Do you want to know about some of the biggest fines given in Dutch GDPR history?
Learn about GDPR no-go’s from this case about the Dutch tax administration as we take you through:
- The case in brief: Staff were instructed to use data on the ethnic heritage of individuals
- The (costly) decision from the Dutch DPA
- The reasons behind the hefty penalty
- The 4 key lessons for data controllers and processors
The case in brief: Staff were instructed to use data on the ethnic heritage of individuals
The Dutch Tax Administration had a fraud identification facility (FSV) that contained a blacklist of data subjects showing indications of fraud.
The FSV staff were instructed to use characteristics about individuals, such as their ethnic heritage (i.e., Turkish, Moroccan, and Eastern European) as a selection criterion for further tax investigations.
The (costly) decision from the Dutch DPA
The Dutch DPA imposed a combined fine of EUR 3,700,000 on the Dutch Minister of Finance for the following violations (broken down into the corresponding fines):
- The Tax Administration had no statutory basis for processing personal data in the FSV: EUR 1,000,000 (GDPR, Article 6(1)).
- The purpose of the FSV was not specifically described in advance: EUR 750,000 (GDPR, Article 5(1)(b)).
- The FSV contained incorrect and obsolete information: EUR 750,000 (GDPR, Article 5(1)(d)).
- The data was stored for too long: EUR 250,000 (GDPR, Article 5(1)(e)).
- The FSV was not adequately protected: EUR 500,000 (GDPR, Article 32(1)).
- The Tax Administration waited over a year to ask its DPO for advice about assessing the risks of using the FSV: EUR 450,000 (GDPR, Article 32(2)).
Understand the reasons behind the hefty penalty: Where did the data controller go wrong?
From our perspective, there are 6 major reasons for the significant fine:
Reason #1: In some cases, a data subject was labelled a ‘fraudster’ without an adequate investigation having been carried out. Even when an investigation was carried out and no fraud indicators were found, this conclusion was often not recorded, so the suspicion of fraud remained on file.
Reason #2: Risk analyses were based on incorrect data in some cases.
Reason #3: Inclusion on this blacklist meant that the data subject suffered economic consequences such as having his/her application for care allowance rejected or being made ineligible for debt rescheduling etc.
Reason #4: The processing took place from 2013 to 2020, meaning that 270,000 people ended up on this list.
Reason #5: Information about these people was shared with other authorities and private entities.
Reason #6: Because the FSV was inadequately secured, employees of the Tax and Customs Administration who had no authorisation to do so were able to view the personal data it contained.
Our remarks: 4 key lessons for data controllers and processors
Here are the 4 most important things that you as a data controller and/or processor can learn from the case:
Lesson #1: The more protection-worthy the data, the stronger the legal basis must be
If a processing activity relies on the legal basis of “necessary for a task carried out in the public interest,” the law that the controller refers to must specifically permit the processing in question.
In addition, the more detailed and invasive the data being processed is (e.g. criminal offence data compared with name data), the more clearly the national legal basis must state that processing the data is necessary.
This means that there must be both a legal basis in the GDPR (cf. public interest) and in the national law (in this case, the Dutch law).
Lesson #2: Description of the processing of data has to be precise and clear
When you process personal data, it’s important to describe the processing as precisely as possible. Also, the purpose of the processing activity should always be clear.
This can be mapped in a Risk Assessment and eventually followed by a Data Protection Impact Assessment (also known as DPIA).
Lesson #3: Failing to report leads to a bigger fine
If the controller has carried out illegal processing and hasn’t reported this to its DPO, it’s an aggravating circumstance when the DPA is calculating the fine.
Lesson #4: A previous violation of the GDPR can mean a bigger fine
If a processor has previously been found to be in violation of the GDPR, the data protection authority is inclined to issue a higher fine for the subsequent violation.
This case about the Dutch Tax Administration is a reminder of why your organization needs to ensure it has a legal basis for processing sensitive data and to conduct a risk assessment of its processing activities.
But it’s just as important that you can show and document your GDPR compliance.
We can help you through the GDPR compliance process – from start to audit.