The Personal Data Authority (AP) is fining the Tax Authority 3.7 million euros. The Tax Authority is receiving this fine because of years of illegal processing of personal data in the Fraud Signaling Facility (FSV). That was a blacklist on which the Tax Authority kept track of signals of fraud, often with serious consequences for people who were wrongly on the list.
The AP found a long list of violations of the privacy law, the General Data Protection Regulation (GDPR), during investigations into FSV.
For example, the Tax Authority had no legal basis (lawful ground) for processing the personal data on the list. Without such a GDPR basis, the processing of personal data is prohibited.
Also, personal data were often incorrect. As a result, people were wrongly registered as potential fraudsters. Furthermore, the security of the list was not in order. And the Tax Authority's internal privacy supervisor was not involved in the design of the list in time.
This fine is the highest ever imposed by the AP. That's because of the severity of the violations, the impact on large numbers of people and the fact that the violations went on for so long.
AP Chairman Aleid Wolfsen: 'With FSV, the Tax Authority violated the rights of the 270,000 people who were on that list in an unprecedented way. For more than six years. People were often wrongly labeled as fraudsters, with terrible consequences. If you were on FSV, some did not receive payment arrangements or qualify for debt settlement. The Tax Authority turned lives upside down with FSV.'
The Tax Authority's own research also found that employees were instructed to base the risk of fraud in part on things like people's nationality and appearance.
Wolfsen: 'Did you have Turkish, Moroccan or Eastern European nationality? Then you were investigated further without good reason because of that nationality. This discrimination is unacceptable. Also, the Tax Office mentioned, for example, donations to mosques and high medicine costs of people with Eastern European-sounding surnames in advance as a risk factor for fraud.'
In determining the amount of the fine, the AP also took into account that the Tax Authority has committed serious violations of the GDPR before. In 2018, for example, the AP found that the Tax Authority had poorly secured personal data.
And in 2020, the AP imposed a processing ban on the Tax Authority for illegally using the citizen service number (BSN) in the VAT identification number of the self-employed. Moreover, in 2021, the Tax Authority was fined 2.75 million euros by the AP for discriminatory and unlawful practices in the childcare benefits affair (Toeslagenaffaire).
Wolfsen: 'The Tax Administration has gone wrong several times. While precisely the Tax Administration has a very great responsibility towards the people in the Netherlands. After all, they depend on the Tax Administration. You cannot decide to apply for your benefits or file your tax return somewhere else. People must be able to trust that the Tax Administration will handle their data with care. In the FSV case, that turned out not to be the case.'
The €3.7 million fine is the sum of separate fines for a total of six violations:
The Tax Authority had no legal basis (lawful ground) for processing personal data in FSV: €1 million fine.
FSV's purpose was not specified in advance: 750,000 euro fine.
FSV contained incorrect and outdated data: 750,000 euro fine.
Signals were kept far too long: 250,000 euro fine.
FSV's security was inadequate: 500,000 euro fine.
The Tax Authority did not ask the FG (the internal privacy supervisor) for advice in assessing FSV's risks until more than a year later: 450,000 euro fine.
The Tax Authority discontinued FSV in February 2020.
The Tax Authority can still appeal the AP's fine.