AP (The Netherlands) - 7.04.2022

From GDPRhub
AP (The Netherlands) - Dutch Tax and Customs Administration fined €3,700,000 for six GDPR violations
LogoNL.png
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(d) GDPR
Article 5(1)(e) GDPR
Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 32(1) GDPR
Article 35(2) GDPR
Article 38(1) GDPR
Article 10(1) Wbp
Article 11(2) Wbp
Article 13 Wbp
Article 7 Wbp
Article 8 Wbp
Type: Other
Outcome: n/a
Started:
Decided:
Published: 12.04.2022
Fine: 3,700,000 EUR
Parties: Autoriteit Persoonsgegevens
Ministry of Finance
National Case Number/Name: Dutch Tax and Customs Administration fined €3,700,000 for six GDPR violations
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Decision fine black list Dutch Tax and Customs Administration (in NL)
Initial Contributor: Eva Lu

The Dutch DPA issued a fine of €3,700,000 against the Dutch Tax and Customs Administration for keeping a fraud indicator list without a legal obligation to do so, or any other valid legal basis under GDPR. Additionally, the DPA held that the tax authority had violated several other GDPR provisions, as well as the principles of transparency, purpose limitation, accuracy and storage limitation.

English Summary

Facts

The Dutch Tax and Customs Administration kept a list to register indications of fraud, the Fraud Signaling Facility (FSV). The list contained over 270,000 entries and was maintained for more than six years. Characteristics such as nationality and appearance were often included as fraud risk factors in the FSV. People were often wrongly labeled as fraudsters, with far-reaching consequences. The Dutch DPA conducted a thorough investigation on the Tax and Customs Administration, finding several violations of the GDPR.

Holding

The DPA found that the Dutch Tax and Customs Administration had registered about 244,273 individuals and 30,000 business owners in the FSV from 4 November 2013 to 27 February 2020. The Tax and Customs Administration processed personal data (including data relating to health, nationality and criminal data). The DPA has concluded that the Tax and Customs Administration had violated several principles of data processing, including transparency, purpose limitation, accuracy and storage limitation.

First of all, the DPA concluded that there was no legal basis for processing of personal data. The Tax and Customs Administration could not successfully invoke the 'legal obligation' under Article 6(1)(c) GDPR as a basis for this processing since there was no obligation to process signals of (possible) fraud. This resulted in a breach of Article 5(1)(a) GDPR and Article 6(1) GDPR in conjunction with Article 8 of the Dutch Personal Data Protection Act (Wbp).

Secondly, the DPA also found that the purposes of personal data collection in FSV were not well-defined, breaching Article 5(1)(b) GDPR in conjunction with Article 7 Wbp.

Thirdly, the FSV contained inaccurate and non-updated personal data and no reasonable steps were taken to rectify or delete such personal data. This resulted in a breach of Article 5(1)(d) GDPR in conjunction with Article 11(2) Wbp.

Furthermore, the DPA concluded that personal data in the FSV were kept longer than the applicable retention period and hence longer than necessary, violating Article 5(1)(e) GDPR in conjunction with Article 10(1) Wbp.

In addition, the Tax and Customs Administration did not take sufficient technical and organizational measures with respect to access security, logging, and logging controls to ensure an adequate level of security for the personal data in the FSV. Thus, it violated Article 32(1) GDPR in conjunction with Article 13 Wbp.

Finally, the DPA found that the Tax and Customs Administration did not properly and timely involve the DPO in the implementation of FSV's data protection assessment. With this, the Tax and Customs Administration violated Article 35(2) GDPR and Article 38(1) GDPR.

These violations had serious implications for those who were incorrectly listed as fraudsters. For example, those who were listed in the FSV could not qualify for payment plans or debt settlements. On top of these violations, the DPA also considered the fact that the Dutch Tax and Customs Administration had committed serious violations of the GDPR before, such as in 2018. Consequently, it imposed a fine of €3,700,000 considering all of the above. The Dutch Tax and Customs Administration does, however, have the option to object to this penalty.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                         AuthorityPersonal Data
                                                         PO Box93374,2509AJ The Hague
                                                         Bezuidenhoutseweg30,2594AV The Hague

                                                         T0708888500-F0708888501
                                                         authority data.nl

Confidential/Registered
TheMinister ofFinance
Mrs.S.A.M.KaagMA,MPhil

ShortVoorhout7
2500EEDenHaag






Date Unidentified
7April2022 [CONFIDENTIAL]


                           Contact
                           [CONFIDENTIAL]




Subject
Decision to impose a fine



Dear Ms.Kaag,


The Data Protection Authority (hereinafter: AP) has decided to ask the Minister of Finance (hereinafter: the
Minister) to impose administrative fines of a total of €3,700,000.TheAP has come to the conclusion that

the Minister as controller for the processing of the Tax and Customs Administration, of 4
November2013to27February2020byprocessingpersonaldataintheapplication
FraudSignalProvision (hereinafter: FSV) has acted contrary to the principles of
legality, target specification, accuracy, and storage limitation.


