Privacy statement

Publication date 07-10-2024, 9:39 | Last update 26-02-2025, 10:02

Personal data

Your personal data and the FIOD

The FIOD is designated as a special investigation service under Section 3 of the Wet op de bijzondere opsporingsdiensten (Special Investigation Services Act) and, under the authority of the public prosecutor, the FIOD is responsible for criminal law enforcement in the Ministry of Finance's field of activity. In addition, the FIOD can also be instructed under this Act to carry out enforcement and investigation activities in other policy areas.
This page is part of the general Privacyverklaring van de Belastingdienst (Netherlands Tax Authority Privacy statement). There you will find more information on the processing of personal data by the Netherlands Tax Authority.

What data?

Personal data is information that can be traced back to you as an individual. For example, your name, your home address or your email address. On the website of the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) you will find more information on the definition of personal data.
The FIOD processes personal data as part of the performance of its duties, and in doing so it has to comply with two legal acts:

Wet politiegegevens (Police Data Act; Wpg)
Cover the processing of personal data for the performance of tasks related to criminal law enforcement and in the investigation of criminal offences. We call this police data.
Special categories of police data are only processed when necessary for specific purposes.
Algemene verordening gegevensbescherming (General Data Protection Regulation; AVG)
For processing personal data for tasks other than those assigned by law, such as internal management.

In addition to these two, there are other laws, regulations and decrees that provide further rules on the processing of personal data, such as, for example, the Wet algemene bepalingen burgerservicenummer (Citizen Service Number (General Provisions) Act; Wabb).

Information security

Authorisations

Only authorised staff are granted access to this data. They may only view the data they need to do their jobs. This applies in particular to personal data processed in the context of investigations under the Police Data Act.
The FIOD works with authorisation profiles in this context. This method of working is legally embedded in Article 6 of the Police Data Act.

In expectation of a legal requirement to do so, the FIOD already takes measures such as logging and monitoring within the systems so that it keeps track of what action is performed and at what time in a particular file:

to verify the legality of data processing;
for internal controls;
to ensure the integrity and security of police data;
for criminal proceedings.

Security

The FIOD takes measures - technical and organisational - to protect police or personal data against unauthorised or unlawful processing, intentional loss, and destruction or damage.

Privacy by design and data protection impact assessment

In the maintenance and (further) development of the FIOD's information services, privacy protection is a key concern. This means that privacy-enhancing measures are taken into account right from design through to implementation and management: in other words, privacy by design.

If necessary, a data protection impact assessment is carried out. This will test the effects of data processing on the protection of citizens' data in advance. In particular, it looks at potential privacy breaches and any risks posed by data processing. Where necessary and doable, measures are taken to eliminate or reduce the risks as much as possible.

The Police Data Act also applies to:

the Police;
the Koninklijke Marechaussee (Border police) and the Rijksrecherche (National Police Internal Investigations Department);
the processing of police data by special investigating officers;
the other three special investigation services:
- the Nederlandse Arbeidsinspectie, Directie Opsporing (Netherlands Labour Authority, Investigation Department; NLA-DO)
- the Inlichtingen- en Opsporingsdienst van de Inspectie Leefomgeving en Transport (Intelligence and Investigation Service of the Human Environment and Transport Inspectorate; ILT-IOD)
- the Inlichtingen- en Opsporingsdienst van de Nederlandse Voedsel- en Waren Autoriteit (Intelligence and Investigation Service of the Netherlands Food and Consumer Product Safety Authority; NVWA-IOD).

The main rule for the organisations that have to comply with the Police Data Act is "share, unless". This means that in certain cases we are obliged to make police data available to those other organisations and vice versa, unless there is a legal reason not to. This does not apply to organisations that are not bound by the Police Data Act.

FIOD may only provide data to other parties if there is a legal basis for doing so. For example, the Public Prosecution Service or the Netherlands Tax Authority.
Data may not always be used for a purpose other than that for which it was collected.

Retention periods and destruction

The Police Data Act contains fixed retention periods for personal data. The Police Data Act also distinguishes between deletion and destruction of data. When the FIOD deletes data, it is not yet removed permanently. It is placed behind what is called a ‘digital bulkhead’, separated from the main data pool, and in theory it can no longer be accessed. This would only be possible if there are urgent reasons for doing so, and is subject to specific conditions.

Destruction is the final act. The data can no longer be retrieved.

Rights of data subjects

The person to whom police data relates is legally called a 'data subject'. A data subject has the following rights under the Police Data Act.

Right of access

A data subject has a right to information when it comes to the processing of their personal data. This means that if you want to know whether and, if so, which personal data the FIOD processes about you, you can make a written request. If it appears that the FIOD is processing your personal data, you can submit a request to inspect that personal data and obtain the following information:

the purpose and legal basis for processing your data;
the categories of police data concerned;
whether your data has been disclosed to others in the past period and, if so, to which party/parties;
the intended period of storage of your data or, if that is not possible, the criteria for determining that period;
the origin, where available, of the processing of your data.

Other rights

the right to request rectification, destruction or blocking of your data;

The FIOD aims to handle your request within 6 weeks; if more time is needed, this period can be extended by 4 weeks.

These so-called "data subject's rights" are detailed in paragraph 4 of the Police Data Act.
The rights described above may be reduced, for example to prevent negative a effect on the investigation and prosecution of criminal offences, and the protection of the rights and freedoms of third parties.
If access or rectification is refused, you have the option to appeal this decision, request mediation with the Dutch Data Protection Authority or file a complaint with this organisation.

The FIOD usually decides on General Data Protection Regulation access requests within one month. If necessary, we can extend this period by two months. If we do so, you will be notified.

In some cases, we do not provide access to personal data. In such cases, other interests outweigh your right of access.

Write a letter or e-mail with your request. In it, include your contact details, such as your name, address, postcode and place of residence, and the telephone number where you can be reached during the day. State clearly whether it is a Police Data Act and/or General Data Protection Regulation access request. If it is a Police Data Act access request, please enclose a copy of an identity document on which you may hide your photograph and Citizen Service Number (BSN).

Send your access request to:

FIOD t.a.v. de privacyfunctionaris
Postbus 19266
3501 DG Utrecht

fiod.privacy@belastingdienst.nl

On this Page