Minister of Finance – Court Ruling (Netherlands, 2026)

In 2021, the Dutch Tax Administration informed a data subject that they were unlawfully included in its database (the Fraud Signalling System, FSV). The use of the FSV did not comply with the GDPR; some data subjects’ data were unlawfully processed, too many employees had access to the data, and the data retention periods were too long. The data subject made an access request, and also requested their data to be rectified and erased under Articles 16 and 17 GDPR respectively. In 2022, the Minister of Finance (the controller) rejected the rectification and erasure request. The data subject brought a case to the District Court of Noord-Holland, who ordered the controller to comply with the data subject’s erasure request within one month of the ruling. The controller appealed the decision to the court, arguing that they did not have the obligation to erase the data under Article 17(3) GDPR. The court reversed the decision of the District Court, and stated that the controller had the right to dismiss the data subject’s rectification and erasure request. Article 16 GDPR is limited to incorrect or incomplete personal data, and the data subject did not specify in what way their data was incorrect or inaccurate. According to the court, the data subject wished to clear their name through the rectification request, which is not provided for under the GDPR. In terms of Article 17 GDPR, the court considered that processing the personal data was provisionally necessary in the public interest for the purpose of remedying the unlawful adverse effects of the FSV. Therefore, the decision to deny the data subject’s erasure request was proportionate despite the fact that said data was processed unlawfully. The court also considered the measures the controller had taken to limit the further processing of the data subject’s data.