Dutch Tax Office violated data privacy
The Dutch Tax Service had erroneously blacklisted tens of thousands of people. It violated the data security of tens of thousands of people it blacklisted. The Dutch Personal Data Protection Authority (Autoriteit Persoonsgegevens – AP) announced in its report published today that the Department violated the data privacy of approximately 270 thousand people for 7 years.

In the statement, he emphasized that this situation clearly violates many articles of the General Data Protection Regulation (GDPR) of the European Union. In addition, personal data was processed without legal basis and this data was seen by many employees.

It turned out that the department made wrong decisions on the basis of outdated data. According to the statement, personal data was stored in the system for a very long time.

Thus, this proved to be a violation of the Privacy Act in the Netherlands. Many innocent people were victimized. Due to the mistake of the Tax Office, thousands of people were subject to tax inspection and did not receive the payments they deserved.

Dutch Tax Agency breached the data privacy of tens of thousands of people

The report of the Dutch Data Protection Authority also revealed that the Tax Office used the Fraude Alert System (Fraude Signaling Voorziening), known as FSV, in 2013-2020. The department incorrectly processed the information it received from other public institutions.

It has mistakenly registered more than 270,000 people on FSV’s blacklist as “scammers or potential fraudsters”. The AP’s report was submitted to the Ministry of Finance to determine possible sanctions to be imposed on the Tax Administration.

The use of the Fraud Warning System was banned in 2020 because it violated the Dutch Privacy Act and produced unsafe results. In local media coverage of the report, AP Director Aleid Wolfsen said, “Our investigation shows that the Tax Office is using the FSV system in an unauthorized way and clearly breaching data security.” made the statement.

Violated Dutch Personal Data Protection Law

According to the Dutch Personal Data Protection Law, personal data can only be processed in the following cases: the data subject has given his express consent for the processing. Data processing must be necessary for the performance of a contract to which the data subject is a party or for taking pre-contractual measures necessary for the conclusion of a contract and in response to the data subject’s request.

It must be ensured that the data processing is necessary to comply with a legal obligation to which the data controller is subject. The data is necessary to protect a vital interest of the data subject. In other words, the Dutch Tax Office has officially violated the data privacy of tens of thousands of people due to its faulty transactions.