Lack of security of visa applications results in a fine from the Dutch Supervisory Authority

The Dutch Supervisory Authority has fined the Ministry of Foreign Affairs €565,000 for a lack of security of visa applications.

The Ministry of Foreign Affairs has been fined by the Dutch Supervisory Authority for a lack of security of personal data processed for visa applications, according to this report from the EDPB. The Dutch Supervisory Authority found that the personal data in all these applications had not been adequately protected. The Ministry of Foreign Affairs has processed the personal data of applicants for an average of 530,000 visa applications per year over the past three years. This personal data includes sensitive information, such as an applicant’s fingerprints, name, address, country of birth, purpose of travel, nationality and photograph. In addition, the Dutch Supervisory Authority also found that the Ministry of Foreign Affairs failed to adequately inform visa applicants that their personal data would be shared with other parties.

 

The digital systems used to process visa applications were inadequately secured, making it possible for unauthorised parties to access and alter information.

The systems used by the Ministry of Foreign Affairs to process visa applications were found to be inadequately secured, putting applicants’ personal data at risk.

The Dutch Supervisory Authority found that the digital system used by the Ministry of Foreign Affairs for the Schengen visa process, known as the National Visa Information System (NVIS), was inadequately secured. As a result, there was a possibility that unauthorised parties could access and change files. User rights need to be appropriately assigned to prevent access by unauthorised parties, and the DPA suggests regular checks of user rights and data logging so that such access can be prevented and detected. In addition, the Ministry of Foreign Affairs failed to sufficiently inform visa applicants about the sharing of their personal data with third parties.

 

The Dutch Supervisory Authority imposed a fine of €565,000 and ordered the Ministry of Foreign Affairs to come into compliance or face further sanctions.

The Dutch Supervisory Authority fined the Dutch Ministry of Foreign Affairs €565,000 for the long-term, large-scale and serious GDPR violations associated with its visa-issuing process. In addition to imposing this fine, the Dutch Supervisory Authority also ordered the Minister of Foreign Affairs to ensure that an appropriate level of security is implemented. Failure to do so would result in a penalty of €50,000 per two-week period. The ministry was also ordered to provide applicants with adequate information regarding the sharing of their data, or possibly face a penalty of €10,000 per week.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Record fine imposed by the Dutch DPA

A record fine was imposed on the Tax and Customs Administration by the Dutch DPA for multiple GDPR violations.

The Dutch Data Protection Authority has imposed a fine of €3.7 million on the Tax and Customs Administration for years of unlawful processing of personal data in its Fraud Signalling Facility. According to this report from the Dutch DPA, the facility was a blacklist on which the Tax and Customs Administration kept records of suspected fraud. Inclusion on this list often had major consequences for the people concerned, some of whom were innocent. During its investigation into the Fraud Signalling Facility, the Dutch DPA found a long list of GDPR violations, which resulted in the DPA’s highest fine to date. The DPA considered this necessary because of the seriousness of the violations, the impact on large numbers of people, and the length of time over which the violations continued.

 

The Dutch DPA’s investigation revealed several serious GDPR violations.

The investigation revealed, for starters, that the Tax and Customs Administration had no legal basis for processing the personal data on the list. Without a legal basis, the processing of personal data is prohibited under the GDPR. Another major issue with the fraud list was that the personal data was, in several cases, incorrect. As a result, people were wrongly registered as possible fraudsters and faced serious consequences. In addition, according to the Dutch DPA, the security of the data on this list was insufficient, and the Tax and Customs Administration’s internal data protection officer was not involved early enough in the setting up of the list. The investigation also revealed that employees were instructed to base the risk of fraud partly on discriminatory factors such as nationality and people’s appearance.

 

When determining the amount of the fine, the Dutch DPA took into account each of the GDPR violations committed by the Tax and Customs Administration, resulting in its highest overall fine to date.

When determining the amount of the fine, the Dutch DPA (the AP) also took into account the fact that the Tax and Customs Administration had committed serious violations of the GDPR. The record fine of €3.7 million included a €1 million fine for the processing of personal data without a legal basis and €750,000 for the failure to define the Fraud Signalling Facility (FSV) in advance. There was an additional €750,000 for the incorrect data included in the FSV blacklist and €250,000 for the length of time this data was kept. The insufficient security of this data cost the Tax and Customs Administration another €500,000. The Dutch DPA also applied a fine of €450,000 because the Tax and Customs Administration took over a year before having the risk assessed by its internal DPO.
