Biggest GDPR Fines in the Netherlands: Foreign Office Fined for Poor Security

Published on:
March 10, 2024
|
Reading time:
2 min.
WRITTEN BY
Ulrika Skadhauge
Assistant attorney
TABLE OF CONTENTS

Get our EU Casebook 2023

Want to dive into more GDPR fines and other interesting cases from the EU?

Do you want to dive into a worst-case example of what happens when an organisation doesn’t comply with GDPR obligations regarding risk assessment of vendors?

In this blog post, we cover one of the biggest fines in Dutch GDPR history given to a foreign office that didn’t ensure appropriate security.

Therefore, we take you through:

  • The case in brief: Inadequate security measures of data processor
  • The decision from the Dutch DPA
  • Our 4 remarks on the case.

The case in brief: Inadequate security measures of data processor

Over the last three years, The Dutch Ministry of Foreign Affairs has processed approximately 530,000 visa applications per year.

To facilitate the Schengen visa process, the Ministry used the National Visa Information System (NVIS) as its digital platform.

However, the security measures of the NVIS were inadequate, leading to the possibility of unauthorized access and tampering of files.

Also, the Ministry failed to inform visa applicants about the sharing of their personal data with third-party entities.

The decision from the Dutch DPA

The Dutch DPA imposed an administrative fine of 55,000 EUR on the Ministry of Foreign Affairs for inadequate security regarding visa applications (GDPR, Article 32).

Our 4 remarks on the case

#1: Complying with Article 23

If a controller must live up to certain security requirements due to specialist legislation, these requirements will often align with GDPR, Article 32.

This is because Article 32 of the GDPR obliges the data controller to ensure appropriate security measures in light of the nature, scope, context and purposes of processing personal data.

#2: Higher sensitivity asks for better safety measurements

When the sensitivity of the personal data is high, the requirements for safety measurements also rise. When dealing with highly sensitive personal data, the requirements for safety measures also rise correspondingly.

#3: Limited user access

Within an organization, user access should always be limited so that employees only have access to necessary personal data corresponding to their role.

You can ensure this by implementing procedures for granting and revoking user access to different employees at different points in time.

#4: Procedures on logging

Logging is an effective way to ensure technical security. However, if the logs contain personal data, procedures must be implemented to ensure compliance with data processing regulations.

This case on the Dutch foreign office has taught us one thing in particular:

How crucial it is to conduct risk assessments on vendors and IT systems.

We can help you complete an overview of risk levels for all your vendors and systems with a single click.

This way, you can easily connect your processes and prioritize your tasks. 

Get our EU Casebook 2023

Want to dive into more GDPR fines and other interesting cases from the EU?

Download now
Published:
March 10, 2024
Category:
GDPR