
RAM never disappeared: the state profiles on
The Risk Analysis Model (RAM) was officially deactivated on 18 May 2018, one day before the GDPR took effect. But RAM never disappeared. Seven successor systems remain in production at the Tax and Customs Administration (Belastingdienst) in 2026, using largely the same data structures and profiling citizens and entrepreneurs without legal basis. The Dutch Data Protection Authority (AP) demanded immediate decommissioning of KTA and Informatiesjabloon in July 2025, the Belastingdienst ignored this. Senior civil servant Teusjan Vlot testified on 26 May 2026 that he still sees 'Excel sheets from the RAM system.' Vlot acknowledged that information management has been out of order for 25 years, that 'there was never really any drive behind action plans,' and that he personally approved the PEFD search queries that excluded HTML. The data vault with 64 million files, 24.3 million substantive, including ~2 million Excel files, contains the evidence. But the state refuses to search systematically. UHT has paid €59 million in penalty payments. Judges impose penalty fines of one euro. No one has been held accountable.
Summary
On 18 May 2018, the Risk Analysis Model (RAM) was deactivated, one day before the General Data Protection Regulation (GDPR/AVG) took effect. The timing was no coincidence. Anyone who thinks profiling by the Belastingdienst (Tax and Customs Administration) has stopped is mistaken. The KPMG report of February 2025 identified seven successor systems that have taken over RAM’s work. The Dutch Data Protection Authority (AP) demanded in July 2025 that two of them be decommissioned immediately, the Belastingdienst ignored this.
On 26 May 2026, senior civil servant Teusjan Vlot testified during the parliamentary debate on the data vault that he still “occasionally sees Excel sheets from the RAM system.” Vlot has only worked there for six years. RAM was shut down in 2018. The only explanation: the successor systems use the same data structures and export formats.
The data vault contains 64 million files, 24.3 million substantive, including ~2 million Excel files, holding evidence that could prove the scale of profiling. The state refuses to search systematically. Meanwhile, the recovery organisation UHT has paid €59 million in penalty payments because it cannot process decisions within statutory deadlines. Judges impose penalty fines of one euro.
The state profiles on, hides the evidence and fails at recovery. This investigation documents the facts, with sources.
RAM was renamed, not dismantled
The KPMG report of February 2025 (330 pages) identified seven systems still in production in 2025 that present “comparable risks” to RAM. The Dutch Data Protection Authority (AP) confirmed this in its letter of 9 July 2025 and concluded that KTA and Informatiesjabloon must be taken out of service immediately. The AP considered ordering the systems shut down per immediate, but found the consequences for the “public task” too far-reaching. The Belastingdienst ignored the call, the systems are still running in May 2026.
The successor systems (2025-2026)
| System | Risk level | Users | Core problem | AP ruling |
|---|---|---|---|---|
| KTA (Customer Supervision Application) | CRITICAL | ~18,000 | No authorisation roles; all screens accessible; sexual orientation derivable | Decommission immediately |
| Informatiesjabloon (Information Template) | CRITICAL | Limited | Excel export of personal data outside secured systems; unlawful processing | Decommission immediately |
| IHP (Information Hub Platform) | HIGH | ~2,000 | Consultations NOT logged | Mitigate |
| IFL (Information for Career) | HIGH | Limited | Excel macros; no transition plan | Mitigate |
| SMOB (Selection Module OB) | MEDIUM | 2,314 | Passive monitoring | Mitigate |
| Gruff | MEDIUM | Limited | No solution architecture | Mitigate |
| PRISMA (Customs) | MEDIUM | Limited | Risk selection system with predefined rules | Mitigate |
Sources: KPMG report, chapter 6; AP letter 9 July 2025
The AP on RAM: “systematically violated”
The Dutch Data Protection Authority formulated four main conclusions about RAM that apply equally to the successors:
- Unlawful processing of personal data, including special categories (health, religion) and criminal data
- Discrimination on nationality, “no objective justifications known”; “discriminatory processing carried out”
- No security, “data could be freely exported from RAM and these extracts were also unsecured”
- Evaded oversight for years, no notifications to DPO or CBP/CPB; “supervisory authorities could therefore not act”
The AP: “The Belastingdienst has systematically violated the regulations regarding the protection of personal data with the RAM application for a long period of time. […] Fundamental rights of citizens were seriously violated.”
