AP (The Netherlands) - 7.04.2022: Difference between revisions
Revision as of 16:34, 20 April 2022
AP (The Netherlands) - Dutch Tax and Customs Administration fined €3,700,000 for six GDPR violations | |
---|---|
Authority: | AP (The Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 5(1)(b) GDPR; Article 5(1)(d) GDPR; Article 5(1)(e) GDPR; Article 5(1)(a) GDPR; Article 6(1) GDPR; Article 32(1) GDPR; Article 35(2) GDPR; Article 38(1) GDPR; Article 10(1) Wbp; Article 11(2) Wbp; Article 13 Wbp; Article 7 Wbp; Article 8 Wbp |
Type: | Other |
Outcome: | n/a |
Started: | |
Decided: | |
Published: | 12.04.2022 |
Fine: | 3,700,000 EUR |
Parties: | Autoriteit Persoonsgegevens; Ministry of Finance |
National Case Number/Name: | Dutch Tax and Customs Administration fined €3,700,000 for six GDPR violations |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | Decision fine black list Dutch Tax and Customs Administration (in NL) |
Initial Contributor: | Eva Lu |
The Dutch DPA issued a fine of €3,700,000 to the Dutch Tax and Customs Administration based on an accumulation of six violations of the GDPR, including no legal basis for processing of personal data under Article 6(1) GDPR.
English Summary
Facts
The Dutch Tax and Customs Administration kept a list to register indications of fraud, the Fraud Signaling Facility (FSV). The list contained over 270,000 entries and was maintained for more than six years. The Dutch DPA conducted a thorough investigation into the Tax and Customs Administration, finding several violations of the GDPR.
Holding
The DPA found that the Dutch Tax and Customs Administration had registered about 244,273 individuals and 30,000 business owners in the FSV from 4 November 2013 to 27 February 2020. The Tax and Customs Administration processed personal data (including data relating to health, nationality and criminal data). The DPA has concluded that the Tax and Customs Administration had violated several principles of data processing, including transparency, purpose limitation, accuracy and storage limitation.
First of all, the DPA concluded that there was no legal basis for processing of personal data. The Tax and Customs Administration could not successfully invoke the 'legal obligation' under Article 6(1)(c) GDPR as a basis for this processing since there was no obligation to process signals of (possible) fraud. This resulted in a breach of Article 5(1)(a) GDPR and Article 6(1) GDPR in conjunction with Article 8 of the Dutch Personal Data Protection Act (Wbp).
Secondly, the DPA also found that the purposes of personal data collection in FSV were not well-defined, breaching Article 5(1)(b) GDPR in conjunction with Article 7 Wbp.
Thirdly, the FSV contained inaccurate and non-updated personal data and no reasonable steps were taken to rectify or delete such personal data. This resulted in a breach of Article 5(1)(d) GDPR in conjunction with Article 11(2) Wbp.
Furthermore, the DPA concluded that personal data in the FSV were kept longer than the applicable retention period and hence longer than necessary, violating Article 5(1)(e) GDPR in conjunction with Article 10(1) Wbp.
In addition, the Tax and Customs Administration did not take sufficient technical and organizational measures with respect to access security, logging, and logging controls to ensure an adequate level of security for the personal data in the FSV. Thus, it violated Article 32(1) GDPR in conjunction with Article 13 Wbp.
Finally, the DPA found that the Tax and Customs Administration did not properly and timely involve the DPO in the implementation of FSV's data protection assessment. With this, the Tax and Customs Administration violated Article 35(2) GDPR and Article 38(1) GDPR.
These violations had serious implications for those who were incorrectly listed as fraudsters. For example, those who were listed in the FSV could not qualify for payment plans or debt settlements. On top of these violations, the DPA also considered the fact that the Dutch Tax and Customs Administration had committed serious violations of the GDPR before, such as in 2018. Consequently, it imposed a fine of €3,700,000 considering all of the above. The Dutch Tax and Customs Administration does, however, have the option to object to this penalty.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Authority Personal Data
PO Box 93374, 2509 AJ The Hague
Bezuidenhoutseweg 30, 2594 AV The Hague
T 0708888500 - F 0708888501
authority data.nl
Confidential/Registered
The Minister of Finance
Mrs. S.A.M. Kaag MA, MPhil
Short Voorhout 7
2500 EE Den Haag
Date Unidentified 7 April 2022 [CONFIDENTIAL]
Contact [CONFIDENTIAL]
Subject Decision to impose a fine
Dear Ms. Kaag,
The Data Protection Authority (hereinafter: AP) has decided to ask the Minister of Finance (hereinafter: the Minister) to impose administrative fines of a total of €3,700,000. The AP has come to the conclusion that the Minister as controller for the processing of the Tax and Customs Administration, of 4 November 2013 to 27 February 2020 by processing personal data in the application Fraud Signal Provision (hereinafter: FSV) has acted contrary to the principles of legality, target specification, accuracy, and storage limitation. In addition to violating the four principles mentioned above, the AP concludes that the tax authorities has taken insufficient appropriate technical and organizational measures with regard to the access protection, logging and control of the logging for an appropriate level of security for the to safeguard personal data in FSV. Finally, the AP has concluded that the tax authorities data protection officer (hereafter: DPO) did not properly and in time involved in 3 the implementation of the data protection impact assessment (hereinafter: DEB) of FSV. The AP explains the decision in more detail. Chapter 1 concerns an introduction chapter 2 contains the findings. Chapter 3 elaborates on (amount of) administrative fines and chapter 4 contains finally, the operative part and the remedies clause.
