Tag: Dutch DPA
14. April 2022
On April 7th, 2022, the Dutch Data Protection Authority, Autoriteit Persoonsgegevens, imposed the highest-ever fine for data protection violations, amounting to € 3.7 million. It is directed against the Minister of Finance, who was the data controller for the Tax and Customs Administration’s processing operations. The reason for this is the years of unlawful processing of personal data in the Fraud Notification Facility application, a blacklist in which reports and suspected fraud cases were registered.
The investigation revealed several violations of principles and other requirements of the GDPR. Firstly, there was no legal basis for the processing of the personal data included in the list, making it unlawful under Art. 5 (1) (a), Art. 6 (1) GDPR. Secondly, the pre-formulated purposes of collecting the personal data were not clearly defined and thus did not comply with the principle of purpose limitation stipulated in Art. 5 (1) (b) GDPR. Moreover, the personal data were often incorrect and non-updated, which constituted a violation of the principle of accuracy according to Art. 5 (1) (d) GDPR. Since the personal data were also kept longer than the applicable retention period allowed, they were not processed in accordance with the principle of storage limitation as laid down in Art. 5 (1) (e) GDPR. Furthermore, the security of the processing according to Art. 32 (1) GDPR was not ensured by appropriate technical and organizational measures. In addition, the internal Data Protection Officer was not involved properly and in a timely manner in the conduct of the Data Protection Impact Assessment pursuant to Art. 38 (1), 35 (2) GDPR.
The amount of the fine imposed results from the severity, consequences and duration of the violations. With the Fraud Notification Facility, the rights of 270,000 people have been violated in over six years. They were often falsely registered as (possible) fraudsters, which caused them to suffer serious consequences. It left many unable to obtain a payment agreement or eligible for debt rescheduling and therefore, in financial insecurity. The Tax and Customs Administration also used discriminatory practices. Employees were instructed to assess the risk of fraud based on people’s nationality and appearance, among other factors.
The DPA also considered previous serious infringements in determining the amount of the fine. The Minister of Finance was penalized in 2018 for inadequate security of personal data, in 2020 for illegal use of the citizen service number in the VAT identification number of self-employed persons, and in 2021 for the discriminatory and illegal action in the childcare benefits scandal. Following the latter affair, the Fraud Notification Facility was shut down in February 2020.
The Minister of Finance can appeal the decision within six weeks.
23. March 2022
The Dutch Data Protection Authority, autoriteit persoonsgegevens (hereinafter “ap”) imposed a fine of €525,000 on DPG Media at the beginning of March.
The background to the fine were access and deletion requests of various data subjects who had a newspaper subscription or received increased advertising. If a data subject wanted to know what personal data the company had collected about him, he had to send an ID document to DPG Media to prove his identity. The same applied to anyone who asked the company to delete their data. The customer was supposed to either upload a scan of his ID document or send it to the company by mail or letter.
DPG Media’s procedure for proof of identity was criticized for several reasons. From ap’s point of view, too much data was requested and it was made too difficult for the data subjects to assert their rights to access and deletion. If, for example, DPG Media had requested blackened ID documents, this method of proof of identity would also have been questionable. The ap emphasizes that requesting blackened ID documents is often disproportionate.
It also notes that ID documents are documents that are particularly worthy of protection. Especially regarding possible identity theft, they must be handled very carefully.
Thus, ap clarifies that, even if an identification document is in principle suitable for identifying the data subject, less intrusive identifiers should be used in preference. Milder identifiers, but equally suitable in this specific case, are for example to request the postal address for a telephone inquiry or – as recital 57 states – the use of an “authentication mechanism such as the same credentials, used by the data subject to log-in to the online service offered by the data controller.“
4. January 2022
On December 8th, 2021, the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority (DPA)) announced that it had fined the Belastingdienst (the Dutch Tax Administration) €2.75 million. The fine was imposed because, as part of the so-called Toeslagenaaffaire (Childcare Benefit Affair), the Belastingdienst processed data on the (dual) nationality of childcare benefit claimants in an unlawful, discriminatory and therefore unlawful manner over many years, in serious breach of the principles of the General Data Protection Regulation (GDPR).