And the sanction? None. The AP did not impose fines because the violations “were committed more than seven years ago.” The fine for the FSV in 2020 was only €2.75 million, a fraction of a day’s budget for a government organisation. The government’s message to itself is clear: violating fundamental rights has no consequences.
Vlot’s testimony: RAM lives on
During the parliamentary debate of 26 May 2026, senior civil servant Teusjan Vlot stated that the Belastingdienst’s information management has been out of order for 25 years. Vlot: “We keep running into that. And that will continue to be the case, because we simply cannot structure that information.” Vlot admitted that the Belastingdienst had promised clean-up plans for the data vault, but “there was never really any drive behind those action plans and the actual cleaning up.” After a reorganisation, “no one felt ownership anymore” of the files. And: he had personally approved the extensions that PEFD used in its searches, the same searches that systematically excluded HTML.
Vlot also said something remarkable: he indicated that he still sees Excel sheets from the RAM system. Vlot has only worked at the Belastingdienst for six years. RAM was closed on 18 May 2018, long before Vlot joined. The only logical explanation is that the successor systems use the same Excel export formats and data structures as RAM. IFL runs on Excel macros and has no transition plan. Informatiesjabloon exports personal data to Excel outside all security controls.
Approximately 20 data coordinators had access to the data vault. Vlot confirmed that it also contains “documents about fraud approach, projects” that the Belastingdienst “has never been aware of.”
RAM never disappeared. It lives on under different names.
The data vault: what is the state hiding?
The letter to Parliament of 22 May 2026 (2026D24511) contains the first file type analysis of the data vault. The figures speak for themselves.
Total size
| Category | Number of files |
|---|---|
| Total in data vault | 64 million |
| Substantive files (loose) | ~19,625,031 |
| ZIP files | ~180,000 (containing ~4.7 million files) |
| Total substantive | 24,327,796 |
| Technical/process files | ~40 million (“probably limited relevance”) |
Source: Letter 2026D24511, appendix “File type analysis”
Breakdown by department
| Department | Number of files | Percentage |
|---|---|---|
| Belastingdienst (various directorates) | 13,245,223 | 54.5% |
| Former Customs directorate | 6,184,718 | 25.4% |
| Former Toeslagen (Benefits) directorate | 195,089 | 0.8% |
| Other (ZIP, technical) | ~4,700,000 | 19.3% |
The government has spoken for months about “64 million files from toeslagen and customs.” This is misleading. Of the 24.3 million substantive files, only 0.8% comes from the Benefits directorate. The vast majority, 80%, comes from the Belastingdienst and Customs. These are precisely the departments that operated RAM and that still use the successor systems (KTA, IHP, IFL, Informatiesjabloon). The data vault is primarily a RAM and tax dossier, not a childcare benefits issue.
File types
| Type | Number | Description |
|---|---|---|
| .doc | ~4.5 million (18.3%) | Legacy Word format, memos, letters, policy documents |
| ~2.8 million (11.7%) | Together with .doc: ~7.3 million documents | |
| Images (.tif.jpg.gif) | ~4 million (~16%) | Possibly scanned documents |
| Excel files | ~2 million (~8%) | RAM exports, KTA exports, Informatiesjabloon data |
| HTML | unknown | Systematically excluded during PEFD searches |
| ZIP | 180,000 (~0.7%) | Containing ~4.7 million files |
What the technical briefing revealed
During the technical briefing of 26 May 2026, Director of Information Security Richard Schuurs supplemented the figures:
- 31,000 unique file types, the vault contains a vast array of formats far beyond the known .doc/.pdf/.xlsx
- ~87,000 relevant files in the ~46,000 ZIP files yet to be extracted, Schuurs: “there are sufficient techniques to crack ZIP files”
- Destruction freeze since 9 October 2025, nothing has been destroyed since
- Logging IS present, unlike RAM, where extracts were untraceable, there is now a log of who accessed what
- The vault contains not only business documents but also “photos from company parties” and “performance reviews”
- Knowledge about the data vault has “become very thin” after years of neglect
The important role of Excel, 2 million hidden spreadsheets
The KPMG report documented that RAM produced 2,662 Excel files with RAM extracts, of which 1,170 were unique. Of these, 369 extracts contained nationality data. The State Secretary’s recovery investigation was limited to 14 spreadsheets.