1 See article 5, first paragraph, preamble, under a, of the AVG and article 6 of the Wbp (lawfulness), article 5, first paragraph, preamble b, of the AVG and article 7 of the Wbp (target specification), article 5, first paragraph, opening words, of the AVG and article 11, second paragraph, of the Wbp (correctness) and article 5, first paragraph, opening words below, of the AVG and article 10, first paragraph, of the Wbp (storage limitation).
2 See article 32, first paragraph, of the AVG and article 13 of the Wbp.
3 See article 38, first paragraph, of the GDPR jo. article 35, second paragraph, of the AVG.
1 Introduction
1.1 Investigation of the AP
The AP has carried out research into the FSV application that the Tax and Customs Administration has until February 27, 2020 used. FSV was an application that recorded signals about detected fraud and signals which could indicate an increased risk of tax and benefit fraud. The AP has in this research concluded that the way in which the Tax and Customs Administration has deployed FSV to several and has resulted in serious violations of the General Data Protection Regulation (hereinafter: AVG) and the Personal Data Protection Act (hereinafter: Wbp), the law that was applicable until the entry into force of the AVG. The AP has included these findings in a report (hereinafter: the research report) and this report made public on 29 October 2021. 4
1.2 Process flow
For a view of the investigation procedure, the AP refers to chapter 1 of the research report. In a letter dated 12 November 2021, the AP notified the Minister of the intention to impose administrative sanctions on the Minister provided the opportunity and point of view before interest bring.
By letter dated 14 January 2022 on behalf of the Minister by the deputy director general of the Tax authorities have submitted a written opinion, in which the aforementioned violations have been acknowledged in which we are approaching the measures taken and measures to be taken. 5
2. Findings
The AP explains the investigation report and the findings contained in it as the basis for this decision facts find support in the evidence. The Minister has not laid down the facts in the investigation report contradicted and furthermore the Minister has acknowledged the violations based on those facts. In Section 2.1, the AP briefly discusses the violations found. For a complete overview of all relevant actual behaviors and findings – insofar as they are not mentioned here – the AP refers to chapters 3 and 4 of the research report. Then the AP in paragraph 2.2 the Minister's view.
4 https://autoriteitpersoonsgegevens.nl/nl/nieuws/zwarte-lijst-fsv-van-belastingdienst-schijn-met-de-wet.
5 The deputy director-general of the Tax and Customs Administration has noted in his written opinion that – having regard to the division of tasks within the Ministry of Finance – has submitted the view. hereinafter the designation “Minister” is used.
2.1 Summary Findings
The tax authorities took in FSV mainly persons who committed fraud persons suspected of having committed tax or allowance fraud. FSV was used within the tax authorities in the assessment of tax returns and applications for surcharges and was used for the registration of information requests from other governments. FSV was also consulted for drawing up risk models and in determining whether a fine should be imposed are imposed in the context of the recovery of tax or allowances debts.
In the period from November 4, 2013 to February 27, 2020, the Tax and Customs Administration has received signals from alleged and established fraud and requests for information in FSV registered, modified, consulted, used, combined and outdoor FSV spread over at least 244,273 persons and 30,000 entrepreneurs. nationalities and criminal data) processed within the meaning of article 4, opening words under 1, 2 and 15, of the AVG, article 10 of the AVG and article 1, preamble below and b, of the Wb and article 16 of the Wbp. The AP establishes that the Minister is the controller for the processing of personal data in FSV by the tax authorities, as referred to in article 4, opening words under 7, of the GDPR and article 1, preamble, of the Wbp. In this decree the tax authorities are referred to the AP sets this equal to the Minister. The AP then establishes that the Tax and Customs Administration from November 4, 2013 to February 27, 2020 by the processing of personal data in FSV has contravened the principles of legality, target specification, accuracy, and storage limitation. The AP explains these violations below. Personal data must be processed in accordance with the principle of lawfulness, as referred to in article 5, first paragraph, opening words, under a, of the AVG and article 6 of the Wbp. This means that there must be a basis for the processing and processing of personal data as stated in article 6, first paragraph, of the AVG and article 8 Wbp. The AP concludes that for the processing of personal data in FSV was not a basis. The Tax and Customs Administration was unable to obtain a successful appeal for these processings do on the "legal obligation" as a basis, because there was no obligation to signals from Process (possible) fraud and information requests as counter-information. The appeal of the tax authorities on the basis 'necessary for the fulfillment of a task of public interest or of a task in the context of the exercise of public authority is also unsuccessful.
