Dutch regulator grants 140+ financial blacklist permits — while ignoring its own mass surveillance warnings

The Dutch Data Protection Authority has approved over 140 private warning register permits for the financial sector, based on a single collective impact assessment. Human Rights in Finance EU explains why this violates GDPR — and why it affects EU citizens across multiple member states.


In the first quarter of 2026, the Dutch Data Protection Authority (known as the AP, or Autoriteit Persoonsgegevens) granted over 140 licenses allowing financial institutions to process criminal personal data and share customer signals through a private blacklist system called PIFI.

Human Rights in Finance EU (HRIF.EU) has filed formal objections against this block-wise granting of permits. Our core argument is simple: the AP did not assess each institution individually, as GDPR and Dutch data protection law require. That is not individual authorisation. It looks more like rubber-stamping — at scale.

What is PIFI? The Dutch financial sector’s private blacklist explained

PIFI stands for Protocol Incidentenwaarschuwingssysteem Financiële Instellingen — the Financial Institutions Incident Warning System. It is the ruleset governing private warning registers in the Dutch financial sector. With these permits, the 2026 version is now in force; the prior version (2021) can still be consulted here.

Banks, insurers, mortgage providers and health insurers can register individuals they consider to have been involved in fraud, abuse or integrity risks. They then share those signals with each other through a hit/no-hit system: one institution flags a person, and any other participant that queries the system sees that a flag exists.

The consequences for those registered are serious:

  • Refusal of a bank account, insurance, mortgage or credit
  • Termination of an existing customer relationship
  • Reputational damage lasting years
  • Heightened scrutiny at every new financial institution approached

No criminal conviction is required. Registration may follow from a private institution’s internal assessment, provided the institution considers the protocol criteria met. The person concerned may not even know they have been flagged. In practice, this can amount to financial exclusion without a court judgment, without prosecution, and without the safeguards normally associated with criminal-law allegations.

Because PIFI involves criminal personal data — a strictly protected category under Article 10 GDPR — prior authorisation by the AP is required under Dutch implementing legislation (Article 33 UAVG). That authorisation must be individual, concrete, and based on a proper assessment of necessity, proportionality and subsidiarity per institution.

The AP granted 140+ permits. But the published permit model and underlying decision do not show that the AP carried out such an individual, institution-by-institution assessment. Instead, the AP relied on one sector protocol and a collective DPIA submitted by industry associations, while acknowledging that each participating institution remains individually responsible for its own Incident Register and External Reference Register.

In our view this constitutes a misuse of the AP’s authorisation power: using an individual permit mechanism to achieve a sector-wide outcome that the underlying legislation does not permit.

Changes in the 2026 version: from fraud warning to wider private surveillance infrastructure

PIFI has expanded significantly from its earlier versions. Where it once covered only proven fraud, the 2026 version now encompasses:

  • Incidents and suspicions
  • Integrity risks
  • Improper conduct
  • Aggression
  • Cybercrime
  • Product misuse
  • Any other behaviour that financial institutions themselves consider relevant

That last category is the problem. Institutions are now effectively left to determine for themselves when data sharing about a customer is justified. There is no prior court order and no independent public check before a person is flagged by a private institution. Public oversight is remote, ex post and largely dependent on complaints, audits and enforcement choices.

This is a structural shift: from a narrow warning system for serious proven cases to a sector-wide infrastructure through which private parties collectively determine who remains trustworthy within the financial system. The 2026 permits gave that infrastructure a legal stamp of approval — without examining whether it deserved one.

Blackmail by blacklist: how banks are using PIFI against customers

HRIF.EU has already received reports from people directly affected, and a disturbing pattern has emerged.

According to these reports, banks are using the threat of PIFI registration to pressure customers into ending their banking relationship. Customers are presented with off-boarding agreements: documents in which they “voluntarily” agree never to bank with that institution again. They sign not because they want to, but because the alternative is PIFI registration, which would make it effectively impossible to obtain financial services anywhere.

This is coercion dressed as consent. It is financial exclusion through the back door. And it is happening now, under permits the AP has just granted.

The AP’s own track record: mass surveillance warnings, zero enforcement

What makes the AP’s decision to grant these permits particularly troubling is its own recent history.

Between 2020 and 2024, five major Dutch banks — ABN AMRO, ING, Rabobank, Triodos and de Volksbank — operated a joint transaction monitoring system called Transactie Monitoring Nederland (TMNL). This system pooled transaction data from all participating banks and analysed it collectively.

The scale was extraordinary. The system processed an estimated 10 billion transactions. Approximately 1.5 billion data points fell under Article 9 GDPR as special category data — including information revealing political affiliations and religious beliefs — processed without a valid legal basis.

Here is what the AP did about it:

August 2021: The AP received a sector-level DPIA from the banks and explicitly stated it would not study it, as that was “not opportune at this time.” No enforcement action followed.

January 2023: The AP itself warned the Dutch Parliament in a formal position paper that joint banking data sharing constitutes mass surveillance, can render people unbankable, and creates serious risks of discrimination — particularly on grounds of race, ethnicity and religion. The paper is publicly available here.

