An investigation conducted by the Dutch Data Protection Authority (DDPA) – Autoriteit Persoonsgegevens – into the data processing activities of the Dutch Tax and Customs Administration has uncovered violations of the core principles of the General Data Protection Regulation (GDPR).
The Dutch Tax and Customs Administration conducts activities to tackle fraud, which involve collecting and storing the personal details of Dutch taxpayers in its Fraud Signaling Facility (FSV). The FSV includes a blacklist of individuals that was used to identify potential fraudsters, and the individuals on the blacklist were subjected to intense supervision by the tax authority.
The DDPA analyzed the data stored in the FSV and found that in many cases the information was inaccurate and out-of-date, and included information unrelated to fraudulent activities. In 2020, following several negative media reports about the FSV, the Dutch Tax and Customs Administration retired the system; however, it had been used since 2013, with the system it replaced having been used since 2001.
The investigation concerned the data processing activities conducted since May 25, 2021, when the GDPR took effect. The DDPA investigation revealed the FSV contained the personal data of more than 250,000 Dutch nationals, many of whom were minors when their personal data were added to the system. The FSV included information about proven cases of fraud and alleged but unproven fraud. The DDPA determined personal data were being processed without legal basis or a defined purpose, in violation of the GDPR.
“Our investigation shows that the Tax and Customs Administration registered and used fraud signals in a way that is absolutely not allowed [under the GDPR],” said Aleid Wolfsen, Chairman of the DDPA. “More than a quarter of a million people have been on this fraud list – often unjustly – for far too long without their knowledge. As a result, they could not defend themselves and they could not be removed from the list.”
The DDPA has not yet determined if a financial penalty will be imposed to resolve the GDPR violations. The Dutch Tax and Customs Administration has been given the opportunity to respond to the findings of the investigation, after which a decision will be made about whether a financial penalty is appropriate.
This is not the first time that the Dutch Tax and Customs Administration has been discovered to have engaged in the unlawful processing of the personal data of Dutch citizens. A previous DDPA investigation into the data processing activities of the Benefits Office of the Dutch Tax and Customs Administration identified unlawful and discriminatory practices that violated the GDPR.
The DDPA discovered that the Benefits Office of the Dutch Tax and Customs Administration had processed the dual nationality information of childcare benefit applicants and retained that information in its system when it should have been deleted in January 2014. In May 2018, when the GDPR took effect, the data of 1.4 million individuals registered as dual nationals was still stored in its systems. That information was used in the assessment of childcare benefit applications to combat organized fraud, even though it was not necessary for that purpose and should not have been used.
The nationality of applicants was also used as an indicator in a system that designated certain applications as risky, even though nationality data was not necessary for that purpose. A decision has yet to be made in that case about whether a financial penalty is appropriate.