The system of the General Act on State Taxes, the General Act on the Income Dependent regulations, title 5.2 of the Awb and the material legislation gives the Tax and Customs Administration a welfare value authority to collect (in specific cases) data for supervisory purposes. But this legislation is insufficient exactly to serve as a basis for a separate, structural, extensive a segment-transcending collection of many, (too) detailed (special one criminal) personal data in FSV. In addition, the processing in FSV was not necessary for the fulfillment of the public task of the tax authorities to supervise compliance with it determined by or under the tax and allowances legislation principle of proportionality because the infringement of the interests of the data subjects was disproportionate in proportion to the purpose to be used for the processing, provided that the purposes of FSV are not determined and therefore unclear. The AP is furthermore of the opinion that it is not subsidiarity principle is satisfied because the aim pursued can be achieved in a different, less far-reaching way be served, i.e. without FSV or with the design of another more limited application. Personal data must also be processed in accordance with the principle of target specification, as laid down in article 5, first paragraph, preambles under b, of the AVG and article 7 of the Wbp. This means that personal data only for certain and expressly described purposes may be collected. The AP, after examination, concludes that the pre-formulated purposes of the collection of data in FSV were not well defined. Personal data must be further processed in accordance with the principle of accuracy, as contained in article 5, first paragraph, opening lines, of the AVG and article 11, second paragraph, of the Wbp.
This means that data must be correct and updated if necessary AP finds that incorrectly non-updated data in FSV were in the The tax authorities have not taken reasonable measures to rectify this data or to erase. Personal data must also be processed in accordance with the principle of storage limitation, as laid down in article 5, first paragraph, preamble at the bottom of the AVG and article 10, first paragraph, of the Wbp. This means that personal data may not be stored any longer than necessary. From the investigation of the AP it follows that the data were stored in FSV longer than the retention period applicable to the data in FSV Belastingdienst (therefore) for longer than necessary. In addition to violating the four above-mentioned standards and underlying them principles, the AP concludes that the tax authorities are insufficiently appropriate technical and has taken organizational measures with regard to access security, logging and control on the logging to ensure an appropriate level of security for the data in FSV. As a result, the Tax and Customs Administration acted in conflict with . from November 4, 2013 to February 27, 2020 article 32, first paragraph, of the AVG and article 13 of the Wbp. Finally, the AP concludes that the Tax and Customs Administration did not properly and timely involved the FG in the implementation of the GEB of FSV. With this behaviour, the tax authorities acted in conflict with article 38, first paragraph, of the GDPR jo. article 35, second paragraph, of the AVG.
2.2 View of the Minister
The Minister endorses the facts and conclusions in the investigation report of the AP. FSV was not on may be used in this way, the Minister has recognized. The conclusions of the AP are in line with previous conclusions of the tax authorities that have led to the deactivation of FSV.
The Minister declares that the tax authorities concerned citizens who were included in FSV informs them about their registration and the reason why they were registered in FSV. If the If the tax authorities do not know the reason for a registration in FSV, the tax authorities will let the those involved also know them that they can contact the tax authorities by telephone and that they also have more information can be found on the web page FSV. There is a hotline for FSV, intended for citizens who suspect that they have had unjustified consequences of their registration in FSV. If there is more clarity about the answer to the question with which organizations the Tax and Customs Administration has shared data from FSV, the those involved have also been informed about it. At the moment, about 200,000 people involved have a letter received from the tax authorities about their registration in FSV. About 100,000 of these have the reason heard of that registration in FSV. The Tax and Customs Administration will have further research carried out into the effects of a registration in FSV, on the external data sharing from FSV and to the used queries. Ahead of the results of this investigations, an compensation scheme is worked out for the wrongfully affected citizens. Partly as a result of the problem with FSV is the Tax and Customs Administration started with the program 'Repair, improve and secure' (hereafter: HVB). HVB contains actions that have been used to solve the problems in the way the tax authorities have dealt with (personal) registrations, risk models and the use of personal data such as nationality. The executive directorates-general (Tax authorities, Allowances, Customs) work together with the Ministry of Finance (policy department) on action plans for improving the privacy organization from a central and central point of view.
In the action plans, including that of the Tax authorities, among other things, the current and additional measures to be taken for the (structural) compliance with these laws and regulations. About the follow-up of the action plans, periodic report to the Governing Council of the Ministry of Finance. In addition, the Tax and Customs Administration is working on a new process for handling signals immediately temporary technical provision. The conclusions from the research report of the AP have been used in the drafting the adjusted GEB for this process to the FG for advice. After that, the GEB for advice is offered to the AP. Furthermore, the Minister declares that work is being done on the bill Safeguarding the law data processing Tax authorities, Allowances and Customs. The bill aims to provide the foundations for to strengthen and strengthen the processing of personal data by the Tax and Customs Administration, Allowances and Customs In addition, the bill aims to create a legal framework for the guarantee of lawful, proper and transparent data processing by these three implementing organizations. Finally, the Tax and Customs Administration realizes that fundamental improvements are needed in dealing with personal data and the Tax and Customs Administration will commit itself fully to repetition in the future prevent, according to the Minister.
3. Fines
