).

Member States shall, for the purpose of the correct application of Article 5, restrict the scope of the obligations and rights provided for in Article 13, Article 14(1) to (4) and Article 15 of Regulation (EU) 2016/679 to the extent required in order to safeguard the interests referred to in Article 23(1)(e) of that Regulation. San Marino shall take equivalent measures under its domestic law.

Each Member State and San Marino shall ensure that each Reporting Financial Institution under their jurisdiction informs each individual Reportable Person concerned that the information relating to him referred to in Article 2 will be collected and transferred in accordance with this Agreement and shall ensure that the Reporting Financial Institution provides to that individual all information that he is entitled to under its domestic data protection legislation, and at least the following:

(a)	the purpose of the processing of his personal data;

(b)	the legal basis of the processing operation;

(c)	the recipients of his personal data;

(d)	the identity of the data controllers;

(e)	the time-limits for storing the data;

(f)	the existence of the right to request access to, rectification and erasure of his personal data from the controller;

(g)	the right to seek administrative and/or judicial redress and the procedure to do so;

(h)	the right to have recourse to the competent data protection supervisory authority or authorities and the relevant contact details.

This information shall be provided in sufficient time for the individual to exercise his data protection rights and, in any case, before the Reporting Financial Institution concerned reports the information referred to in Article 2 to the competent authority of its jurisdiction of residence (being a Member State or San Marino).

Member States and San Marino shall ensure that each individual Reportable Person is notified of a breach of security with regard to his personal data when that breach is likely to adversely affect the protection of his personal data or privacy.

(*1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj)."

(*2) Bollettino Ufficiale della Repubblica di San Marino [https://www.bollettinoufficiale.sm/on-line/RicercaBU?acm_lang=it_IT&acm_session=D41C8C128609A28C2FB7110E5375A6D1.tomcat1lb&operation=getDocBU&id=1da1d6f8c775533f025aaa32a4094d865ec68fb9].’;"

(b)

paragraph 2 is replaced by the following:

‘2. Personal data processed in accordance with this Agreement shall be retained for no longer than necessary to achieve the purposes of this Agreement and, in any case, in accordance with each data controller's domestic rules on statute of limitations.

Reporting Financial Institutions and the competent authorities of each Member State and San Marino shall be considered to be data controllers, each with respect to the personal data it processes under this Agreement. The data controllers shall be responsible for ensuring compliance with the personal data protection safeguards set out in this Agreement and for the respect of the rights of the data subjects.’

;

(c)

paragraph 5 is replaced by the following:

‘5. Notwithstanding the provisions of the preceding paragraphs, information received by a jurisdiction (being a Member State or San Marino) may be used for other purposes when such information may be used for such other purposes under the laws, including those on the protection of personal data, of the supplying jurisdiction (being, respectively, San Marino or a Member State) and when the Competent Authority of that jurisdiction authorises such use. Information provided by a jurisdiction (being a Member State or San Marino) to another jurisdiction (being, respectively, San Marino or a Member State) may be transmitted by the latter to a third jurisdiction (being another Member State), subject to the safeguards provided for under this Article and in Annex III and subject to prior authorisation by the Competent Authority of the first-mentioned jurisdiction from which the information originated.

Information provided by one Member State to another Member State under its applicable law implementing Council Directive 2011/16/EU on administrative cooperation in the field of taxation may be transmitted to San Marino subject to prior authorisation by the Competent Authority of the Member State from which the information originated.’

;

(6)

in Article 7, paragraph 2 is replaced by the following:

‘2. If the consultation relates to significant non-compliance with the provisions of this Agreement, and the procedure described in paragraph 1 does not provide for an adequate settlement, the Competent Authority of a Member State or San Marino may suspend the exchange of information under this Agreement towards, respectively, San Marino or a specific Member State, by giving notice in writing to the other Competent Authority concerned. Such suspension will have immediate effect. For the purposes of this paragraph, significant non-compliance includes, but is not limited to, non-compliance with the confidentiality and data safeguard provisions of this Agreement, including Annex III, of Regulation (EU) 2016/679 and of Law No. 171 of 21 December 2018, as applicable, a failure by the Competent Authority of a Member State or San Marino to provide timely or adequate information as required under this Agreement or defining the status of Entities or accounts as Non-Reporting Financial Institutions and Excluded Accounts in a manner that frustrates the purposes of this Agreement.’