In addition to violating the four principles mentioned above, the AP concludes that the tax authorities
has taken insufficient appropriate technical and organizational measures with regard to the

access protection, logging and control of the logging for an appropriate level of security for the
to safeguard personal data in FSV. Finally, the AP has concluded that the tax authorities
data protection officer (hereafter: DPO) did not properly and in time involved in
                                                                            3
the implementation of the data protection impact assessment (hereinafter: DEB) of FSV.

The AP explains the decision in more detail. Chapter 1 concerns an introduction chapter 2 contains the

findings. Chapter 3 elaborates on (amount of) administrative fines and chapter 4 contains
finally, the operative part and the remedies clause.


1See article 5, first paragraph, preamble, undera, of the AVG and article 6 of the Wbp (lawfulness), article 5, first paragraph, preamble
b, of the AVG and article 7 of the Wbp (target specification), article 5, first paragraph, opening words, of the AVG and article 11, second paragraph,
of the Wbp (correctness) and article 5, first paragraph, opening words below, of the AVG and article 10, first paragraph, of the Wbp (storage limitation).
2See article 32, first paragraph, of the AVG and article 13 of the Wbp.
3See article38, first paragraph, of the GDPRjo.article35, second paragraph, of the AVG.




                                                                                              1,Date Unidentified
7April2022 [CONFIDENTIAL]




1 Introduction

1.1 Investigation of the AP

The AP has carried out research into the FSV application that the Tax and Customs Administration has until February 27, 2020

used.FSVwasanapplicationthatrecordedsignalsaboutdetectedfraudandsignals
which could indicate an increased risk of tax and benefit fraud. The AP has in this
research concluded that the way in which the Tax and Customs Administration has deployed FSV to several and
has resulted in serious violations of the General Data Protection Regulation (hereinafter: AVG) and

the Personal Data Protection Act (hereinafter: Wbp), the law that was applicable until the
entry into force of the AVG. The AP has included these findings in a report (hereinafter: the
research report) and this report made public on 29 October 2021. 4


1.2Process flow

For a view of the investigation procedure, the AP refers to chapter 1 of the
research report.


In a letter dated 12 November 2021, the AP notified the Minister of the intention to
to impose administrative sanctions on the Minister provided the opportunity and point of view before interest
bring.


By letter dated 14 January 2022 on behalf of the Minister by the deputy director general of the
Tax authorities have submitted a written opinion, in which the aforementioned violations have been
acknowledged in which we are approaching the measures taken and measures to be taken. 5



2.Findings

The AP explains the investigation report and the findings contained in it as the basis for this decision
facts find support in the evidence. The Minister has not laid down the facts in the investigation report
contradicted and furthermore the Minister has acknowledged the violations based on those facts.


In Section 2.1, the AP briefly discusses the violations found. For a complete overview
of all relevant actual behaviors and findings–insofar as they are not mentioned here–
the AP refers to chapters 3 and 4 of the research report. Then the AP in paragraph

2.2the Minister's view.


4https://autoriteitpersoonsgegevens.nl/nl/nieuws/zwarte-lijst-fsv-van-belastingdienst-schijn-met-de-wet.
5The deputy director-general of the Tax and Customs Administration has noted in his written opinion that – having regard to the
division of tasks within the Ministry of Finance – has submitted the view.
hereinafter the designation “Minister” is used.



                                                                                         2/16,Date Unidentified
7April2022 [CONFIDENTIAL]



2.1Summary Findings

The tax authorities took in FSV mainly persons who committed fraud persons
suspected of having committed tax or allowance fraud.
FSV was used within the tax authorities in the assessment of tax returns and applications for

surcharges and was used for the registration of information requests from other governments. FSV
was also consulted for drawing up risk models and in determining whether a fine should be imposed
are imposed in the context of the recovery of tax or allowances debts.


In the period from November 4, 2013 to February 27, 2020, the Tax and Customs Administration has received signals from
alleged and established fraud and requests for information in FSV registered, modified, consulted,
used,combinedandoutdoorFSVspreadoveratleast244,273personsand30,000
entrepreneurs.
nationalities and criminal data) processed within the meaning of article 4, opening words under 1, 2 and

15, of the AVG, article 10 of the AVG and article 1, preamble below and b, of the Wb and article 16 of the
Wbp.

The AP establishes that the Minister is the controller for the processing of

personal data in FSV by the tax authorities, as referred to in article 4, opening words under 7, of the
GDPR and article 1, preamble, of the Wbp. In this decree the tax authorities are referred to
the AP sets this equal to the Minister.


The AP then establishes that the Tax and Customs Administration from November 4, 2013 to February 27, 2020 by
the processing of personal data in FSV has contravened the principles of
legality, target specification, accuracy, and storage limitation. The AP explains these violations below.