September 2024: HRIF.EU submitted comprehensive evidence of the violations. The AP declined to enforce, citing the need for “further investigation.”

Throughout: Key documents, including a Deloitte audit report on the destruction of customer data, were not provided to HRIF.EU or the Amsterdam District Court.

Q1 2026: The AP granted 140+ PIFI permits, again based on a collective sector DPIA from the same industry associations, without verifying whether its own 2023 warnings had been addressed by any individual institution.

The pattern is consistent: warnings on paper, inaction in practice, and permits that legitimise the next iteration of the same system.

Why this is a European problem — and why Article 60 GDPR matters

This is not only a Dutch problem. It directly concerns data protection authorities and citizens across the EU.

PIFI registers and shares signals about individuals who are or have been customers of Dutch financial institutions. Those individuals are not exclusively Dutch residents. EU citizens from Belgium, Germany, France and other member states who hold accounts, insurance policies or mortgages with Dutch institutions can appear in the system.

This constitutes – in our view – cross-border processing within the meaning of Article 4(23) GDPR, which covers processing that substantially affects, or is likely to substantially affect, data subjects in more than one Member State.

Where cross-border processing is involved, the lead supervisory authority — here the AP — is required under Article 60 GDPR to cooperate with the supervisory authorities of the other Member States concerned, share its draft decision with them, and take due account of their views before reaching a final decision.

The AP does not appear to have done this. It granted 140+ permits without any visible consultation of foreign data protection authorities. The AP cannot avoid the GDPR cooperation mechanism merely by framing the PIFI permits as national authorisations. Where the authorised processing foreseeably affects data subjects in other Member States, the AP must at least explain whether Article 60 GDPR is triggered and, if not, why not.

The same failure occurred with TMNL. Transaction data from customers making payments to political parties and religious organisations in France, Belgium and Germany was processed in the Dutch banking dragnet for nearly three years. The AP never consulted the relevant European authorities before deciding not to enforce.

EU citizens in multiple member states had their Article 9 GDPR rights violated. Their national data protection authorities were entitled to participate in decisions about enforcement and authorisation. They were not informed.

A uniquely Dutch problem — and why that matters for Europe

The PIFI permit system is not just a Dutch administrative failure. It reveals a structural tension within the GDPR’s framework for criminal personal data that has been resolved very differently across member states — and the Dutch approach is an outlier.

Article 10 GDPR sets the baseline: personal data relating to criminal convictions and offences may be processed only under the control of official authority, or where Union or Member State law authorises the processing and provides appropriate safeguards. What those safeguards look like is largely left to national implementing legislation, and the results across the EU vary dramatically.

Preliminary comparative analysis suggests that the Dutch permit mechanism is unusually permissive. In several Member States, private processing of criminal personal data is far more narrowly confined and does not appear to provide an equivalent gateway for cross-sector financial blacklisting.

National law in those countries reserves access to such data for the data subject themselves, or restricts processing to very specific limited contexts such as employment screening for roles involving vulnerable groups. A PIFI-style system would be difficult to reconcile with those more restrictive national approaches. No permit from a DPA could create one, because the underlying national law does not provide that gateway.

The Netherlands chose a different path. The Dutch GDPR Implementation Act (UAVG) created a permit mechanism under Article 33 allowing private parties to share criminal personal data with each other, subject to individual authorisation by the AP. That mechanism exists precisely because the Dutch legislator wanted the AP to act as a genuine gate — assessing necessity, proportionality and subsidiarity per institution, per system, per use case.

The AP’s block permit approach for PIFI 2026 appears to undermine that gate by replacing individual scrutiny with sector-level approval. The Dutch DPA has used its permit power to create exactly the kind of private cross-sector criminal data infrastructure that other EU member states, through their national legislatures, have chosen not to allow.

What we are asking for — and what needs to happen

HRIF.EU has filed objections against the 140+ PIFI permits. We are requesting that the AP:

  1. Revoke or suspend all PIFI 2026 permits pending individual reassessment
  2. Conduct a genuine per-institution necessity, proportionality and subsidiarity review
  3. Require independent external auditing rather than self-reporting by industry associations

HRIF.EU will ask the EDPB and relevant national supervisory authorities to request information from the AP about its handling of both TMNL and PIFI, including whether the GDPR cooperation mechanism should have been used.


Support HRIF.EU — because no one else is doing this

This work — two years of freedom of information requests, court proceedings, notifications to the EDPB, and formal objections against over 140 regulatory decisions — has been carried out by a small foundation without structural funding, acting on behalf of people who had nowhere else to go. The PIFI objection procedure will move to a hearing and almost certainly then to the courts. New cases of people threatened with blacklist registration to force them out of banking relationships arrive every month.

If you believe that GDPR enforcement should mean something in practice and not just on paper, please consider supporting us. Donate directly to IBAN: NL94 TRIO 0320 7857 85 (BIC: TRIONL2U, Stichting Human Rights in Finance EU). HRIF.EU is a Dutch foundation.