;

(7)

Article 9 is replaced by the following:

‘Article 9

Termination

Either Contracting Party may terminate this Agreement by giving notice of termination in writing to the other Contracting Party. Such termination will become effective on the first day of the month following the expiration of a period of 12 months after the date of the notice of termination. In the event of termination, all information previously received under this Agreement will remain confidential and subject, (i) for Member States, to the provisions of Regulation (EU) 2016/679 and (ii) for San Marino, to the provisions of Law No. 171 of 21 December 2018 and, in both cases, to the specific data protection safeguards set out in this Agreement, including those contained in Annex III.’

;

(8)

Annex I is amended as follows:

(a)

in Section I, paragraph A is amended as follows:

(i)

the introductory wording and subparagraphs 1 and 2 are replaced by the following:

‘Subject to paragraphs C to F, each Reporting Financial Institution must report to the Competent Authority of its jurisdiction (being a Member State or San Marino) with respect to each Reportable Account of such Reporting Financial Institution:

the following information:

(a)	the name, address, jurisdiction(s) of residence (being a Member State or San Marino), TIN(s) and date and place of birth (in the case of an individual) of each Reportable Person that is an Account Holder of the account and whether the Account Holder has provided a valid self-certification;

(b)

in the case of any Entity that is an Account Holder and that, after application of the due diligence procedures consistent with Sections V, VI and VII, is identified as having one or more Controlling Persons that is a Reportable Person, the name, address, jurisdiction(s) (being a Member State, San Marino or other jurisdiction) of residence and TIN(s) of the Entity and the name, address, jurisdiction(s) (being a Member State or San Marino of residence, TIN(s) and date and place of birth of each Reportable Person, as well as the role(s) by virtue of which each Reportable Person is a Controlling Person of the Entity and whether a valid self-certification has been provided for each Reportable Person; and

(c)	whether the account is a joint account, including the number of joint Account Holders;

2.	the account number (or functional equivalent in the absence of an account number), the type of account and whether the account is a Preexisting Account or a New Account;’

;

(ii)	the term ‘and’ at the end of subparagraph 6 is deleted;

(iii)

the following subparagraph is inserted after subparagraph 6:

‘6a.	in the case of any Equity Interest held in an Investment Entity that is a legal arrangement, the role(s) by virtue of which the Reportable Person is an Equity Interest holder; and’

;

(b)

in Section I, paragraph C is replaced by the following:

‘C.

Notwithstanding subparagraph A(1), with respect to each Reportable Account that is a Preexisting Account, the TIN(s) or date of birth is not required to be reported if such TIN(s) or date of birth is not in the records of the Reporting Financial Institution and is not otherwise required to be collected by such Reporting Financial Institution under domestic law or any European Union legal instrument (if applicable). However, a Reporting Financial Institution is required to use reasonable efforts to obtain the TIN(s) and date of birth with respect to Preexisting Accounts by the end of the second calendar year following the year in which Preexisting Accounts were identified as Reportable Accounts and whenever it is required to update the information relating to the Preexisting Account pursuant to domestic AML/KYC Procedures.’

;

(c)

in Section I, the following paragraph is added:

‘F.

Notwithstanding subparagraph A(5)(b), and unless the Reporting Financial Institution elects otherwise with respect to any clearly identified group of accounts, the gross proceeds from the sale or redemption of a Financial Asset are not required to be reported to the extent such gross proceeds from the sale or redemption of such Financial Asset are reported by the Reporting Financial Institution under the Crypto-Asset Reporting Framework.’