Personal data must be processed in accordance with the principle of lawfulness,

as referred to in article 5, first paragraph, opening words, under a, of the AVG and article 6 of the Wbp. This means that
there must be a basis for the processing and processing of personal data as stated in article 6, first paragraph,
oftheAVGenarticle8Wbp.TheAPconcludesthatfortheprocessingofpersonaldatain
FSV was not a basis. The Tax and Customs Administration was unable to obtain a successful appeal for these processings

do on the "legal obligation" as a basis, because there was no obligation to signals from
Process (possible) fraud and information requests as counter-information.

The appeal of the tax authorities on the basis 'necessary for the fulfillment of a task of

public interest or of a task in the context of the exercise of public authority is also unsuccessful.
The system of the General Act on State Taxes, the General Act on the Income Dependent
regulations, title 5.2 of the Awbendematerial legislation gives the Tax and Customs Administration a welfare value
authority to collect (in specific cases) data for supervisory purposes.
But this legislation is insufficient exactly to serve as a basis for a separate, structural,

extensivea segment-transcending collection of many,(too)detailed(specialone
criminal) personal data in FSV. In addition, the processing in FSV was not necessary




                                                                                         3/16,Date Unidentified
7April2022 [CONFIDENTIAL]


for the fulfillment of the public task of the tax authorities to supervise compliance with

it determined by or under the tax and allowances legislation
principle of proportionality because the infringement of the interests of the data subjects was disproportionate in
proportion to the purpose to be used for the processing, provided that the purposes of FSV are not
determined and therefore unclear. The AP is furthermore of the opinion that it is not

subsidiarity principle is satisfied because the aim pursued can be achieved in a different, less far-reaching way
be served, i.e. without FSV or with the design of another more limited application.

Personal data must also be processed in accordance with the principle of

target specification, as laid down in article 5, first paragraph, preambles under b, of the AVG and article 7 of the
Wbp. This means that personal data only for certain and expressly described purposes
may be collected. The AP, after examination, concludes that the pre-formulated purposes of
the collection of data in FSV were not well defined.


Personal data must be further processed in accordance with the principle of accuracy,
as contained in article 5, first paragraph, opening lines, of the AVG and article 11, second paragraph, of the
Wbp. This means that data must be correct and updated if necessary
AP finds that incorrectly non-updated data in FSV were in the

The tax authorities have not taken reasonable measures to rectify this data or
to erase.

Personal data must also be processed in accordance with the principle of

storage limitation, as laid down in article 5, first paragraph, preamble at the bottom of the AVG and article 10,
first paragraph, of the Wbp. This means that personal data may not be stored any longer than
necessary.From the investigation of the AP it follows that the data were stored in FSVlanger
thentheretentionperiodapplicabletothedatainFSV
Belastingdienst (therefore) for longer than necessary.


In addition to violating the four above-mentioned standards and underlying them
principles, the AP concludes that the tax authorities are insufficiently appropriate technical and
has taken organizational measures with regard to access security, logging and control

on the logging to ensure an appropriate level of security for the data in FSV.
As a result, the Tax and Customs Administration acted in conflict with . from November 4, 2013 to February 27, 2020
article 32, first paragraph, of the AVG and article 13 of the Wbp.


Finally, the AP concludes that the Tax and Customs Administration did not properly and timely involved the FG in
the implementation of the GEB of FSV. With this behaviour, the tax authorities acted in conflict with
article38, first paragraph, of the GDPRjo.article35, second paragraph, of the AVG.









                                                                                        4/16,Date Unidentified
7April2022 [CONFIDENTIAL]



2.2View of the Minister

The Minister endorses the facts and conclusions in the investigation report of the AP. FSV was not on
may be used in this way, the Minister has recognized. The conclusions of the AP are in line with
previous conclusions of the tax authorities that have led to the deactivation of FSV.


The Minister declares that the tax authorities concerned citizens who were included in FSV
informs them about their registration and the reason why they were registered in FSV. If the
If the tax authorities do not know the reason for a registration in FSV, the tax authorities will let the

those involved also know
them that they can contact the tax authorities by telephone and that they also have more information
can be found on the web page FSV. There is a hotline for FSV, intended for citizens who suspect that they
have had unjustified consequences of their registration in FSV. If there is more clarity about the answer

to the question with which organizations the Tax and Customs Administration has shared data from FSV, the
those involved have also been informed about it.At the moment, about 200,000 people involved have a letter
received from the tax authorities about their registration in FSV. About 100,000 of these have the reason
heard of that registration in FSV.


The Tax and Customs Administration will have further research carried out into the effects of a registration in FSV, on the external
data sharing fromFSVentotheusedqueries.Ahead oftheresultsofthis
investigations, an compensation scheme is worked out for the wrongfully affected citizens.


Partly as a result of the problem with FSVis the Tax and Customs Administration started with the
program 'Repair, improve and secure' (hereafter: HVB). HVB contains actions that have been
used to solve the problems in the way the tax authorities have dealt with
(personal) registrations, risk models and the use of personal data such as nationality.