In the 2010s, the Belastingdienst wrongly reclaimed child benefits from tens of thousands of parents. Even minor formal errors in filling out the forms led to enormous claims, and a supposedly false citizenship could lead to years of stigmatizing fraud investigations. As a result, many families who relied on government assistance were driven into bankruptcy. The Belastingdienst should have deleted the data on dual nationality of Dutch nationals in January 2014, as from that date the dual nationality of Dutch nationals no longer played a legal role in the assessment of applications for childcare benefits. Nevertheless, the Belastingdienst retained and used these data. In May 2018, there were still about 1.4 million people with dual nationality registered in the Belastingdienst’s systems. What initially appeared to be a simple administrative failure has evolved over the years into a major scandal. The final report of the investigative commission, presented in December, concludes that the tax offices systematically preyed on innocent citizens. The Belastingdienst also used the nationality of applicants as an indicator in a system that automatically classified certain applications as risky. Again, the data were not necessary for this purpose. Under the General Data Protection Regulation, it is unlawful to process data on nationality in a discriminatory manner, as the data processing must not violate fundamental rights. These include the right to equality and non-discrimination. Under the GDPR, it is unlawful to process personal data on nationality in a discriminatory manner, as the data processing must not violate fundamental rights. These include the right to equality and non-discrimination. In addition, personal data may only be processed and stored for a specific, predetermined purpose. Processing without a purpose is inadmissible, and here there was no purpose, as nationality is legally irrelevant for the assessment of applications for childcare benefits.
In the statement DPA chair Aleid Wolfsen is quoted:
The government has exclusive responsibility for lots of things. Members of the public don’t have a choice; they are forced to allow the government to process their personal data.
That’s why it’s crucial that everyone can have absolute confidence that this processing is done properly. That the government doesn’t keep and process unnecessary data about individuals. And that there is never any element of discrimination involved in an individual’s contact with the government.
That went horribly wrong at the Benefits Office, with all the associated consequences. Obviously this fine cannot undo any of the harm done. But it is an important step within a broader recovery process.
In the wake of the DPA investigation, the Belastingdienst began to clean up its internal systems. In the summer of 2020, the dual nationalities of Dutch nationals were completely deleted from the systems. According to the DPA, since October 2018, the Belastingdienst no longer uses the nationality of applicants to assess risk. And since February 2019, it no longer uses the data to fight organized fraud. The fine was imposed on the Minister of Finance because he is responsible for the processing of personal data within the Belastingdienst.
10. June 2021
Company fails to appoint an EU representative. Dutch data protection authority imposes fine of €525,000.
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) imposed a fine of €525,000 on Locatefamily.com on May 12, 2021. The company failed to comply with its obligation under Article 27 of the EU General Data Protection Regulation, which required the company to appoint a representative in the EU.
The online platform caught the attention of the authorities because it published the contact details (including telephone numbers and addresses) of individuals. In this regard, the Dutch data protection authority stated that data subjects had often not registered for the online platform. In particular, the data subjects did not know how the company had obtained their data.
After numerous complaints from individuals, the data protection authority determined that the online platform had not complied with requests to delete data. It further came to light that the company had no branches in the EU and had not appointed a representative accordingly. This made it almost impossible for data subjects to assert their rights against the company.
Article 27(2)(a) of the GDPR provides that companies not established in the EU that offer goods or services to persons in the EU or monitor the conduct of persons in the EU must designate a representative in the EU. Although exceptions to this are possible, they are narrowly defined.
An exemption may be considered if the processing of personal data is occasional and does not involve the extensive processing of sensitive personal data or the processing of personal data in connection with criminal convictions and offenses. The processing must also not, taking into account the nature, context, scope and purposes of the processing, result in a risk to the rights and freedoms of natural persons.