;

(d)

in Section VI, subparagraph A(2)(b) is replaced by the following:

‘(b)

Determining the Controlling Persons of an Account Holder. For the purposes of determining the Controlling Persons of an Account Holder, a Reporting Financial Institution may rely on information collected and maintained pursuant to AML/KYC Procedures, provided that such procedures are consistent with the 2012 FATF Recommendations. If the Reporting Financial Institution is not legally required to apply AML/KYC Procedures that are consistent with the 2012 FATF Recommendations, it must apply substantially similar procedures for the purpose of determining the Controlling Persons.’

;

(e)

in Section VII, the following paragraph is inserted after paragraph A:

‘Aa.

Temporary lack of self-certification. In exceptional circumstances where a self-certification cannot be obtained by a Reporting Financial Institution in respect of a New Account in time to meet its due diligence and reporting obligations with respect to the reporting period during which the account was opened, the Reporting Financial Institution must apply the due diligence procedures for Preexisting Accounts, until such self-certification is obtained and validated.’

;

(f)

in Section VIII, subparagraphs A(5) to (7) are replaced by the following:

‘5.

The term “Depository Institution” means any Entity that:

(a)	accepts deposits in the ordinary course of a banking or similar business; or

(b)	holds Specified Electronic Money Products or Central Bank Digital Currencies for the benefit of customers.

The term “Investment Entity” means any Entity:

(a)

which primarily conducts as a business one or more of the following activities or operations for or on behalf of a customer:

(i)	trading in money market instruments (cheques, bills, certificates of deposit, derivatives, etc.); foreign exchange; exchange, interest rate and index instruments; transferable securities; or commodity futures trading;

(ii)	individual and collective portfolio management; or

(iii)

otherwise investing, administering, or managing Financial Assets, money, or Relevant Crypto-Assets on behalf of other persons; or

(b)

the gross income of which is primarily attributable to investing, reinvesting, or trading in Financial Assets or Relevant Crypto-Assets, if the Entity is managed by another Entity that is a Depository Institution, a Custodial Institution, a Specified Insurance Company, or an Investment Entity described in subparagraph A(6)(a).

An Entity is treated as primarily conducting as a business one or more of the activities described in subparagraph A(6)(a), or an Entity's gross income is primarily attributable to investing, reinvesting, or trading in Financial Assets or Relevant Crypto-Assets for the purposes of subparagraph A(6)(b), if the Entity's gross income attributable to the relevant activities equals or exceeds 50 % of the Entity's gross income during the shorter of: (i) the three-year period ending on 31 December of the year preceding the year in which the determination is made; or (ii) the period during which the Entity has been in existence. For the purposes of subparagraph A(6)(a)(iii), the term “otherwise investing, administering, or managing Financial Assets, money, or Relevant Crypto-Assets on behalf of other persons” does not include the provision of services effectuating Exchange Transactions for or on behalf of customers. The term “Investment Entity” does not include an Entity that is an Active NFE because that Entity meets any of the criteria in subparagraphs D(9)(d) to (g).

This paragraph shall be interpreted in a manner consistent with similar language set forth in the definition of “financial institution” in the Financial Action Task Force Recommendations.

The term “Financial Asset” includes a security (for example, a share of stock in a corporation; partnership or beneficial ownership interest in a widely held or publicly traded partnership or trust; note, bond, debenture, or other evidence of indebtedness), partnership interest, commodity, swap (for example, interest rate swaps, currency swaps, basis swaps, interest rate caps, interest rate floors, commodity swaps, equity swaps, equity index swaps, and similar agreements), Insurance Contract or Annuity Contract, or any interest (including a futures or forward contract or option) in a security, Relevant Crypto-Asset, partnership interest, commodity, swap, Insurance Contract, or Annuity Contract. The term “Financial Asset” does not include a non-debt, direct interest in real property.’

;

(g)

in Section VIII, the following subparagraphs are added after subparagraph A(8):

‘9.