3.1 Introduction
The AP has established that the Minister, as controller for processing in FSV by the tax authorities, has acted contrary to the principles of lawfulness, target specification, correctness and storage limitation. The AP also determined that the Minister is not an appropriate security level for the data in FSV has furthermore ensured that the FG does not go to belong and have not been involved in time in the implementation of the GEB of FSV. The AP makes use of its powers to order the Minister to impose fines, because of the aforementioned violations.
Because of the seriousness of the violations and the extent to which they can inform the Minister be blamed, the AP deems the imposition of fines appropriate. ongoing violations that have occurred under both the PDPA and the AVG (with exception of the involvement of the FG), the AP has tested against the substantive law as it applied at the time when the conduct took place. These provisions are intended to have the same legal interests guarantees. There is no (substantial) material change in the regulations on this point. The AP motivates the imposition of the fines in the following. The AP first briefly sets the fine system This is followed by the justification of the fines for the violations of the basic principles of the GDPR. After that comes the violation of the obligation to guarantee a appropriate security level for personal data in FSV offered and subsequently the requirement of proper timely involvement of the FG in the implementation of the GEB. Finally, the AP assesses of the application of the fine policy leads to a proportionate outcome.
3.2 Finance Policy Rules Personal Data Authority 2019
Pursuant to article 58, second paragraph, opening words and article 83, fourth paragraph, of the AVG, read in in connection with article 14, third paragraph, of the UAVG, the AP is competent in the event of a violation of Article 32 of the AVG and Article 35, paragraph 2, of the AVG Not to impose an administrative fine until $10,000,000. Pursuant to article 58, second paragraph, opening words and article 83, fifth paragraph, of the GDPR, read in in connection with article 14, third paragraph, of the UAVG, the AP is competent in the event of a violation of article 5 of the AVG Not to impose an administrative fine up to € 20,000,000. The AP has established Penalty Policy Rules regarding the fulfillment of the above-mentioned authority to the imposing an administrative fine, including determining the amount thereof.
In the Penalty policy rules has been chosen for a category classifications bandwidth system. Violation of article 5, first paragraph, under the AVG is made dependent on the underlying provision, being article 6, first paragraph, of the GDPR. Category III applies here, with a penalty bandwidth between €300,000 and €750,000 and a basic fine of €525,000. Violations of article 5, first paragraph, subparagraph of the GDPR are also classified in category III, with a fine bandwidth between €300,000 and €750,000 and a basic fine of €525,000. Violations of article 32 of the AVG and article 35, paragraph two, of the AVG are classified in category II. Category II has a fine bandwidth between €120,000 and €500,000 and a basic fine of €310,000.
3.3 Amount of fines for the general principles of the AVG and security of processing of personal data
Lawfulness is one of the basic principles of data protection. A processing of personal data is lawful if it takes place on the basis of a legal basis. Interference on the upright respect for the private life of the citizen is particularly important that the tax authorities as government agency must be able to base its actions on a sufficiently clear, accurate predictable statutory regulation. The Tax and Customs Administration has failed in this regard. Because the Tax and Customs Administration has processed in FSV without basic data, is the core of the right to protection of personal data of many citizens was violated. In addition, personal data may only be processed if it is explicite the legitimate purpose of the processing cannot reasonably be stated in any other way achieved. The controller must also take all reasonable steps to ensure that to ensure that incorrectly proven data are corrected or erased that data are not kept any longer than necessary. The AP has determined that incorrect data are included in FSV and that this data is also kept longer than necessary.
To prevent organizations from infringing data processing on citizens privacy, the AP furthermore considers it of great importance that organizations are geared to risk apply a security level. When determining the risk to the data subject, among other things, of the personal data and the extent of the processing important: these factors determine the potential damage for the individual data subject in the event of, for example, loss, alteration or unlawful processing of the data. The more sensitive the data is, or the context in which they are used pose a greater threat to privacy, stricter requirements are placed on the security of personal data. The AP is of the opinion that the The tax authorities have taken insufficient measures with regard to access security, logging and checking on the logging for an appropriate level of security for the data in FSV to guarantee. The AP has concluded that the Tax and Customs Administration regards the abovementioned principles has insufficiently complied with. These principles ensure the integrity of personal data and ensure citizens are able to retain control over their own data. That is of great importance, because a unlawful processing of data can have far-reaching consequences for the personal life. The AP explains the victory according to the seriousness of the violations below.
6 Stcrt. 2019, 14586, March 14, 2019.
3.3.1 The nature, the seriousness of the infringements
Given the nature and scope of the unlawful processing of data in FSV, the AP is of the opinion that the violations by the Tax and Customs Administration are very serious. The Tax and Customs Administration has in FSV more than 540,000 signals processed unlawfully relating to more than 270,000 data subjects. This very large group of citizens, including hundreds of minors, have been badly affected in their rights on the protection of personal data.
