Dutch tax authorities seriously violated GDPR privacy law with blacklist: Data protection authority

The Dutch Tax Authority "seriously violated the GDPR privacy law" by processing the data of approximately a quarter of a million citizens for years in the fraud system FSV, which acted as a blacklist of possible fraudsters. This is the conclusion of the Dutch Data Protection Authority (AP) after an investigation.

The investigation confirmed the view that people could end up on the blacklist at the slightest signal. An anonymous report from, for example, an angry neighbor or jealous ex could be enough. And once on the list, you could never get off. The data was also kept for far too long and was accessible to many Tax Authority employees.

AP chairman Aleid Wolfsen emphasized that the Tax Authority must "obviously" tackle fraud. "But our investigation showed that the Tax Authority registered and used fraud signals in a way that is absolutely not allowed. Innocent people were victimized as a result."

FSV was in use from late 2013 to early 2020. A predecessor to the system was online since 2001. The system was only turned off after media publications about the blacklist discredited the Tax Authority.

Further investigation has yet to show in which ways people were affected by their registration in FSV. In any case, it is known that the blacklist played a role in the childcare allowance scandal. For example, people on the FSV were refused a payment arrangement when their childcare allowances were reclaimed.