Parliamentary paper

Date of publication: 14-12-2021 14:33; Organization: House of Representatives of the States General; Meeting year: 2021-2022; File and number: 31066 no. 930


31 066 Tax Administration

No. 930 LIST OF QUESTIONS AND ANSWERS

Established December 7, 2021

The standing committee for Finance asked a number of questions to the State Secretary for Finance about the letter dated 29 October 2021 regarding the cabinet's response to the Data Protection Authority's report on the Fraud Signaling Facility (FSV) (Parliamentary Paper 31 066, No. 911). The State Secretary answered these questions by letter dated December 3, 2021. Questions and answers are printed below.

The President-in-Office of the Committee, Tielen

The commission's assistant clerk, Lips

1. In addition to the points for improvement mentioned, how are the mentioned abuses dealt with? Which processes will be deployed?

On October 29, 2021, the Data Protection Authority (AP) published the investigation report “Tax Administration; processing of personal data in the Fraud Signaling Facility (FSV)”. FSV was taken out of use in February 2020. In the report, the AP concludes that by processing personal data in FSV, the tax authorities have acted in violation of the principles of lawfulness, purpose limitation, accuracy and storage limitation of the General Data Protection Regulation (GDPR; AVG in Dutch). In addition, the tax authorities have not taken sufficient appropriate technical and organizational measures to ensure an appropriate level of security for the personal data in FSV. The data protection officer (DPO; FG in Dutch), the internal privacy supervisor, was also not properly and timely involved in the assessment of FSV's privacy aspects. The implications of the AP's investigation report on the processing of personal data in FSV for the revised signals process and the temporary support application developed for this purpose are currently being identified. Where necessary, they are incorporated into the Data Protection Impact Assessment (DPIA; GEB in Dutch) drawn up for this purpose. A GEB is a risk analysis for the processing of personal data. Your House will be informed after the DPO and AP have reviewed and given advice on these changes in accordance with GDPR laws and regulations. This facility will not be put into use until these steps have been completed.

In addition, in the letter dated October 27, 2021, the AP expressed serious concerns about the privacy organization of the tax authorities. The AP provides advice in the letter. In the opinion of the AP, it is urgent to take further steps, drawing attention to the following points:

  • Strengthening internal supervision within the tax authorities;
  • Integral assessment of risks within the tax authorities and an improvement of the overall overview of the chain of processing by the tax authorities;
  • Improving the privacy organization within the tax authorities.

Following the AP's report on FSV and the letter about the privacy organization, a working group was set up with participants from the policy department (including the DPO), tax authorities, surcharges and customs. The purpose of the working group is to strengthen the privacy organization of Finance. The working group ensures, among other things, the coordination of action plans for this purpose (from the Policy Department, Tax Administration, Surcharges and Customs). The action plans include the role of Chief Privacy Officer (CPO). The result of this elaboration is included and established in the Ministry of Finance's privacy policy.

A bill is also being worked on: the Tax and Customs Administration Data Processing Act. This bill aims to strengthen and future-proof the principles for processing data by the tax authorities, surcharges and Customs. In addition, the bill aims to create a legal framework for ensuring the lawful, proper and transparent processing of data by these three implementing organizations. Your House was previously informed about this.[1]

An important question in response to the report is the consequences for citizens registered in FSV. PwC has been investigating the effect of FSV since April 2021. On October 14 and 28, officials from the Ministry of Finance gave a technical briefing to your House's Standing Committee on Finance about the possible options for offering recovery to citizens in FSV. The various options will be further developed in the coming period, after which decision-making can take place in coordination with your House.

2. What processes have been initiated to see to what extent such abuses still occur elsewhere in the organization today or have occurred in the past?

With the Repair, Improvement, Guarantee plan (HVB), various processes have been initiated in this area. For example, inventories have been made of applications with nationality and/or medical or criminal data and lists of risk and/or fraud signals and nationality in the personal work environment of the employees. These are now being reviewed by a review committee. In addition, an investigation into the safeguards in risk selection is underway. In the AO/IC in order project (Administrative Organization/Internal Control), the service units are helped to describe their processes and, where applicable, to test their processes for compliance with the GDPR, the Government Information Security Baseline (BIO) and Archives Act 1995 (hereinafter Archives Act). In the HVB quarterly report of November 25, 2021,[2] your House received an overview of the latest state of affairs of these processes.

3. What part of the 270,000 people at the Fraud Signaling Facility (FSV) also claim benefits?

105,000 people recovered the allowance in the same tax year as the year in which a person concerned was admitted to FSV. Nearly 165,000 people have recovered the allowance, from the time of registration in FSV until now.

This does not have to have a relationship with FSV, because recovery is intertwined with the current allowance system. There can be a recovery of surcharges for several reasons. For example, recovery may result from a correction to the income tax return, but there can also be a recovery in case of a change in the number of hours, childcare or other actual annual incomes than previously expected by the beneficiaries. On average, across all surcharges, not just for people in FSV, the definitive granting of the allowance led to a recovery among 31% of the applicants for the 2012 tax year, which was reduced to 20% over 2018.

So far, around 9700 citizens who have reported to UHT also appear in FSV. Up to and including 2019, around 8,500 citizens had to deal with a recovery of €1,500 and more at least once. On Friday, December 3, 2021, the PricewaterhouseCoopers research report on the effects of FSV on eligible citizens registered in FSV by the then Supervisory Board of the Tax Administration will be published.

4. Can you explain whether and how fraudulent signals are currently being processed by the tax authorities and how these signals are followed up?

I read your question in such a way that fraudulent signals mean external reports that the tax authorities receive and that were registered in FSV in the past. Newly received reports of possible tax compliance deficiencies are currently stored in the mailboxes where they arrive. Access to these mailboxes is very limited and reports are not being dealt with. Signals of possible fraud that immediately give rise to an investigation, for example in the context of criminal law, are being addressed. A new process for assessing signals has been developed, with a temporary supporting application, Temporary Signaling Facility (TSV). Before the process and the application are put into use, a GEB is executed on them. To ensure that the handling of personal data meets the requirements, the tax authorities are looking at the implications that the report[3] from the Data Protection Authority about FSV has for the revised process and application. After the GEB has been adapted to this, it is again submitted to the DPO and subsequently also to the AP for advice. After processing the advice, a decision will be made about starting the signaling process. By the way, supervision is not only dependent on the treatment of signals. For example, book surveys are still being carried out and returns are being processed based on the use of selections in the massive process.

5. Can you indicate what raising awareness among employees consists of?

It is essential that employees handle data responsibly and that they are aware of the rules under the AVG, BIO and the Archives Act. In this context, all new employees receive an AVG course as part of their onboarding program. Part of the HVB plan is to provide a new intranet page about “dealing responsibly with data”. Since October 2021, the Online Security Awareness Game has been available for all employees of the tax authorities, and for Customs and Surcharges employees. The game rounds will be periodically repeated, updated or expanded with current themes. Through various rounds of games that are tailored to the tax authorities, attention will be paid to raising awareness about security and AVG in an accessible way.

6. How is the privacy of employees at the tax authorities who want to report violations of citizens' privacy rules guaranteed?

