In 2021, Dutch customs did ‘to a significant extent’ not comply with the Police Data Act. Customs did not meet the correct standards for protecting the personal data of Dutch citizens on many points. For example, data was stored for too long, poorly protected and wrongly collected.
This is what State Secretary Aukje de Vries of Benefits and Customs writes in a letter to the House of Representatives. This letter is accompanied by a privacy report drawn up by the Central Government Audit Service. The audit was carried out because this has been an obligation under the Police Data Act since 2019. This law prescribes, among other things, where, when and how the police may and must handle personal data. Recently it turned out that two thirds of the authorities that are required to do so have not yet submitted such an audit.
In an earlier report from before 2021, the State Audit Service concluded that Dutch customs in ‘the majority of the measures’ regarding data protection ‘are not or only partly set up and safeguarded in the organisation’. In 2021, according to the audit department, ‘hardly any progress has been made’. In the second half of the year, Customs did start a number of improvement projects to better regulate data protection, but these did not have any effect until the course of 2022. A more recent report is not yet out; customs should have submitted the report for 2021 by 31 December 2022 at the latest.
The Audit Service describes 32 different points on which customs were checked. In doing so, the service looked at how the process was set up on paper, but also at reality. In only four cases did the data protection practice meet the standards of the Wpg. In eight cases, Customs did not meet the standard at all, in thirteen cases it did so only partially. Moreover, part of the activities could not be checked for various reasons.
For example, customs had no system to determine which personal data were and were not collected. Because each customs officer makes his own assessment of this data collection, the authority does not at all comply with the principles of necessity and lawfulness. It was also poorly described what measures Customs took to protect personal data, the authorization policy did not comply with the Wpg and there are generally no guidelines for processing data according to the Wpg.
The State Secretary mentions the situation ‘seriously’. “The processing of sensitive personal data requires great care.” According to De Vries, Customs is currently working on an improvement process. In it, the body describes what it is doing to better protect data in the future. That report will be sent to the House of Representatives at the beginning of April.
