The Netherlands, Data Protection Authority, 25 November 2021, Dutch Child Benefit Scandal

Case Overview

Share via:

CountryThe Netherlands

Deciding BodyData Protection Authority

AreaPublic Administration

UserPublic

Case NameDutch Child Benefit Scandal

Authority (English)Data Protection Authority

TechnologyFraud Detection

ProviderPublic

Decision Date25 November 2021

Authority (Original)Autoriteit Persoonsgegevens

Grounds for DecisionEU Law

Legal RequirementAccess to Information, Human Oversight, User Responsibility

Case Summary

The Dutch Data Protection Authority (AP) fined the Dutch Tax Administration €2,750,000 for unlawfully processing personal data without proper legal justification and infringing upon the principle of fairness. This breach violated Article 5(1)(a) in connection with Article 6(1)(e) of the GDPR, as well as Article 6 in connection with Article 8 of the Personal Data Protection Act (Wbp).

During the period from 2013 to 2019, approximately 26,000 parents were wrongly accused by authorities of fraudulent childcare benefit claims. As a result, these parents were required to repay the entirety of the allowances they had received.

The Dutch DPA identified three instances of unlawful data processing prior to May 25, 2018, violating Article 5(1)(e) in conjunction with Article 6(1) of the GDPR and Article 6 in conjunction with Article 8 of the Wbp. Additionally, the DPA found that the second and third processing operations breached the fairness principle outlined in Article 5(1)(e) of the GDPR and Article 6 of the Wbp. Due to the severity of the violations, the prolonged duration over multiple years, and the clear responsibility, the DPA imposed an administrative fine under Article 58(2) in conjunction with Article 83 of the GDPR.

Access to the full judgment

Further notes on contested technology

  • → AI Technology
  • → Solely Automated-Decision
  • → The technology is deployed

Author of the case note

Elliot Ross