There are potentially 2 million Excel files in the data vault.
The AP confirmed in its letter of 9 July 2025: “In the 20 years that RAM was used, approximately 500,000 selections were made. Of only 1,170 of these selections was a RAM extract found in the Belastingdienst’s archives (this is less than 0.25%).”
Less than 0.25% of RAM selections have been recovered. The remaining 99.75% may be in the 2 million Excel files in the data vault or was destroyed.
Even more hidden environments
The letter of 22 May 2026 revealed more than just the data vault:
- 1,004 mailboxes, copies (not originals) of mailboxes and collaboration environments from former Benefits directorate staff, secured in May 2020. Unlike the data vault, the originals remained available for searches, but the copies were never searched
- Q-drives and Connect People, Director-General for Fiscal Affairs Ardi Wissink confirmed that personal staff drives (“Q-drives”) and Connect People environments are also being sought, these have not yet been found
- Woo requests potentially answered incompletely, Wissink: the approach also covers “older requests where information from the data vault could change the decision”
- FSV data vault, the term “data vault” is also used for the shielded FSV environment
- RAM as priority, RAM is explicitly named as a track-1 priority topic for the external committee
The state speaks of “one data vault.” The reality is an archipelago of shielded environments, data vault, mailboxes, Q-drives, Connect People, that have not been searched in any investigation.
The damage continues: UHT and the one-euro doctrine
While the state continues profiling and shields evidence, the recovery operation for childcare benefits victims is failing fundamentally. Trouw journalist Emiel Hakkenes documented on 24 May 2026 how the Recovery Organisation for Toeslagen (UHT) has paid €59 million in penalty payments because it cannot process decisions within statutory deadlines.
The case of the mother from Zwolle
A victimised mother filed four objections in September 2022 against reassessments of childcare benefit (2009-2012). Three and a half years later, UHT has still not processed those objections. Lawyer Narda Teke-Bozkurt went to court four times. Each time, the judge imposed a deadline with a penalty payment. UHT missed all deadlines and has by now paid ~€70,000 in penalties to this one mother.
Source: Trouw, 24 May 2026
The one-euro doctrine
The judge in Zwolle concluded that the penalties were apparently insufficient incentive. Instead of imposing higher penalties or making a decision itself, the judge imposed a penalty of one euro per day, with a maximum of one euro. Lawyer Teke-Bozkurt: “This is how you flush citizens’ legal protection down the toilet.”
Administrative law lecturer Rens Koenraad (Tilburg Law School): “Such a one-euro doctrine undermines the authority of judicial decisions.” He argued the judge should have made a decision itself: “Then you say to the government: if you don’t decide, I will.”
The two-week deadline set by the judge? Expired. No decision. The government ignores the judiciary and the judge cannot do anything more.
The systematic deadlock
This is not an incident. By the end of 2025, UHT had paid €59 million in penalties. The Council of State extended decision deadlines from 18 to 40 to 60 weeks. Even that doesn’t help:
| Party | Problem |
|---|---|
| UHT | “Insufficient staff”; prioritises “with penalty” files over normal track, “It is unclear what further happens at this department” |
| Judges | Can increase penalties (costs the state money) or extend (costs the citizen time) or give up (€1) |
| Citizens | Wait years for decisions; penalties are not compensation for unresolved damage |
| State | Pays €59M in penalties instead of hiring more case managers |
This is the state failing to recover from a scandal that brought down a cabinet, while the systems that caused the scandal are still running.
