Do you want to dive into a worst-case example of what happens when an organisation does not meet its GDPR obligations on assessing the risks of vendors and IT systems?
In this blog post, we cover one of the biggest fines in Dutch GDPR history, imposed on the Ministry of Foreign Affairs for failing to ensure appropriate security.
We take you through the case itself, the GDPR requirements it illustrates, and the lessons to take away from it.
Over the last three years, The Dutch Ministry of Foreign Affairs has processed approximately 530,000 visa applications per year.
To facilitate the Schengen visa process, the Ministry used the National Visa Information System (NVIS) as its digital platform.
However, the security measures of the NVIS were inadequate: unauthorized access to, and tampering with, visa files could not be ruled out.
Also, the Ministry failed to inform visa applicants about the sharing of their personal data with third-party entities.
The Dutch DPA (Autoriteit Persoonsgegevens) imposed an administrative fine of 565,000 EUR on the Ministry of Foreign Affairs for inadequate security of visa applications (GDPR, Article 32).
Want to dive into more GDPR fines and other interesting cases from the EU?
If a controller must meet certain security requirements under specialist legislation, these requirements will often align with Article 32 of the GDPR.
This is because Article 32 obliges the data controller to ensure security measures that are appropriate in light of the nature, scope, context and purposes of the processing, and the risks it poses to the people concerned.
The more sensitive the personal data, the higher the bar for the security measures: visa applications contain identity documents, travel history and often biometric data, so the expected level of protection is correspondingly high.
Within an organization, user access should always be limited so that employees only have access to the personal data their role actually requires.
You can ensure this by implementing procedures for granting and revoking user access: access is granted for a defined role and period, reviewed when an employee changes role, and revoked promptly when they leave.
Logging of who accessed which data, and when, is an effective technical measure, because it makes unauthorized access detectable. However, if the logs themselves contain personal data, they are a processing operation in their own right, and procedures for their retention, access and purpose must be in place to keep that processing compliant.
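As an added illustration of the two points above (role-limited access with grants that expire or are revoked, and access logs that record the decision without copying personal data into them), here is example code written for this post. It is not NVIS or any Ministry system, and every user name, role, key and application record in it is constructed for the example.

```python
"""Added example: least-privilege access to visa-application records with
time-bounded grants, explicit revocation, and an audit log that records who
accessed which record without storing names or raw identifiers.
Example code written for this post; not NVIS or any real system. All roles,
users, keys and records below are constructed."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Role -> actions that role may perform on a visa application record.
# Constructed for this example; a real system would load this from policy.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "visa_officer": frozenset({"read", "update"}),
    "auditor": frozenset({"read"}),
    "helpdesk": frozenset(),  # may use the system, but never sees applications
}


@dataclass
class Grant:
    role: str
    valid_from: datetime
    valid_until: datetime  # every grant expires; nothing is open-ended
    revoked: bool = False

    def active(self, now: datetime) -> bool:
        return not self.revoked and self.valid_from <= now < self.valid_until


@dataclass
class AccessControl:
    """Role-based access with timed grants plus a personal-data-free audit log."""

    log_key: bytes  # secret HMAC key: only its holder can resolve log pseudonyms
    grants: dict[str, list[Grant]] = field(default_factory=dict)
    audit_log: list[dict[str, object]] = field(default_factory=list)

    def grant(self, user: str, role: str, start: datetime, days: int) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.grants.setdefault(user, []).append(
            Grant(role, start, start + timedelta(days=days))
        )

    def revoke(self, user: str) -> None:
        # Leaver or role change: every grant for the user is cut at once.
        for g in self.grants.get(user, []):
            g.revoked = True

    def active_roles(self, user: str, now: datetime) -> set[str]:
        return {g.role for g in self.grants.get(user, []) if g.active(now)}

    def pseudonym(self, value: str) -> str:
        # Keyed hash: entries stay linkable for audit, but hold no raw identifier.
        return hmac.new(self.log_key, value.encode(), hashlib.sha256).hexdigest()[:16]

    def access(self, user: str, action: str, application: dict[str, str],
               now: datetime) -> bool:
        roles = self.active_roles(user, now)
        allowed = any(action in ROLE_PERMISSIONS[r] for r in roles)
        # Log the decision, not the data: no applicant name, no user name.
        self.audit_log.append({
            "ts": now.isoformat(),
            "user": self.pseudonym(user),
            "application": self.pseudonym(application["id"]),
            "action": action,
            "allowed": allowed,
        })
        return allowed


def demo() -> dict[str, object]:
    """Walk through grant, expiry and revocation; returns the outcomes."""
    now = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    ac = AccessControl(log_key=b"constructed-log-key-rotate-in-production")
    ac.grant("officer-1", "visa_officer", now - timedelta(days=1), days=30)
    ac.grant("temp-2", "auditor", now - timedelta(days=40), days=30)  # already expired
    ac.grant("helpdesk-3", "helpdesk", now - timedelta(days=1), days=30)
    application = {"id": "APP-0001", "applicant": "Jane Example"}  # constructed record

    out: dict[str, object] = {}
    out["officer_read"] = ac.access("officer-1", "read", application, now)
    out["officer_update"] = ac.access("officer-1", "update", application, now)
    out["expired_auditor_read"] = ac.access("temp-2", "read", application, now)
    out["helpdesk_read"] = ac.access("helpdesk-3", "read", application, now)
    ac.revoke("officer-1")
    out["officer_read_after_revoke"] = ac.access("officer-1", "read", application, now)
    out["log"] = ac.audit_log
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two design choices matter here. Denied attempts are logged as well as granted ones, because a stream of refusals is exactly the signal that an access review or incident response needs. And the log stores keyed pseudonyms rather than names, so the log itself holds far less personal data while an auditor holding the key can still tie entries back to a user or record when an investigation requires it.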
This case concerning the Dutch Ministry of Foreign Affairs teaches one thing in particular: how crucial it is to conduct risk assessments of the vendors and IT systems that process personal data on your behalf.
We can help you complete an overview of risk levels for all your vendors and systems with a single click.
This way, you can easily connect your processes and prioritize your tasks.
Do you want to manage and navigate your risks efficiently?