NETHERLANDS TAX AUTHORITY FINED FOR DATA BREACH

Autoriteit Persoonsgegevens, the Dutch Data Protection Authority (DDPA), found on Friday that the Dutch Tax and Customs Administration violated core principles of the General Data Protection Regulations (GDPR) for several years through processing personal data in a fraud management system.

The Fraud Signaling Facility (FSV) was used to store taxpayers’ personal details. The FSV served as a blacklist to identify potential fraudsters. Those who were blacklisted as “potential fraudsters” faced intense supervision from the tax authority. Often the data was inaccurate, out-of-date or unrelated to possible fraud.

The FSV was used by the tax authority from late 2013 to early 2020, after which it was discontinued due to several media reports discrediting the system. The predecessor of the FSV has existed since 2001.

The DDPA found that the FSV system was accessible to thousands of employees working at various divisions of the tax authority. It processed the data of more than a quarter of a million citizens, including minors, for several years without legal basis and a defined purpose. It contained a variety of alleged or proven data, both from within and outside the tax authority.

The Chairman of the DDPA, Aleid Wolfsen said:

Obviously, the Tax and Customs Administration must tackle fraud. But our investigation shows that the Tax and Customs Administration registered and used fraud signals in a way that is absolutely not allowed. Innocent people have been duped … More than a quarter of a million people have been on this fraud list – often unjustly – for far too long without their knowledge. As a result, they could not defend themselves and they could not be removed from the list.

The Minister of Finance has a right to officially respond to the DDPA’s investigation. Following this, the DDPA will assess whether the Tax and Customs Administration will be fined. This is the second scandal to beset the tax authority in recent years after a previous investigation by the DDPA found it guilty of discriminating against childcare benefit applicants with dual nationality.

courtesy of Ananaya Agrawal

Related Posts