The timeline of concealment
From the letters to Parliament and the Trouw investigation of 26 May 2026, a pattern of systematic delay and information withholding emerges:
| Date | Event |
|---|---|
| May 2019 | Data vault created with 64 million files |
| 17 Dec 2020 | POK report “Unprecedented injustice”, data vault not searched |
| 18 Dec 2020 | Last filling of data vault |
| Feb 2022 | PEFD established, data vault not searched |
| 19 Oct 2022 | PEFD receives list of file extensions, HTML systematically excluded |
| End 2022 | Last delivery of files to PEFD, incomplete |
| 26 Feb 2024 | PEFD report “Blind to people and law”, data vault not searched |
| Jul 2025 | Data vault “rediscovered” during hard drive cleanup |
| 31 Jul 2025 | Memorandum to state secretaries about data vault |
| Aug 2025 | State Secretary Van Oostenbruggen initials; GBB signal to executive team |
| 22 Aug 2025 | NSC leaves cabinet, political crisis right after data vault signal |
| 16 Oct 2025 | Sample results on desk of State Secretary Heijnen, documents not delivered to PEFD |
| 20 Nov 2025 | Inventory completed, confirmed: PEFD documents in vault, not delivered |
| Dec 2025 | December memorandum does not reach state secretaries |
| 15 Apr 2026 | Parliament informed, 9 months after discovery |
| 22 May 2026 | Letter with file type analysis |
| 26 May 2026 | Parliamentary debate; Vlot testifies |
Esther Lammers in Trouw: State secretaries already knew about the data vault in the summer of 2025. Civil servants wrote in draft letters that the vault was “no secret”, a state secretary corrected in the margin: “Mentioning something is not the same as informing.” In another note: “Tell it like it is.”
The state knew. The state remained silent. For nine months. During those nine months, Woo requests, AVG/GDPR requests and ongoing lawsuits proceeded, all without the data vault being mentioned.
The scale of surveillance
The scale of RAM’s profiling is difficult to comprehend. Here is what the official sources document:
| Metric | Number | Source |
|---|---|---|
| RAM entities (total) | 2.2 million | KPMG report 2025 |
| Source systems linked | 69 | KPMG report |
| Data tables | 250 | KPMG report |
| RAM selections (20 years) | ~500,000 | AP letter July 2025; KPMG |
| RAM extracts recovered | 1,170 (0.25%) | KPMG; AP |
| Selections on nationality | 14 extracts | KPMG |
| Extracts with nationality data | 369 of 1,170 | KPMG |
| Excel files distributed | 2,662 (via USB, email, CD) | KPMG |
| Citizens in Belastingdienst data | 11 million | WRR Working Paper 021, 2016 |
| Companies in data | 1.5 million | WRR 2016 |
| Transactions per day | 1 million | WRR 2016 |
| Vehicles in RAM | 10.5 million | KPMG report, part 1 |
| Data vault files (total) | 64 million | Letter 2026D24511 |
| Data vault files (substantive) | 24.3 million | Letter 2026D24511 |
| Excel files in data vault | ~2 million | Letter 2026D24511 |
| Toeslagen files in data vault | 195,089 (0.8%) | Letter 2026D24511 |
| BD + Customs in data vault | 19.4 million (80%) | Letter 2026D24511 |
| FSV registrations | ~180,000 citizens | PwC; Committee-Donner |
| Toeslagen families affected | ~26,000 | Parliamentary documents |
The AP put it sharply: “In the 20 years that RAM was used, approximately 500,000 selections were made. Of only 1,170 of these was a RAM extract found, less than 0.25%. The total number of persons harmed by RAM cannot be determined.”
The WRR warned as early as April 2016, four years before the childcare benefits scandal: “An enormous and rapidly growing data complex is emerging […] This happens largely unnoticed, both as a result of the lack of transparency and the lack of attention from media and politics.” No one listened.