When an employee wants to report a suspicion of an integrity violation, for example if a violation of citizens' privacy rules is suspected, the hotlines or employees who receive reports are obliged not to reveal the identity of the reporter. If an employee wants to remain anonymous, the reporter can contact a counselor, who can report on behalf of the reporter without disclosing the reporter's identity. An employee can also contact the independent Finance Integrity Commission (CiF). This committee consists of three independent members who do not work at the Ministry of Finance. The committee ensures that the identity of the reporter is not known further than necessary for the investigation and treatment of the report. This committee is under the responsibility of the Secretary General of the Ministry of Finance.[4]

7. How are tax authorities actively challenged to report citizens' privacy violations in processes, procedures, conversations and systems to the Chief Privacy Officer?

Employees can report using two procedures:

  • 1) Data breach reporting procedure
  • 2) Incident reporting procedure

In addition, I think it is essential that employees handle data responsibly and that they are aware of the rules under the AVG, BIO and the Archives Act. As part of the HVB plan, in addition to providing a new intranet page about “dealing responsibly with data,” an Online Security Awareness Game and an AVG course for new employees have recently been launched. The AP has recommended that a Chief Privacy Officer (CPO) be appointed. The tax authorities have a privacy officer, but acknowledge that this can be strengthened with the appointment of a CPO. The tax authorities adopt the AP's recommendation to appoint a CPO. The privacy organization of Finance, including the role of Chief Privacy Officer, was developed by the working group mentioned in the answer to question 1. The result of this elaboration is included and determined in the privacy policy of the Ministry of Finance.

8. Whose responsibility is the Chief Privacy Officer and to which (government) persons is this person expected to report?

The AP has recommended that a Chief Privacy Officer (CPO) be appointed. The tax authorities have a privacy officer, but acknowledge that this can be strengthened with the appointment of a CPO. The tax authorities adopt the AP's recommendation to appoint a CPO. The privacy organization of Finance, including the role of Chief Privacy Officer, was developed by the working group mentioned in the answer to question 1. The result of this elaboration is included and determined in the privacy policy of the Ministry of Finance. The privacy officer of the tax authorities is part of the official organization of the tax authorities. The privacy officer is accountable through the regular hierarchical official lines. Within the tax authorities, reports are made to the Director General of the Tax Administration through the regular planning and control cycle by the privacy officer. In addition, the privacy officer makes an overarching report on the status of privacy within the tax authorities for the DPO and the CIO of Finance. In his capacity as CIO Finance, the Deputy Secretary-General of Finance has privacy in his portfolio. The Minister of Finance is the controller within the meaning of the GDPR. Based on portfolio distribution, the State Secretary for Finance, Taxation and Tax Administration and the State Secretary for Finance, Surcharges and Customs are internal controllers for the use of personal data by the tax authorities, customs and surcharges.

9. Can you indicate how many FTEs within the tax authorities are involved in the privacy organization, how many employees (external) have been hired, and what costs are involved?

The tax authorities have a privacy team that consists of six permanent employees (budget approximately €625,000 per year) and four temporary employees (expected costs are €220,000 in 2021 and €925,000 in 2022). In addition, each management of the tax authorities has a contact person for questions about data protection, the so-called data coordinator. However, most directors have more employees for whom data protection is part of the range of tasks. The number of employees and these costs for the entire tax authorities are part of the regular staff budgets.

10. Can you view the privacy organization of the tax authorities in an organization chart?

There is no separate organization chart available for the privacy organization of the tax authorities. The team around the privacy officer of the tax authorities is part of the Group Directorate of Information Provision and Data Control (IV&D). The IV&D group management is one of the governing directors of the tax authorities.

11. Are reports and recommendations from the Chief Privacy Officer recorded in writing and periodically reported to the House? If so, at what frequency?

The AP has recommended that a Chief Privacy Officer (CPO) be appointed. The tax authorities have a privacy officer, but acknowledge that this can be strengthened with the appointment of a CPO. The tax authorities adopt the AP's recommendation to appoint a CPO. The privacy organization of Finance, including the role of Chief Privacy Officer, was developed by the working group mentioned in the answer to question 1. The result of this elaboration is included and determined in the privacy policy of the Ministry of Finance. The privacy officer reports in the planning and control cycle, or upon request, to the DG Tax Administration. In addition, the privacy officer makes an overarching report on the status of privacy within the tax authorities for the DPO and the CIO of Finance. The privacy officer does not prepare reports that go to the House. The privacy officer performs all advisory and coordinating activities in the field of data protection law within the tax authorities. The privacy officer and team are located within the Information and Data Control Group Directorate of the Tax Administration.

12. How are risks to people's rights and freedoms identified and addressed at an operational level at an early stage?

As explained in the answers to questions 6 and 7, employees can report suspicions of citizens' privacy violations in various ways. On October 13, 2020 (Parliamentary Paper 31 066, No. 709), your House was promised a systematic review of the processes and applications. Part of this review is the development of a checklist that practically translates the preconditional legislation (AVG, BIO and Archives Act). By including the questions from the checklist in the methodologies for designing processes and applications, the production process structurally ensures that newly designed processes and adjustments to existing processes (including the associated applications) demonstrably meet the requirements of the AVG, BIO and Archives Act. This better fulfills the privacy by design principles of the AVG. In the AO/IC in order project (Administrative Organization/Internal Control), the service units are helped to describe their processes and, where applicable, to test their processes for compliance with the AVG, the BIO and the Archives Act. Although these actions have been taken to reduce the risk of recurrence, problems cannot be ruled out. In such cases, I use the following triad: investigating, taking measures where necessary and informing the House of Representatives about this.

13. How are the processing responsibilities within the tax authorities clearly defined?

The (general) directors of the management of the tax authorities are internal controllers, on behalf of the Minister of Finance. The use of personal data (processing) is recorded in the register of processing activities. The register specifies, among other things, which director is the internal controller.

14. How does privacy protection take place when unbundling Customs and Surcharges from the tax authorities?

Customs, Surcharges and the tax authorities have made agreements about safeguarding privacy when unbundling. The current situation where the tax authorities carry out tasks and activities for Customs and Surcharges in the field of privacy will be maintained until the privacy organization at Customs and Surcharges is set up to take over these activities. Customs has taken the first step by appointing a Chief Privacy Officer (CPO) as of December 1, 2021. In the long run, there will also be its own CPO. In the coming period, the Customs and Surcharges privacy organization will be further set up. This design takes place in conjunction with the action plans to strengthen the privacy organization of Finance.

15. What shows that the Data Protection Officer (DPO) operates completely independently?

The GDPR contains a number of obligations for the controller to ensure the independence of the DPO (Art. 38 (2), (3) and (6) GDPR). This includes the duty to support the DPO in his tasks by providing him with access to personal data and processing activities, providing him with the necessary resources to perform his tasks and maintaining his expertise. There is also the duty to ensure that the DPO cannot receive instructions and that he cannot be fired or punished for carrying out his duties. The DPO must be able to report to the highest management level. Any other tasks or obligations of the DPO should not lead to a conflict of interest. At the Ministry of Finance, safeguarding independence has been reflected, among other things, in the decision designating the DPO. The designation decision states that the DPO is involved in privacy issues, that there is an annual review of the resources required for his tasks, that no instructions may be addressed to the DPO, and that he reports directly to the highest management level (DPO Designation Decision, Stcrt. 2018, no. 70894). The DPO for Finance is organizationally positioned at the Security Officer Office (BVA). This office has brought together various tasks and functions that require a comparable impartial and independent position within Finance. The office is positioned directly under the Deputy SG, i.e. in an independent position with regard to, among others, the tax authorities, surcharges and Customs. In addition, it has been explicitly agreed and established that, if necessary, direct access to the official and political leadership is possible for the DPO. He also has a full-time appointment, which ensures that there are no other tasks that could lead to a conflict of interest.

