Rights Violated: Archives Act, GDPR, and the Childcare Benefits Scandal

Published 28 April 2026 · 10 min read
John van der Velden
Independent Researcher

Summary

An investigation into the information management practices of the Dutch Tax and Customs Administration (Belastingdienst/Toeslagen) in connection with the childcare benefits scandal reveals seven systematic violations of the Archives Act 1995 (Archiefwet), the General Data Protection Regulation (AVG/GDPR), and fundamental human rights. Drawing on reports by the Inspectorate of Government Information and Heritage (Inspectie Overheidsinformatie en Erfgoed), the Inspectorate Report 2021, and documents released under the Open Government Act (WOO), this investigation establishes that at least 17 statutory provisions were breached. The consequences range from incomplete case files and destroyed archives to the systematic denial of court access and legal protection to thousands of affected individuals.

Key Findings

1. No Durable Accessible Information Management (Archives Regulation art. 20)

The Tax and Customs Administration lacked a durable, accessible, and retrievable information management system. Information about individual citizens was dispersed across 11 or more physical and digital locations. Reconstructing a single case file required up to 400 hours per file. This constitutes a direct violation of the requirements imposed by the Archives Act regarding the durable accessibility of government archives.

2. Premature Destruction of Archives (Archives Act art. 3)

Approximately 9,000 files were destroyed before the statutory retention period had expired. An incorrect retention period was applied during the destruction process. Archives Act art. 3 stipulates that destruction of government archives may only take place on the basis of an approved selection list (selectielijst). This provision was systematically disregarded.

3. Incomplete Destruction Declarations (Archives Decree art. 8)

Destruction declarations contained only generic information, with no specification at the file or document level. Archives Decree art. 8 requires that destruction be recorded in a transparent and traceable manner. The absence of file-specific declarations makes it impossible to verify what was destroyed and whether this occurred in accordance with the applicable selection list.

4. No Overview of Information (IOC Framework)

The Tax and Customs Administration lacked an inventory of its own information holdings. More than 100 network drives were in use containing an estimated 3 million files, without any inventory or structure. The Information and Object Control (IOC) framework, which should form the basis for manageable information systems, was entirely absent.

5. Insufficient Management and Quality System (Archives Regulation art. 16)

The Tax and Customs Administration did not meet the requirements of Archives Regulation art. 16 regarding the management and quality system for archives. The i-Control Monitor had issued recommendations for improvement of information management in both 2015 and 2019. These recommendations were systematically ignored. No functioning internal control mechanism existed to safeguard the quality of archive management.

6. GDPR Cleansing in Violation of the Archives Act

In the context of GDPR compliance, archival records were destroyed without adequate safeguards under the Archives Act. Employees were required to independently determine which retention periods applied. What was precisely destroyed in the course of this “GDPR cleansing” remains unknown. The Inspectorate of Government Information and Heritage stated that the GDPR and the Archives Act must be considered together and that the GDPR is not a licence for destruction.

7. Retention Periods Incorrectly Applied

Retention periods were linked exclusively to the DAS system (Documentary Structural Design) and not to the TVS, TAV systems, or network drives. This means that for large portions of the information infrastructure, no retention periods had been established, rendering destruction uncontrollable.

Rights Violated

Right of Access (GDPR art. 15)

Citizens lacked adequate access to their own files. The files were incomplete due to dispersion across 11+ locations, and the required processing time of 400 hours per file rendered effective exercise of the right of access virtually impossible.

Right to a Fair Trial (ECHR art. 6)

The incomplete files resulted in incomplete appeal dossiers before the court. Citizens were consequently unable to adequately defend themselves in legal proceedings against the Tax and Customs Administration.

Right to Protection Against Arbitrary Treatment (ECHR art. 14)

The systematic incompleteness of files and the arbitrary application of retention periods led to unequal and arbitrary treatment of affected individuals.

