Dutch Government Agencies Fined; 'Serious' GDPR ViolationsDutch Tax Authority, Ministry of Foreign Affairs Incur Millions in Penalties
The Dutch Data Protection Authority - or Autoriteit Persoonsgegevens - has penalized two government agencies, the Dutch Tax and Customs Administration and the Ministry of Foreign Affairs, for "serious" violations of the General Data Protection Regulation.
The government departments have addressed the majority of the issues involved and are now compliant with the data protection requirements, according to the country's watchdog. They do, however, have the option to raise an objection against the penalty.
Tax Authority Fined 3.7 Million Euros
The Dutch Tax and Customs Administration has been penalized with a fine of 3.7 million euros ($4 million) for several counts of GDPR violations for the unlawful maintenance of a list, known as fraud signaling facility, in which the tax authorities noted indications of fraud.
This amount, according to Jimmy Orucevic, an independent Switzerland-based privacy consultant, is the highest ever recorded by the ministry.
"The tax authorities received this fine because of the years of illegal processing of personal data in the Fraud Signaling Facility (FSV)," the DPA says.
The list, maintained for more than six years, contained entries for approximately 270,000 individuals, according to the DPA. The violations of the GDPR privacy law came to light when the DPA conducted a thorough investigation of the Tax and Customs Administration in October 2021, which found that the administration had violated several principles of data processing, including privacy laws and transparency, purpose limitation, accuracy and storage limitation.
Orucevic, citing the DPA investigation, says, "The data stored in the list were often incorrect or not up to date and had been kept for too long." He also says the Tax and Customs Administration "had not precisely defined the processing purposes of the list in advance." The DPA considers these to be serious violations.
The DPA's investigation also revealed that the staff of the Tax and Customs Administration had assessed the risks of fraud on the basis of personal preferences, including appearance and nationality of the assessed person. "The Tax and Customs Administration had no legal basis for processing the personal data on the list. Without such a GDPR basis, the processing of personal data is prohibited," the DPA says.
The security of the procedures used by the authorities while processing the personal data was also questionable, the DPA says. The six GDPR violations from the Tax and Customs Administration that have cumulatively drawn the highest fine ever imposed by the DPA are listed below, based on the list provided by the DPA and Orucevic's LinkedIn post:
- The Tax and Customs Administration had no legal basis for processing personal data in the FSV. Fine: 1,000,000 euros ($1.1 million) for breach of Art. 5(1)(a) and Art. 6(1);
- The goal of the FSV was not specifically defined in advance. Fine: 750,000 euros ($800,000) for breach of Art. 5(1)(b);
- The FSV contained incorrect and nonupdated data. Fine: 750,000 euros ($800,000) for breach of Art. 5(1)(d);
- The FSV list was kept for far too long. Fine: 250,000 euros ($270,000) for infringement of Art. 5(1)(e);
- The FSV's security was insufficient. Fine: 500,000 euros ($550,000) for infringement of Art. 32 (1);
- Only after more than a year did the tax authority ask the DPO [the internal privacy supervisor or data protection officer] for advice when assessing the risks of the FSV. Fine: 450,000 euros ($490,000) for infringement of Art. 35(2).
Aleid Wolfsen, chairman of the Dutch DPA, says: "With FSV, the Tax and Customs Administration has violated the rights of the 270,000 people on that list in an unprecedented way. People were often wrongly labeled as fraudsters, with dire consequences. If you were registered in FSV, some did not receive a payment arrangement or were not eligible for debt restructuring. The tax authorities have turned lives upside down with FSV."
Fine for Vulnerable Visa Applications
In the other case, the DPA imposed a fine of 565,000 euros ($600,000) on the Dutch Ministry of Foreign Affairs for a "long-term, large-scale, and serious" violation of the GDPR laws in its visa-issuing process.
"NVIS, the digital system used by the Ministry of Foreign Affairs for the Schengen visa process, is inadequately secured. As a result, there is a risk that unauthorized persons could access and change files. Furthermore, the Ministry of Foreign Affairs failed to provide visa applicants with sufficient information about the sharing of their personal data with third parties," the DPA says.
According to the statistics provided by the DPA, the Ministry of Foreign Affairs, in the past three years, has processed an average of 530,000 visa applications per year. It says that personal data, including sensitive information - such as applicant's fingerprints, name, address, country of birth, purpose of travel, nationality and photograph - in all these applications was found to be insufficiently protected.
The ministry, according to the DPA, has been aware of the security risks in its visa system for some time, but did not act swiftly enough and has done very little in response.
Monique Verdier, DPA deputy chairperson, says, "Given that visa applicants are required to submit personal data, the Ministry of Foreign Affairs should have immediately taken the measures necessary to protect their data properly. Because the security of the system has been insufficient for so many years now, in our view the Ministry of Foreign Affairs has been - and remains - seriously negligent."
The second count of violation of GDPR by the ministry involves transparency. The DPA says that inadequate information was provided to the visa applicants about the sharing of their personal data with third parties. Under GDPR, the ministry is required to ensure that transparency is maintained so that people know with whom the ministry is sharing their personal data.
As sensitive data is contained in thousands of visa applications sent each year, the DPA has now instructed the Ministry of Foreign Affairs to inform people what part of their data is being processed and shared with the third parties.
In addition to the fine, the DPA imposed a separate order on the ministry for ensuring adoption of appropriate security measures. If the ministry failed to follow it, it would be subjected to a penalty of 50,000 euros ($54,000) every two weeks. The order also included the clause for providing the applicants with adequate information about their data usage, failing which the ministry would be subject to a penalty of 10,000 euros ($10,800) per week, up to a maximum of 300,000 euros ($325,000).
The DPA confirms that the ministry has adapted the information it provides to visa applicants, and in doing so, has complied with this order within the specified time limit.
Are Fines the Best Approach?
Peter Galdies, founder and senior consultant of DQM GRC, a U.K.-based specialist data protection and privacy consultancy, tells Information Security Media Group that fines may not always be the best approach, "as it may be the taxpayer or central government funds that eventually pick up the bill rather than the offending organization."
Galdies says that having the individuals responsible for managing and directing the organization feel "the wrath of the legislator directly through personal fines or internal censures" may "provide a better incentive to others to ensure such breaches are prevented."
Legislators may also be able to prevent the data in question from being further processed, he says.