Privacy and GDPR in the Personal Injury Fraud Register
The fraud register processes data based on legitimate interest under the GDPR. Rights: access, rectification, and erasure. Complaints go to the DPA; a DPIA is required. Transparency on algorithms is essential.
Arslan Advocaten, Legal Editorial
The personal injury fraud register balances fraud prevention with privacy rights under the GDPR. Personal data, such as name, BSN and claim details, are processed on the legal basis of 'legitimate interest' (Article 6 GDPR). Insurers must conduct a DPIA for high-risk processing. Data subjects have the right to information (Articles 13-14), access (Article 15), rectification (Article 16) and erasure (Article 17). The CFEL acts as the controller and publishes a privacy statement. Data sharing with police or FIOD requires a necessity test. Complaints are directed to the Dutch Data Protection Authority (DPA), which can impose fines of up to 20 million euros. Case law, such as CBF Amsterdam on similar registers, requires minimal data and retention periods. Automatic inclusion is prohibited; there must be a 'reasonable suspicion'. Victims can claim damages in case of data breaches. The NVV has drawn up a code of conduct for compliant use. Experts warn against over-retention, which is disproportionate. Transparency on algorithms for fraud scoring is mandatory under the developing Algorithm Transparency Act.