Dutch Tax Authority not fully GDPR-compliant as deadline approaches

The Netherlands’ Department of Finance warns that not all aspects of the EU privacy law will be implemented by the 25 May deadline

The Dutch Tax Authority has warned that it is not yet compliant with the EU’s General Data Protection Regulation (GDPR), which will come into force on 25 May. The statement was made in the authority’s bi-annual report in April.

This is not the first time the tax authority has raised concerns about its GDPR compliance, having done so in its previous bi-annual report in November 2017.

The report, which outlined the overall state of the tax authority, mentioned the GDPR in just a few paragraphs, saying it aims to take a short and a long approach to the new law. “The short approach means we accelerate the phasing out of outdated processes,” a spokesperson said. “By 25 May, we will also have a comprehensive overview of all processes and authorisations, and a roadmap of when those will be compliant.”

The long approach, the report said, is to “transition the tax authority to a durable compliance with the law”. It added: “That means that by the end of May, the tax authority will not be fully compliant with the GDPR.”

Computer Weekly recently spoke to Aleid Wolfsen, chairman of the AP, the Netherlands’ privacy watchdog, who stressed that no organisation would get special treatment. “After 25 May, wrong is wrong,” he said.

That means there will be no exception made for the tax authority, said a spokesperson for the AP. “The tax authority collects an exceptionally large amount of information on citizens,” the spokesperson said. “Institutes like these are not above the law and will be treated equally after 25 May.”

The tax authority has been reprimanded by the Dutch courts several times before when it was found to have violated citizens’ privacy. In one case, the organisation had wrongly supplied private data to a housing organisation.

Read more about GDPR in the Netherlands

The tax authority said it is in talks with the privacy watchdog, as is mandatory under current Dutch law and under the GDPR. However, the talks so far amount to little more than a notification to the watchdog.

It is still unclear what will happen in the Netherlands after 25 May. Theoretically, the AP can conduct investigations and hand out fines, but the watchdog has previously been criticised for not taking action. Wolfsen has complained about the organisation being under-staffed, so it remains to be seen whether fines will be imposed.

Critics are not surprised by the news. “This shows exactly how the Dutch government views privacy,” said Reinout Barth of PrivacyBarometer, a site that follows privacy developments in the Netherlands. “It is an obstacle, not something that is inherent in its systems. You can’t change that in a few months.”

Read more on IT legislation and regulation

Data Center
Data Management