Privacy Statement

Personal data

Your personal data and FINCEN
FINCEN has been designated as a special investigation service (BOD) pursuant to Article 3 of the Special Investigation Services Act and is charged, under the authority of the public prosecutor, with the criminal enforcement of the legal order in the area of work of the Ministry of Finance. In addition, FINCEN can also be instructed on the basis of this Act to carry out enforcement and investigation activities in other policy areas.
This page is part of the general Privacy Statement of the Tax and Customs Administration. There you will find more information about the processing of personal data by the Tax and Customs Administration.

What data?

Personal data is information that can be traced back to you as a person. For example, your name, your home address or your e-mail address. You can find more information about the definition of personal data on the website of the Dutch Data Protection Authority. FINCEN processes personal data in the context of the execution of its tasks and has to deal with two laws in doing so:

  • Police Data Act (Wpg)
    For the processing of personal data for the performance of tasks in the context of criminal enforcement of the legal order and in the investigation of criminal offences. We call this police data.
    Special categories of police data are only processed when this is necessary to achieve the purpose of the processing.
  • General Data Protection Regulation (GDPR)
    For the processing of personal data for tasks other than those assigned by law, such as internal business operations.

In addition to these two, there are other laws, regulations and decrees that provide further rules on the processing of personal data, such as the General Provisions Citizen Service Number Act (Wabb).

Information security

Authorizations
Only employees who are authorized to do so will have access to this data. They may only view the data that they need to do their work. This applies in particular to personal data that are processed in the context of investigations based on the Wpg (police data).
FINCEN works with authorization profiles for this. This method is legally anchored in article 6 Wpg.

In anticipation of a legal obligation to do so, FINCEN takes measures such as logging and monitoring within the systems so that it is recorded which action is performed at what time in a specific file:

  • to verify the legality of data processing;
  • for internal controls;
  • to ensure the integrity and security of police data;
  • for criminal proceedings.

Security
FINCEN takes measures—technical and organisational—to protect police or personal data against unauthorised or unlawful processing, and against intentional loss, destruction or damage.

Privacy by design and data protection impact assessment

In the maintenance and (further) development of the information services of FINCEN, privacy protection is an important point of attention. This means that privacy-enhancing measures are considered from design to implementation and management: privacy by design.

If necessary, a data protection impact assessment is carried out. This is used to test in advance what the effects of data processing are on the data protection of citizens. In particular, the privacy infringement and any risks that the data processing entails are examined. Where necessary and possible, measures are taken to eliminate the risks or reduce them as much as possible.

Sharing data

The Wpg also applies to:

  • the Police;
  • the Royal Marechaussee and the National Criminal Investigation Department;
  • the processing of police data by special investigating officers (BOAs);
  • the other 3 special investigation services:
    • The Dutch Labour Inspectorate, Investigation Directorate (NLA-DO)
    • The Intelligence and Investigation Service of the Environment and Transport Inspectorate (ILT-IOD)
    • The Intelligence and Investigation Service of the Netherlands Food and Consumer Product Safety Authority (NVWA-IOD)

The main rule for organisations that must comply with the Wpg is “share unless”. This means that in certain cases we are obliged to make police data available to those other organisations and vice versa. This does not apply to organisations that are not bound by the Wpg.

FINCEN may only provide data to other parties if there is a legal basis for this. Think of the Public Prosecution Service or the Tax and Customs Administration.
Data may not always be used for a purpose other than that for which it was collected.

Retention periods and destruction

The Wpg contains fixed retention periods for personal data. The Wpg also distinguishes between deleting and destroying data. If FINCEN deletes data, it is not yet definitively gone. It is, as it were, placed behind a digital partition and can in principle no longer be viewed. This is only possible if there are urgent reasons for this and such incidental processing is subject to specific conditions.

Destruction is a definitive action. The data can no longer be retrieved.

Rights of data subjects

The person to whom a police data relates is legally called a ‘data subject’. A data subject has the following rights arising from the Wpg:

Right of access
A data subject has the right to information about the processing of his personal data. This means that if you want to know whether and, if so, which personal data FINCEN processes about you, you can submit a written request for access to this. If it appears that FINCEN processes your data, you can submit a request to access this personal data and to obtain the following information:

  • the purposes and legal basis of the processing of your data;
  • the categories of police data concerned;
  • whether your data has been provided to others in the recent period and, if so, to which party(ies);
  • the envisaged period for which your data will be stored, or, if that is not possible, the criteria used to determine that period;
  • the origin, if available, of the processing of your data.

Other rights

  • the right to request rectification, destruction or blocking of your data;
    FINCEN will process your request in principle within 6 weeks; if more time is needed, this period can be extended by 4 weeks.

These so-called “rights of the data subject” are further elaborated in section 4 of the Wpg.
The rights mentioned above can be restricted, for example to prevent adverse consequences for the investigation and prosecution of criminal offences and the protection of the rights and freedoms of third parties.
If access or rectification is refused, you have the option to appeal against this decision, to submit a request for mediation to the Dutch Data Protection Authority or to file a complaint with this body.

FINCEN usually decides on AVG access requests within 1 month. If necessary, we can extend this period by 2 months. If we do so, you will be notified.

In some cases we do not provide access to personal data. In that case, other interests outweigh your right to access.

Write a letter or email with your request. Include your contact details, such as your name, address, zip code and city, and the telephone number where you can be reached during the day. Clearly state whether it concerns a Wpg and/or AVG access request. If it concerns a Wpg access request, please include a copy of an identity document on which you may obscure your photo and Citizen Service Number.