2 min

Tags in this article

, , ,

One year after the introduction of the European Privacy Act, the Tax and Customs Administration reports that GDPR has still not complied with the Act. The organization states that the storage of old personal data in particular remains problematic.

Much of this obsolete information should be deleted automatically, but it turns out to take longer than expected. For a number of old systems it is not possible to remove the obsolete data on the basis of the GDPR standards.

“Some systems are based on a database management system that does not provide for the possibility of physically deleting records,” a spokesman said to Tweakers. As a result, some data can only be marked as ‘no longer valid’.

The Tax and Customs Administration is now converting that system to another database. However, these changes are so great that it will not be possible to delete the data in the short term. In addition, the data must be assessed manually for the presence of personal data. This turns out to be a big job, as it involves hundreds of millions of documents.


The tax authorities also announced last year that they would not be ready in time for the GDPR. At the time, the organisation said it needed more time to get its systems in order. At the end of May, the organisation told the Lower House of Parliament that it would update on the situation. The State Audit Department will also investigate the extent to which the government complies with the GDPR.

In the meantime, the Tax and Customs Administration is taking measures to ensure that the old data is not accessible to every employee. The tax authorities place the data in a so-called data safe. The safe is a protected environment to which only employees with explicit permission have access.

Halfway through last year, the Tax and Customs Administration was also criticised by the Dutch Data Protection Authority for the use of the citizen service number in a VAT identification number for self-employed people who want to set up a sole proprietorship. According to the GDPR, however, this is not allowed and the practices need to be adapted.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.