As no exceptional case existed in the assessment of the Dutch data protection authority, the company imposed a fine in the amount of €525,000 on Locatefamily.com. To avoid further penalties, the company was to appoint an EU representative by a certain deadline.
6. May 2020
The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (Dutch DPA), has issued a EUR 725 000 fine on April 30th to a company for scanning the fingerprints of its employees in order to record attendance.
As fingerprints fall under sensitive data according to Art. 9 GDPR, by being biometric data and therefore can easily identify a data subject, the Dutch DPA has addressed two exceptions in the present case: explicit consent according to Art. 9 II a GDPR, and the necessity of the processing for security reasons, which are related back to Art.9 II g GDPR.
According to the Dutch DPA, none of the two exceptions apply.
In the first case, the Dutch DPA states that the employer has shown no proof of valid explicit consent of the employees. Rather, the Dutch DPA is of the opinion that in an employment relationship, consent cannot be given freely. While it is tricky to ensure freely given consent in situations where one side is dependant on the other, it is possible to ensure such a freely given consent by the means of offering an alternative form of processing, allowing the employee to choose from two options according to their own judgement. In the case brought to the Dutch DPA, this had not been the case. Rather, employees felt obligated to give their consent, especially since the denial resulted in a personal meeting with the director. An alternative option to scanning their fingerprints was not given by the company.
The second exception of the necessity of the processing for security reasons was also dismantled by the Dutch DPA. It reasoned with the fact that such an exception only applies in cases where the security of the systems or the building depend on biometric data, and cannot be done by a less invasive method. While the activities of the company remain confidential, the Dutch DPA has denied them to be of that level of importance that security can only be done through biometrics. Therefore, the fingerprint scanning in the matter was unnecessary and disproportionate to the invasion of the employees’ privacy.
As this case shows, it is recommendable to be careful with the processing of biometric data. In particular, companies should ensure to have valid consent before progressing with the processing of sensitive data to mitigate the risks of a fine.
12. March 2020
The Dutch Data Protection Authority has fined the Royal Dutch Tennis Association (“KNLTB”) with EUR 525,000 for selling personal data of more than 350,000 of its members to sponsors who had contacted some of the members by mail and telephone for direct marketing purposes.
In 2018, the KNLTB illegally provided personal data of its members to two sponsors for a fee. One sponsor received personal data from 50,000 members and the other sponsor from more than 300,000 members. It turned out that the KNLTB sold personal data such as name, gender and address to third parties without obtaining consent of the data subjects.
The KNLTB found that it had a legitimate interest in selling the data. However, the data protection authority rejected the existence of a legitimate interest for the sale of the data and therefore decided that there was no legal basis for the transfer of the personal data to the sponsors. The KNLTB has objected to the fine decision. The Dutch Data Protection Authority will assess this.
9. April 2019
The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (Dutch DPA), announced an update on its policy regarding administrative fines.
In addition to the Dutch GDPR implementation law the published policy provides insides on how the Dutch DPA will use its fining powers. According to the policy the DPA differentiats three or four categories of infringements. Each infringement is fined with a basic fine and a specific penalty bandwidth.
The DPA calculates the fine in two steps. First the basic fine is applied, second the basic fine is increased or decreased according to the classification to the different categories. Various aspects are included in the calculation of the fine, such as:
- the nature, the seriousness and duration of the violation,
- the number of data subjects affected,
- the extent of the damage and of the data compromised,
- the intentional or negligent nature of the violation,
- the measures adopted to mitigate the damages,
- the measures that were implemented to ensure compliance with the GDPR, including information security measures,
- prior violations,
- the level of cooperation with the DPA,
- the types of data involved,
- how the DPA became aware of the violation, including whether (and if so, to what extent) the data controller or processor reported the violation,
- adherence to approved codes of conduct an certification mechanisms,
- any other applicable aggravating or mitigating factors.
The maximum amount in general is €1.000.000,00, but the fine can be higher in case the Dutch DPA decides that the calculated maximum amount is inappropriate in the particular case.
