Court case UTR 24/4044 – Court Ruling (Netherlands, 2025)

Court Ruling
DPA Rb. Midden-Nederland, 9 July 2025, Netherlands
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

GDPR Articles Cited

Art. 15 GDPR
Decision Authority: Rb. Midden-Nederland
Full Legal Summary

The data subject requested access to personal data processed in the Fraud Signalling System (FSV), including the reason for inclusion, the municipality that requested his data, and whether he had received fraud codes. The FSV was a tool employed by the Dutch Tax and Customs Administration to monitor potential tax fraud by analysing citizens' personal data. The Minister (the controller) granted partial access to the FSV data, but rejected access to certain fraud codes, as they related to a third party’s data. The Minister also explained the reason for the data subject’s inclusion in the FSV, including the municipality’s request. The data subject argued that the response was insufficient and requested further details, including the exact date of inclusion in the FSV, the names of officials involved, and access to more systems. The controller provided the name of the municipality that made the request, but did not provide the names of employees involved or screenshots of the search in the FSV. The data subject contested the controller's decision and brought the case to the Central Netherlands District Court. The court found that the controller had provided sufficient access to the data subject’s personal data in the FSV. There was no obligation to provide additional data or screenshots of the search. The court ruled that the controller was correct in not providing the names of employees or third-party personal data, as the data subject's request for access to other applications, systems, and correspondence was deemed outside the scope of the original access request. The case was dismissed. The controller was ordered to pay €500 compensation for the delay in its response, but was not required to provide any additional data or documents to the data subject.

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Details

Ruling Date

9 July 2025

Authority

DPA Rb. Midden-Nederland

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Court case UTR 24/4044 - Netherlands (2025). Retrieved from cookiefines.eu
