Skip to main content

AP applies incremental penalty authority to the fullest


It is the first time in history that the Dutch Data Protection Authority (DPA) has identified six violations of the GDPR in only one decision. All violations relate to the use and security by the Tax Authorities of its application Fraud Signaling Facility (FSV). An application that included signals about established fraud and signals that could indicate an increased risk of fraud with taxes and benefits.

As several other European countries, The Netherlands has implemented the possibility not only to impose a penalty on private companies under the GDPR, but on governmental bodies as well. Consequently the Tax and Customs Administration could be accused of not having a legal basis for the processing of personal data in FSV. The Tax authorities are also blamed of having processed the personal data in violation of three principles anchored in the General Data Protection Regulation (GDPR), namely the “purpose limitation” principle, the “principle of accuracy” and the principle of “storage limitation”. In addition, the security level of the application was not up to scratch. Finally, the DPA imposed a separate fine for the fact that the advice of the DPO was not sought when carrying out the Data Protection Impact Assessment (DPIA). Pursuant to the GDPR, a DPIA is mandatory for organizations when deploying new ICT projects and applications, in which the processing of personal data plays a role.

Given the nature and scope of the unlawful processing of personal data in FSV, the DPA is of the opinion that the violations by the Tax authorities are very serious. The Tax and Customs Administration has unlawfully processed more than 540,000 signals in FSV relating to more than 270,000 data subjects. This very large group of citizens, including hundreds of minors, have been severely affected in their right to the protection of personal data, the decision said.

The DPA imposes a separate fine on the Tax Authorities for each violation, varying from Euro 250,000 to Euro 750,000. As a result, the DPA imposes a total fine of Euro 3.7 million. A record breaking amount.

Take away

Until now, incremental fines have hardly been imposed by the Dutch DPA. The fact that this is now happening to this extent, can rightly be called a novelty and may signal a change of course in the enforcement policy of the Dutch DPA. Time will tell. We will keep you up to date!


Article provided by INPLP member: Bob Cordemeyer (Cordemeyer & Slager, Netherlands)

Co author: Sil Kingma




Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.