Dutch DPA fines government tax authority $3.1M under GDPR

By Jaclyn Jaeger2021-12-09T17:57:00+00:00

No comments

The Dutch Data Protection Authority (DPA) on Tuesday announced a fine of €2.75 million (U.S. $3.1 million) against the government’s Tax and Customs Administration for violations of the EU’s General Data Protection Regulation (GDPR).

The Tax and Customs Administration, part of the Ministry of Finance, for years “processed the (dual) nationality of applicants for childcare allowance in an unlawful, discriminatory, and therefore improper manner,” the Dutch DPA stated in a translated press release. The government agency should have deleted this data in January 2014 but instead kept and used it. In May 2018, the month the GDPR took effect, the tax authorities’ system still contained the dual nationality information of 1.4 million people, according to the DPA.

Additionally, the DPA stated tax authorities unnecessarily processed the nationality of applicants to combat organized fraud. In a report issued in October (in Dutch), the DPA found tax authorities processed personal data in a fraud management system called the “Fraud Signaling Facility,” which the data regulator said served as a blacklist to identify potential fraudsters. Often, however, the data was inaccurate or out of date.

“More than a quarter of a million people were—often unjustly—on this fraud list for far too long without their knowledge,” said DPA Chairman Aleid Wolfsen in a translated statement on Oct. 29. “As a result, they could not defend themselves and they could not be removed from the list.”

Further, the DPA found tax authorities also unnecessarily processed and “used the nationality of applicants as an indicator (Dutch or not Dutch) in a system that automatically designated certain applications as high-risk.”

Citizens do not have a freedom of choice regarding the processing of their data by the government, Wolfsen said. Rather, they must “blindly trust” the government is handling their data properly and fairly. In this case, tax authorities violated that trust, he said.

Discriminatory processing

The right to childcare allowance is not dependent on nationality, the DPA stated. Under the GDPR, data processing may not infringe fundamental rights.

“By unnecessarily including data about nationality in all kinds of systems, the Tax and Customs Administration acted in a discriminatory way,” the DPA stated.

In this case, the unlawful processing of data using an algorithm went “terribly wrong,” resulting in the violation of citizens’ rights, Wolfsen said. He added the DPA “will continue to warn about the serious dangers of processing personal data with algorithms and AI.”

The Tax and Customs Administration has addressed the violations, according to the DPA. The agency completely removed from its internal systems the dual nationalities of Dutch people.

Since October 2018, tax authorities no longer use the nationality of applicants in the risk system, and since February 2019, no longer use the nationality of applicants to fight fraud.

The Tax and Customs Administration can appeal the fine, which was imposed on the Minister of Finance, who is responsible for the processing of personal data at the agency. The fine notice (in Dutch) addressed to the Minister of Finance is dated Nov. 25.

Jaclyn JaegerJaclyn Jaeger is a freelance contributor to Compliance Week after working for the company for 15 years. She writes on a wide variety of topics, including ethics and compliance, risk management, legal, enforcement, technology, and more.View full Profile

Topics

No comments

Interested in writing for CW?

Compliance Week accepts outside contributions from corporate chief compliance officers and other senior-level GRC practitioners. To learn more, contact the CW Editor.

Article
GDPR fines worth appealing? Factors to consider

2021-08-19T13:03:00Z By Neil Hodge

Experts weigh in on the results of a report from the European Data Protection Board showing which countries have seen the most GDPR fines annulled or modified following court appeal.
Article
TikTok fined $883K under GDPR for children’s privacy violations

2021-07-23T18:25:00Z By Neil Hodge

The Dutch Data Protection Authority imposed a €750,000 (U.S. $883,000) fine on TikTok for violating the privacy of young children following a wide-scale investigation launched last year.
Article
Booking.com fined $557K under GDPR for reporting data breach late

2021-04-01T20:55:00Z By Neil Hodge

Online reservation Website Booking.com has been fined €475,000 (U.S. $557,000) by the Dutch Data Protection Authority for reporting a data breach 22 days later than the 72 hours required under the GDPR.

No comments yet

You're not signed in.

Only registered users can comment on this article.

More from Regulatory Enforcement

News Brief
Proterial Cable America earns DOJ declination in apparent fraud case

2024-04-16T19:30:00Z By Kyle Brasseur

Proterial Cable America received a declination notice from the Department of Justice related to its voluntary self-disclosure and remediation of apparent fraud committed by its employees.
Premium
SEC’s Grewal: General compliance principles for avoiding AI washing

2024-04-16T19:09:00Z By Aaron Nicodemus

Gurbir Grewal, director of the Securities and Exchange Commission’s Division of Enforcement, laid out general principles for “proactive compliance” to avoid making false or misleading claims about the capabilities of artificial intelligence products and services.
News Brief
FINRA orders Barclays unit to pay $700K over conflicts of interest

2024-04-15T16:26:00Z By Aaron Nicodemus

A Barclays unit agreed to pay $700,000 to settle allegations levied by the Financial Industry Regulatory Authority that its research analysts violated conflict-of-interest rules and the firm failed to sufficiently supervise their trades.