Privacy and GDPR in the Rotterdam Personal Injury Fraud Register

The personal injury fraud register in Rotterdam balances fraud prevention with privacy rights under the GDPR, particularly relevant for the port city with many injury claims from accidents in the Rotterdam port and industry. Personal data, such as name, BSN and claim details from local traffic accidents or work-related injuries, are processed on the basis of 'legitimate interest' (Article 6 GDPR). Insurers in the Rotterdam-Rijnmond region must conduct a DPIA for high-risk processing, such as in large-scale port incidents. Data subjects have the right to information (Articles 13-14), access (Article 15), rectification (Article 16) and erasure (Article 17). The CFEL remains the controller and publishes a privacy statement adapted to the Rotterdam context. Data sharing with Rotterdam police or FIOD requires a strict necessity test. Complaints are filed with the Dutch Data Protection Authority (DPA), which can impose fines up to 20 million euros. Case law from the Rotterdam District Court, analogous to CBF Amsterdam cases, requires minimal data and short retention periods for registers. Automatic inclusion is prohibited; a 'reasonable suspicion' of fraud, for example in suspicious port claims, is essential. Victims from Rotterdam can claim damages for data breaches via the local cantonal court. The NVV has a code of conduct for compliant use in the region. Experts warn against over-retention, disproportionate for temporary port workers. Transparency regarding algorithms in fraud scoring is mandatory under the emerging Algorithm Transparency Act, crucial for Rotterdam insurance practices. (218 words)