The Dutch Data Protection Authority (DDPA) recently concluded that the Dutch Tax and Customs Administration breached fundamental General Data Protection Regulations (GDPR) rules. The infractions occurred over several years while using a fraud management system known as the Fraud Signaling Facility (FSV).

The FSV, operational from late 2013 until early 2020, acted as a sort of blacklist to pinpoint and monitor potential fraudsters by storing their personal information. However, the data often included errors, was outdated, or was irrelevant to fraud risks. This system was eventually terminated following critical media scrutiny, although its predecessor had been in place since 2001.

Investigations by the DDPA revealed that the FSV, which housed data of over 250,000 individuals—including minors—lacked a legal foundation and clear purpose for its data processing activities. The system was also accessible to numerous tax authority employees across various departments, further complicating the data privacy issues.

Aleid Wolfsen, the DDPA Chairman, emphasized the importance of the tax authority’s duty to combat fraud but criticized the methods employed: “Our findings indicate a severe misuse of fraud signals, affecting innocent individuals who, unbeknownst to them, were marked as fraudsters and could neither challenge nor remove their names from the list.”

The Ministry of Finance has been given the opportunity to respond to these findings formally. The DDPA will decide if penalties are warranted following this response. This incident marks another significant controversy for the Dutch Tax and Customs Administration, which had previously faced accusations of racial discrimination in handling childcare benefits.