Dutch Privacy Regulator Fines Governmental Agencies for Significant GDPR Violations

The Dutch Privacy Protection Authority imposed an unprecedented fine of 4,750,000 Euros on the Dutch Tax Authority for significant violations of the General Data Protection Regulation (GDPR). The regulator’s investigation found that the Tax Authority had unlawfully collected sensitive personal data of over 250,000 Dutch citizens and recorded it in its fraud signaling system for over six years. Some of the individuals whose data was recorded in the system were wrongfully identified as potential fraudsters.

According to the Dutch data protection authority, the Dutch Tax Authority committed the following violations:

  • Processing personal data without a proper legal basis under the GDPR.
  • Processing personal data without predetermining a purpose for processing.
  • Inclusion of incorrect and outdated data in the system.
  • Retention of data for an excessive duration.
  • Deficient security measures.
  • Unjustifiable delays in conducting a compulsory data protection impact assessment.

In addition, the Dutch regulator imposed a fine of 565,000 Euros on the Dutch Ministry of Foreign Affairs for extended, large-scale violations of the GDPR in its visa application process. The regulator determined that the Ministry did not provide applicants with sufficient information regarding the sharing of their personal data with third parties, and did not implement sufficient security measures in the visa application system.

CLICK HERE to read the Dutch Data Protection Authority’s press release on the Tax Authority’s violations (in Dutch).

CLICK HERE to read the Dutch Privacy Protection Authority’s press release on the Ministry of Foreign Affairs’ violations.