The Dutch Tax Authority vs. GDPR

GDPR, the General Data Protection Regulation, had barely come into effect on 25 May 2018 or it became clear that the Dutch Tax and Customs Administration would not be able just yet to comply with the newly imposed standards governing personal details. The Junior Finance Minister in a recent letter to the Lower House has reported on where the Tax and Customs Administration currently stands in terms of GDPR compliance.

Although the Tax and Customs Administration has been working hard on implementing a range of measures aimed at attaining GDPR compliance, it is yet to succeed in comprehensively removing the obsolete data from its systems. Two reasons have been identified why this should be so. First, drastic modifications are having to be made to a number of older systems in order to enable the removal of obsolete data in line with GDPR standards, as something which will take more time to achieve. Second, all digital documents will need to undergo substantive assessment, as they need to be examined for the presence of personal details (a file name or format rarely if ever sheds light on the actual file content). The obsolete documents are to be stored in a data safe. Rather than Tax and Customs Administration staff continuing to have access to personal details, in future this will be the exclusive preserve of designated data managers.

The Tax and Customs Administration web site contains a privacy statement with information about the personal details of individual tax payers, businesses and the Administration’s own staff that are subject to processing, about the origin of the details in question and about the party or parties to whom such details may where appropriate be made available. A précis of the register of processed details has been issued as an appendix to the privacy statement.

The Tax and Customs Administration has implemented measures aimed at barring the improper sharing of details within its own organisation.

Dutch version: Belastingdienst en AVG