Dutch tax authority handed record fine for discriminatory data processing

Out-Law News | 13 Dec 2021 | 1:46 pm | 1 min. read

The Dutch Data Protection Authority (DDPA) has imposed a record 2.75 million fine on the nation’s Tax and Customs Administration (TCA, in Dutch: Belastingdienst), for its use of discriminatory data processing practices.

This record fine is the latest development in a long-running scandal over the TCA’s handling of the childcare allowance.

An investigation found that the TCA had been unlawfully processing the nationality data of people who applied for childcare benefits for years.

The scale of the breach was so severe, according to the DDPA, that it had chosen to ignore the penalty policies it usually used to calculate fines. This internal policy normally limits GDPR fines to €1m per breach, but can be deviated from for very serious misconducts.

Kingma Nienke1

Nienke Kingma

Associate

It is interesting that the DDPA explicitly chose to abandon its own penalty policy, which means the breach can be qualified as a severe violation of the GDPR.

DDPA chairman, Aleid Wolfsen, said: 'Sometimes data processing is done exclusively by governmental institutions – hence, as a citizen you don't have any freedom to choose another service provider. Therefore, you are forced into government data processing.”

“It is precisely for this reason that you must be able to trust this will be done properly, and that the government is not storing and processing information about you unnecessarily, and that discrimination does not happen in your processing relationship with the government,” he added.

The DDPA said the TCA used the dual nationality data of applicants as a risk indicator before awarding the childcare benefits – despite legislation making clear that dual nationality should not play a part in such assessment. Nationality data of applicants had been used in order to fight organised fraud, which was unnecessary and prohibited

The TCA should have paid more attention to the data storage principle of the GDPR and should have deleted any unlawful data it held in 2014, but four years later, the DDPA found that the nationality data of 1.4m Dutch citizens was still registered.

Nienke Kingma, data protection expert at Pinsent Masons, said: “It is interesting that the DDPA explicitly chose to abandon its own penalty policy, which means the breach can be qualified as a severe violation of the GDPR.”

The TCA said the dual nationality data was fully deleted from its system by mid-2020, and it has not used the data in its risk classification model since October 2018.

Andre Walter, data protection expert at Pinsent Masons said: “This record sum triggers a debate about how meaningful a monetary sanction of a governmental institution can really actually be, given the fine is technically Dutch taxpayer’s money anyway. The fine amount flows back into the general government budget that finances the TCA.”