16. Given that after disabling FSV and shutting down the related signals process, the tax authorities have completely revised this process and went through all privacy aspects, what changes have now been made based on the findings of the report by the Data Protection Authority (AP)?

The implications of the AP's research report on the processing of personal data in FSV for the revised signals process and the temporary support application developed for this purpose are currently being identified. Where necessary, processing takes place in the GEB set up for this purpose. Your House will be informed after the DPO and AP have given advice on these changes, in accordance with the laws and regulations in the field of the GDPR (see also answer to question 4).

17. When is the Tax Authorities Data Processing Act expected? How will this Act relate to other laws such as the Public Administration Act (Wob)/Open Government Act (Woo), the Archives Act, and other similar laws?

The bill on the Safeguarding Data Processing Act (Tax Administration, Surcharges and Customs) is currently being prepared, in close cooperation with these organizations. Data processing by the tax authorities, surcharges and Customs is extensive and complex, and requires careful preparation of the bill. This is followed by an internet consultation, advice by the AP, decision-making by the cabinet and advice by the Council of State. I expect to submit the bill to your House in the autumn of 2022 at the earliest. The bill aims to strengthen and future-proof the principles for processing data by the tax authorities, surcharges and customs. In addition, the bill aims to create a legal framework for ensuring the lawful, proper and transparent processing of data by these three implementing organizations. In this context, there are several laws that also provide guarantees for the processing of data. The bill thus complements the legal obligations of the Wob, the Woo and the Archives Act. In addition to these laws, of course, the AVG and the AVG Implementation Act also play an important role. The explanatory memorandum to the bill on the Data Processing Act, Tax Administration, Surcharges and Customs will explain the relationship between the Wob, the Woo, the Archives Act and other relevant laws.

18. When is the PwC report expected?

PwC's study into the effects of registration in FSV on citizens and companies is divided into three sub-studies: one into the effects of use by the (former) Supervisory Board, one for the Department of Private Individuals, and one for the Department of Small and Medium-sized Enterprises (SMEs). In addition, I asked PwC to conduct additional research into the external data sharing from FSV and the queries used. The PwC Fees report will be shared with your House by 3 December, as indicated in the letter dated 30 November 2021. The survey for Individuals is also almost complete, but it takes longer for SMEs. I aim to have the investigations completed before the end of the year and will share the findings with your House as soon as possible.

19. How much FTE has the privacy officer team expanded by? Can you specify this in terms of increases in FTE and budget?

The team around the privacy officer has been expanded to include two employees and has consisted of six permanent employees since March 2021 (budget approximately €625,000 per year). In addition, the team has four temporary employees (in 2021, the expected costs are €220,000 and in 2022 €925,000). Furthermore, each management of the tax authorities has at least one contact person for questions about data protection, the so-called data coordinator. However, most directors have more employees for whom data protection is part of the range of tasks.

20. With which organizations have parts of the blacklist been shared?

I asked PwC to investigate whether information from FSV was shared with other organizations. I cannot anticipate the conclusions of this report. As I informed your House last June 17,[5] the tax authorities also investigated, with a pilot for reference year 2019, whether, and if so to what extent, information from FSV was used. Within the pilot, in relation to the investigated covenant partners,[6] no indications were found that information from FSV was structurally shared.

21. Which click signals led people to the list? Are these click signals with Report Crime Anonymous and click signals to the tax authorities? How have they been validated?

Tips & Clicks is one of the categories in FSV in which signals could be placed. In the KPMG report of July 10, 2020[7] about the operation and use of FSV, the different types of Tips & Clicks that were received and registered are described. The KPMG report describes in detail what Tips & Clicks were, which different hotlines there were and how the signals were assessed and treated by the various directors.

22. What kind of survey by a municipality led to inclusion in the list, given that a number of people came to the list via the municipalities?

This concerns information requests from municipalities that requested tax data under the legal obligations of the tax authorities to provide information for the performance of the statutory tasks of municipalities. An example of such an obligation is article 64 of the Participation Act and article 5.2.3 of the Social Support Act.

23. Can you name all the times that the Secretary-General, the Director General, the Secretary of State or the Minister has been informed about FSV in the past seven years and send the underlying documents to the House?

In my letter dated April 28, 2020, I discussed the creation of FSV and also added an FSV timeline.[8] This also discusses the decision-making regarding FSV. In addition, I refer you to the FSV/Black List WOB Request Decision that was made public on January 27, 2021. The documents made public are attached to the decision. Work instructions related to FSV were made public in the letters dated July 10, 2020 and January 27, 2021. I am also willing to share the documents from the tax authorities to the AP with your House, see the answer to questions 32, 84 and 85.

24. When was the first data protection impact assessment (GEB) prepared by the tax authorities? Who read that GEB?

I assume that by this question you mean when the first GEB was drawn up about FSV. As an attachment to the Letter to Parliament dated 28 April 2020, a timeline about this has been shared.[9]

25. Has a data breach from FSV ever been reported to the AP? If so, can you provide details about this?

There was no report of a data breach from FSV to the AP. The broad access when using the FSV application is not a data breach. This involved authorized access to carry out employees' tasks. A data breach involves access to or destruction, modification or release of personal data by an organization without this organization's intention. According to this definition, there is no data breach. The employees who were allowed to access the data in FSV were authorized by their team manager for a predetermined task (role). As stated earlier and found out afterwards, more employees had access to FSV than necessary.

26. What criminal data has been included in FSV by the tax authorities? Is it about convictions or could people also get on the list without a judge's conviction? If so, when, for example as a result of a criminal order by the Public Prosecutor's Office or by dismissal?

This mainly concerns attachments to signals received from the Police and other authorities. These are so-called hemp messages and police reports and police court rulings. In addition, claims under article 126nd of the Code of Criminal Procedure are registered in FSV as a request for information. The AP report includes an overview of types of criminal data that were included in FSV.

27. In view of the fact that when the General Data Protection Regulation (AVG) was introduced, there was a program at the tax authorities to make the tax authorities compliant, can you explain why the FSV list did not come up?

In the period 2017-2018, the tax authorities implemented a program to implement the AVG. Your House was informed on May 28, 2019[10] about the progress of the implementation of the AVG with the tax authorities. I conclude that the image that was previously shared with your House was not entirely complete and therefore too positive. In May 2019, the tax authorities in particular declared compliance with the presence of the necessary AVG instruments, while further elaboration was needed within the organization. I stated earlier, in my letter to Parliament dated 10 July 2020, that the analyses were not carried out deeply enough, and therefore promised to systematically review all business processes. As stated earlier, this requires at least three years. Complying with the GDPR requires permanent effort and continuous attention. During the plenary discussion of the 2022 Tax Plan, member Omtzigt asked whether there were any warnings regarding FSV earlier, before the 2019 GEB. An initial inventory shows that there have previously been internal signals that were not adequately addressed. I'm currently continuing to investigate this, for example at what level these reports were made and what was done with them. I will come back to this with the next quarterly report on Repair, Improvement and Security, which I want to send to your House in early 2022.