The constitutional crisis
The combination of continuing profiling systems, a hidden data vault and a failing recovery apparatus strikes at the heart of the rule of law:
Violated norms
| Norm | Violation |
|---|---|
| Art. 1 Constitution (equal treatment) | RAM and successors select on nationality, AP: “discriminatory processing” |
| Art. 8 ECHR (private life) | 20+ years of uncontrolled data collection; 2.2 million entities profiled |
| Art. 14 ECHR (discrimination prohibition) | Systematic profiling on origin |
| Art. 6 ECHR (fair trial) | No access, no objection, no appeal against profiling |
| Art. 1 P1 ECHR (property protection) | Entrepreneurs harmed by profiling-based tax assessments |
| GDPR / Wbp | RAM never registered; AP: “systematically violated”; successors without legal basis analysis |
| Open Government Act (Woo) | Data vault concealed for 7 years; Woo requests answered incompletely |
| Archives Act | ~9,000 files destroyed under GDPR pretext; Inspectorate OE (2021): “extraordinarily unfortunate coincidence” |
| Parliamentary Inquiry Act | Documents not provided to PEFD and POK, the data vault contains missing documents |
The state as its own judge
The State Secretary concluded in December 2025: “no reason to assume that citizens were harmed” by the successor systems. This while:
- KTA gives 18,000 employees access to all personal data without authorisation roles, AP demanded immediate decommissioning
- Informatiesjabloon exports personal data to Excel outside all security, AP: “unlawful processing”
- IHP consultations are not logged, impossible to know who viewed what
- IFL runs on Excel macros without a transition plan, the state has no plan to fix this
- The data vault with 2 million Excel files has not been searched
- The recovery investigation was limited to 14 spreadsheets out of 1,170 known extracts
The AP summed it up in its letter: “These are violations so serious that a firm sanction would not be out of place.” But sanctions did not materialise. The government does not punish itself.
The external committee, an empty promise?
The letter of 22 May 2026 announced an “external committee” with four tasks: assessment of relevant documents, method of sharing with Parliament and society, relationship to past conclusions and reporting with an auditor’s statement. As of 27 May 2026, the committee has not yet been established. There are “discussions with potential committee members.”
At the same time, Director-General for Fiscal Affairs Richard Stavers warned during the debate: “no concrete indications that there is relevant information in the vault for individual cases.” This while the government’s own letter documents that PEFD documents were indeed in the vault and had not been delivered. Stavers also admitted that staff mailboxes at scale 16+ may have been missed during the PEFD searches.
The letter confirms that the approach also covers “older Woo and information requests” “where information from the data vault could change the decision.” Third track: previous Woo requests may have been answered incompletely because the data vault was not searched.
Why this matters
The profiling continues. Not in secret, Parliament has been informed about the successor systems (Letter 6 March 2025, Letter 3 December 2025). But the consequences are absent:
- No civil servant or office holder has been held personally accountable for profiling 2.2 million entities over 20 years
- No successor system has been taken out of service, the AP demanded this in July 2025; May 2026: everything still running
- The data vault is not being systematically searched, the external committee has yet to start; the investigation is limited to “track 1” with eight priority themes: PEFD, commitment de Vries (recovery operation), RAM, CAF, POK, HVB lists, Groningen and Uber
- Recovery for victims is absent, UHT cannot even process decisions (€59M in penalties), let alone compensate damage
- Judges are powerless, the one-euro doctrine shows that administrative law can no longer compel the government
- The AP cannot sanction, violations older than seven years are time-barred; the government simply lied long enough
The Ministry of Finance also classifies “hotspots”, events that lead to intensive interaction between government and citizens, including the voluntary departure scheme, MH17, Brexit and Covid. Archive documents relating to these hotspots are designated for permanent preservation. But the data vault, which may touch all of these topics, is only now, seven years after its creation, being indexed by external party Knowledge Plaza.
Preview: the next investigation
This investigation is the first in a series. In the next investigation, Courts as rubber stamps: how ministries make their own laws, we document:
- How judges are structurally buckling under the combination of statutory deadlines, staff shortages at government agencies and administrative law that lacks effective enforcement mechanisms
- How ministries introduce their own norm-setting that neutralises higher norms from the Constitution, ECHR and EU directives, including profiling systems operating without legal basis
- Whether it is time for criminal reports, criminal liability of individual decision-makers for the systematic violation of fundamental rights of hundreds of thousands of citizens and entrepreneurs
The rule of law is not an abstract concept. It is the guarantee that the state uses its power within boundaries. When those boundaries are systematically crossed and no institution, not the judiciary, not parliament, not the regulator, is able to enforce redress, only one question remains: who stops the state?
