Dutch DPA Fines Tax and Customs Administration €2.75 Million for GDPR Violations
The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (AP), has announced it has imposed a financial penalty of €2.75 million ($3.1 million / £2.34 million) on the Dutch Tax and Customs Administration for violations of the EU’s General Data Protection Regulation (GDPR).
The Tax and Customs Administration had processed the dual nationality data of individuals who applied for childcare allowance. According to AP, the data should have been deleted in January 2014, but was retained and used by the Dutch Tax and Customs Administration for many years, even though the dual nationality status of Dutch nationals should not have played any role in assessments of childcare benefits applications.
AP’s investigation determined that in May 2018, when the GDPR took effect, there were 1.4 million individuals in the Tax and Customs Administration’s systems who were registered as dual nationals. Dual nationality status was used as part of the administration’s efforts to combat organized fraud, with that information retained in its fraud management system, the Fraud Signaling Facility, which acted as a blacklist to identify potential fraudsters.
The information stored in the Fraud Signaling Facility was found, in many cases, to be out of date and inaccurate. Dutch nationals were added to the blacklist without their knowledge, were unable to defend themselves, and could not have themselves removed from it. Individuals with dual nationality were classed as non-Dutch and, as such, their applications for childcare benefits were deemed to be high-risk. AP said the inclusion and processing of dual nationality data were unlawful and discriminatory. Under the GDPR, processing nationality data in a discriminatory manner is not permitted, and doing so infringed on individuals’ fundamental rights, which include the right to equality and non-discrimination.
“The government has exclusive responsibility for lots of things. Members of the public don’t have a choice; they are forced to allow the government to process their personal data,” said AP chair Aleid Wolfsen. “That’s why it’s crucial that everyone can have absolute confidence that this processing is done properly. That the government doesn’t keep and process unnecessary data about individuals. And that there is never any element of discrimination involved in an individual’s contact with the government.”
The Tax and Customs Administration retired its Fraud Signaling Facility in February 2019 and, in the summer of 2020, cleared up its internal systems and deleted the dual nationalities of Dutch nationals. The Tax and Customs Administration said it has not used dual nationality data for determining risk since October 2018.