Fine in the amount of 3.7 million euros imposed by the Dutch Supervisory Authority on the Tax Administration for the illegal processing of personal data
The National Center for Personal Data Protection (NCPDP), for information and application purposes, reports on the fine in the amount of 3.7 million euros imposed by the Dutch Supervisory Authority (DPA) on the Tax Administration for illegally processing personal data over a period of years in its ‘fraud identification facility’ (FSV). This was a blacklist which the Tax Administration used to register indications of fraud, often with major repercussions for people who had been wrongly included on the list.
Over the course of its investigation into the FSV the DPA uncovered numerous violations of the General Data Protection Regulation. For example, the Tax Administration had no statutory basis for processing the personal data on the list. In many cases the personal data was not even correct, and as a result people were wrongly registered as possible tax frauds. Furthermore, the list was not properly protected, and the Tax Administration’s internal privacy supervisor was not involved at an early stage in the creation of the list.
The fine imposed on the Tax Administration is the highest ever imposed by the DPA. This is due to the seriousness of the violations, the large number of people impacted and the fact that the violations persisted for such a long period of time.
The 3.7 million euro fine comprises multiple fines for 6 violations:
· The Tax Administration had no statutory basis for processing personal data in the FSV: €1 million.
· The purpose of the FSV was not specifically described in advance: €750,000.
· The FSV contained incorrect and obsolete information: €750,000.
· This particular data was stored for far too long: €250,000.
· The FSV was not adequately protected: €500,000.
· The Tax Administration waited over a year to ask its internal privacy supervisor for advice about assessing the risks of using the FSV: €450,000.
The NCPDP, as the national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of the legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.