28. How big is the privacy officer team after the expansion? Is that sufficient for a complex organization such as the tax authorities?

The team around the privacy officer has expanded to include two employees and has consisted of six permanent employees since March 2021. In addition, the team has four temporary employees. Furthermore, each division or management of the tax authorities has a contact person for questions about data protection, the so-called data coordinator. Most directors, however, have more employees for whom data protection is part of their duties. In response to the AP's letter dated October 27, 2021 about the tax authorities' privacy organization, improvement actions are being initiated. This will show whether further strengthening the team around the privacy officer is required. The knowledge and skills to comply with the GDPR during implementation must also be in order. Merely strengthening the privacy officer's team will therefore not be enough.

29. When will the tax authorities be AVG compliant?

In the period 2017-2018, the tax authorities implemented a program to implement the AVG. Your House was informed on May 28, 2019[11] about the progress of the implementation of the AVG with the tax authorities. I conclude that the image that was previously shared with your House was not entirely complete and therefore too positive. In May 2019, the tax authorities in particular declared compliance with the presence of the necessary AVG instruments, while further elaboration was needed within the organization. The inventory of data processing carried out by the AVG program in 2017/2018 for the further establishment of the AVG processing register also highlighted the process of “analyzing, assessing and sharing risk signals”. The program identified risks related to the process, including the absence of a GEB (then called Privacy Impact Assessment). These risks have been addressed, but they have not been adequately followed up. The AP's report on FSV confirms that things are not going well yet. In response to the problems with compliance with the GDPR, the tax authorities started the HVB program in 2020. In this context, work is being done, among other things, to put business processes and the associated products and facilities in order. In my letter to Parliament dated 10 July 2020, I indicated that this takes at least three years. Complying with the GDPR requires continuous effort and constant attention.

30Can you provide an overview of all the studies that are ongoing and have run into FSV and who are carrying them out, what the question is (was) and when the studies are expected to be completed?

| When | Who | Contents |
|---|---|---|
| On April 28, 2020, I shared the findings of an internal investigation into FSV with your House.¹ | Internal | With regard to FSV, the following was addressed: • How did the FSV system work and what did citizens and companies notice about it? • In particular, what was the effect of the FSV system for Allowances? • What problems are there with the FSV system? |
| On July 10, 2020,² I shared a KPMG investigation into FSV with your House. | KPMG | KPMG investigated three aspects: 1. The operation and use of FSV and similar applications in risk selection and supervision processes. 2. Exploring the organization of information flows. 3. The safeguards for treating signals of possible fraud. |
| On June 17,³ I shared the conclusions of an internal pilot study into FSV data sharing with four covenant partners⁴ with your House. | Internal | The question was whether and to what extent information from FSV was shared and how that information was used within the relevant partnership. |
| On October 29,⁵ the Data Protection Authority (AP) published an investigation into FSV. | AP | The AP investigated: 1. the legal basis for processing personal data in the FSV application; 2. the security of the application; 3. the retention periods used; 4. the accuracy of the personal data; 5. the requirements of the AVG for a user. |
| I asked PwC to investigate the effects of registering in FSV on citizens and companies. | PwC | In question 18, I will discuss the various sub-studies and the planning. The research questions are: 1. What were the effects of a report in FSV in the process of selecting and treating beneficiaries? 2. To what extent did these effects occur? 3. What can be concluded about the legality of the decision-making and the resulting actions that were (partly) based on a report in FSV? 4. What were the possible implications of recording coherent signals from the CAF in FSV? |

1 Parliamentary paper 31 066, No. 632.

2 Parliamentary paper 31 066, No. 681.

3 Parliamentary paper 31 066, No. 852.

4 Regional information and expertise centers in the Northern Netherlands, the national steering group for intervention teams (LSI), cooperation under article 64 Suwi and Health Fraud Information Hub (IKZ).

5 Parliamentary paper 31 066, No. 911.

31 Has FSV's data ever been linked to other systems via an automatic system, such as the information office?

By automatic links I mean a link to another application, or “plug-ins”. There have been no automated links between FSV and systems of other organizations such as the Intelligence Bureau.

32 Can you make the communication and documents submitted to the AP from the Tax Administration/Ministry of Finance public?

Yes, I am willing to share the documents from the tax authorities to the AP with your House. However, compiling this dossier requires a careful approach. Indeed, the requested documents contain confidential information from employees of the tax authorities. In addition, the requested documents may provide insight into the AP's control approach. Currently, coordination is taking place between the AP and the tax authorities about the documents to be provided. I ask your House for more time to compile this file.

33 Can you guarantee that the FSV list, the application and the features from the ICT will not be destroyed in order to always be able to reopen research?

The Chief Information Security Officer (CISO) has secured a backup of FSV's data containing the situation as of February 26, 2020. The intention is to keep FSV's data, including the application, for research in the vault for as long as it is responsible and technically feasible. I will see if it is possible to transfer the data related to FSV to the National Archives.

34 Have you ever received or asked for internal or external advice about FSV in the past ten years? If so, what was that advice?

In my letter dated April 28, 2020, I discussed the creation of FSV and also added an FSV timeline.¹² This also discusses the decision-making regarding FSV. In addition, I refer you to the FSV/Black List WOB Request Decision that was made public on January 27, 2021. The documents made public are attached to the decision. As I said in response to question 32, I am willing to share the documents from the tax authorities to the AP with your House.

35 If a GEB was already drawn up on January 21, 2019, in which the tax authorities themselves concluded that the privacy rules were not complied with, why was the FSV only switched off on February 27, 2020? So why did this unlawful blacklist continue for more than a year?

In November 2018, the tax authorities were instructed to draw up a GEB about FSV. The Concept GEB was completed in January 2019. The scope of the Concept GEB was too limited: only the application itself was the subject of research and not the full use of personal data in the supervisory processes. This should have been the case. In addition, the conclusion of the Concept GEB should have already been a reason to involve the privacy officer of the tax authorities and the Data Protection Officer (DPO) to assess whether the system could still be worked carefully in accordance with the AVG. Insufficient attention has been paid to this. As part of the AVG, the tax authorities carried out research into applications with (extensive) export opportunities. As a result, measures have been taken to limit the risks of using FSV. In November 2019, as a result of these risk-reducing measures, another study was conducted into the conclusions from the Concept GEB. This led to an updated GEB in November 2019, which concludes, among other things, that measures have already been taken as a result of the additional investigation, but that not all other measures in the draft GEB have been implemented yet. The conclusion from the January 2019 draft GEB should have been a reason to involve the privacy officer of the tax authorities and the DPO. As the internal supervisor of the Ministry of Finance, the DPO could have advised on how to deal with the conclusions from the draft GEB. The privacy officer and the DPO finally became aware of this draft GEB on February 20, 2020. However, due to the importance of processing signals for supervision, among other things, the existing facility (FSV) has not been decommissioned. In retrospect, this was an incorrect decision. See also the timeline for my letter dated April 28, 2020.¹³

36 How were the flaws within FSV overlooked when they were introduced?

When developing FSV in 2013, the importance of correct taxation and payment of surcharges was paramount. At that time, insufficient attention was paid to the use and security of data. However, the fact that dealing with data in this way is not appropriate should have been recognized earlier and led to action.