Right to Government Accountability (Constitution art. 42, 68, 110)

The Constitution assigns responsibility for ministerial conduct to the government (art. 42), transparency of decision-making (art. 68), and the right to information (art. 110). The structural inadequacy of archive management and the inaccessibility of information violate these constitutional obligations.

Right to Data Protection (GDPR art. 5, 6, 9, 32)

The GDPR principles of purpose limitation (art. 6), data minimisation (art. 5), processing restrictions (art. 9), and security of processing (art. 32) were systematically violated through the unmanageable information infrastructure and the uncontrolled destruction of data.

Right to an Effective Remedy (ECHR art. 13)

The combination of incomplete files, destroyed archives, and inadequate accountability structures deprived affected individuals of the possibility of effective legal protection.

Total Overview: Violated Laws and Articles

In total, statutory provisions were breached across six distinct legal frameworks:

  1. Archives Act 1995 (Archiefwet) — art. 3 (premature destruction)
  2. Archives Decree 1995 (Archiefbesluit) — art. 8 (incomplete destruction declarations)
  3. Archives Regulation (Archiefreglement) — art. 16 (insufficient management and quality system), art. 20 (no durable accessible information provision)
  4. General Data Protection Regulation (GDPR/AVG) — art. 5, 6, 9, 15, 32
  5. European Convention on Human Rights (ECHR) — art. 6, 13, 14
  6. Charter of Fundamental Rights of the European Union — related provisions
  7. Constitution of the Kingdom of the Netherlands — art. 42, 68, 110
  8. Open Government Act (Woo) — implicitly, through inadequate archive management that rendered WOO requests impossible

This brings the total to at least 17 individual statutory provisions that were systematically breached.

Inspectorate Position: GDPR versus Archives Act

The Inspectorate of Government Information and Heritage has explicitly articulated its position on the relationship between the GDPR and the Archives Act. The key points from the inspectorate’s assessment are:

  • The GDPR and the Archives Act must be considered together; they are not separate, conflicting regimes.
  • The GDPR is not a licence for destruction of government archives. The right to erasure does not automatically outweigh the archival obligation.
  • Existing selection lists must be respected in the application of both the Archives Act and the GDPR.
  • It is not acceptable to maintain two separate overviews with different retention periods for the same information.
  • The Data Protection Officer (FG) and the information management department must collaborate to apply both legal frameworks in an integrated manner.

This position is of particular significance given that the Tax and Customs Administration invoked the GDPR as justification for archive destruction, without incorporating the Archives Act into its deliberations.

Context

The childcare benefits scandal (toeslagenaffaire) refers to the systematic and unjustified prosecution of thousands of parents by the Dutch Tax and Customs Administration (Belastingdienst/Toeslagen) in connection with childcare benefit claims. Following the Parliamentary Inquiry Committee on Childcare Benefits (2020) and the resignation of the Rutte III cabinet, the role of archive management and information governance came to the forefront. The Inspectorate of Government Information and Heritage investigated the information management practices and published its findings in the Inspectorate Report 2021. Additional information was released through WOO requests. This investigation consolidates the findings from these sources into a systematic overview of the violated rights and statutory provisions.

Evidence Base

  • Inspectorate of Government Information and Heritage — website publications and inspection reports concerning the Tax and Customs Administration.
  • Inspectorate Report 2021 — the primary report of the Inspectorate on information management at the Tax and Customs Administration.
  • WOO documents — documents released under the Open Government Act concerning archive management, destruction, and GDPR application.
  • i-Control Monitor reports 2015 and 2019 — internal and external audits with recommendations for improvement of information management.
  • Documentation on DAS, TVS, TAV systems and network drives within the Tax and Customs Administration.

Analysis

The seven identified violations do not constitute isolated incidents but form a systematic pattern. The core of the problem lies in the complete absence of functioning information management. Without an inventory of its own information (IOC framework), without a linked retention period policy, and without a functioning quality system, any form of responsible archive management was impossible.

