Record fine imposed by the Dutch DPA

A record fine was imposed on the Tax and Customs Administration by the Dutch DPA for multiple GDPR violations. 


The Dutch Data Protection Authority has imposed a fine of 3.7 million euros on the Tax and Customs Administration due to years of unlawful processing of personal data in their Fraud Signalling Facility. According to this report from the Dutch DPA this operation involved a blacklist on which the Tax and Customs Administration kept records of fraud. These records often led to major consequences for people who were included (sometimes innocently). During an investigation into the Fraud Signalling Facility, the Dutch DPA found a long list of GDPR violations. This resulted in the DPA’s highest fine to date. The DPA found this necessary due to the seriousness of the violations, the impact on large numbers of people, and the length of time over which violations continued.


The Dutch DPA’s investigation revealed several serious GDPR violations. 


The investigation revealed, for starters, that the Tax and Customs Administration had no legal basis for processing the personal data on the list. Without a legal basis, the processing of personal data is prohibited under the GDPR. Another major issue with the fraud list is that the personal data was, in several cases, incorrect. As a result, people were wrongly registered as possible fraudsters, facing serious consequences as a result. In addition, According to the Dutch DPA, the security of the data on this list was considered insufficient, and the internal data protection officer of the Tax and Customs Administration did not have early enough involvement in the setting up of the list. The Tax and Customs Administration’s investigation also revealed that employees were instructed to base the risk of fraud partly on discriminatory factors such as nationality and people’s appearance.


 When determining the amount of the fine, the Dutch DPA took into account each of the GDPR violations committed by the Tax and Customs Administration, resulting in its highest overall fine to date.


When determining the amount of the fine, the AP also took into account the fact that the Tax and Customs Administration has committed serious violations of the GDPR. The record fine of €3.7 million included a €1 million fine for the processing of personal data without a legal basis, €750,000 for a failure to define the Fraud Signalling facility (or FSV) in advance. There was an additional €750,000 for the incorrect data included in the FSV blacklist and €250,000 for the length of time this data was kept. The insufficient security of this data landed the Tax and Customs Administration another €500,000. The Dutch DPA also applied a fine of €450,000 for the Tax and Customs Administration taking over a year before having risk assessed by their internal DPO. 

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Leave a Comment


Your email address will not be published.