Case Summary
The Dutch Data Protection Authority (AP) fined the Dutch Tax Administration €2,750,000 for unlawfully processing personal data without proper legal justification and infringing upon the principle of fairness. This breach violated Article 5(1)(a) in connection with Article 6(1)(e) of the GDPR, as well as Article 6 in connection with Article 8 of the Personal Data Protection Act (Wbp).
During the period from 2013 to 2019, approximately 26,000 parents were wrongly accused by authorities of fraudulent childcare benefit claims. As a result, these parents were required to repay the entirety of the allowances they had received.
The Dutch DPA identified three instances of unlawful data processing prior to May 25, 2018, violating Article 5(1)(e) in conjunction with Article 6(1) of the GDPR and Article 6 in conjunction with Article 8 of the Wbp. Additionally, the DPA found that the second and third processing operations breached the fairness principle outlined in Article 5(1)(e) of the GDPR and Article 6 of the Wbp. Due to the severity of the violations, the prolonged duration over multiple years, and the clear responsibility, the DPA imposed an administrative fine under Article 58(2) in conjunction with Article 83 of the GDPR.
Access to the full judgment
Further notes on contested technology
- → AI Technology
- → Solely Automated-Decision
- → The technology is deployed
Author of the case note
