Inadequate security of visa applications results in a fine from the Dutch Supervisory Authority

The Dutch Supervisory Authority has fined the Ministry of Foreign Affairs €565,000 for inadequate security of visa applications.

The Ministry of Foreign Affairs has been fined by the Dutch Supervisory Authority for inadequate security of the personal data processed for visa applications, according to this report from the EDPB. The Dutch Supervisory Authority found that the personal data in these applications was not adequately protected. Over the past three years the Ministry of Foreign Affairs has processed the personal data of applicants for an average of 530,000 visa applications per year. This personal data includes sensitive information such as an applicant's fingerprints, name, address, country of birth, purpose of travel, nationality and photograph. In addition, the Dutch Supervisory Authority found that the Ministry of Foreign Affairs failed to adequately inform visa applicants that their personal data would be shared with other parties.

The digital systems used to process visa applications were inadequately secured, making it possible for unauthorised parties to access and alter information.

The systems used by the Ministry of Foreign Affairs to process visa applications were found to be inadequately secured, putting applicants' personal data at risk.

The Dutch Supervisory Authority found that the digital system used by the Ministry of Foreign Affairs for the Schengen visa process, known as the National Visa Information System (NVIS), was inadequately secured. As a result, it was possible for unauthorised parties to access and change files. User rights need to be assigned appropriately so that only those who need access to a file have it, and the DPA points to regular checks of user rights and to logging as the measures it expects: a periodic review of who holds which rights, and a record of who accessed or changed which file, are what make unauthorised access preventable and detectable. In addition, the Ministry of Foreign Affairs failed to sufficiently inform visa applicants about the sharing of their personal data with third parties.

The Dutch Supervisory Authority imposed a fine of €565,000 and ordered the Ministry of Foreign Affairs to come into compliance or face further penalties.

The Dutch Supervisory Authority fined the Dutch Ministry of Foreign Affairs €565,000 for the long-term, large-scale and serious GDPR violations associated with its visa-issuing process. In addition to the fine, the Dutch Supervisory Authority ordered the Ministry of Foreign Affairs to ensure that an appropriate level of security is implemented; failure to do so will incur a penalty of €50,000 per two-week period. The Ministry was also ordered to provide applicants with adequate information about the sharing of their data, or face a penalty of €10,000 per week.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Pandemic related data collection halted in Germany

The Hamburg Commissioner for Data Protection and Freedom of Information has announced an end to pandemic-related data collection and storage.

Many of the legal measures implemented to contain the coronavirus pandemic have recently come to an end in Hamburg, as the Hamburg hotspot regulation expired on April 30, 2022. As these regulations are lifted, the obligations and powers to collect personal data that came with them are gradually falling away. Companies and public authorities in Hamburg are now expected to stop all pandemic-related data collection and are encouraged to use this phase of the pandemic to take stock of their "corona data". Companies are asked to check their existing databases and delete all data that is no longer required. Retaining data against a possible future worsening of the pandemic is not a valid reason to keep it: with the legal basis ceasing to apply, that storage is no longer permitted.

Employee data collected under the 3G rule in Germany must be deleted.

The obligation to delete data applies in particular to all employers who previously queried the status of their employees under the German "3G rule". This rule required employees to provide health data, specifically their COVID-19 status in terms of vaccination, recovery or a negative test result. Hospitality and entertainment venues, such as restaurants and cinemas, are likewise now required to delete any contact data of guests that was recorded in the context of the pandemic.

The Hamburg Commissioner for Data Protection and Freedom of Information says that special categories of data collected in the context of the pandemic must now be deleted.

There has now been an official call to delete all sensitive health data collected throughout Germany in the context of the pandemic, now that the regulations which provided the legal basis for collecting and storing this data have expired. Thomas Fuchs, the Hamburg Commissioner for Data Protection and Freedom of Information, was quoted in a recent report as saying: "In the last two years we have experienced an exceptional situation in many respects. Special categories of data were also collected on a large scale. These were significant encroachments on fundamental rights, which can be justified in the context of the pandemic. With the expiry of the legal powers, this collected data must now be deleted. In some cases, we observe attempts to maintain surveillance practices or to retain collected data for other purposes and contingencies. Here it is important to do educational work and, if necessary, to intervene in a supervisory manner."


Medical data breach leads to major fine from the CNIL

Earlier this month, the CNIL imposed a fine of €1.5 million after a medical data breach affecting nearly 500,000 people revealed a company’s security flaws.

Early last year, a major data breach affecting nearly 500,000 people was reported. The breach involved information including users' surnames, first names, social security numbers, the names of their prescribing doctors, the dates of their examinations and, most critically, medical information on conditions (HIV, cancers, genetic diseases, pregnancies, drug treatments followed by the patient, and even genetic data). In February 2021, the CNIL carried out several inquiries into DEDALUS BIOLOGY, a software company which supports medical analysis laboratories. Based on its findings, the CNIL concluded that the company had breached several obligations under the GDPR, in particular the obligation to ensure the security of personal data. The CNIL decided to impose a fine of €1.5 million and to make the decision public. The amount of the fine was set according to the seriousness of the violations, but also took the company's turnover into account.

The CNIL sanctioned the software company for violating several GDPR obligations following the medical data breach.

Two companies engaged DEDALUS BIOLOGY to migrate their data from one software tool to another. In doing so, the company extracted a larger volume of data than was required to perform this task, and therefore processed data beyond the instructions given by the data controllers.

This breach of the processor's obligation to comply with the controller's instructions is a violation of Article 29 of the GDPR. The CNIL also fined the company for failing to govern its processing by a formalised legal act: the maintenance contracts that DEDALUS sent to the CNIL did not contain the information required by Article 28(3) of the GDPR, which states that processing by a processor "…shall be governed by a contract or other legal act under Union or Member State law…".

During its investigation, the CNIL also found several technical and organisational security failings at DEDALUS BIOLOGY in relation to the migration from one software tool to another. These included the lack of a specific procedure for data migration operations, the lack of encryption of the personal data stored on the server in question, and the absence of automatic deletion of the data once the migration to the new software was complete. In addition, no authentication was required to reach the public area of the server from the Internet, and user accounts on the private area of the server were shared between several employees, so that actions could not be attributed to an individual. DEDALUS also had no monitoring procedure or security-alert escalation path for the server, so an intrusion would not be noticed or acted on. Taken together, this lack of satisfactory security measures contributed to the data breach which compromised the medical and administrative data of nearly 500,000 people and violated Article 32 of the GDPR.


New cookie consent popup launched by Google following CNIL fine

Google is rolling out a new cookie consent popup after receiving a fine from the CNIL for breaching data protection law.

Google recently shared a preview of its new cookie consent popup. The new popup will initially be available on YouTube in France; however, Google has said that it plans to roll out the new design across all of its services in Europe. The new cookie consent popup comes a few months after the French CNIL fined Google €150 million for breaching data protection law. According to the CNIL, the previous cookie consent popup did not comply with current regulation in the way it presented tracking choices to users. Not only has the text been updated, but, more importantly, the choices offered at the bottom of the cookie consent popup are very different.

Google made drastic changes to the choices offered at the bottom of the new cookie consent popup.

The choices at the bottom of the screen in the new cookie consent popup are radically different. In the old design, users had two options, "I Agree" and "Customize". Users who clicked "Customize" were taken to a separate web page with several options, and in order to disable all personalisation settings they had to click "off" three times and then click confirm. In the new design there is a third option, a "Deny All" button that lets users opt out of tracking altogether with a single click, and the two main buttons have the same colour, size and shape. Under the EU GDPR and the ePrivacy rules, online services must obtain clear consent from their users before setting cookies that are not strictly necessary, and that consent must be informed, specific and freely given in order to be valid. The practical point is that refusing must be as easy as accepting: a refusal that takes four clicks when acceptance takes one is not freely given. The new approach will allow Google to obtain more meaningful consent from users.
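The consent mechanism described above, as an added example that is not Google's code and not part of the original post: a DOM-free model of gating non-essential cookies behind consent, in which "accept all" and "deny all" are each a single action, a customised choice only enables the purposes the user explicitly switched on, and an old consent record no longer counts once the policy changes. The purpose categories, cookie names and policy version are constructed for the demo; wiring the three actions to real buttons is left to the hosting page.

```javascript
// Added example (not Google's code or the original post's): a DOM-free model of
// consent gating for cookies that are not strictly necessary.
// Assumptions: the purpose categories, the cookie names and the policy version
// below are constructed for this demo.

// Bump this whenever the purposes or the banner text change, so that an old
// record no longer counts as informed consent and the banner is shown again.
const COOKIE_POLICY_VERSION = 3;

// Non-essential purposes; each one needs an explicit, specific opt-in.
const NON_ESSENTIAL = ["analytics", "advertising", "personalisation"];

// Constructed inventory of cookies the site would like to set, tagged by purpose.
const SITE_COOKIES = [
  { name: "session_id",  category: "necessary" },
  { name: "csrf_token",  category: "necessary" },
  { name: "_analytics",  category: "analytics" },
  { name: "ad_profile",  category: "advertising" },
  { name: "yt_personal", category: "personalisation" },
];

// Turn one user action into a consent record. "accept_all" and "deny_all" are
// each a single click with no sub-menu; "customise" takes explicit per-purpose
// flags, and any purpose the user did not switch on stays off (no pre-ticked boxes).
function recordConsent(action, granular = {}, now = Date.now()) {
  const purposes = {};
  for (const cat of NON_ESSENTIAL) {
    if (action === "accept_all") purposes[cat] = true;
    else if (action === "deny_all") purposes[cat] = false;
    else if (action === "customise") purposes[cat] = granular[cat] === true;
    else throw new Error("unknown consent action: " + action);
  }
  return { version: COOKIE_POLICY_VERSION, timestamp: now, purposes };
}

// A record is only usable if it was given against the current policy version.
function consentIsCurrent(consent) {
  return Boolean(consent) && consent.version === COOKIE_POLICY_VERSION
    && typeof consent.purposes === "object" && consent.purposes !== null;
}

// The banner must be shown until a current record exists. A denial is itself a
// stored, valid choice, so the user is not nagged again on every page load.
function mustShowBanner(consent) {
  return !consentIsCurrent(consent);
}

// Names of the cookies that may be set: strictly necessary ones always, every
// other one only with an explicit true for its purpose in a current record.
function allowedCookies(consent) {
  const current = consentIsCurrent(consent);
  return SITE_COOKIES
    .filter(c => c.category === "necessary" || (current && consent.purposes[c.category] === true))
    .map(c => c.name);
}

// Quick demonstration of the three paths plus a stale record.
console.log("deny all  :", allowedCookies(recordConsent("deny_all")));
console.log("accept all:", allowedCookies(recordConsent("accept_all")));
console.log("customise :", allowedCookies(recordConsent("customise", { analytics: true })));
console.log("stale     :", allowedCookies({ version: 2, purposes: { advertising: true } }));
```

The design choice worth noting is that the "deny all" path and the "accept all" path are symmetric: both produce a complete record in one call, and the gating function never treats an absent or outdated record as permission, so a page that forgets to show the banner fails closed rather than setting tracking cookies by default.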

Following specific directives from the CNIL, Google has overhauled its approach to managing cookies.

After the initial roll-out of the updated popup on YouTube in France, Google plans to use the same design for its search engine as well, across the European Economic Area, the U.K. and Switzerland. Many users will not see the updated popup: users who are already logged into a Google account have settings that are already stored in their profiles, and people who use Google Chrome are likely to have their browser tied to a Google account if they have ever logged into a Google service in the past. New users will soon see the new cookie consent popup with its additional options, while existing users can review their privacy settings. "Following conversations and in accordance with specific directives from the Commission nationale de l'informatique et des libertés (CNIL), we carried out a complete overhaul of our approach. In particular, we have changed the infrastructure we use to manage cookies," Google wrote in a recent blog post.

Does your company want to set cookies through a website or app? Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, the Law Enforcement Directive and the Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.