The Data Vault: GDPR Measures and Hidden Evidence at Toeslagen
A data vault created in May 2019 as a stopgap GDPR measure by the Belastingdienst was rediscovered in April 2026 containing at least 64 million unsorted files that were never searched for parliamentary investigations into the childcare benefits scandal. Sample checks confirm documents that should have been provided to the Parlementaire Enquête Fraudebeleid en Dienstverlening (PEFD) sat in the vault but were never delivered. The government waited nine months after discovery before informing parliament.
Executive Summary
In May 2019, the Belastingdienst’s Concerndirectie IV&D created a “data vault” as an emergency measure because the agency could not meet the GDPR deadline of 25 May 2019. The vault moved outdated personal data to a secured environment but was explicitly “not an archive function.” The promised follow-up — assessing which files should be permanently retained, destroyed, or returned — was never executed. Seven years later, in April 2026, the vault was rediscovered containing at least 64 million unsorted files. Sample checks confirmed that documents required by the Parlementaire Enquête Fraudebeleid en Dienstverlening (PEFD) were present but never delivered. The cabinet knew since July 2025 but waited nine months to inform parliament.
What Happened
On 16 May 2019, IV&D sent notes to the Directieteam Belastingdienst reporting that the agency would “not timely delete outdated data in full scope” before the GDPR deadline. The data vault was deployed as a “simple but sufficiently effective” mitigation. Its structure mirrored the Q-drive system, with vault administrators appointed per directorate.
Specifically at Toeslagen, three measures were pending: (1) moving 2006 data to the vault for “further careful handling,” (2) masking the second nationality “as quickly as possible” so it was no longer visible, with physical deletion promised “later this year,” and (3) applying selection lists for data destruction. 19 of 24 directorates had outstanding GDPR measures on 21 May 2019.
The Q-drive inventory of Directie Toeslagen shows approximately 100 collaboration areas that ended up in the vault, including folders for POK responses (TSL_UT_Bbt-pok-pfc), crisis team documents (TSL_IM_ToeslagenCrashteam), Track 3 recovery files (TSL_IM_Spoor3), objection letters (TSL_UT_Bezwaarbrieven), and frozen assets administration (TSL_IM_BCA-Gestalde-gelden).
On 15 April 2026, State Secretaries Eerenberg and Palmen informed parliament that the vault had “reappeared” with 64 million files, never searched for PEFD, POK, FSV, CAF or RAM investigations.
Evidence
The source document blg-1197678 (4,252 lines of extracted text) contains the original IV&D notes. Key quotes: “A subsequent step will need to be that an assessment is made of what actually needs to be removed, permanently preserved, or returned” — this step was never taken. “The data vault does not serve an archive function” — yet it contained potentially archive-worthy documents.
The second nationality was still visible in Toeslagen systems in May 2019, years after discriminatory use was identified. Deloitte’s “BVR Nationaliteit” was built into SAS models in 2013; the AP imposed a €2.75 million fine in 2020 for discriminatory processing. The nationality field was only masked reactively under GDPR pressure.
The nine-month delay (July 2025 to April 2026) between discovery and parliamentary notification raises serious questions about compliance with Article 68 of the Constitution, which requires ministers to provide parliament with requested information.
Analysis
The data vault represents a compounded institutional failure: the Belastingdienst failed to achieve GDPR compliance, created a temporary measure that became permanent through neglect, and then failed to search the vault for the most significant parliamentary investigations in Dutch history.
Legally, multiple frameworks are implicated: AVG Article 5(1)(e) (storage limitation), AVG Article 89 (archiving in the public interest), Archiefwet Article 3 (prohibition of premature destruction), Grondwet Article 68 (parliamentary information obligation), and Woo Article 5.1 (public access). The Q-drive structure reveals that POK-specific folders existed — folders that should have been provided to the parliamentary inquiry but were not.
The Inspectie Overheidsinformatie en Erfgoed launched a preliminary investigation on 22 April 2026, confirming that the information was “not sustainably accessible” and that the vault’s contents were “not included in important deliveries of information to parliamentary investigations.”
Sources
- blg-1197678 — IV&D internal notes May 2019 (Kamerdossierstuk, 4,252 lines)
- Kamerbrief Eerenberg/Palmen 15-04-2026, kenmerk 2026-0000132235
- Rijksoverheid beslisnota 15-04-2026
- NOS 15-04-2026 and 16-04-2026
- Inspectie OE 22-04-2026: preliminary investigation data vault
- iBestuur 16-04-2026: sample checks confirm missed PEFD documents
Sources
- blg-1197678 — IV&D internal notes May 2019 (Kamerdossierstuk)
- Kamerbrief Eerenberg/Palmen 15-04-2026, kenmerk 2026-0000132235
- NOS 15-04-2026: Data vault disappeared from sight
- NOS 16-04-2026: Parliament furious, 'Is this a cover-up?'
- Inspectie OE preliminary investigation 22-04-2026
- iBestuur 16-04-2026: Sample checks confirm missed PEFD documents