In doing so, the AP takes into account that the citizens involved in relation to of the tax authorities are in a dependent and unequal position. After all, a citizen has with the The tax authorities only have the obligation to file a tax return or the possibility to to apply for allowances. After submitting the opinion of the tax authorities, it appeared that the The Tax and Customs Administration has yet again shared data from FSV with other government agencies and private parties. The AP finds it objectionable that the Tax and Customs Administration – in view of its ample powers and unequal position that they occupies with regard to the citizen - in this case extraordinary careless handling of its powers. With regard to the duration of the violations, the AP has established that the tax authorities during a period of more than six years, namely from November 4, 2013 to February 27 2020 has committed. The fact that the violations thus in a structural manner for a longer period 8 have persisted, the AP considers very serious. The consequences for citizens who were included as (potential) fraud in FSV could be very serious. In some cases no citizen received the stamp 'fraud' without this following from a thorough investigation. And if there was an investigation and there was no evidence of fraud, then this was conclusion often not listed in FSV, so the suspicion of fraud remained in FSV. A registration in FSV (if any combination with other indications), could then lead for that citizen stigmatization, intensified surveillance/or had negative financial consequences.
7 8 Parliamentary Papers II 2021/22, 31066, no. 957. Since the AP pass since January 1, 2016, has the power to fine the above-mentioned violations, and in the within the framework of the (increase of the) fine and the duration of January 1, 2016 in view. Also, that there is a case of long-term violations.
For example, the intensification of supervision could result in the income tax return to the detriment of that citizen was corrected or date an application to qualify for care, rent or childcare allowance was rejected. A request for a personal payment scheme was also made allowances debt or amicable debt rescheduling with a tax or allowances debt are automatic rejected, because of the FSV registration of that citizen. Because of this, citizens have been in uncertainty for a long time wrong about their financial situation. Those involved were further not informed about the fact that they were in FSV arose, not even after an aim to see the request. This resulted in those involved do not dispute that they were mentioned in FSV and that they were unable to exercise their rights. Investigation by the Tax and Customs Administration has also shown that examples have been found in communication within the tax authorities between the tax authorities and other government institutions about the signalisation of risks, in which a fraud risk was indicated on personal characteristics such as nationalities appear outwardly. In (instruction) documents, for example, the foreign nationality (such as Turkish, Moroccan and Eastern Europe) used as selection criterion for further tax research. But also gifts to mosques and high deductions related to medicine use by taxpayers with surnames ending in ”–ić” were used as risk indicators for fraud. This unequal treatment in the fraud risk selection gives a high risk stigmatization. In addition, it has not been shown that the Tax and Customs Administration is inappropriate for this discriminatory way of data processing had a reasonable and objective justification.
With regard to the consequences of the insufficient security of the data, the AP notices next up. The lack of security of FSV allowed unauthorized employees of the Belastingdienst data in FSV in see. Signals from FSV are regularly exported for the creating a so-called subset outside FSV, so that persons who did not have access to FSV could search in it. Due to the shortcomings in the access protections and in the (checking on) logging the data could be misused. The tax authorities therefore also had no insight into the further processing of the (exported) data.
3.3.2 Categories of personal data
The Tax and Customs Administration processes too much (different) personal data in FSV. A signal in FSV existed in in any case from a citizen service number, and a number of completed fields, including name and address data, account number and IP address. Sometimes a signal contains the nationality of persons and documents about the criminal offenses committed and criminal convictions. The Tax Authorities furthermore, in appropriate cases, also processes data about the physical or mental health of citizens. This is a special category of personal data that enjoys extra protection under the AVG AP also found that signals could contain data about persons on whom the signal did not (directly) saw, such as family members, tax service providers and host parents. Given the size of the sensitive character of the - also – special data, the AP considers the violations also on the basis of this particularly serious.
9 Parliamentary Papers II 2021/22, 31066, no. 977.
3.3.3 Blame and serious negligence
Since this concerns violations, is for the imposition of an administrative fine in accordance with fixed case law does not require that it is shown that there is intent. The AP may culpability presume if the perpetrator is established.
Under the GDPR, the Minister, as controller, must observe the above-mentioned basic principles when processing personal data. The AP has determined that the Minister, as controller under the GDPR, has infringed the principles of legality, target specification, accuracy and storage limitation in the processing of personal data in FSV. In addition, the Minister did not guarantee an appropriate level of security for the personal data in FSV. The AP considers this culpable.