The executive directorates-general (Tax authorities, Allowances, Customs) work together with the
Ministry of Finance (policy department) on action plans for improving the
privacy organization from a central and central point of view. In the action plans, including that of the
Tax authorities, among other things, the current and additional measures to be taken for the

(structural) compliance with these laws and regulations. About the follow-up of the action plans,
periodic report to the Governing Council of the Ministry of Finance.

In addition, the Tax and Customs Administration is working on a new process for handling signals immediately

temporary technical provision. The conclusions from the research report of the AP have been used in the
drafting the adjusted GEB for this process
to the FG for advice. After that, the GEB for advice is offered to the AP.


Furthermore, the Minister declares that work is being done on the bill Safeguarding the law
data processing Tax authorities, Allowances and Customs. The bill aims to provide the foundations for
to strengthen and strengthen the processing of personal data by the Tax and Customs Administration, Allowances and Customs




                                                                                         5/16,Date Unidentified
7April2022 [CONFIDENTIAL]



In addition, the bill aims to create a legal framework for the
guarantee of lawful, proper and transparent data processing by these three
implementing organizations.


Finally, the Tax and Customs Administration realizes that fundamental improvements are needed in dealing with
personal data and the Tax and Customs Administration will commit itself fully to repetition in the future
prevent, according to the Minister.


3. Fines


3.1Introduction

The AP has established that the Minister, as controller for processing in FSV
by the tax authorities, has acted contrary to the principles of lawfulness, target specification,
correctness and storage limitation. The AP also determined that the Minister is not an appropriate

security level for the data in FSV has furthermore ensured that the FG does not go to
belong and have not been involved in time in the implementation of the GEB of FSV.

The AP makes use of its powers to order the Minister to impose fines, because of the aforementioned
violations. Because of the seriousness of the violations and the extent to which they can inform the Minister
be blamed, the AP deems the imposition of fines appropriate.

ongoing violations that have occurred under both the PDPA and the AVG (with
exception of the involvement of the FG), the AP has tested against the substantive law as it applied
at the time when the conduct took place. These provisions are intended to have the same legal interests
guarantees. There is no (substantial) material change in the regulations on this point.

The AP motivates the imposition of the fines in the following. The AP first briefly sets the fine system

This is followed by the justification of the fines for the violations of the
basic principles of the GDPR. After that comes the violation of the obligation to guarantee a
appropriatesecuritylevelforpersonaldatainFSVofferedandsubsequentlytherequirementof
propertimelyinvolvementoftheFGintheimplementationoftheGEB.Finally,theAPassessessof
the application of the fine policy leads to a proportionate outcome.


3.2Finance Policy RulesPersonal Data Authority2019

Pursuant to article 58, second paragraph, opening words and article 83, fourth paragraph, of the AVG, read in
in connection with article 14, third paragraph, of the UAVG, the AP is competent in the event of a violation of
Article 32 of the AVG and Article 35, paragraph 2, of the AVG Not to impose an administrative fine until

$10,000,000.






                                                                                        6/16,Date Unidentified
7April2022 [CONFIDENTIAL]



Pursuant to article 58, second paragraph, opening words and article 83, fifth paragraph, of the GDPR, read in
in connection with article 14, third paragraph, of the UAVG, the AP is competent in the event of a violation of
article 5 of the AVG Not to impose an administrative fine up to € 20,000,000.


The AP has established Penalty Policy Rules regarding the fulfillment of the above-mentioned authority to the
imposing an administrative fine, including determining the amount thereof. In the
Penalty policy rules has been chosen for a category classifications bandwidth system.

Violation of article 5, first paragraph, under the AVG is made dependent on the underlying

provision, being article 6, first paragraph, of the GDPR. Category III applies here, with a penalty bandwidth
between €300,000 and €750,000 and a basic fine of €525,000.

Violations of article 5, first paragraph, subparagraph of the GDPR are also classified in category III,

with a fine bandwidth between €300,000 and €750,000 and a basic fine of €525,000.

Violations of article 32 of the AVG and article 35, paragraph two, of the AVG are classified in category

II.CategoryII has a finebandwidth between €120,000 and €500,000 and a basic fine of
€310,000.

3.3Amount of fines for the general principles of the AVG and security of

processing of personal data

Lawfulnessisoneofthebasicprinciplesofdataprotection.Aprocessingof
personal data is lawful if it takes place on the basis of a legal basis. Interference on the

upright respect for the private life of the citizen is particularly important that the tax authorities as
government agency must be able to base its actions on a sufficiently clear, accurate
predictable statutory regulation. The Tax and Customs Administration has failed in this regard. Because the Tax and Customs Administration
has processed in FSV without basic data, is the core of the right to protection of

personal data of many citizens was violated.

