Date of final decision: April 7, 2022
Cross-border case or national case: no
Controller: Minister of Finance – Tax Administration
Legal Reference: lawfulness - article 5(1) point a in conjunction with article 6(1), purpose limitation - article 5(1) point b, accuracy - article 5(1) point d, storage limitation - article 5(1) point e, security - article 32(1), advice of the DPO when carrying out a DPIA - article 35(2) in conjunction with article 38(1)
Decision: infringement of the GDPR, administrative fines
Key words: illegally processing personal data in ‘fraud identification facility’, access control, logging, involvement DPO
Summary of the Decision
Origin of the case
The investigated Fraude Signalering Voorziening (FSV) was a blacklist that the Tax Administration used to register indications of fraud, often with major repercussions for people who had been wrongly included on the list.
The Dutch Supervisory Authority (SA) uncovered numerous violations of the General Data Protection Regulation (GDPR). For example, the Tax Administration had no statutory basis for processing the personal data on the list. In many cases the personal data was not even correct, and as a result people were wrongly registered as possible tax frauds. Furthermore, the list was not properly protected, and the Tax Administration’s internal privacy supervisor was not involved at an early stage in the creation of the list.
The Dutch SA has imposed a €3.7 million fine on the Tax Administration for illegally processing personal data over a period of years in its ‘fraud identification facility’ (FSV). The €3.7 million fine comprises multiple fines for six violations in total:
- The Tax Administration had no statutory basis for processing personal data in the FSV: €1 million.
- The purpose of the FSV was not specifically described in advance: €750,000.
- The FSV contained incorrect and obsolete information: €750,000.
- This particular data was stored for far too long: €250,000.
- The FSV was not adequately protected: €500,000.
- The Tax Administration waited over a year to ask its internal privacy supervisor for advice about assessing the risks of using the FSV: €450,000.
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.