On April 12, 2022, the Dutch Data Protection Authority (AP) announced its decision to impose a €3.7 million fine on the Tax and Customs Administration for the violation of the General Data Protection Regulation (GDPR).
The highest fine the Dutch DPA has imposed so far was issued for non-compliance with general data processing principles, and a total of six violations of the GDPR, including no legal basis for personal data processing, keeping information for longer than necessary and keeping out of date and incorrect data.
The fine was issued after years of illegal processing of personal data in the Fraud Signaling Facility (FSV), a blacklist on which the Tax and Customs Administration kept records of fraud.
FSV Background
FSV was accessible to thousands of employees from various departments of the Tax and Customs Administration from the end of 2013 to the beginning of 2020.
The tax authorities could consult FSV when assessing tax returns or when collecting debts. The list consisted of data on more than a quarter of a million people, including minors.
Blacklisted individuals suffered serious consequences as they were labeled as potential fraudsters and were under intense supervision by the tax authorities, with far-reaching financial consequences for them.
The AP investigation
During the investigation into FSV, the DPA found the Tax and Customs Administration committed serious violations of the GDPR, including violations of the principles of lawfulness, purpose specification, accuracy, and storage limitation.
1. No legal basis for personal data processing
The AP concluded that Tax and Customs Administration had no legal basis for processing personal data, not under the GDPR nor the Personal Data Protection Act that was applied before GDPR enforcement.
Tax and Customs Administration could rely on neither legal obligation nor on the processing necessary for performing a task in the public interest since there was no legal obligation to process signals, and processing was not necessary for the fulfillment of the public task of the Tax and Customs Administration.
2. Lack of purpose specification
The AP concluded that the purpose of the FSV was not clearly defined. Therefore the purpose of the processing could have been achieved in a less far-reaching way, without FSV.
3. Keeping out of date and wrong information
Additionally, the Tax and Customs Administration violated the principle of accuracy since the personal data that was processed was often incorrect, registering wrong individuals as possible fraudsters, and the Administration did not take reasonable measures to rectify or delete that data.
4. No appropriate security measures
The AP also found that the Tax and Customs Administration did not secure personal data properly and did not implement appropriate technical and organizational measures regarding access security and security of personal data in the FSV.
5. Personal data kept for longer than necessary
The personal data in FSV were kept longer than the retention period applicable to the personal data in FSV by the Tax and Customs Administration.
6. Not advising with the DPO
Finally, the Tax and Customs Administration did not properly and timely involve a data protection officer when conducting the Data Protection Impact Assessment of FSV. The Tax and Customs Administration has only asked the DPO for advice after more than a year when assessing the risks of FSV.
Tax and Customs Administration Violations
The fine of 3.7 million euros is based on several fines for a total of six violations:
- €1 million – No legal basis for the processing of personal data in FSV
- €750,000 – The goal of FSV was not specifically defined in advance
- €750,000 – FSV contained incorrect and non-updated data
- €250,000 – personal data was kept for far too long
- €500,000 – FSV ‘s security was insufficient
- €450,000 – The Tax and Customs Administration did not properly and timely involve DPO
The final amount of the fine
The final amount of the fine was influenced by the duration of the violations, the number of affected individuals, and the seriousness of the violations, since Tax and Customs Administration has violated the rights of 270,000 people for over six years and caused serious financial damages to the individuals.