The i-Control Monitor had warned as early as 2015 and again in 2019. The fact that these recommendations were ignored points to an institutional inability or unwillingness to structurally address information management. This reinforces the conclusion that the violations are not the result of incidental negligence but of structurally deficient governance.

The GDPR cleansing warrants particular attention. While the GDPR aims to protect the personal sphere, in the practice of the Tax and Customs Administration it was used as justification for archive destruction — whereby precisely the information citizens needed to enforce their rights was destroyed. The Inspectorate rightly stated that both frameworks must be considered together. Practice demonstrates the opposite occurred: the GDPR was applied as an independent instrument, detached from the Archives Act, with destruction as the result.

The consequences for the legal position of affected individuals are severe. Incomplete files led to incomplete appeal proceedings (ECHR art. 6), impossible WOO requests, and an effective denial of the right to an effective remedy (ECHR art. 13). The violation of the archival duty is therefore not merely an administrative shortcoming but a direct undermining of the rule of law.

Timeline

  • 2015 — The i-Control Monitor publishes recommendations for improvement of information management at the Tax and Customs Administration. The recommendations are not followed up.
  • 2019 — The i-Control Monitor repeats its recommendations. Again, no adequate follow-up takes place.
  • 2020-12 — The Parliamentary Inquiry Committee on Childcare Benefits concludes that the Tax and Customs Administration acted systematically unlawfully.
  • 2021-01 — The Rutte III cabinet resigns in connection with the childcare benefits scandal.
  • 2021 — The Inspectorate of Government Information and Heritage publishes the Inspectorate Report 2021 with findings on archive management and information governance.
  • 2021 — It is established that approximately 9,000 files were prematurely destroyed.
  • 2021 — It is established that retention periods were linked exclusively to the DAS system and not to TVS, TAV, or network drives.
  • 2022-05 — The Open Government Act (Woo) enters into force.
  • 2022–present — WOO requests yield additional documentation on the scope of the archive violations.
  • 2026-04-28 — Publication of this investigation by Open Brief Network.

Sources

  • Inspectorate of Government Information and Heritage (Inspectie Overheidsinformatie en Erfgoed) — website publications on information management at the Tax and Customs Administration.
  • Inspectorate Report 2021, Inspectorate of Government Information and Heritage.
  • i-Control Monitor reports 2015 and 2019.
  • WOO documents released in connection with the childcare benefits scandal.
  • Archives Act 1995 (Archiefwet 1995, Stb. 1995, 1), including Archives Decree 1995 (Archiefbesluit) and Archives Regulation (Archiefreglement).
  • General Data Protection Regulation (GDPR/AVG), Regulation (EU) 2016/679.
  • European Convention on Human Rights and Fundamental Freedoms (ECHR).
  • Charter of Fundamental Rights of the European Union (2012/C 326/02).
  • Constitution of the Kingdom of the Netherlands (Grondwet).
  • Open Government Act (Wet Open Overheid, Woo), entered into force 1 May 2022.
  • Report of the Parliamentary Inquiry Committee on Childcare Benefits, 2020.

Methodological Notes

  • This investigation is based on public inspectorate reports, WOO documents, and legislation. The full internal archive of the Tax and Customs Administration has not been requested.
  • The exact number of destroyed files is based on estimates from the Inspectorate Report 2021; the actual number may be higher given the incomplete destruction declarations.
  • The estimate of 3 million files across 100+ network drives is drawn from the Inspectorate; the actual scope may be larger due to the absence of an inventory.
  • The figure of “400 hours per file” refers to the estimated time required for full reconstruction; this estimate originates from inspectorate documentation.
  • What was precisely destroyed during the GDPR cleansing is unknown and can no longer be reconstructed.
  • The attribution of specific ECHR articles to the identified violations represents an interpretation by the research author based on the factual findings.
John van der Velden

Independent Researcher · Open Brief Network

Independent researcher focused on institutional systems, accountability, and administrative processes. Background in network architecture, infrastructure integrity, and process optimisation.

Based in Croatia · Investigative Archive · Systems & Accountability