37 What is being done in concrete terms to improve the testing of systems in the future?

Your House has been promised a systematic review of the processes and applications.¹⁴ Part of this review is the development of a checklist that practically translates the preconditional legislation (AVG, BIO and Archives Act). By including the questions from the checklist in the methods for designing processes and applications, it is better ensured that newly designed processes and adjustments to existing processes (including the associated applications) demonstrably meet the requirements of the AVG, BIO and Archives Act. This better fulfills the privacy by design principles of the AVG.

38 How are the purposes for such systems now defined?

Your House has been promised a systematic review of the processes and applications.¹⁵ Part of this review is the development of a checklist that practically translates the preconditional legislation (AVG, BIO and Archives Act). By including the questions from the checklist in the methods for designing processes and applications, it is better ensured that newly designed processes and adjustments to existing processes (including the associated applications) demonstrably meet the requirements of the AVG, BIO and Archives Act. This better fulfills the privacy by design principles of the AVG. In addition, in order to comply with the GDPR, for example, the purpose of the processing and the why of the application(s) used are always described.

39 What were the reasons for the failure to keep, delete and/or rectify data?

As the AP also found in its report (sections 3.5 and 3.6), FSV did not include functionality to (permanently) delete data and findings from signal-based research were not fed back into FSV. As a result, data was not updated, deleted or rectified in accordance with the requirements of the GDPR.

40 What are the consequences for keeping sensitive information, such as personal data, for too long?

Keeping personal data for too long is contrary to the principle of storage limitation (Article 5, paragraph 1, introductory words and point e, of the GDPR); this means that personal data may not be kept longer than necessary. If that does happen, it is unlawful.

41 How can relevant experts be prevented from being involved too late in such processes in the future?

As stated in the answer to questions 36 and 37, new processes and the adaptation to existing ones must be designed through the production process. The production process is a description of what it takes to change processes. This is now being worked on, as part of the design methodology, so that relevant experts are involved in designing and testing processes and applications at the right times.

42 What consultants, experts and/or advice were requested when setting up and implementing FSV?

The external party that was commissioned to develop and build FSV was CapGemini. Commissioned by the tax authorities, CapGemini converted the PIT application into FSV. The tax authorities remained responsible for the design of the application.

43 How many lists of people similar to FSV have existed? Are there 211 or more? Is the Exclusion List for Allowances with 350,000 people also included? How many FSV-comparable lists of people are still in use?

FSV was an application. When investigating FSV, KPMG was also asked whether there are similar applications. KPMG found no applications that are very similar to FSV.¹⁶ In my cover letter to the KPMG report, I announced an inventory of lists of nationality and/or risk or fraud signals in the personal environment. In my letter dated November 25, 2021,¹⁷ I will give you the latest state of affairs on this process. As explained therein, after analyzing the revenue from the inventory, 132 lists remained. In terms of structure, these vary from locally developed applications to Word or Excel files from the personal environment of employees. The investigation into these lists has not yet been completed. In my letter dated July 10, 2020, I discussed the use of FSV in Allowances and the exclusion list. The exclusion list for Allowances is not one of the lists provided by employees during the inventory, because the list was already known to the Allowances management team at the time. This is what is referred to in the interim report of the Advisory Committee on Implementation of Allowances dated November 14, 2019.¹⁸ Placing it on the exclusion list prevents a final decision from being sent for specific surcharges and allowance years. The function of the exclusion list is currently embedded in technically validated treatment plans.

44 Is it true that there is a new alert list for sharing fraud data? What is the name of this list and how does it work? Were the AP and the DPO involved in this list? If so, in what way?

A new process for assessing and treating external signals has been designed and a temporary application has been developed to support this process. This process and application are currently not in use. For the processing of personal data in the process, a GEB has been drawn up that was submitted in draft to the DPO for advice. The implications of the AP report for this GEB are currently being identified. After the GEB has been amended, it will be submitted again to the DPO and to the AP for review and advice. The new signals process and application will not be put into use until the GEB has been adapted to the advice of FG and AP, has been adopted by the responsible directors and the measures described in the GEB have been implemented.

45 When is the legislative proposal for the Data Protection Act (Tax and Customs Administration) expected in the House?

The bill on the Safeguarding Data Processing Act (Tax Administration, Surcharges and Customs) is currently being prepared, in close cooperation with the relevant parts of the Tax Administration, Surcharges and Customs. Data processing by the tax authorities, surcharges and Customs is extensive and requires careful preparation of the bill. This is followed by an internet consultation, advice by the Data Protection Authority, decision-making by the cabinet and advice by the Council of State. I expect to submit the bill to your House in the autumn of 2022 at the earliest.

46 Can you give an estimate as to the deadline for implementing the adopted motions?

In my letter dated November 25, 2021,¹⁹ I will discuss the implementation of a number of motions by members Marijnissen,²⁰ Azarkan²¹ and Snels.²² As part of member Marijnissen's first motion, 200,000 letters have now been sent to people in FSV. At the beginning of 2022, I expect to be able to send the remaining letters. In the same motion by member Marijnissen, the government is asked to clean up unlawful or improperly used data within the government. The Secretary of State for Internal Affairs and Kingdom Relations reports on the interdepartmental approach to this request.²³ To implement member Marijnissen's second motion, if the necessary information is available, I expect to be able to send most of the letters with the reason for registration by the end of 2021. When PwC's investigation into external data sharing from FSV, mentioned under question 18, is completed, I will inform the citizens who were in FSV about this, if possible. Member Azarkan's motion to make it possible to view FSV in an accessible way has been implemented. Under question 51, I will elaborate on the implementation of Member Snels' motion.

47 Is there direct contact with victims? How was this designed? What's included from this?

Yes, there is direct contact. People who are in the FSV can contact a hotline at the tax authorities by phone. So far, this hotline has been contacted approximately 14,000 times. Around 500 of them had specific questions that could not be answered in one telephone contact. These have been forwarded to specialists. These specialists investigate the question or questions asked by the person concerned, formulate an answer and then call the person concerned to give this answer and further discuss it if desired. The second stream of direct contact consists of those involved who file a complaint. To date, nearly 200 complaints have been received. Complaints are also investigated by specialists. After an answer has been formulated, those involved are called to discuss and answer the complaint. So far, 90% of all incoming complaints could be dealt with in this way.

48 How broad is the investigation into the extent to which victims were affected by the abuses? What is the concrete research question and which aspects are being considered?

Question 30 describes the research questions of PwC's research into the effects of FSV on citizens and companies.

49 Is it true that around 5,000 employees had free access to the FSV? Is it true that they were able to add or remove new data to their heart's content? So, is it true that FSV looked somewhat like Wikipedia?

It is true that there were 5,000 authorizations to consult FSV. As outlined in the AP report,²⁴ the number of authorizations to access FSV was 160 when it was put into use in 2013 and rose to 5,000 in May 2019, before being reduced to 1,300. As described in the response to Parliamentary questions dated 13 October 2020,²⁵ the mentioned number of more than 5,000 concerns not employees but granted permissions. The number of unique employees who had access to FSV was 4,249. An employee can have multiple permissions for multiple roles. As a result, the number of employees (4,249) is lower than the number of permissions. 3,319 employees out of 4,249 had permission to consult. In addition to the permission to consult, 930 employees also had permission to enter or change signals. The input or change of a signal was logged. With regard to change, it is still important that the recording of mutations in FSV was very limited. I know of no signs of adding or removing data to one's heart's content. Employees can assume that the tools provided by the employer to carry out the complex tasks of the tax authorities are safe and meet the legal requirements. That was not the case with FSV. FSV was nothing like the public Internet encyclopedia Wikipedia.