In addition, personal data may only be processed if it is explicite
the legitimate purpose of the processing cannot reasonably be stated in any other way

achieved. The controller must also take all reasonable steps to ensure that
to ensure that incorrectly proven data are corrected or erased that data
are not kept any longer than necessary.The AP has determined that incorrect data

are included in FSV and that this data is also kept longer than necessary.

To prevent organizations from infringing data processing
oncitizensprivacy, the AP furthermore considers it of great importance that organizations are geared to risk

apply a security level. When determining the risk to the data subject, among other things,
of the personal data and the extent of the processing important: these factors determine the


6Stcrt.2019,14586,March 14,2019.



                                                                                         7/16,Date Unidentified
7April2022 [CONFIDENTIAL]



potential damage for the individual data subject in the event of, for example, loss, alteration or unlawful

processing of the data. The more sensitive the data is, or the
context in which they are used pose a greater threat to privacy,
stricter requirements are placed on the security of personal data. The AP is of the opinion that the
The tax authorities have taken insufficient measures with regard to access security,

logging and checking on the logging for an appropriate level of security for the data in FSVte
guarantee.


The AP has concluded that the Tax and Customs Administration regards the abovementioned principles
has insufficiently complied with.Theseprinciplesensuretheintegrityofpersonaldataandensure
citizens are able to retain control over their own data. That is of great importance, because a

unlawful processing of data can have far-reaching consequences for the personal
life. The AP explains the victory according to the seriousness of the violations below.


3.3.1 The nature, the seriousness of the infringements
Given the nature and scope of the unlawful processing of data in FSV, the AP
is of the opinion that the violations by the Tax and Customs Administration are very serious. The Tax and Customs Administration has in FSV
more than 540,000 signals processed unlawfully relating to more than 270,000 data subjects.

This very large group of citizens, including hundreds of minors, have been badly affected in their rights
on the protection of personal data. In doing so, the AP takes into account that the citizens involved in relation to
of the tax authorities are in a dependent and unequal position.After all, a citizen has with the

The tax authorities only have the obligation to file a tax return or the possibility to
to apply for allowances. After submitting the opinion of the tax authorities, it appeared that the
The Tax and Customs Administration has yet again shared data from FSV with other government agencies and private
parties. The AP finds it objectionable that the Tax and Customs Administration – in view of its ample powers and

unequal position that they occupies with regard to the citizen - in this case extraordinary
careless handling of its powers.


With regard to the duration of the violations, the AP has established that the tax authorities
during a period of more than six years, namely from November 4, 2013 to February 27
2020 has committed. The fact that the violations thus in a structural manner for a longer period
                                         8
have persisted, the AP considers very serious.

The consequences for citizens who were included as (potential) fraud in FSV could be very serious. In
in some cases no citizen received the stamp 'fraud' without this following from a thorough

investigation. And if there was an investigation and there was no evidence of fraud, then this was
conclusion often not listed in FSV, so the suspicion of fraud remained in FSV.A



7
8Parliamentary PapersII2021/22,31066,no.957.
 Since the APpass since January 1, 2016, has the power to fine the above-mentioned violations, and in the
within the framework of the (increase of the) fine and the duration of January 1, 2016 in view. Also, that there is a case of long-term
violations.



                                                                                          8/16,Date Unidentified
7April2022 [CONFIDENTIAL]



registration in FSV (if any combination with other indications), could then lead for that citizen
stigmatization, intensified surveillance/or had negative financial consequences.


For example, the intensification of supervision could result in the income tax return to the detriment of
vandieburgerwascorrectedordateanapplicationtoqualifyforcare,rentor
childcare allowance was rejected.A request for a personal payment scheme was also made
allowancesdebt or amicable debt rescheduling with a tax or allowancesdebt are automatic

rejected, because of the FSV registration of that citizen. Because of this, citizens have been in uncertainty for a long time
wrong about their financial situation. Those involved were further not informed about the fact that they were in
FSV arose, not even after an aim to see the request. This resulted in

those involved do not dispute that they were mentioned in FSV and that they were unable to exercise their rights.

Investigation by the Tax and Customs Administration has also shown that examples have been found in
communication within the tax authorities between the tax authorities and other government institutions

overdesignalisation of risks, in which a fraud risk was indicated on personal characteristics such as
nationalities appear outwardly. In (instruction) documents, for example, the foreign
nationality(such as Turkish,Moroccan andEastern Europe)used as selection criterion for further tax
research. But also gifts to mosques and high deductions related to medicine use by

taxpayers with surnames ending in”–ić”were used as risk indicators for
fraud. This unequal treatment in the fraud risk selection gives a high risk stigmatization.
In addition, it has not been shown that the Tax and Customs Administration is inappropriate for this discriminatory
way of data processing had a reasonable and objective justification.


