
Biggest GDPR Fines in the Netherlands: Tax Administration Fined for Fraud Blacklist

Do you want to know about some of the biggest fines given in the Netherlands in GDPR history?

Learn about the GDPR no-gos from this case involving the Dutch Tax Administration.

The case in brief: Staff were instructed to use data on ethnic heritage about individuals

The Dutch Tax Administration ran a fraud identification facility (FSV) that contained a blacklist of data subjects flagged with indications of fraud.

FSV staff were instructed to use characteristics of individuals, such as their ethnic heritage (e.g., Turkish, Moroccan, or Eastern European), as a selection criterion for further tax investigations.

The (costly) decision from the Dutch DPA

The Dutch DPA imposed a combined fine of EUR 3,700,000 on the Dutch Minister of Finance for the following violations (broken down into the corresponding fines):

  • The Tax Administration had no statutory basis for processing personal data in the FSV: EUR 1,000,000 (GDPR, Article 6(1)).
  • The purpose of the FSV was not specifically described in advance: EUR 750,000 (GDPR, Article 5(1)(b)).
  • The FSV contained incorrect and obsolete information: EUR 750,000 (GDPR, Article 5(1)(d)).
  • The data was stored for too long: EUR 250,000 (GDPR, Article 5(1)(e)).
  • The FSV was not adequately protected: EUR 500,000 (GDPR, Article 32(1)).
  • The Tax Administration waited over a year before asking its DPO for advice on assessing the risks of using the FSV: EUR 450,000 (GDPR, Article 32(2)).


Our remarks

  • If a processing activity relies on the legal basis of "necessary for a task carried out in the public interest," the law the controller refers to must specifically permit the processing in question, even when the processing falls within the general scope of that law. The more detailed and invasive the processing becomes (for example, by processing special categories of data or criminal data), the higher the bar for clarity of the law.
  • When processing personal data, describe the processing as precisely as possible, and always make the purpose of the processing activity clear. This can be mapped in a risk assessment and, where needed, followed by a data protection impact assessment (DPIA).
  • If a controller has carried out unlawful processing without consulting its DPO, the data protection authority treats this as an aggravating circumstance when calculating the fine.
  • If a controller or processor has previously been found in violation of the GDPR, the data protection authority is inclined to issue a higher fine for the subsequent violation.

The DPA's findings show what went wrong in practice. In some cases, a data subject was labelled a 'fraudster' without any adequate investigation. Even where an investigation was carried out and turned up no fraud indicators, that conclusion was often not recorded, so the suspicion of fraud remained on file.

Furthermore, risk analyses were in some cases based on incorrect data.

Inclusion on the blacklist had economic consequences for the data subject, such as having an application for care allowance rejected or being made ineligible for debt rescheduling.

The processing took place from 2013 to 2020; over that period, 270,000 people ended up on the list.

Information about these people was shared with other authorities and private entities.

Furthermore, because the FSV was inadequately secured, employees of the Tax and Customs Administration who had no authorization were able to view personal data in it.

This case about the Dutch Tax Administration is a reminder of why your organization needs to establish a legal basis before processing sensitive data and to conduct a risk assessment of its processing activities.

It is just as important that you can show and document your GDPR compliance.

We can help you through the GDPR compliance process, from start to audit.