In addition, according to the AP, there is serious negligence on the part of the Minister/Tax and Customs Administration. Citizens who are obliged to provide personal data to the Tax and Customs Administration must be able to assume that the Tax and Customs Administration, as a government agency, has taken the necessary measures to process data lawfully and securely. For years, the tax authorities processed data in FSV, including special personal data such as medical data, in an unlawful manner. The processing was also in some cases discriminatory by nature and led to stigmatization, more intensive supervision and/or negative financial consequences. Even after their own internal conclusion from January 2019 that data processing in FSV did not comply with the GDPR, the tax authorities failed to intervene immediately. The AP therefore comes to the conclusion that the Tax and Customs Administration, under the responsibility of the Minister, acted with serious culpable negligence.

3.3.4 Previous relevant infringements

In determining the amount of the fine, the AP can take into account earlier relevant infringements by the controller. That is the case here. The AP charged the Minister with the following violations in the period 2018–2021.
On 3 July 2018, the AP concluded that the Tax and Customs Administration had acted contrary to article 13 Wbp and article 32 GDPR with regard to logging, the control of logging and access security at the Data foundations & analytics department. The AP imposed a processing ban on the Minister as of January 1, 2020 because of the unlawful processing of the BSN in the VAT identification number. And on November 25, 2021, the AP imposed fines on the Minister of Administration in the so-called Childcare Allowance Affair, because for years the tax authorities had unlawfully processed the (dual) nationality of applicants for childcare allowance.

Now that the AP has once again established that the Minister processed personal data without a legal basis and secured it insufficiently, the AP considers these previously identified violations to be relevant previous infringements. The AP determines that this indicates persistent problems of a structural nature, which can lead to no other conclusion than that at the tax authorities, the official management of the departments and Ministers have for years acted with broad negligence, and even in a discriminatory and improper manner, in the application of legal rules regarding data protection.

3.3.5 Amount of fines

Based on the above considerations, the AP determines the amount of the fines as follows.

Legal basis

Because of the serious consequences of the lack of legal bases, and because there are previous relevant infringements as referred to in paragraph 3.3.4, the AP is of the opinion that the fine category linked to the violation does not lead to an appropriate punishment. Applying article 8.1 of the fine policy rules, the AP applies the next higher category when determining the amount of the fine. For violation of article 5, first paragraph, under a jo.
article 6, first paragraph, of the GDPR, and having regard to the aforementioned considerations, the AP sees reason to impose a fine. The AP increases the base amount of €725,000:
- by €155,000 due to the nature, seriousness and duration of the infringement (article 7 sub a Fine policy rules) and the circumstances as stated in paragraph 3.3.1;
- by €90,000 due to the accidental nature of the infringement (article 7 sub b Fine policy rules) and the circumstances as stated in paragraph 3.3.3; and
- by €30,000 based on the categories of personal data (article 7 sub g Fine policy rules) and the circumstances as stated in paragraph 3.3.2.
This fine amounts to a total of €1,000,000.

