Tax administration fined for discriminatory processing Summary Our remarks Between 2013 and 2019, around 26,000 parents were • Governmental bodies have a heightened wrongly accused of making fraudulent childcare benefit responsibility to perform lawful processing due to claims, requiring them to pay back the allowances they the power imbalance between the government had received in their entirety. The amount was up to ten and its citizens as the data subjects do not have a thousand euros. choice to have their personal data processed by the given authority. From January 2014, national legislation stipulated that if a person was of Dutch nationality, dual nationality was • The less far-reaching form of processing should no longer to be recorded. always be used when possible. For example, instead of using dual nationality as an indication of The Dutch Tax Administration continued storing data fraud, the Tax Administration should only check a about individuals with dual nationality after the change person’s nationality when there are other concrete in legislation in January 2014. In May 2018, approximately indications of fraud. 1.4 million Dutch citizens with dual nationalities were registered in a database used by the authority. • As a controller or processor, you should always be aware of national legislation that either prohibits In addition, the Administration processed the nationality or restricts certain types of processing or the of applicants to combat organized fraud. Applications processing of certain types of personal data. submitted by dual nationals were automatically marked as a ‘high risk-application’ by an algorithm and • The DPA will impose a higher fine if the data would be further investigated. subjects have suffered economic damages due to illegal processing. Furthermore, certain nationalities were used to detect organized fraud. Data subjects with certain nationalities were more likely to be checked for fraud. The decision of the Dutch DPA The Dutch DPA imposed a total fine of 2,750,000 EUR on the Dutch Ministry of Finances for the following violations (with corresponding fines): • Unlawful retention of data on dual nationality: 750,000 EUR (GDPR, Articles 6(1) and 5(1)(a)). • Unnecessary use of dual nationality as an indicator of the risk of fraud: 1,000,000 EUR (GDPR, Articles 6(1) and 5(1)(a)). • Inappropriate use of dual nationality to detect organized fraud: 1,000,000 EUR (GDPR, Articles 6(1) and 5(1)(a)). Published: 25-11-2021 Journal number: N/A Tags: 01 Legal basis and principles of processing 17