The Dutch Data Protection Authority warns the Dutch government against publishing a list of fraudsters. This list is published by the Chamber of Commerce. The privacy regulator is critical of this and wants the House of Representatives to take action.
It concerns the Trade Register Data Vision, an amendment to the Trade Register Decree and the Trade Register Act. This data vision contains various ways of making data from the Trade Register of the Chamber of Commerce public, but at the same time also protecting the privacy of entrepreneurs. One of the measures in the data vision is that the Chamber of Commerce can publish a list of entrepreneurs with a management ban. This could, for example, concern entrepreneurs who have previously been convicted of fraud and are therefore temporarily prohibited from operating a company.
After Minister of Economic Affairs Micky Adriaansens sent the bill to the House of Representatives, the Dutch Data Protection Authority also looked to the law. The AP issued a negative advice on the law in February 2022. The privacy regulator says that the public fraud list of Chamber of Commerce data is disproportionate.
According to the AP, the list does not have to be public. It would also be enough if a director cannot register in the Trade Register because of the list. The regulator warns that data once made public can haunt a director for the rest of his life. This can ‘have serious consequences for his reputation in the full breadth of his social functioning’.
It is striking that the minister does not adopt the AP’s advice. “The Dutch Data Protection Authority has previously issued a negative advice on the publication of administrative bans. This advice is not being followed, because a new situation has been created with the stronger privacy protection in the Trade Register”, she writes. The minister is referring to the maximum term, which has been reduced in a new advice to a maximum period in which the list will become public.
The AP considers this measure insufficient. “In the opinion of the AP, the argument actually weighs next to nothing; since public data nowadays never actually disappear from the public eye, the fact that a person involved once had a management ban can remain a fact of general knowledge for life.”
In the first place, the Dutch Data Protection Authority is now calling on the House of Representatives to still demand a change in the law. It does so in a letter to the Digital Affairs Commission, in which it mentions the objections again. If the House of Representatives does not take any action, the AP can in theory proceed with enforcement. This would mean that the regulator first conducts an investigation, in which it definitively tests the measure against relevant laws, especially the GDPR. Based on this, the supervisor can prohibit the minister from further implementing the measure or stop the measure. In extreme cases, a fine may also follow.