50 Is it true that data protection in FSV was not at the level of a decent rule of law? Do such blacklists also exist in other countries? Which countries are these? Are these democratic states of law or authoritarian states with an incomplete rule of law or even dictatorships?

The processing of data in FSV did not meet the requirements of the GDPR. I have no insight into data processing in other countries.

51 When is a decision to be expected about the FSV compensation scheme?

I asked PwC to investigate the effects of FSV on citizens and companies. In anticipation of the results of the research, possible solutions are already being considered. On October 14 and 28, officials from the Ministry of Finance gave a technical briefing to your House's Standing Committee on Finance about the possible options for offering recovery to citizens in FSV. The various options will be further developed in the coming period, after which, it is expected, decision-making can take place in consultation with your House in the first half of 2022. On February 1, the House of Representatives passed the motion by member Snels et al.²⁶ This asks the government to identify how many people were unfairly harmed by an entry into FSV and what damage these people have experienced and, based on this, to develop a possible compensation scheme for wronged citizens. To implement this, PwC's research and the process of identifying disadvantage in case of rejection of MSNP is ongoing.

52 Is it true that a listing in FSV not only led to the non-granting of amicable debt restructuring, as has been claimed until recently, but that these consequences were much broader?

I asked PwC to investigate the effects of registering in FSV. I cannot anticipate the conclusions of this report. The technical briefings on 14 and 28 October last discussed possible effects and pointed out that the effects are mainly a result of the risk studies and not so much of registration in FSV.

53 Is it true that many people experience a listing in FSV as a stigma in the sense that they are included on a fraud list and are therefore considered a fraud?

I can imagine that people experience registering in FSV as stigmatizing. With the special phone number for FSV, people regularly ask whether their registration means that they are seen as a fraudster. FSV was a system for recording various signals, not just signals of risks in a report or possible fraud. The name Fraud Signaling Facility was therefore chosen unhappily. Even if a registration was a fraud signal, this does not mean that the person concerned was automatically seen as a fraudster; it only means that a signal was received. As you know, FSV did not comply with AVG.

54 How and when did the name Fraud Signaling Facility come about? Was that during the period (2012–2014) when fraud was suspected everywhere?

The name Fraud Signaling Facility (also known as Fraud Signals Provision) came about during the period in which the application was developed, in 2012/2013. In retrospect, this name should not have been chosen because the name does not match the functionality (see also question 53).

55 Is it true that there are also reports via Report Crime Anonymous in the FSV? What filters were used for notifications?

Yes, that's right. See the answer to question 21 about this. No filters were applied to reports.

56 Can you indicate the state of affairs with regard to the Tax Authorities Data Processing Act?

The bill on the Safeguarding Data Processing Act (Tax Administration, Surcharges and Customs) is currently being prepared, in close cooperation with the relevant parts of the Tax Administration, Surcharges and Customs. Data processing by the tax authorities, surcharges and Customs is extensive and requires careful preparation of the bill. This is followed by an internet consultation, advice by the Data Protection Authority, decision-making by the cabinet and advice by the Council of State. I expect to submit the bill to your House in the autumn of 2022 at the earliest.

57 Is it true that it also involved not granting deductions, deviating from the tax return, extra checks, stricter controls than usual, stricter supervision, delay in determining final assessments, not granting benefits, including the childcare allowance, not granting other tax facilities and payment arrangements, and imposing fines and other penalties? Is this a complete list of adverse effects or are there more?

PwC is currently researching the effects on citizens and companies of registering in FSV. I am not yet able to list the effects nor give a complete list. The technical briefings on October 14 and 28 discussed possible effects.

58 What format do you use to describe the problems mentioned within the tax authorities when it comes to the AVG?

The tax authorities are not sufficiently compliant with the AVG. This conclusion is very harsh and requires a large-scale improvement approach. For the plan of action to improve privacy organization, see also the answer to question 1.

59 How is the implementation of the recommendations mentioned monitored?

Following the AP's letter dated October 27, 2021, plans of action are being made. Your House will be informed about the progress in the first quarter of 2022. See also the answer to question 1 for this.

60 How much FTE will the privacy officer team consist of? When will this staff capacity be realised?

The team around the privacy officer has expanded to include two employees and has consisted of six permanent employees since March 2021. In addition, the team has four temporary employees. Furthermore, each division or management of the tax authorities has a contact person for questions about data protection, the so-called data coordinator. However, most directors have more employees for whom data protection is part of the range of tasks.

61 Which part of the 270,000 people on the FSV list will no longer be able to find out the reason?

On October 14 and 28, officials from the Ministry of Finance gave a technical briefing to your House's Standing Committee on Finance about the possible options for offering recovery to citizens in FSV. In addition, it was indicated that 50–60% of the FSV registrants are unlikely to find out a reason. If there is no reason to find out, this is mainly because many FSV recordings come from PIT (FSV's predecessor). During the migration from PIT to FSV, many details were lost, making analysis and finding out the reason for registration difficult or impossible.

62 Which part of the 270,000 people on the FSV list also claim benefits?

105,000 people recovered the allowance in the same tax year as the year in which a person concerned was admitted to FSV. Nearly 165,000 people have recovered the allowance, from the time of registration in FSV until now. This does not have to have a relationship with FSV, because recovery is intertwined with the current allowance system. There can be a recovery of surcharges for several reasons. For example, recovery may result from a correction to the income tax return, but there can also be a recovery in case of a change in the number of hours, childcare or other actual annual incomes than previously expected by the beneficiaries. On average, across all surcharges, not just for people in FSV, the definitive granting of the allowance led to a recovery among 31% of the applicants for the 2012 tax year, which was reduced to 20% over 2018.

The effects of registration in FSV and the effects on surcharges are currently being investigated by PwC. See the answer to question 3.

63 Is it true that there are also reports via ECD-FIOD in the FSV? Which filters were used here?

It is possible that there are reports in FSV via the FIOD. These were not placed in FSV by the FIOD itself, because the FIOD did not have any mutational rights in FSV. If a signal received by the FIOD has been forwarded (after assessment) to the tax authorities, this report may be included in FSV with a reference to FIOD. No separate filters were used here.

64 Can you outline how the AP provided guidance in implementing the internal supervision of the creation of the replacement for the FSV system?

The intended guidance was provided to the DPO, at the initiative of the AP, in a number of conversations in light of the DPO's advice of 9 June 2021 on a (draft) GEB concerning a new process for dealing with signals and the supporting application to be used for that purpose. This guidance can be placed as part of the consultation between the AP and the DPO referred to in the GDPR (Article 39, paragraph 1, part e, GDPR). As previously indicated, a draft of this GEB adapted in response to the AP report on FSV will be submitted to the DPO again, and also to the AP as part of the prior consultation referred to in the GDPR (Article 36 GDPR).

65 Apart from the FG team, what about setting up a privacy organization within the tax authorities to promote compliance with the GDPR?

The team around the privacy officer has expanded to include two employees and has consisted of six permanent employees since March 2021. In addition, the team has four temporary employees. Furthermore, each division or management of the tax authorities has a contact person for questions about data protection, the so-called data coordinator. However, most directors have more employees for whom data protection is part of the range of tasks.

