Details:
Summary | The Dutch DPA has imposed a fine of EUR 3.7 million on the Dutch Tax and Customs Administration. This is the highest fine ever imposed by the Dutch DPA.
As part of its investigation, the DPA found a number of violations of the GDPR. The Tax and Customs Administration had kept a list for several years on which it recorded indications of fraud. The list contained information on over 270,000 individuals, including minors. The administration had processed personal data such as health, citizenship, and criminal personal data as part of the list maintenance. The DPA initially found that the administration did not have a valid legal basis for processing the data contained in the list. For this reason, the data were processed unlawfully. Further, the DPA found that the information in the list was often incorrect, so that a large number of individuals were falsely registered as possible fraudsters. In addition, the investigation revealed that the maintenance of the list led to discrimination against some individuals, as the risk of fraud was determined on the basis of the nationality and appearance of the data subjects, among other factors. For example, donations to mosques were considered a risk factor for fraud. Furthermore, the DPA found that the administration violated its obligation under the GDPR to implement appropriate technical and organizational measures that ensure adequate protection of the personal data it collects. Indeed, the administration had inadequately secured the personal data. The DPA also found that the administration had violated the principle of storage limitation by storing the data for longer than the retention period established for the personal data in the list. Furthermore, the DPA found that the processing of the data in the list had not been necessary for the administration to properly perform its tasks. The processing was therefore disproportionate. Also, the administration had not sufficiently defined the purposes underlying the processing and thus violated the principle of purpose limitation. The fine is composed as follows: EUR 1 million for a breach of Art. 5 (1) a) GDPR and Art. 6 (1) GDPR; |
Related articles: | Art. 5 (1) a), b), d), e) GDPR, Art. 6 (1) GDPR, Art. 32 (1) GDPR, Art. 35 (2) GDPR |
Type: | Non-compliance with general data processing principles |
Fine: | EUR 3,700,000 |
Sector | Public Sector and Education |
All data is based on the CMS Law GDPR Enforcement Tracker. Source: https://www.enforcementtracker.com/