Netherlands: AP fines Ministry of Foreign Affairs €565,000 for insufficiently informing data subjects and lack of security measures in processing of personal data
The Dutch data protection authority ('AP') announced, on 6 April 2022, its decision issued, on 24 February 2022, in which it imposed a fine of €565,000 on the Ministry of Foreign Affairs ('the Ministry'), for violations of Articles 13(1)(e) and 32(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an investigation conducted by the AP.
Background to the decision
In particular, the AP noted that it had carried out an investigation at the Ministry in accordance with the Schengen evaluation, which explicitly states that the AP must carry out regular checks at Dutch consular posts. Moreover, the decision notes that these checks were part of the police and judicial multi-year plan that the AP follows in the context of its supervision of, among other things, the Schengen Information System ('SIS II') and the Visa Information System ('VIS').
Furthermore, the AP outlined that the AP's investigation focused on the selected physical, organisational, and technical security aspects of the New Visa Information System ('NVIS') in the context of the Schengen visa process, and included the security plan, physical security, the granting of access rights to the NVIS, and the logging of the NVIS usage. In addition, the AP highlighted that compliance with legal requirements was checked with regards to the provision of information to visa applicants and the training of employees involved in the visa process.
Findings of the AP
Subsequently, the AP noted that the Ministry is designated as a data controller of the NVIS, as, among other things, the Ministry is responsible for determining the purpose and means for the processing of personal data within the NVIS.
Further to this, the AP highlighted that the Ministry had handled an average of 530,000 visa applications per year for the past three years, and that all of the personal data of the citizens from these applications were insufficiently secured. Moreover, the AP noted that the categories of data affected include sensitive data, and encompass names, addresses, places of residence, country of birth, purpose of trip, nationality, photos, and fingerprints, the latter qualifying as biometric data.
In its findings, the AP came to the following conclusions:
- security plan: the AP stated that the Ministry did not have a security plan with regard to the NVIS, and that it was therefore in violation of Articles 24 and 32(1) of the GDPR;
- physical security:
- because the Ministry did not explicitly determine which parts of the IT infrastructure should be regarded as the critical infrastructure of the visa process, the AP concluded that the Ministry acted in violation of Article 32(1) of the GDPR from at least 1 September 2018 until at least the spring of 2020;
- with regard to drawing up emergency plans and the protection of equipment against disruption of utilities from at least 1 September 2018 to date, the AP found that the Ministry violated Article 32(1) of the GDPR;
- given the lack of security guarantees when entering the zone that requires extra security, the AP found that the physical security of the areas where the visa process is being worked on in London did not comply with Article 32(1) of the GDPR from 1 September 2018 to April 2020;
- the AP held that the Ministry did not demonstrate that there are sufficient guarantees for physical security when working in the NVIS in public spaces, and that the Ministry had also not checked the effectiveness of its policy in this regard from at least 1 September 2018 to date, thus acting in violation of Article 32(1) of the GDPR;
- access rights to the NVIS:
- the AP stated that the Ministry did not have formal registration and deregistration procedures in place from at least 1 September 2018 to 1 January 2022 with regard to the allocation of access rights to the NVIS, therefore violating Article 32(1) of the GDPR;
- the AP held that the Ministry acted in violation of Article 32(1) of the GDPR with regard to the procedure for controlling access rights to the NVIS environment and the exercise of that control in practice from at least 1 September 2018 to date;
- logging of the NVIS usage: the AP concluded that the Ministry did not act in accordance with Article 32(1) of the GDPR, in view of the deficiencies in the log files, combined with the fact that the Ministry did not regularly assess those log files and had no procedure in place for doing so;
- NVIS usage control - security incidents: the AP held that the Ministry did not take sufficient appropriate organisational measures to prevent unlawful data processing with regard to the deficiencies in the procedure for reporting security incidents from at least 1 September 2018 to 13 October 2021; and
- information provision to visa applicants: the AP outlined that the Ministry, in its privacy statement, did not state all recipients of personal data and did not mention the sharing of personal data with third parties from at least 1 September 2018 to date, therefore violating Article 13(1)(e) of the GDPR.
In conclusion, the AP deemed it appropriate, in view of the seriousness of the violation, to impose a fine of €565,000 on the Ministry for acting in violation of Articles 13(1)(e) and 32(1) of the GDPR. Moreover, the AP ordered the Ministry to end the violations by taking appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
In addition, the AP imposed an order, subject to periodic penalty payments, for remedying the security deficiencies (€50,000 every two weeks) and the information provision deficiencies (€10,000 per week).
UPDATE (17 May 2022)
EDPB publishes English summary of AP's decision to fine Ministry of Foreign Affairs €565,000
The European Data Protection Board ('EDPB') published, on 16 May 2022, an English summary of the AP's decision to fine the Ministry of Foreign Affairs €565,000 for inadequately securing visa applications.