Target binding

Due to the violation of the rules regarding purpose limitation (article 5, first paragraph, under b of the GDPR) and the aforementioned considerations, the AP sees reason to impose a fine on the Minister. The AP increases the base amount of €525,000:
- by €125,000 due to the nature, seriousness and duration of the infringement (article 7 sub a Fine policy rules) and the circumstances as stated in paragraph 3.3.1;
- by €75,000 based on the accidental nature of the infringement (article 7 sub b Fine policy rules) and the circumstances as stated in paragraph 3.3.3; and
- by €25,000 based on the categories of personal data (article 7 sub g Fine policy rules) and the circumstances as stated in paragraph 3.3.2.
This fine amounts to a total of €750,000.
Accuracy

Because of the incorrect and not updated data in FSV (article 5, first paragraph, under d of the GDPR) and the aforementioned considerations, the AP sees reason to impose a fine on the Minister. The AP increases the base amount of €525,000:
- by €125,000 due to the nature, seriousness and duration of the infringement (article 7 sub a Fine policy rules) and the circumstances as stated in paragraph 3.3.1;
- by €75,000 based on the accidental nature of the infringement (article 7 sub b Fine policy rules) and the circumstances as stated in paragraph 3.3.3; and
- by €25,000 based on the categories of personal data (article 7 sub g Fine policy rules) and the circumstances as stated in paragraph 3.3.2.
This fine amounts to a total of €750,000.

Storage limitation

Due to the violation of the rules regarding storage limitation (article 5, first paragraph, under e of the GDPR) and the aforementioned considerations, the AP sees reason to impose a fine on the Minister. The AP increases the base amount of €525,000:
- by €125,000 due to the nature, seriousness and duration of the infringement (article 7 sub a Fine policy rules) and the circumstances as stated in paragraph 3.3.1;
- by €75,000 based on the accidental nature of the infringement (article 7 sub b Fine policy rules) and the circumstances as stated in paragraph 3.3.3; and
- by €25,000 based on the categories of personal data (article 7 sub g Fine policy rules) and the circumstances as stated in paragraph 3.3.2.
This fine amounts to a total of €750,000.
Security

Due to the violation of the rules regarding security (article 32, first paragraph, of the GDPR) and the aforementioned considerations, the AP sees reason to impose a fine on the Minister. The AP increases the base amount of €310,000:
- by €90,000 due to the nature, seriousness and duration of the infringement (article 7 sub a Fine policy rules) and the circumstances as stated in paragraph 3.3.1;
- by €50,000 based on the negligent nature of the infringement (article 7 sub b Fine policy rules) and the circumstances as stated in paragraph 3.3.3;
- by €30,000 based on the earlier relevant infringement from 2018, as stated in paragraph 3.3.4 (article 7 sub e Fine policy rules); and
- by €20,000 based on the categories of personal data (article 7 sub g Fine policy rules) and the circumstances as stated in paragraph 3.3.2.
This fine amounts to a total of €500,000.

3.4 Amount of fines for data protection officer involvement

The data protection officer (FG) supports the controller in, among other things, monitoring internal compliance with the GDPR. It is important that the controller ensures that the FG is properly and timely involved in all matters related to the protection of personal data. The AP has established that the Tax and Customs Administration did not properly and timely involve the FG in the implementation of the data protection impact assessment (GEB) of FSV. The Tax and Customs Administration carried out the GEB from November 6, 2018 to January 21, 2019. Only a year after this period was the FG asked to advise on the GEB; the FG was not asked for advice during the execution of the GEB. As a consequence, the FG was not able to perform its tasks properly and was therefore unable to advise the Tax and Customs Administration in time on compliance with the GDPR.
Had it been consulted in time, the FG could have warned the tax authorities earlier about the risks associated with the unlawful processing of personal data in FSV. As described earlier, the Tax and Customs Administration processed a great deal of (sensitive) data of hundreds of thousands of citizens in FSV. Especially in the case of large-scale processing of personal data that can lead to adverse consequences for a large number of involved parties, the Tax and Customs Administration must carry out a GEB in time and ask for advice on it. The AP is of the opinion that there is a serious violation by the tax authorities, for which the Minister, as controller, is responsible.

Finally, in the case of this violation, the AP also concludes that the tax authorities, under the responsibility of the Minister, acted with serious culpable negligence. The AP deems it very negligent that the tax authorities asked the FG for advice only well over a year after the implementation of the GEB, and in response to questions from the media about FSV.

