Lack of security of visa applications results in a fine from the Dutch Supervisory Authority

The Dutch Supervisory Authority has fined the Ministry of Foreign Affairs €565,000 for a lack of security of visa applications.

The Ministry of Foreign Affairs has been fined by the Dutch Supervisory Authority for a lack of security of personal data processed for visa applications, according to this report from the EDPB. The Dutch Supervisory Authority found that the personal data in all of these applications had not been adequately protected. The Ministry of Foreign Affairs has processed the personal data of applicants for an average of 530,000 visa applications per year over the past three years. This personal data includes sensitive information such as applicants’ fingerprints, names, addresses, countries of birth, purposes of travel, nationalities and photographs. In addition, the Dutch Supervisory Authority found that the Ministry of Foreign Affairs failed to adequately inform visa applicants that their personal data would be shared with other parties.

The digital systems used to process visa applications were inadequately secured, making it possible for unauthorised parties to access and alter information.

The systems used by the Ministry of Foreign Affairs to process visa applications were found to be inadequately secured, putting applicants’ personal data at risk.

The Dutch Supervisory Authority found that the digital system used by the Ministry of Foreign Affairs for the Schengen visa process, known as the National Visa Information System (NVIS), was inadequately secured. As a result, there was a possibility that unauthorised parties could access and change files. User rights need to be appropriately assigned to prevent access by unauthorised parties, and the DPA suggests regular checks of user rights together with data logging. In addition, the Ministry of Foreign Affairs failed to sufficiently inform visa applicants about the sharing of their personal data with third parties.
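The two controls the DPA points to here, assigning user rights correctly and checking them regularly against what is logged, can be turned into a periodic review. The script below is an added illustration, not code from the DPA, the Ministry or the NVIS system: it assumes a simple role matrix, an exported list of accounts with their granted permissions, and an application-level audit log, all of which are constructed for the example. It flags permissions granted beyond what a role allows, accounts that have gone dormant, and logged actions performed by users whose role does not permit them (or by accounts that are not in the inventory at all).

```python
from dataclasses import dataclass
from datetime import date, datetime

# Approved role matrix (constructed for this example): the permissions
# each role is allowed to hold on application records.
ROLE_MATRIX = {
    "visa_officer": {"read", "modify"},
    "consular_clerk": {"read"},
    "auditor": {"read", "read_logs"},
}


@dataclass
class Account:
    user: str
    role: str
    granted: set          # permissions actually granted in the system
    last_login: date


# Constructed account inventory, shaped like an IAM export.
ACCOUNTS = [
    Account("a.jansen", "visa_officer", {"read", "modify"}, date(2022, 3, 1)),
    Account("b.devries", "consular_clerk", {"read", "modify"}, date(2022, 2, 20)),   # holds modify beyond role
    Account("c.bakker", "auditor", {"read", "read_logs", "delete"}, date(2021, 6, 10)),  # excess right, dormant
    Account("d.smit", "consular_clerk", {"read"}, date(2021, 1, 5)),                  # dormant
]

# Constructed audit log: "<ISO timestamp> <user> <action> <record-id>" per line.
AUDIT_LOG = """\
2022-03-01T09:12:03 a.jansen modify APP-1001
2022-03-01T09:15:44 b.devries read APP-1002
2022-03-01T09:16:10 b.devries modify APP-1002
2022-03-01T10:02:51 d.smit read APP-1003
2022-03-01T10:03:00 e.unknown modify APP-1004
"""


def excess_rights(accounts):
    """Map user -> permissions granted beyond what the user's role allows."""
    result = {}
    for acct in accounts:
        extra = acct.granted - ROLE_MATRIX.get(acct.role, set())
        if extra:
            result[acct.user] = extra
    return result


def dormant_accounts(accounts, today, max_idle_days=90):
    """Accounts not used for more than max_idle_days; candidates for removal."""
    return sorted(a.user for a in accounts if (today - a.last_login).days > max_idle_days)


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, action, record) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split()
        events.append((datetime.fromisoformat(ts), user, action, record))
    return events


def unauthorised_actions(accounts, log_text):
    """Logged actions the actor's role does not permit, or by unknown actors.

    The check is against the role matrix rather than the granted set, so use
    of an over-granted right (b.devries modifying a record) is surfaced too.
    """
    by_user = {a.user: a for a in accounts}
    findings = []
    for _ts, user, action, record in parse_log(log_text):
        acct = by_user.get(user)
        allowed = ROLE_MATRIX.get(acct.role, set()) if acct else set()
        if action not in allowed:
            findings.append((user, action, record))
    return findings


def run_review(accounts=ACCOUNTS, log_text=AUDIT_LOG, today=date(2022, 3, 2)):
    """One periodic review run over the inventory and the log."""
    return {
        "excess_rights": excess_rights(accounts),
        "dormant": dormant_accounts(accounts, today),
        "unauthorised": unauthorised_actions(accounts, log_text),
    }


if __name__ == "__main__":
    for finding, value in run_review().items():
        print(f"{finding}: {value}")
```

Reconciling log events against the role matrix rather than against the rights actually granted is the point of the example: a rights review alone finds the over-granted permission, but only the log shows whether it was used, which is what an authority assessing the impact of a gap will ask.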

The Dutch Supervisory Authority imposed a fine of €565,000 and ordered the Ministry of Foreign Affairs to come into compliance or face further sanctions.

The Dutch Supervisory Authority fined the Dutch Ministry of Foreign Affairs €565,000 for the long-term, large-scale and serious GDPR violations associated with its visa-issuing process. In addition to imposing this fine, the Dutch Supervisory Authority ordered the Minister of Foreign Affairs to ensure that an appropriate level of security is implemented; failure to do so would result in a penalty of €50,000 per two-week period. The ministry was also ordered to provide applicants with adequate information regarding the sharing of their data, or face a possible penalty of €10,000 per week.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Google reprimanded by Belgian SA

Google was reprimanded by the Belgian SA due to a lack of transparency concerning a request to have articles delisted.

This recent decision by the Belgian SA concerns a lawyer who had been disbarred less than 10 years ago and who requested that articles and information concerning his disbarment be delisted. The complainant currently works as a legal advisor, and his complaint was dismissed by the Belgian SA. According to this report by the EDPB, the Authority nevertheless reprimanded Google for a lack of transparency in this case: under the GDPR, the Belgian SA identified shortcomings in the manner in which Google handled the complainant’s request.

Google reprimanded by the Belgian Supervisory Authority despite the complaint made against the company being dismissed

While the Belgian Supervisory Authority dismissed the complaints regarding Google’s refusal to delist, the Authority found it necessary to reprimand the company due to shortcomings in the manner in which the delisting request was handled. Google did not honour the complainant’s request, reasoning that the public still has an interest in accessing the information concerning the lawyer through the search engine. The Belgian Supervisory Authority, while not disagreeing with this, found that the complainant was effectively ‘passed around’ from Google Ireland to Google LLC via Google Belgium, and that there were issues with the quality of the statement explaining why the delisting was refused. This statement was found to lack transparency and to be in violation of Article 12 of the GDPR.

The Belgian Supervisory Authority found issues with the quality of the response to the data subject’s request.

With regard to the request under Article 17 of the GDPR, the Belgian Supervisory Authority found Google to be in violation of Article 12 of the GDPR. Article 17 relates to the data subject’s right to erasure, and while the authority dismissed the complaints of the data subject in this instance, the company was found to be in violation of Article 12 due to the lack of transparency in responding to the data subject’s request. Article 12 states that “the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language…” In this case, because the controller was not clearly identified, the authority found issues with the quality of the response to the data subject’s request and reprimanded the company.


New cookie consent popup launched by Google following CNIL fine

Google is rolling out a new cookie consent popup after receiving a fine from the CNIL under the EU GDPR.

Google recently shared a preview of its new cookie consent popup. The new popup will initially be available on YouTube in France; however, Google has said that it plans to roll out the new design across all Google services in Europe. The new cookie consent popup comes a few months after the CNIL of France fined Google €150 million for breaching data protection law. According to the CNIL, Google’s previous cookie consent popup failed to comply with current regulation in the way it presented tracking choices to users. Not only has the text been updated but, more importantly, the choices offered at the bottom of the cookie consent popup are very different.

Google made some drastic changes to the choices offered at the bottom of the new cookie consent popup.

The choices at the bottom of the screen in the new cookie consent popup are radically different. With the old design, users had two options: “I Agree” and “Customize”. Users who clicked on “Customize” were taken to a separate web page with several options, and in order to disable all personalisation settings they had to click “off” three times and then click confirm. In the new design there is a third option, a “Deny All” button that lets users opt out of tracking altogether with a single click, and the two main buttons are the same colour, size and shape. Under the EU GDPR and the ePrivacy rules, online services have to obtain clear consent from their users before they can process data from cookies that are not strictly necessary. Consent must be informed, specific and freely given in order to be legally obtained. The new approach will allow Google to obtain more meaningful consent from users.

Inspired by guidance from the CNIL under the EU GDPR, Google has overhauled its approach to managing cookies.

After the initial rollout of the updated popup on YouTube in France, Google plans to use the same design for its search engine across the European Economic Area, the U.K. and Switzerland. Many users will not see the updated popup: users who are already logged into a Google account have settings that are already stored in their profiles, and people who use Google Chrome more than likely have their web browser tied to their Google accounts if they have ever logged into a Google service in the past. New users will soon see the additional options in the new cookie consent popup, while existing users can review their privacy settings. “Following conversations and in accordance with specific directives from the Commission nationale de l’informatique et des libertés (CNIL), we carried out a complete overhaul of our approach. In particular, we have changed the infrastructure we use to manage cookies,” Google wrote in a recent blog.

Does your company want to collect cookies through a website or app? Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Record fine imposed by the Dutch DPA

A record fine was imposed on the Tax and Customs Administration by the Dutch DPA for multiple GDPR violations.

The Dutch Data Protection Authority has imposed a fine of €3.7 million on the Tax and Customs Administration for years of unlawful processing of personal data in its Fraud Signalling Facility. According to this report from the Dutch DPA, this operation involved a blacklist on which the Tax and Customs Administration kept records of fraud. Inclusion on the list often had major consequences for the people concerned, some of whom were innocent. During an investigation into the Fraud Signalling Facility, the Dutch DPA found a long list of GDPR violations, resulting in the DPA’s highest fine to date. The DPA considered this necessary given the seriousness of the violations, the impact on large numbers of people, and the length of time over which the violations continued.

The Dutch DPA’s investigation revealed several serious GDPR violations.

The investigation revealed, for starters, that the Tax and Customs Administration had no legal basis for processing the personal data on the list. Without a legal basis, the processing of personal data is prohibited under the GDPR. Another major issue with the fraud list was that the personal data was, in several cases, incorrect; as a result, people were wrongly registered as possible fraudsters and faced serious consequences. In addition, according to the Dutch DPA, the security of the data on this list was insufficient, and the Tax and Customs Administration’s internal data protection officer was not involved early enough in setting up the list. The investigation also revealed that employees were instructed to base the risk of fraud partly on discriminatory factors such as nationality and people’s appearance.

When determining the amount of the fine, the Dutch DPA took into account each of the GDPR violations committed by the Tax and Customs Administration, resulting in its highest overall fine to date.

When determining the amount of the fine, the Dutch DPA (Autoriteit Persoonsgegevens, AP) also took into account the fact that the Tax and Customs Administration had committed serious violations of the GDPR. The record fine of €3.7 million comprised a €1 million fine for processing personal data without a legal basis and €750,000 for failing to define the Fraud Signalling Facility (FSV) in advance. There was an additional €750,000 for the incorrect data included in the FSV blacklist and €250,000 for the length of time this data was kept. The insufficient security of this data cost the Tax and Customs Administration another €500,000. The Dutch DPA also imposed a fine of €450,000 because the Tax and Customs Administration took over a year to have the risk assessed by its internal DPO.
