The Tax and Customs Administration has once again received a GDPR fine for its actions in the allowances scandal. The Dutch data protection authority (AP) is levying a record fine of 3.7 million euros for the notorious Fraud Signaling Facility system that was central to the case.
The fine is for the account of Finance Minister Sigrid Kaag, who is jointly and severally responsible for the tax authorities. This is the second fine that the Tax and Customs Administration has received for its role in the allowances scandal. In December last year, the AP already handed out a fine of 2.75 million euros, at that time because of the benefits provisions system, or TVS. At the time, that was the highest fine the AP had ever imposed for violating the GDPR.
The Dutch data protection authority has considered the collection of data by the tax authorities in the Fraud Signaling Facility system, abbreviated FSV. This is one of the most famous systems used by the tax authorities in the allowances scandal, over which the Dutch government resigned at the beginning of 2021. The FSV contained the characteristics of Dutch citizens, including their income, but also their ethnicity, origin and health. When these citizens filed a tax return or applied for benefits, a risk score was created based on those characteristics. In this way, the tax authorities estimated the chance that a citizen would commit fraud. In total, the data of 244,273 people and 30,000 entrepreneurs were on that “black list”.
Four violations
According to the privacy supervisor, the Tax and Customs Administration violated the GDPR privacy law on four counts with the use of the FSV. In any case, this happened between November 2013 and February 2020. According to the AP, “Tax and Customs Administration acted in contravention of the principles of lawfulness, purpose specification, accuracy and storage limitation.” In addition, there were no measures to secure the data in this database, and the data protection officer was not properly involved in securing the list.
The AP is strict about the violations and describes them as serious. In the first place, “there was no basis for the processing of personal data in the FSV”. There was no obligation to process fraud signals in the system. The tax authorities have defended themselves against this by saying the service has a “public interest” in processing the data, but that argument is not valid, according to the AP. There is no law that mandates the collection of specific data, the AP said. Also, so much data was collected that its processing was not proportional. The purpose of the blacklist was not clear, according to the AP, so it wasn’t clear in advance what data could be collected and what could not. The latter is also a violation of the GDPR, because a clear purpose for data collection must be established in advance.
The regulator is also critical of the fact that much old data was on the blacklist. The Tax and Customs Administration did not remove or correct it and thus violated the retention period.
Poor security
In addition to improper data collection, the Tax and Customs Administration has also taken very few measures to protect data. Inadequate technical and organizational measures have been taken with regard to access security, registration and registration control, the regulator writes. In the relatively short fine decision, the AP does not describe the measures involved. The AP writes that unauthorized employees could request data. Also, the data was sometimes exported from the system so that more people could access it. Partly for this reason, the Tax and Customs Administration did not have “insight into the further processing of the data”.
In addition to the seriousness of the violations, the AP considers the nature and scope of the allowances scandal “extremely serious.” It was possible to process data on hundreds of minors and citizens had an “unequal attitude” towards the tax authorities. The tax authorities have also shared data from the blacklist with other government agencies and private parties. “The AP finds it reprehensible that the Tax and Customs Administration, given its broad powers and the unequal attitude it holds toward the citizen, has treated its authorities so negligently in this case,” the AP wrote. The consequences for the blacklisted citizens were “extremely serious”.
The abuse continued for years. The AP considers it extremely dangerous for the violations to continue in a structural form for a longer period.
Role of the DPO
The AP also mentions the role of the data protection officer in the case. This data protection officer is mandatory in most government organizations and must oversee data processing. According to the AP, the data protection officer was hardly involved when conducting a data protection impact assessment. That only happened afterwards. The AP believes the data protection officer could have warned the tax authorities about improper data collection if he had been involved earlier. The AP described this as a “serious violation”.
Remarkably, the AP took past violations into account when determining the amount of the fine. This was not only about a previous fine for the allowances scandal, but also about the fact that the tax authorities used BSNs incorrectly and that in 2018 there was poor registration of those with access to another unrelated department. “Now that the AP has once again established that the Secretary processed personal data without legal basis and did not adequately secure it, the AP considers these previously identified violations to be relevant prior violations,” the AP wrote. “The AP has demonstrated that this points to persistent problems of a structural nature that cannot lead to an outcome other than that in which the Tax and Customs Administration and the official leadership of the Department and the Minister have (committed) widespread neglect for years and neglect and even act in a discriminatory and therefore improper manner in application of legal rules relating to data protection.”
High fine
The fine for illegal data collection is 1 million euros. This is higher than the basic amount of €725,000 which is applied as a fine for that particular violation. Since there were no restrictions on the purpose of data collection, the AP increased the base amount from 525,000 to 750,000 euros. The fact that the data was not always correct and the fact that the tax authorities did not adhere to the retention period both lead to the same increased fine. The tax authorities will be fined another 500,000 euros for poor data protection. Poor involvement of the data protection officer (DPO) results in a fine of €450,000.
The use of the FSV database has been discontinued since February 2020. The Rutte III government then resigned due to this issue. A fine for the government goes directly to the pot of public funds. Tweakers wrote a background story last year about what happens when the government fines itself.