AP applies incremental penalty authority to the fullest


It is the first time in history that the Dutch Data Protection Authority (DPA) has identified six violations of the GDPR in a single decision. All violations relate to the Tax Authorities' use and security of its Fraud Signaling Facility (FSV) application, which contained signals about established fraud as well as signals that could indicate an increased risk of fraud with taxes and benefits.

Like several other European countries, the Netherlands has implemented the possibility of imposing penalties under the GDPR not only on private companies, but on governmental bodies as well. Consequently, the Tax and Customs Administration could be accused of not having a legal basis for the processing of personal data in FSV. The Tax Authorities are also accused of having processed the personal data in violation of three principles anchored in the General Data Protection Regulation (GDPR), namely the “purpose limitation” principle, the “principle of accuracy” and the principle of “storage limitation”. In addition, the security level of the application was not up to scratch. Finally, the DPA imposed a separate fine for the fact that the advice of the DPO was not sought when carrying out the Data Protection Impact Assessment (DPIA). Pursuant to the GDPR, a DPIA is mandatory for organizations when deploying new ICT projects and applications in which the processing of personal data plays a role.

Given the nature and scope of the unlawful processing of personal data in FSV, the DPA is of the opinion that the violations by the Tax Authorities are very serious. The Tax and Customs Administration has unlawfully processed more than 540,000 signals in FSV relating to more than 270,000 data subjects. This very large group of citizens, including hundreds of minors, has been severely affected in its right to the protection of personal data, the decision said.

The DPA imposes a separate fine on the Tax Authorities for each violation, varying from Euro 250,000 to Euro 750,000. As a result, the DPA imposes a total fine of Euro 3.7 million, a record-breaking amount.

Takeaway

Until now, incremental fines have hardly been imposed by the Dutch DPA. The fact that this is now happening to this extent can rightly be called a novelty and may signal a change of course in the enforcement policy of the Dutch DPA. Time will tell. We will keep you up to date!


Article provided by INPLP member: Bob Cordemeyer (Cordemeyer & Slager, Netherlands)

Co-author: Sil Kingma