With regard to the consequences of the insufficient security of the data, the AP notices
nextup.The lack of security of FSV allowed unauthorized employees of the
BelastingdienstdatainFSVinsee.SignalsfromFSVareregularlyexportedforthe

creating a so-called subset outside FSV, so that persons who did not have access to FSV
could search in it. Due to the shortcomings in the access protections and in the (checking on) logging
the data could be misused. The tax authorities therefore also had no insight into

the further processing of the (exported) data.

3.3.2Categories of personal data
The Tax and Customs Administration processes too much (different) personal data in FSV. A signal in FSV existed in

in any case from a citizen service number, and a number of completed fields, including name and address
data,accountnumberandIPaddress.Sometimesasignalcontainsthenationalityofpersonsand
documents about the criminal offenses committed and criminal convictions.The Tax Authorities
furthermore, in appropriate cases, also processes data about the physical or mental health of

citizens. This is a special category of personal data that enjoys extra protection under the AVG
AP also found that signals could contain data about persons on whom the signal did not
(directly) saw, such as family members, tax service providers and host parents. Given the size of the sensitive



9Parliamentary PapersII2021/22,31066,no.977.



                                                                                           9/16,Date Unidentified
7April2022 [CONFIDENTIAL]


characterofthe-also–special data, the AP considers the violations also on the basis of this

particularly serious.

3.3.3 Blame and serious negligence
Since this concerns violations, is for the imposition of an administrative fine in accordance with fixed

case law does not require that it is shown that there is intent. The AP may culpability
presume if the perpetrator is established. The Minister, as controller, must
under the GDPR, in the processing of personal data, the above-mentioned basic principles are observed
The AP has determined that the Minister as controller under the GDPR

intheprocessingofpersonaldatainFSVhascommittedtotheprinciplesof
legality, target specification, accuracy and storage limitation. In addition, the Minister does not have a
appropriate level of security for the personal data guaranteed in FSV. The AP considers this culpable.

In addition, according to the AP, there is serious negligence on the part of the Minister

Belastingdienst.Citizens who are obliged to provide personal data to the Tax and Customs Administration
must be able to assume that the Tax and Customs Administration-as a government agency– will take the necessary measures
has taken steps to process data lawfully and securely
The tax authorities have had data for years, including special personal data

such as medical data, processed in FSVo in a lawful manner
was also in some cases discriminatory by nature and led to stigmatization,
more intensive supervision/or resulted in negative financial consequences. Also after its own internal
conclusionfromJanuary2019thatdataprocessinginFSVdidnotcomplywiththeGDPR,have

Tax authorities also omitted to integrate immediately. The AP therefore comes to the conclusion
that the Tax and Customs Administration - under the responsibility of the Minister - is seriously culpably negligent
acted.


3.3.4Previous relevant infringements
The AP can help determine the amount of the fine for earlier relevant infringements by the
take into account the controller. This is the case in this case. The AP has the
Minister charged the following violations in the period of 2018–2021. On 3 July 2018, the AP
concluded that the Tax and Customs Administration with regard to the logging, the control on the logging and

access security at the department Data foundations & analytics acted contrary to article 13 Wbpen
32AVG.The AP has imposed a processing ban on the Minister as of January 1, 2020 because of the
unlawful processing of the BSN in the VAT identification number. And on November 25, 2021, the
AP imposed fines on the Minister of Administration in the so-called Childcare Allowance Affair, because the

For years, the tax authorities have maintained the (dual) nationality of applicants for childcare allowance on
unlawfully processed.

Now the AP has once again established that the Minister has personal data without a legal basis
processed and has insufficiently secured, the AP considers these previously identified violations

relevant previous infringements. The AP determines that this indicates persistent problems of a structural nature
which can lead to no other conclusion and that at the tax authorities, the official management of the




                                                                                         10/16,Date Unidentified
7April2022 [CONFIDENTIAL]


departments andMinisters have been/have been for years of a broad negligence, negligence and

self-discriminate and act improperly in the application of legal rules regarding
data protection.

3.3.5Amount of fines

Based on the above considerations, the AP determines the amount of the fines as follows.

Legal basis
Because of the serious consequences of the lack of legal bases because there is

previous relevant infringements as referred to in paragraph 3.3.4, the AP is of the opinion that the
violation linked fine category does not lead to an appropriate punishment
application of article 8.1 of the fine policy rules when determining the amount of the fine the next higher
apply category.


For violation of article 5, first paragraph, under ajo. article 6, first paragraph, of the AVG and having regard to the
the aforementioned considerations give cause to the AP to impose a fine. The AP
increases the base amount of €725,000:
    - with €155,000 due to the nature, seriousness and duration of the infringement (article 7 suba

       fine policy rules) and circumstances as stated in paragraph 3.3.1 with;
    - with €90,000 due to the accidental nature of the infringement (article 7 sub b Fine policy rules) and
       the circumstances as stated in paragraph 3.3.3; and
    - with €30,000 based on the categories of personal data (article 7 subg

       fine policy rules) and circumstances as stated in paragraph 3.3.2.

This fine amounts to a total of €1,000,000.

