As several other European countries, The Netherlands has implemented the possibility not only to impose a penalty on private companies under the GDPR, but on governmental bodies as well. Consequently the Tax and Customs Administration could be accused of not having a legal basis for the processing of personal data in FSV. The Tax authorities are also blamed of having processed the personal data in violation of three principles anchored in the General Data Protection Regulation (GDPR), namely the “purpose limitation” principle, the “principle of accuracy” and the principle of “storage limitation”. In addition, the security level of the application was not up to scratch. Finally, the DPA imposed a separate fine for the fact that the advice of the DPO was not sought when carrying out the Data Protection Impact Assessment (DPIA). Pursuant to the GDPR, a DPIA is mandatory for organizations when deploying new ICT projects and applications, in which the processing of personal data plays a role.
Given the nature and scope of the unlawful processing of personal data in FSV, the DPA is of the opinion that the violations by the Tax authorities are very serious. The Tax and Customs Administration has unlawfully processed more than 540,000 signals in FSV relating to more than 270,000 data subjects. This very large group of citizens, including hundreds of minors, have been severely affected in their right to the protection of personal data, the decision said.
The DPA imposes a separate fine on the Tax Authorities for each violation, varying from Euro 250,000 to Euro 750,000. As a result, the DPA imposes a total fine of Euro 3.7 million. A record breaking amount.
Until now, incremental fines have hardly been imposed by the Dutch DPA. The fact that this is now happening to this extent, can rightly be called a novelty and may signal a change of course in the enforcement policy of the Dutch DPA. Time will tell. We will keep you up to date!
Article provided by INPLP member: Bob Cordemeyer (Cordemeyer & Slager, Netherlands)
Co author: Sil Kingma
Dr. Tobias Höllwarth (Managing Director INPLP)