The term “Specified Electronic Money Product” means any product that is:

(a)	a digital representation of a single Fiat Currency;

(b)	issued on receipt of funds for the purpose of making payment transactions;

(c)	represented by a claim on the issuer denominated in the same Fiat Currency;

(d)	accepted in payment by a natural or legal person other than the issuer; and

(e)	by virtue of regulatory requirements to which the issuer is subject, redeemable at any time and at par value for the same Fiat Currency upon request of the holder of the product.

The term “Specified Electronic Money Product” does not include a product created for the sole purpose of facilitating the transfer of funds from a customer to another person pursuant to instructions of the customer. A product is not created for the sole purpose of facilitating the transfer of funds if, in the ordinary course of business of the transferring Entity, either the funds connected with such product are held longer than 60 days after receipt of instructions to facilitate the transfer, or, if no instructions are received, the funds connected with such product are held longer than 60 days after receipt of the funds.

10.	The term “Central Bank Digital Currency” means any digital Fiat Currency issued by a Central Bank, or other monetary authority.

11.

The term “Fiat Currency” means the official currency of a jurisdiction, issued by a jurisdiction or by a jurisdiction's designated Central Bank or monetary authority, as represented by physical banknotes or coins or by money in different digital forms, including bank reserves and Central Bank Digital Currencies. The term also includes commercial bank money and electronic money products (including Specified Electronic Money Products).

12.	The term “Crypto-Asset” means a digital representation of value that relies on a cryptographically secured distributed ledger or a similar technology to validate and secure transactions.

13.	The term “Relevant Crypto-Asset” means any Crypto-Asset that is not a Central Bank Digital Currency, a Specified Electronic Money Product or any Crypto-Asset for which the Reporting Crypto-Asset Service Provider has adequately determined that it cannot be used for payment or investment purposes.

14.

The term “Exchange Transaction” means any:

(a)	exchange between Relevant Crypto-Assets and Fiat Currencies; and

(b)	exchange between one or more forms of Relevant Crypto-Assets’

;

(h)

in Section VIII, subparagraph B(1)(a) is replaced by the following:

‘(a)

a Governmental Entity, International Organisation or Central Bank, other than:

(i)	with respect to a payment that is derived from an obligation held in connection with a commercial financial activity of a type engaged in by a Specified Insurance Company, Custodial Institution, or Depository Institution; or

(ii)	with respect to the activity of maintaining Central Bank Digital Currencies for Account Holders which are not Financial Institutions, Governmental Entities, International Organisations or Central Banks.’

;

(i)

in Section VIII, subparagraph C(2) is replaced by the following:

‘2.

The term “Depository Account” includes any commercial, checking, savings, time, or thrift account, or an account that is evidenced by a certificate of deposit, thrift certificate, investment certificate, certificate of indebtedness, or other similar instrument maintained by a Depository Institution. A Depository Account also includes:

(a)	an amount held by an insurance company pursuant to a guaranteed investment contract or similar agreement to pay or credit interest thereon;

(b)	an account or notional account that represents all Specified Electronic Money Products held for the benefit of a customer; and

(c)	an account that holds one or more Central Bank Digital Currencies for the benefit of a customer.’

;

(j)

in Section VIII, subparagraph C(9)(a) is replaced by the following:

‘(a)	a Financial Account maintained by a Reporting Financial Institution as of 31 December 2015 or, if the account is treated as a Financial Account solely by virtue of the amendments to this Agreement made by the Amending Protocol of 13 October 2025, as of 31 December 2025.’

;

(k)

in Section VIII, subparagraph C(10) is replaced by the following:

‘10.

The term “New Account” means a Financial Account maintained by a Reporting Financial Institution opened on or after 1 January 2016, or, if the account is treated as a Financial Account solely by virtue of the amendments to this Agreement made by the Amending Protocol of 13 October 2025, on or after 1 January 2026 unless it is treated as a Preexisting Account under the extended definition of Preexisting Account in subparagraph C(9).’

