Dutch Tax and Customs Administration – €3,700,000 Fine (Netherlands, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Dutch Tax and Customs Administration was fined EUR 3.7 million for mishandling personal data. They kept a list of over 270,000 people, including minors, with incorrect and discriminatory information. This case highlights the importance of having a valid reason and proper security measures when handling personal data.
What happened
The Dutch Tax and Customs Administration kept a list of over 270,000 people with incorrect and discriminatory data, without a valid legal basis.
Who was affected
Individuals, including minors, whose personal data was recorded on a list by the Dutch Tax and Customs Administration.
What the authority found
The Dutch DPA found that the administration unlawfully processed personal data, failed to secure it properly, and discriminated against individuals based on nationality and appearance.
Why this matters
This case underscores the need for organizations to ensure they have a valid reason for data processing and to implement strong data protection measures. It also warns against discriminatory practices in data handling.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Dutch DPA has imposed a fine of EUR 3,7 million on the Dutch Tax and Customs Administration. This is the highest fine ever imposed by the Dutch DPA As part of its investigation, the DPA found a number of violations of the GDPR. The Tax and Customs Administration had kept a list for several years on which it recorded indications of fraud. The list contained information on over 270,000 individuals, including minors. The administration had processed personal data such as health, citizenship, and criminal personal data as part of the list maintenance. The DPA initially found that the administration did not have a valid legal basis for processing the data contained in the list. For this reason, the data were processed unlawfully. Further, the DPA found that the information in the list was often incorrect, so that a large number of individuals were falsely registered as possible fraudsters. In addition, the investigation revealed that the maintenance of the list led to discrimination against some individuals, as the risk of fraud was determined on the basis of the nationality and appearance of the data subjects, among other factors. For example, donations to mosques were considered a risk factor for fraud. Furthermore, the DPA found that the administration violated its obligation under the GDPR to implement appropriate technical and organizational measures that ensure adequate protection of the personal data it collects. Indeed, the administration had inadequately secured the personal data. The DPA also found that the administration had violated the principle of storage limitation by storing the data for a longer time contrary to the retention period established for the personal data in the list. Furthermore, the DPA found that the processing of the data in the list had not been necessary for the administration to properly perform its tasks. The processing was therefore disproportionate. Also, the administration had not sufficiently defined the purposes underlying the
Related Enforcement Actions (0)
No other enforcement actions found for Dutch Tax and Customs Administration in NL
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
7 April 2022
Authority
Autoriteit Persoonsgegevens
Fine Amount
€3,700,000
Enforcement Tracker ID
ETid-1124
About this data
Cite as: Cookie Fines. Dutch Tax and Customs Administration - Netherlands (2022). Retrieved from cookiefines.eu
Last updated: