The Dutch GDPR authority (AP) imposed a 3.7 million euro fine on the national tax administration. The government agency stored the personal data of 270,000 people on a black list. A serious violation of the AVG (the Dutch name for the GDPR), said the AP.
“For more than 6 years, the tax administration violated the rights of the 270,000 people who were on that list”, says AP president Aleid Wolfsen.
Until 2020, the Dutch tax administration (Belastingdienst) maintained the Fraud Signalling Facility (FSV). The FSV was a list of people suspected of fraud by the tax administration. The list contained personal data on 270,000 individuals.
According to the AP, the tax administration is guilty of multiple GDPR violations. The tax administration receives a fine of 3.7 million euros.
The tax administration sees the FSV as “one of the systems that allow us to process tax returns and benefits applications faster”. The AP holds a very different view. “A black list, on which the tax administration kept track of fraud signals”, says a spokesperson. “With major consequences for people who were wrongly registered.”
Internal research by the tax administration reveals that staff were instructed to partly base the risk of fraud on people’s nationality and appearance. Those who never committed fraud could still end up on the list. They wouldn’t have known, because the tax administration didn’t inform registrants.
Consequences for 270,000 people
The consequences of the list vary. The Netherlands has systems in place to aid those in financial trouble. For example, tax debts can typically be repaid in instalments. For those on the list, payment agreements were typically denied. Additionally, registrants facing debt restructuring were required to involve a judge to make arrangements with creditors, while average citizens were not.
The FSV was taken out of service on 27 February 2020, following an investigation that showed the system violated the AVG in several ways.
A more recent investigation by the AP brings the violations into focus. The tax administration receives a total fine of 3.7 billion euros for six separate violations.
First, the tax administration did not have a legal basis for personal data processing. All personal data processing requires a legal basis under the AVG. The most common basis is consent, which the tax administration lacked.
In addition, the tax administration failed to describe the specifics of the FSV’s purpose. Some personal data was incorrect or outdated. Data was kept far too long, and the security proved inadequate.