Tax administration fined for fraud blacklist

Summary
The Dutch Tax Administration had a fraud identification facility (FSV) that contained a blacklist of data subjects, registering indications of fraud. The FSV staff were instructed to use characteristics of individuals, such as their ethnic heritage (e.g., Turkish, Moroccan, and Eastern European), as a selection criterion for further tax investigations. In some cases, a data subject was labeled a 'fraudster' without this being subject to an adequate investigation. Even if an investigation was carried out and no fraud indicators were found, this conclusion was often not recorded, and so the suspicion of fraud remained. Furthermore, risk analyses were in some cases based on incorrect data.

Inclusion on this blacklist meant that the data subject suffered economic consequences, such as having his or her application for care allowance rejected or being made ineligible for debt rescheduling. Around 270,000 people were on this list, and the processing took place from 2013 to 2020. Information about individuals on this list was shared with other authorities and private entities. Furthermore, unauthorized employees of the Tax and Customs Administration were able to view personal data in the FSV due to its inadequate security.

The decision of the Dutch DPA
The Dutch DPA imposed a combined fine of 3,700,000 EUR on the Dutch Minister of Finance for the following violations (broken down into the corresponding fines):
• The Tax Administration had no statutory basis for processing personal data in the FSV: 1,000,000 EUR (GDPR, Article 6(1)).
• The purpose of the FSV was not specifically described in advance: 750,000 EUR (GDPR, Article 5(1)(b)).
• The FSV contained incorrect and obsolete information: 750,000 EUR (GDPR, Article 5(1)(d)).
• This data was stored for far too long: 250,000 EUR (GDPR, Article 5(1)(e)).
• The FSV was not adequately protected: 500,000 EUR (GDPR, Article 32(1)).
• The Tax Administration waited over a year to ask its DPO for advice on assessing the risks of using the FSV: 450,000 EUR (GDPR, Article 32(2)).

Our remarks
• If a processing activity relies on the legal basis of "necessary for a task carried out in the public interest", the law that the controller refers to must specifically permit the processing in question. This is also the case when the processing falls within the general scope of the law. When a processing activity becomes more detailed and invasive (for example by processing special categories of data or criminal data), the requirement for clarity of the law is raised.
• When processing personal data, it is important to describe the processing as precisely as possible. Furthermore, the purpose of the processing activity should always be clear. This can be mapped in a Risk Assessment and, where required, followed by a Data Protection Impact Assessment.
• If the controller has carried out unlawful processing and has not involved its DPO, this is an aggravating circumstance when the DPA calculates the fine.
• If a controller or processor has previously been found to be in violation of the GDPR, the data protection authority is inclined to issue a higher fine for the subsequent violation.

Published: 07-04-2022 Journal number: N/A Tags: 01 Legal basis and principles of processing 16
Complycloud EU GDPR Report