Target binding

Due to the violation of the rules regarding purpose limitation (article 5, first paragraph, under b of the
GDPR) and the aforementioned considerations, the AP sees a reason to impose a fine on the Minister
The AP increases the base amount of €525,000:
    - with €125,000 due to the nature, seriousness and duration of the infringement (article 7 suba

       fine policy rules) and circumstances as stated in paragraph 3.3.1;
    - with €75,000 based on the accidental nature of the infringement (article 7 sub b Fine policy rules) and
       the circumstances as stated in paragraph 3.3.3; and
    - with €25,000 based on the categories of personal data (article 7 subg

       fine policy rules) and circumstances as stated in paragraph 3.3.2.

This fine amounts to a total of €750,000.









                                                                                         11/16,Date Unidentified
7April2022 [CONFIDENTIAL]



Accuracy
Because of the incorrectly not updated data in FSV (article 5, first paragraph, part of the
GDPR) and the aforementioned considerations, the AP sees a reason to impose a fine on the Minister
The AP increases the base amount of €525,000:

    - with €125,000 due to the nature, seriousness and duration of the infringement (article 7 suba
       fine policy rules) and circumstances as stated in paragraph 3.3.1;
    - with €75,000 based on the accidental nature of the infringement (article 7 sub b Fine policy rules) and
       the circumstances as stated in paragraph 3.3.3; and

    - 2 with € 25,000 based on the categories of personal data (article 7 subg
       fine policy rules) and circumstances as stated in paragraph 3.3.2.

This fine amounts to a total of €750,000.


Storage limitation
Due to violation of the rules regarding storage limitation (article 5, first paragraph, under one of the AVG) and
the aforementioned considerations give cause to the AP to impose a fine on the Minister

APincreases the base amount from €525,000:
    - with €125,000 due to the nature, seriousness and duration of the infringement (article 7 suba
       fine policy rules) and circumstances as stated in paragraph 3.3.1;
    - with €75,000 based on the accidental nature of the infringement (article 7 sub b Fine policy rules) and

       the circumstances as stated in paragraph 3.3.3; and
    - with €25,000, based on the categories of personal data (article 7 subg
       Fine policy rules) and circumstances as mentioned in paragraph 3.3.2


This fine amounts to a total of €750,000.

Security
Due to violation of the rules regarding security (article 32, first paragraph, of the AVG) and

the aforementioned considerations give cause to the AP to impose a fine on the Minister
APincreases the base amount from €310,000
    - with €90,000, due to the nature, seriousness and duration of the infringement (article 7 suba
       fine policy rules) and circumstances as stated in paragraph 3.3.1;

    - with €50,000, based on the negligent nature of the infringement (article 7 sub b Fine policy rules) and
       the circumstances as stated in paragraph 3.3.3;
    - by €30,000, based on the earlier more relevant infringement from 2018, as stated in paragraph 3.3.4
       (article 7subeFinance Policy Rules);

    - with €20,000, based on the categories of personal data (article 7 subg
       Fine policy rules) and circumstances as mentioned in paragraph 3.3.2

This fine amounts to a total of €500,000.







                                                                                         12/16,Date Unidentified
7April2022 [CONFIDENTIAL]



3.4Amount of fines for data protection officer involvement

TheFGsupportsthecontroller, among other things, in the monitoring of internal compliance
of the AVG. It is important that the controller ensures that the FG to
belong and be involved in a timely manner in all matters related to the protection of

personal data.The AP has established that the Tax and Customs Administration does not properly and in time
has been involved in the implementation of the data protection impact assessment (DIA) of FSV.

The Tax and Customs Administration has carried out the GEB from November 6, 2018 to January 21, 2019.

year after this period, the FG was only asked to advise on the GEB
not asked for advice during the execution of GEBo. The consequence of this is that the FG are not tasks
has been able to implement properly and the Tax and Customs Administration has therefore not been able to advise on compliance in time
of the AVG. In a timely consultation, the FG could have warned the tax authorities earlier on the
risks associated with the unlawful processing of personal data in FSV.


As described earlier, the Tax and Customs Administration has processed a great deal of (sensitive) data in FSV
of hundreds of thousands of citizens. Especially in the case of large-scale processing of personal data that
can lead to adverse consequences for a large number of involved parties, the Tax and Customs Administration must timely

to carry out and ask for advice on the matter. The AP is of the opinion that there is a serious
violation by the tax authorities, valueMinisteras controller responsible
in advance.


Finally, in the case of this violation, the AP also concludes that the tax authorities, under
responsibility of the Minister, has acted seriously culpably negligently. That the tax authorities
well over a year after the implementation of the GEB and in response to questions from the media about FSV,
asked the FG for advice, the AP deems it very negligent.