Now that the Tax and Customs Administration did not obtain the advice of the FG in time when carrying out the GEB, there is a violation of article 35, second paragraph, of the GDPR. In view of these circumstances, the AP sees reason to impose a fine on the Minister. The AP increases the base amount of €310,000 by €70,000 due to (1) the nature, seriousness and duration of the infringement, by €50,000 due to (2) the negligence and by €20,000 because of (3) the categories of data. This fine amounts to a total of €450,000.

3.5 Proportionality

Finally, the AP assesses on the basis of articles 3:4 and 5:46 of the General Administrative Law Act (principle of proportionality) whether the application of its policy for determining the amount of the fine does not, in view of the circumstances of the concrete case, lead to a disproportionate result. Application of the principle of proportionality can play a role, inter alia, in the cumulation of sanctions.
In addition, under article 83, third paragraph, of the GDPR, the total fine may not be higher than that for the most serious infringement if the controller infringes several provisions of the GDPR in respect of the same or related processing activities.

In this case, the AP imposes an administrative fine for violation of article 5, first paragraph, under a (jo. article 6, first paragraph), b, d and e of the GDPR, article 32, first paragraph, of the GDPR and article 35, second paragraph, of the GDPR. Although the violations committed harm different interests and are therefore fined separately, in this case the AP sees the connection between the lack of legal bases and the storage limitation as a relevant factor for moderating the fine for the violation of the storage limitation by €500,000.

The AP sets the total amount of the fines imposed at €3,700,000. Under article 10 of the fine policy rules, the AP determines that the total fines are not higher than the legal maximum fine (€20,000,000) for the most serious violation.10 The AP is of the opinion that (the amount of) the total fine is not disproportionate. In this assessment the AP weighed, among other things, the seriousness of the infringements and the extent to which they can be attributed to the Minister. Due to the nature and duration of the violations, the far-reaching consequences for those involved and the earlier relevant infringements, the AP qualifies the relevant infringements of the GDPR as serious.

3.6 Conclusion

The AP sets the total amount of the fines imposed at €3,700,000.

10 For the justification, see also paragraph 3.3 and 3.4.

4. Dictum

I. The AP imposes a fine on the Minister of Finance in the amount of €1,000,000 (in words: one million euros), because there is no legal basis for the processing of personal data in FSV. As a result, article 5, first paragraph, opening words and under a, jo.
article 6, first paragraph, of the GDPR has been violated.

II. The AP imposes a fine of €750,000 on the Minister of Finance (in words: seven hundred and fifty thousand euros), because the data in FSV have been processed in conflict with the principle of target specification. As a result, the Minister of Finance has violated article 5, first paragraph, preamble and under b of the GDPR.

III. The AP imposes a fine of €750,000 on the Minister of Finance (in words: seven hundred and fifty thousand euros), because the data in FSV have been processed in conflict with the principle of accuracy. As a result, the Minister of Finance has violated article 5, first paragraph, preamble and under d of the GDPR.

IV. The AP imposes a fine of €250,000 on the Minister of Finance (in words: two hundred and fifty thousand euros), because the data in FSV have been processed in conflict with the principle of storage limitation. As a result, the Minister of Finance has violated article 5, first paragraph, preamble and under e of the GDPR.

V. The AP imposes a fine of €500,000 on the Minister of Finance (in words: five hundred thousand euros), because an appropriate security level for the data in FSV is insufficiently guaranteed. As a result, the Minister of Finance has violated article 32, first paragraph, of the GDPR.

VI. The AP imposes a fine of €450,000 on the Minister of Finance (in words: four hundred and fifty thousand euros), because the advice of the FG was not obtained during the implementation of the GEB. As a result, the Minister of Finance has violated article 35, second paragraph, of the GDPR.

Yours faithfully,
Authority Personal Data,
(signed)
mr. A. Wolfsen
Chair

Remedies Clause

If you do not agree with this decision, you can submit an objection digitally or on paper to the Data Protection Authority within six weeks of the date on which the decision was sent. Under article 38 of the UAVG, submitting an objection suspends the effect of the decision imposing the administrative fine. To submit a digital objection, see www.autoriteitpersoonsgegevens.nl, under the heading "Bezwaar maken tegen een besluit" (Objecting to a decision), at the bottom of the page under the heading Contact with the Data Authority. The address for submission on paper is: Authority Personal Data, PO Box 93374, 2509 AJ Den Haag. Mention 'Awb-objection' on the envelope and put 'objection' in the title of your letter. Write in your letter of objection at least:
- your name and address;
- the date of your notice of objection;
- the reference (case number) mentioned in this letter, or attach a copy of this decision;
- the reason(s) why you do not agree with this decision;
- your signature.