Background information

Date of final decision: April 7 2022
Cross-border case or national case: no
Controller: Minister of Finance – Tax Administration
Legal Reference: lawfulness - article 5(1) point a icw 6(1), purpose limitation - article 5(1) point b, accuracy - article 5(1) point d, storage limitation - article 5(1) point e, security - article 32(1), advice DPO when carrying out a DPIA - article 35(2) icw 38(1)
Decision: infringement of the GDPR, administrative fines
Key words: illegally processing personal data in ‘fraud identification facility’, access control, logging, involvement DPO

Summary of the Decision

Origin of the case

The investigated Fraude Signalering Voorziening (FSV) was a black list which the Tax Administration used to register indications of fraud, often with major repercussions for people who had been wrongly included on the list.

Key Findings

The Dutch Supervisory Authority (SA) uncovered numerous violations of the General Data Protection Regulation (GDPR). For example, the Tax Administration had no statutory basis for processing the personal data on the list. In many cases the personal data was not even correct, and as a result people were wrongly registered as possible tax frauds. Furthermore, the list was not properly protected, and the Tax Administration’s internal privacy supervisor was not involved at an early stage in the creation of the list.

Decision

The Dutch SA has imposed a €3.7 million fine on the Tax Administration for illegally processing personal data over a period of years in its ‘fraud identification facility’ (FSV). The €3.7 million fine comprises multiple fines for six violations in total:

The Tax Administration had no statutory basis for processing personal data in the FSV: €1 million.
The purpose of the FSV was not specifically described in advance: €750,000.
The FSV contained incorrect and obsolete information: €750,000.
This particular data was stored for far too long: €250,000.
The FSV was not adequately protected: €500,000.
The Tax Administration waited over a year to ask its internal privacy supervisor for advice about assessing the risks of using the FSV: €450,000.

For further information: link to decision in national language Boete Belastingdienst voor zwarte lijst FSV (NL), Tax Administration fined for fraud blacklist (EN).

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.

Tax Administration fined for fraud ‘black list’

Background information

Summary of the Decision

Origin of the case

Key Findings

Decision

Zdravko Vukić elected new Deputy Chair of the European Data Protection Board

Ansigtsgenkendelse i lufthavne: personer bør have størst mulig kontrol over biometriske data

EDPB launches French and German versions of its Data Protection Guide for small business

Finnish SA: Administrative fine of € 856,000 for failing to define storage period of customer data

Hellenic SA: fine on a company for failure to implement technical and organisational measures resulting in unauthorised access by third parties