66 How has internal supervision within the tax authorities been strengthened?

As far as internal supervision by the DPO is concerned, the following applies. The tax authorities fall under the internal supervision of the DPO of the Ministry of Finance. See also the answer to question 15. As of August 2020, the DPO has a team of a total of 5 people (4.2 FTE). In addition, the DPO may request the ADR to carry out audits for the purposes of the FG.

67 What about the comprehensive assessments of risks within the tax authorities?

Risk management is an ongoing process to make risks transparent and manageable in line with the agreed objectives. Ultimately, risk management and risk thinking should be a standard part of the way our employees work. Since 2019, the tax authorities have been working to improve risk management in the Management Information and Risk Management (MI/RM) program. The MI/RM program aims to get a risk management approach to work. In preparation for the 2022 Tax Administration Annual Plan, another strategic risk analysis (SRA) was carried out.

In 2022, the focus is on strengthening risk management for the top strategic risks by defining measures to reduce the residual risk to an acceptable level and monitoring the developments of the strategic risks. The information security risk has been identified as a top risk for the tax authorities, including compliance with privacy requirements and laws and regulations. With regard to the AVG, the AO/IC project is in order and the service components are being helped to describe their processes and, where possible, with testing of their processes for complying with the General Data Protection Regulation (AVG), the Government Information Security Baseline (BIO) and the Archives Act.

68 Has the overall overview of the chain of processing operations by the tax authorities improved? If so, in what way?

The processes of the tax authorities chains are described in architectural products. The improvement process for the register of processing operations is in line with this. As a result, the overall overview of the processing chains is gradually improving. In my letter to Parliament dated 10 July 2020, I indicated that this takes at least three years.

69 How has the privacy organization within the tax authorities improved?

The team around the privacy officer has expanded to include two employees and has consisted of six permanent employees since March 2021. In addition, the team has four temporary employees. Furthermore, each division or management of the tax authorities has a contact person for questions about data protection, the so-called data coordinator. However, most directors have more employees for whom data protection is part of the range of tasks.

As part of the plan, the tax authorities have initiated HVB activities to increase knowledge and skills, a game has been developed to raise awareness (Online Security Awareness Game), all new employees receive an AVG course as part of their onboarding program and a technical infrastructure for data is also being set up.

70 Has the extension of functions in team FG ensured compliance with the GDPR?

As an internal supervisor, a DPO supervises and advises on the obligations of the AVG. The DPO's supervision and advice are intended to contribute to compliance with the GDPR. This from the so-called “third line” of responsibilities. Strengthening internal supervision, no matter how big, does not automatically mean that the organization has compliance in order, but it does make a greater contribution to this.

71 How many resources does team FG have to comply with the GDPR?

The FG of Finance Team has 4.2 FTE staff, a total of 5 people, as well as the possibility to request the State Audit Service to carry out audits for the DG. There is also the possibility to hire or outsource research and a training budget.

72 What about the complete replacement of FSV? Have all GeBs been submitted to team FG in that context? If not, why not?

As indicated in the answer to questions 4 and 44, a new process and a new supporting application for assessing and dealing with surveillance signals have been developed. A GEB is carried out on the processing of personal data. The DPO has issued a recommendation on the draft of the GEB. The determination of the GEB has been suspended until the implications of the AP's report on FSV have been identified and processed. Based on the amended GEB, the DPO issues renewed advice. The AP is also being asked for advice about the modified GEB. The process and application will not be put into use until after completion of these steps.

73 Given that the roles, functions and work processes (data protection, privacy, data control and security and related processes) are being improved, can you provide an overview of what these improvements consist of?

The following actions were performed:

  • The FG team at the core department has been expanded to include a deputy DPO, a lawyer/policy officer and a policy support officer.
  • The team of the tax authorities privacy officer has been expanded to include 2 advisors.
  • There is a project “improving the register of processing operations” with a project manager.
  • There is a GEB brigade of 3 external hiring (part of the 4 temporary hiring employees as described in question 19) who help to eliminate the delays in the GeBs and also help improve the register of processing operations.
  • Each service unit within the tax authorities sets up an information management, data and security department (I&DS), also to support the tax authorities in broad chains.
  • The AO/IC program in order has been set up. This program supports the service units in reviewing and making their processes compliant. The objectives of the BOO project (business processes in order) have been incorporated into this program.
  • An evaluation to improve the role of data coordinator has been carried out and actions are being planned.
  • A GEB procedure for the tax authorities has been established.
  • The tax authorities participate in the Finance Information in Order (IOO) program and has set up its own management program Information Management in Order (PRIO BD).
  • An employee awareness campaign has been set up and is currently underway.
  • A BIO re-implementation support program has been set up and started.

74. By how many FTE has the privacy officer team expanded?

The team around the privacy officer has expanded to include two employees and has consisted of six permanent employees since March 2021. In addition, the team has four temporary employees. Furthermore, each division or management of the tax authorities has a contact person for questions about data protection, the so-called data coordinator. However, most directors have more employees for whom data protection is part of the range of tasks.

75. How many GeBs were involved, given that additional employees were hired to expedite the review of GeBs? How much do you need to hire extra employees? Why aren't these permanent spots?

As of the reference date October 18, 2021, there were 38 GeBs for which no advice has yet been issued. The hiring for the GEB activities consists of 3 people (part of the 4 temporary hiring employees as described in question 19). The reason these are not permanent places is that they are a temporary catch-up. Structural embedding follows when it is clear how to improve the privacy organization.

76. What is the procedure for performing GeBs?

The GEB procedure was adopted by the Tax Administration Board (DT BD) on October 29, 2020 and has been in use ever since. The procedure will be recalibrated in 2022.

This procedure describes which steps should always be taken in the event of (an intention to start) a new processing operation, a change in processing that involves new risks, or when processing is recalibrated (every three years). The GEB procedure consists of the following steps:

  • A preliminary analysis that identifies the internal controller and assesses whether carrying out a DPO is mandatory or necessary;
  • Legal review
  • Risk Analysis
  • Design processing
  • Appreciation by the Group Management of Information Provision and Data Control
  • Initiate corrective actions
  • FG advice
  • Processing advice from FG
  • Internal data controller signs advice and follow-up decisions before consultation
  • Updating the register of processing operations

77. How is the safeguarding of the DPO's involvement formalized?

See the answer to questions 15 and 76. In addition, the requirement to seek the advice of the DPO when executing a DPO is included in the GEB procedures of the Ministry of Finance and the Tax Administration. At Finance, the DPO is also the (functional) manager of the register of processing activities, giving him direct insight into the development of the register, from which internal controller has accepted responsibility for which data processing to be mentioned in the register. In addition, the Finance Privacy Policy regulates the DPO's involvement in various consultation bodies.

The obligation to ask the DPO for advice follows from the GDPR. Executed GeBs are submitted to the DPO for advice by the tax authorities. Structural discussions also take place, for example, about improving the quality of the register of processing activities and about data leaks.

78. How has employee awareness been increased? What does the plan consist of?

It is essential that employees handle data responsibly and that they are aware of the rules under the AVG, BIO and the Archives Act. In this context, all new employees receive an AVG course as part of their onboarding program. Part of the HVB plan is to provide a new intranet page about “dealing responsibly with data”. Since October 2021, the Online Security Awareness Game has been available for all employees of the tax authorities, and for Customs and Surcharges employees. The game rounds will be periodically repeated, updated or expanded with current themes. Through various rounds of games that are tailored to the tax authorities, attention will be paid to raising awareness about security and AVG in an accessible way.