;

(l)

in Section VIII, the following subparagraph is inserted after subparagraph C(17)(e)(iv):

‘(v)

a foundation or capital increase of a company provided that the account satisfies the following requirements:

—	the account is used exclusively to deposit capital that is to be used for the purpose of the foundation or capital increase of a company, as prescribed by law;

—	any amounts held in the account are blocked until the Reporting Financial Institution obtains an independent confirmation regarding the foundation or capital increase;

—	the account is closed or transformed into an account in the name of the company after the foundation or capital increase;

—	any repayments resulting from a failed foundation or capital increase, net of service provider and similar fees, are made solely to the persons who contributed the amounts; and

—	the account has not been established more than 12 months ago.’

;

(m)

in Section VIII, the following subparagraph is inserted after subparagraph C(17)(e):

‘(ea)

A Depository Account that represents all Specified Electronic Money Products held for the benefit of a customer, if the rolling average 90 day end-of-day aggregate account balance or value during any period of 90 consecutive days did not exceed USD 10 000 or an equivalent amount denominated in the domestic currency of each Member State or San Marino at any day during the calendar year or other appropriate reporting period.’

;

(n)

in Section VIII, subparagraph D(2) is replaced by the following:

‘2.

The term “Reportable Person” means a Reportable Jurisdiction Person other than: (i) an Entity the stock of which is regularly traded on one or more established securities markets; (ii) any Entity that is a Related Entity of an Entity described in clause (i); (iii) a Governmental Entity; (iv) an International Organisation; (v) a Central Bank; or (vi) a Financial Institution.’

;

(o)

in Section VIII, subparagraph D(5)(c) is replaced by the following:

‘(c)

any other jurisdiction (i) with which the relevant Member State or San Marino, as the context requires, has an agreement in place pursuant to which that other jurisdiction will provide the information specified in Section I; and (ii) which is identified in a list published by that Member State or San Marino.’

;

(p)

in Section VIII, the following subparagraph is added after subparagraph E(6):

‘7.	The term “Government Verification Service” is an electronic process made available by a Reportable Jurisdiction to a Reporting Financial Institution for the purposes of ascertaining the identity and tax residence of an Account Holder or Controlling Person.’

;

(q)

the following section is added after Section X:

‘SECTION XI

TRANSITIONAL MEASURES

Notwithstanding subparagraph a(1)(b) and a(6a) of Section I, with respect to each Reportable Account that is maintained by a Reporting Financial Institution as of 31 December 2025 and for reporting periods ending by the second calendar year following such date, information with respect to the role(s) by virtue of which each Reportable Person is a Controlling Person or Equity Interest holder of the Entity is only required to be reported if such information is available in the electronically searchable data maintained by the Reporting Financial Institution.’

;

(9)

Annex III is amended as follows:

(a)	the heading is replaced by the following: ‘ADDITIONAL DATA PROTECTION SAFEGUARDS REGARDING THE TREATMENT OF THE DATA PROCESSED UNDER THIS AGREEMENT’ ;

(b)

paragraphs 3 and 4 are replaced by the following:

‘3. Data minimisation

The personal data processed by the Contracting Parties under this Agreement shall be relevant and limited to what is necessary and proportionate to the purposes set out in this Agreement.

The Contracting Parties shall not exchange personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning the health or sex life of the individual.

4. Transparency, right of access, rectification and erasure of data

Where personal data received from another jurisdiction under this Agreement is, in accordance with the conditions set out in Article 6(5) of this Agreement, used for other purposes within the receiving jurisdiction, or is transmitted by the receiving jurisdiction to a third jurisdiction (being another Member State or San Marino), the Competent Authority of the receiving jurisdiction using the personal data for other purposes or transmitting it to a third jurisdiction shall inform the individual Reportable Person concerned. This information shall be provided in sufficient time for the individual to exercise his data protection rights and, in any case, before the receiving jurisdiction has used the personal data for the other purposes or transmitted it to the third jurisdiction.

With respect to any personal data which is processed under this Agreement, any individual shall have the right to obtain access to his personal data concerning him or her and to obtain rectification of inaccurate personal data concerning him or her. Where the personal data has been unlawfully processed the individual may obtain its erasure.

To facilitate the exercise of this right, each individual shall be enabled to make requests for access to, rectification and/or erasure of his data which are addressed to the other Competent Authority via the individual's own Competent Authority.