Now that the Tax and Customs Administration did not obtain the advice of the FG in time when carrying out the GEB,iser
there is a violation of article 35, second paragraph, of the GDPR
circumstances, the AP sees reason to impose a fine on the Minister. The AP increases the
base amount of €310,000 due to 1) the nature, seriousness, duration of the infringement with € 70,000, due to (2) the

negligence with € 50,000 and because of (3) the categories of data with € 20,000
this fine amounts to a total of €450,000.

3.5Proportionality


Finally, the AP assesses on the basis of articles 3:4 and 5:46 of the General Administrative Law Act (principle of proportionality) whether the
application of its policy for determining the amount of the fine in view of the circumstances of the
concrete case, does not lead to a disproportionate result. Application of the principle of proportionality can
inter alia play in the cumulation of sanctions. In addition, under article 83, third paragraph, of

the AVG the total money fines are not higher than those for the heaviness fracture, if the





                                                                                       13/16,Date Unidentified
7April2022 [CONFIDENTIAL]



controller in respect of the same or related
processing activities infringe several provisions of the GDPR.


In this case, the AP imposes an administrative fine for violation of article 5, first paragraph, under a (jo.
article6, first paragraph),b,deneoftheGDPR,article32,firstparagraph,oftheGDPRandarticle35,secondparagraph,ofthe
AVG.Although the violations committed violate different interests and because of them separately
fine, in this case the AP sees the connection between the lack of legal bases

the storage limitation as a relevant factor for the fine for the violation of the storage limitation
moderate by €500,000.


The AP sets the total amount of the fines imposed at an amount of €3,700,000.
article 10 of the fine policy rules, the AP determines that the total fines are not higher than the legal
maximum fine (€20,000,000) for the most serious violation.

                                                                         10
The AP is of the opinion that (the amount of) the total fine is not disproportionate. The AP has in this
judge, among other things, the first of the infringements to be weighed up and the extent to which they are to the Minister
can be blamed. Due to the nature of the duration of the violations, the far-reaching consequences
for the involved and earlier relevant infringements, the AP qualifies the relevant infringements on

theAVGsserious.

3.6Conclusion


The AP sets the total amount of the fines imposed at €3,700,000.
























1For the justification, see also paragraph 3.3 and 3.4.



                                                                                        14/16,Date Unidentified
7April2022 [CONFIDENTIAL]




4.Dictum



    I. The AP imposes a fine on the Minister of Finance in the amount of €1,000,000 (in words: one
       million euros), because there is no legal requirement for the processing of personal data in FSV
       As a result, the Minister of Finance has article 5, first paragraph, opening words under ajo.
       Article 6, first paragraph, of the AVG has been violated.


    II. The AP imposed a fine of €750,000 on the Minister of Finance (in words:
       seven hundred and fifty thousand euros), because the data in FSV conflicts with the principle
       of the target specification have been processed. As a result, the Minister of Finance has Article 5, first paragraph,
       preambles under the AVG violated.


    III. The AP imposed a fine of €750,000 on the Minister of Finance (in words:
       seven hundred and fifty thousand euros), because the data in FSV conflict with the principle
       have been processed correctly. As a result, the Minister of Finance has introduced article 5, first paragraph, preamble
       Violated under the AVG.


    IV. The AP imposed a fine of €250,000 on the Minister of Finance (in words:
       two hundred and fifty thousand euros), because the data in FSV conflicts with the principle
       of storage limitation have been processed. As a result, the Minister of Finance has Article 5, first paragraph,
       preambles under the AVG violated.


    V. The AP imposes a fine of €500,000 on the Minister of Finance (in words:
       five hundred thousand euros), because the data in FSV is insufficiently appropriate
       security level is guaranteed. As a result, the Minister of Finance has article 32, first paragraph,
       oftheAVGviolated.


    VI. The AP imposed a fine of €450,000 on the Minister of Finance (in words:
       four hundred and fifty thousand euros), because the advice of the FG is not during the implementation of the
       GEBisinge won. As a result, the Minister of Finance has article 35, second paragraph, of the AVG
       violate.


Yours faithfully,
AuthorityPersonal Data,

w.g.



mr.A.Wolfsen
Chair




                                                                                       15/16,Date Unidentified

7April2022 [CONFIDENTIAL]


Remedies Clause
If you do not agree with this decision, you can within six weeks of the date of shipment of the

decide to submit an objection digitally or on paper to the Data Protection Authority
article 38 of the UAVG suspends the submission of an objection to the effect of the decision
imposition of the administrative fine. For submitting a digital objection, see
www.autoriteitpersoonsgegevens.nl,onderhetkopjeBezwaarmakentegeneenbesluit,bottom

page under the heading Contact with the Data Authority. The address for submission on paper
is:Authority Personal Data, PO Box93374,2509AJDenHaag.
Mention 'Awb-objection' on the envelope and put 'objection' in the title of your letter.
Write in your letter of objection at least:
- your name and address;

- the date of your notice of objection;
- the reference (case number) mentioned in this letter; or attach a copy of this decision;
- the reason(s) why you do not agree with this decision;
-your signature.





































                                                                                      16/16