79. How is “employee awareness increased” as indicated at the bottom of page 4 of your letter?

It is essential that employees handle data responsibly and that they are aware of the rules under the AVG, BIO and the Archives Act. In this context, all new employees receive an AVG course as part of their onboarding program. Part of the HVB plan is to provide a new intranet page about “dealing responsibly with data”. Since October 2021, the Online Security Awareness Game has been available for all employees of the tax authorities, and for Customs and Surcharges employees. The game rounds will be periodically repeated, updated or expanded with current themes. Through various rounds of games that are tailored to the tax authorities, attention will be paid to raising awareness about security and AVG in an accessible way.

80. Are the risks to rights and freedoms considered from the entire chain? And what does that show?

I read your question in such a way that you ask about the risks to the rights and freedoms of the new signaling process. A new process for assessing signals has been developed, with a temporary supporting application, Temporary Signaling Facility (TSV). Before the application is put into use, a GEB is executed on the signal process. To ensure that the handling of personal data meets the requirements, the tax authorities are looking at what implications the recently published report by the Data Protection Authority on FSV has for the revised process and application. After these implications have been assessed and the GEB has been adapted accordingly, reviewed by the DPO and subsequently submitted to the AP for advice, a decision will be made to resume the signaling process.

81. Is it true that PwC is conducting five studies? When are these studies to be expected?

It is true that there are three sub-studies and two additional assignments. Under question 18, I went into more detail about the planning of these studies.

82. What does the privacy organization within the tax authorities themselves look like at the moment (officers, roles, part-time/full-time, place in the organization chart and perseverance)? Do you consider this sufficient?

The team around the privacy officer has expanded to include two people and has consisted of six permanent employees since March 2021. In addition, the team has four temporary employees. Furthermore, each division or management of the tax authorities has a contact person for questions about data protection, the so-called data coordinator. However, most directors have more employees for whom data protection is part of the range of tasks. I am of the opinion that this is not enough; this should be further developed in the new privacy organization.

83. Is there a privacy organization within Customs and within the Tax Authority/Surcharges? If so, what does it look like?

Until the moment that the privacy organization at Customs itself has been set up, Customs is part of the privacy organization of the tax authorities. Internally, Customs has currently organized it in such a way that, at a central and decentralized level, privacy employees serve as a source of information for privacy issues from the organization. The central data coordinator at Customs is affiliated with the Tax and Customs Administration's broad privacy consultation and has structural consultations with the DPO and with the privacy officer of the Tax Service. Within DG Surcharges, the privacy organization has been set up. Until the privacy organization is set up under Fees, Surcharges is part of the privacy organization of the tax authorities. Internally, Surcharges has currently organized it in such a way that, at a central and decentralized level, privacy employees serve as a source of information for privacy issues from the organization. The data coordinators at Surcharges are affiliated with the Tax and Customs Administration's broad privacy consultation. In addition, the Privacy Coordinator has structural consultations with the DPO and the privacy officer of the Tax Service. Customs, Surcharges and the Tax Administration have made agreements about safeguarding privacy when unbundling. The current situation will remain in place until the privacy organization at Customs and Surcharges is set up to take over the activities and tasks that the tax authorities currently carry out for them in the field of privacy. Customs took the first step by appointing a Chief Privacy Officer (CPO) as of December 1, 2021. In the long run, there will also be its own CPO. In the coming period, the Customs and Surcharges privacy organization will be further set up. This organization takes place in conjunction with the action, and action plans, to strengthen the privacy organization of Finance.

84. Can you send the “report, statements from the FSV tax office staff,” submitted on June 30, 2020 to the House, possibly after consultation with the AP?

Yes, I am willing to share the documents from the tax authorities to the AP with your House. However, compiling this dossier requires a careful approach. Indeed, the requested documents contain confidential information from employees of the tax authorities. In addition, the requested documents may provide insight into the AP's control approach. Currently, coordination is taking place between the AP and the tax authorities about the documents to be provided. I ask your House for more time to compile this file.

85. Can you list the documents you have submitted to the AP? Are those documents public? If not, why not?

Yes, I am willing to share the documents from the tax authorities to the AP with your House. However, compiling this dossier requires a careful approach. Indeed, the requested documents contain confidential information from employees of the tax authorities. In addition, the requested documents may provide insight into the AP's control approach. Currently, coordination is taking place between the AP and the tax authorities about the documents to be provided. I ask your House for more time to compile this file.

86. What requests did the Ministry of Finance receive from the AP in February 2021? What activities have been initiated in this regard?

On February 25, 2021, the AP sent two (identical) letters to the State Secretaries for Finance, reminding the tax authorities of the right of access for those involved in FSV. Following the memorandum meeting on 1 February 2021 (Parliamentary Paper 31 066, No. 784) and the commitment made during the consultation to provide FSV citizens with an FSV ruling, the AP urges that the possibility of submitting an FSV inspection request to the tax authorities be explicitly pointed out when informing those involved. The AP states that in this way, those involved are actively facilitated in exercising their privacy right. This letter was sent to your House on March 25, 2021. The tax authorities complied with the AP's request. In the information letters to concerned citizens who are in FSV, they are reminded of their right to access. This is also easily possible via the website.

1. Parliamentary paper 32 140, No. 51; Parliamentary paper 35 302, No. 6 country 13; Parliamentary paper 35 300 IX, No. 13 country 16; Parliamentary paper 35 572, No. 5, 17 country 23; Parliamentary paper 31 066, No. 820; Parliamentary paper 35 925 IX, No. 4.

2. Parliamentary paper 31 066, No. 920.

3. Parliamentary paper 31 066, No. 911.

4. Parliamentary paper 31 066, No. 632.

5. Parliamentary paper 31 066, No. 852.

6. Regional Information and Expertise Center (RIEC) Northern Netherlands, the National Steering Committee on Intervention Teams (LSI), cooperation under article 64 Suwi and Health Fraud Information Hub (IKZ).

7. Parliamentary paper 31 066, No. 681.

8. Parliamentary paper 31 066, No. 632.

9. Parliamentary paper 31 066, No. 632.

10. Parliamentary paper 31 066, No. 485.

11. Parliamentary paper 31 066, No. 485.

12. Parliamentary paper 31 066, No. 632.

13. Parliamentary paper 31 066, No. 632.

14. Parliamentary paper 31 066, No. 709.

15. Parliamentary paper 31 066, No. 709.

16. Parliamentary paper 31 066, No. 681.

17. Parliamentary paper 31 066, No. 920.

18. Parliamentary paper 31 066, No. 546.

19. Parliamentary paper 31 066, No. 920.

20. Parliamentary paper 35 510, No. 21 and Parliamentary paper 28 362, No. 41.

21. Parliamentary paper 31 066, No. 840.

22. Parliamentary paper 31 066, No. 776.

23. Parliamentary papers 26 643 and 32 761, No. 751.

24. Parliamentary paper 31 066, No. 911.

25. Parliamentary paper 31 066, No. 710.

26. Parliamentary paper 31 066, No. 776.

Date
03 November 2024
Author (s)
research