References
Official documents
- KPMG Report on RAM, part 1, rijksoverheid.nl (7 February 2025, 330 pages)
- KPMG Report on RAM, part 2, rijksoverheid.nl
- Letter to Parliament: policy response RAM (6 March 2025), State Secretary Van Oostenbruggen
- Review of RAM-comparable systems (March 2025), rijksoverheid.nl
- Dutch Data Protection Authority (AP), letter on RAM and comparable systems (9 July 2025), ref. 2025-002145, AP concludes systematic violation, discrimination, demands immediate decommissioning of KTA and Informatiesjabloon; confirms ~500,000 selections over 20 years; less than 0.25% recovered
- Letter 2026D17991 data vault (15 April 2026), Eerenberg & Palmen
- Letter 2026D24511 file types data vault (22 May 2026), Eerenberg & Palmen, contains file type analysis, 1,004 mailboxes, external committee, track-1 priorities
- Tweede Kamer: appendices to 2026D24511, unvalidated timeline, file type analysis (PDF), decision memo, timeline notes
- Letter to Parliament 3 December 2025 / January 2026 (RAM follow-up), State Secretary Heijnen
Media
- Trouw, Esther Lammers: “Parliament full of questions about discovered data vault at Tax Authority”, 26 May 2026, “state secretaries knew about data vault in summer of 2025”
- Trouw, Emiel Hakkenes: “Even after 59 million euros in penalties, government insufficiently active for childcare parents”, 24 May 2026, “one-euro doctrine”; “you flush legal protection down the toilet”
- Debatdirect Tweede Kamer, 26 May 2026, Operation of digital data vaults, Vlot: “information management not in order for 25 years”; “Excel sheets from RAM system”; “never driven by action plans”; Schuurs: “31,000 unique file types”; “87,000 relevant files in ZIPs”; “destruction freeze 9 October 2025”; Stavers: “no concrete indications”; Wissink: “Woo requests potentially answered incompletely”
OpenBrief research reports
- RAM and SME Profiling: The Tip of the Iceberg, 14 May 2026
- Data Vault: 64 Million Hidden Records Discovered, 13 March 2026
- Credibility of the Dutch Rule of Law, 25 May 2026
Other sources
- WRR Working Paper 021, “Big Data for Fraud Prevention” (April 2016), ISBN 978-94-90186-30-2, documents 11 million citizens, 1.5 million companies, 1 million transactions/day; “enormous and rapidly growing data complex […] largely unnoticed”
- Dutch Data Protection Authority, FSV penalty decision July 2020 (€2.75 million)
- Inspectorate for Government Information and Heritage report, April 2021 (ISBN 978-90-773541-0-0)
- PwC working document FSV, February 2022
- Committee-Donner, March 2020
Sources
- KPMG Report on RAM, 7 February 2025 (330 pages), rijksoverheid.nl
- Letter to Parliament: policy response RAM (6 March 2025), State Secretary Van Oostenbruggen
- Review of RAM-comparable systems (March 2025), rijksoverheid.nl
- Dutch Data Protection Authority (AP), letter on RAM and comparable systems, 9 July 2025 (ref. 2025-002145)
- Letter 2026D17991 (data vault), 15 April 2026 (Eerenberg & Palmen)
- Letter 2026D24511 (data vault file types), 22 May 2026 (Eerenberg & Palmen)
- Trouw, Esther Lammers: 'Parliament full of questions about discovered data vault at Tax Authority', 26 May 2026
- Trouw, Emiel Hakkenes: 'Even after 59 million euros in penalties, government insufficiently active for childcare parents', 24 May 2026
- Letter to Parliament 3 December 2025 (RAM follow-up), State Secretary Heijnen
- Debatdirect Tweede Kamer, 26 May 2026, Operation of digital data vaults
- WRR Working Paper 021, 'Big Data for Fraud Prevention', April 2016 (ISBN 978-94-90186-30-2)
- OpenBrief, 'RAM and SME Profiling: The Tip of the Iceberg', 14 May 2026