The requested Competent Authority shall provide access to the relevant data and, where appropriate, update and/or correct any inaccurate or incomplete data.’

;

(c)

paragraphs 6 and 7 are replaced by the following:

‘6. Automated processing

The Competent Authorities shall not take any decision which produces legal effects concerning an individual or significantly affects him or her and which is based solely on automated processing of data.

7. Transfers to authorities of third countries

A Competent Authority may occasionally transfer personal data received pursuant to this Agreement to public authorities in third countries, other than the Member States and San Marino, if all of the following circumstances apply:

(a)	the transfer is necessary for the purposes specified in Article 6(4) in the receiving third country and the personal data will be used by the receiving third country only for such purposes;

(b)	the personal data is relevant and proportionate to the purposes for which it is transferred;

(c)	the competences of the third country authority are directly related to the purposes referred to in Article 6(4);

(d)	the receiving third country ensures a level of protection of the personal data equivalent to the one established by this Agreement, as well as undertakes not to transfer the received data to any third parties;

(e)	the Competent Authority from which the information was received has provided prior agreement; and

(f)	the data subject has been informed of the transfer.

Any other transfers of information received pursuant to this Agreement to third parties shall be prohibited.’

;

(d)

paragraph 10 is replaced by the following:

‘10. Oversight

The processing of personal data by Reporting Financial Institutions and Competent Authorities under this Agreement shall be subject to the independent supervision of (i) the national data protection supervisory authorities established under Regulation (EU) 2016/679 in the Member States, and (ii) the Guarantor for the Confidentiality of Personal Data, established by Law No. 171 of 21 December 2018, in San Marino.

These authorities in the Member States and San Marino shall have effective powers of oversight, investigation, intervention and review, and shall have power to refer violations of law for legal action, where appropriate. They shall in particular ensure that complaints relating to non-compliance are received, investigated, responded to, and appropriately redressed.’

;

(10)	in Annex IV, subparagraph (ac) is deleted.

Article 2

Entry into force

This Amending Protocol requires ratification or approval by the Contracting Parties in accordance with their own procedures. The Contracting Parties shall notify each other of the completion of these procedures. The Amending Protocol shall enter into force on the first day of January following the last notification.

Article 3

Languages

This Amending Protocol shall be drawn up in duplicate in the Bulgarian, Croatian, Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hungarian, Irish, Italian, Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian, Slovak, Slovenian, Spanish and Swedish languages, each text being equally authentic.

IN WITNESS WHEREOF, the undersigned Plenipotentiaries have hereunto set their hands.

(1) Council Directive 2003/48/EC of 3 June 2003 on taxation of savings income in the form of interest payments (OJ L 157, 26.6.2003, p. 38, ELI: http://data.europa.eu/eli/dir/2003/48/oj).

(2) OJ L 381, 28.12.2004, p. 33, ELI: http://data.europa.eu/eli/agree_internation/2004/903/oj.

(3) OJ L 346, 31.12.2015, p. 3, ELI: http://data.europa.eu/eli/prot/2015/2469/oj.

(4) Council Directive (EU) 2023/2226 of 17 October 2023 amending Directive 2011/16/EU on administrative cooperation in the field of taxation (OJ L, 2023/2226, 24.10.2023, ELI: http://data.europa.eu/eli/dir/2023/2226/oj).

(5) Council Directive 2011/16/EU of 15 February 2011 on administrative cooperation in the field of taxation and repealing Directive 77/799/EEC (OJ L 64, 11.3.2011, p. 1, ELI: http://data.europa.eu/eli/dir/2011/16/oj).

(6) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj).

(7) Bollettino Ufficiale della Repubblica di San Marino [https://www.bollettinoufficiale.sm/on-line/RicercaBU?acm_lang=it_IT&acm_session=D41C8C128609A28C2FB7110E5375A6D1.tomcat1lb&operation=getDocBU&id=1da1d6f8c775533f025aaa32a4094d865ec68fb9].