Lack of security of visa applications results in a fine from the Dutch Supervisory Authority

The Dutch Supervisory Authority has fined the Ministry of Foreign Affairs €565,000 for a lack of security of visa applications.

The Ministry of Foreign Affairs has been fined by the Dutch Supervisory Authority for a lack of security of personal data processed for visa applications, according to this report from the EDPB. The Dutch Supervisory Authority found that the personal data in all these applications had not been adequately protected. The Ministry of Foreign Affairs has processed the personal data of applicants for an average of 530,000 visa applications per year over the past three years. This personal data includes sensitive information, such as an applicant’s fingerprints, name, address, country of birth, purpose of travel, nationality and photograph. In addition, the Dutch Supervisory Authority found that the Ministry of Foreign Affairs failed to adequately inform visa applicants that their personal data would be shared with other parties.

The digital systems used to process visa applications were inadequately secured, making it possible for unauthorised parties to access and alter information.

The systems used by the Ministry of Foreign Affairs to process the visa applications were found to be inadequately secured, putting applicants’ personal data at risk.

The Dutch Supervisory Authority found that the digital system used by the Ministry of Foreign Affairs for the Schengen visa process, known as the National Visa Information System (NVIS), was inadequately secured. As a result, there was a possibility that unauthorised parties could access and change files. User rights need to be appropriately assigned to prevent access by unauthorised parties, and the Authority recommends regular reviews of user rights together with logging of data access. In addition, the Ministry of Foreign Affairs failed to sufficiently inform visa applicants about the sharing of their personal data with third parties.

The Dutch Supervisory Authority imposed a fine of €565,000 and ordered the Ministry of Foreign Affairs to come into compliance or face further sanctions.

The Dutch Supervisory Authority fined the Dutch Ministry of Foreign Affairs €565,000 for the long-term, large-scale and serious GDPR violations associated with its visa-issuing process. In addition to imposing this fine, the Dutch Supervisory Authority ordered the Minister of Foreign Affairs to ensure that an appropriate level of security is implemented. Failure to do so would result in a penalty of €50,000 per two-week period. The Ministry was also ordered to provide applicants with adequate information regarding the sharing of their data, or face a possible penalty of €10,000 per week.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Pandemic-related data collection halted in Germany

The Hamburg Commissioner for Data Protection and Freedom of Information has announced an end to pandemic-related data collection and storage.

Many of the legal measures implemented to contain the coronavirus pandemic have recently come to an end in Hamburg, as the Hamburg hotspot regulation expired on April 30, 2022. As these regulations are lifted, the obligations and powers to collect personal data are gradually being removed. Companies and public authorities in Hamburg are now expected to stop all pandemic-related data collection and are encouraged to use this phase of the pandemic as an opportunity to take stock of their “corona data”. Companies are asked to check their existing databases and delete all data that is no longer required. Retaining data in case of a possible future worsening of the pandemic is now considered unnecessary, and is no longer lawful since the legal basis has ceased to apply.

Employee data which was collected under the 3G rule in Germany is required to be deleted.

The obligation to delete data applies in particular to all employers who previously queried the status of their employees under the German “3G rule”. This rule required employees to provide health data, specifically their COVID-19 status with regard to vaccination, recovery or a negative test result. Entertainment venues such as restaurants and cinemas are also now required to delete any contact data of guests that may have been recorded in the context of the pandemic.

The Hamburg Commissioner for Data Protection and Freedom of Information says that special categories of data collected in the context of the pandemic must now be deleted.

There has now been an official call to delete all sensitive health data collected throughout Germany in the context of the pandemic, now that the regulations which provided the legal basis for the collection and storage of this data have expired. Thomas Fuchs, the Hamburg Commissioner for Data Protection and Freedom of Information, was quoted in a recent report as saying: “In the last two years we have experienced an exceptional situation in many respects. Special categories of data were also collected on a large scale. These were significant encroachments on fundamental rights, which can be justified in the context of the pandemic. With the expiry of the legal powers, this collected data must now be deleted. In some cases, we observe attempts to maintain surveillance practices or to retain collected data for other purposes and contingencies. Here it is important to do educational work and, if necessary, to intervene in a supervisory manner.”


Google reprimanded by Belgian SA

Google was reprimanded by the Belgian SA due to lack of transparency concerning a request to have articles delisted.

This recent decision by the Belgian SA concerns a lawyer who was disbarred less than 10 years ago and who had requested that articles and information concerning his disbarment be delisted. The complainant currently works as a legal advisor, and his complaint was dismissed by the Belgian SA. According to this report by the EDPB, the Authority nevertheless reprimanded Google for a lack of transparency in this case, having identified shortcomings under the GDPR in the manner in which Google handled the complainant’s request.

Google reprimanded by the Belgian Supervisory Authority despite the complaint made against the company being dismissed.

While the Belgian Supervisory Authority dismissed the complaints regarding Google’s refusal to delist, the Authority found it necessary to reprimand the company due to shortcomings in the manner in which the delisting request was handled. Google did not honour the complainant’s request, reasoning that the public still has an interest in accessing the information concerning the lawyer through the search engine. The Belgian Supervisory Authority, while not disagreeing with this, found that the complainant was effectively ‘passed around’ from Google Ireland to Google LLC via Google Belgium, and that there were issues with the quality of the statement explaining why the delisting was refused. This statement was found to lack transparency and to be in violation of Article 12 of the GDPR.

The Belgian Supervisory Authority found issues with the quality of the response to the data subject’s request.

With regard to the request under Article 17 of the GDPR, the Belgian Supervisory Authority found Google to be in violation of Article 12 of the GDPR. Article 17 relates to the data subject’s right to erasure, and while the Authority dismissed the data subject’s complaints in this instance, the company was found to be in violation of Article 12 due to the lack of transparency in responding to the data subject’s request. Article 12 states that “the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language…” In this case, because the controller was not clearly identified, the Authority found issues with the quality of the response to the data subject’s request and reprimanded the company.


Recorded telephone conversations for the establishment of a contract

CNIL has published guidance on the establishment of contracts via recorded telephone conversations.

In the establishment of a contract, it is sometimes necessary to record a telephone conversation as proof of the formation of the contract. Under the law, this is permitted only where necessary. Therefore, in order for an organisation to lawfully record telephone conversations, it must, as data controller, demonstrate that there is no other way to prove that a contract has been formed with the data subject. CNIL has published a report detailing the factors to be considered when an organisation may need to record phone conversations in the establishment of a contract.

While some contracts can be formed orally, others must be established by a written act.

Recording must be necessary to prove the formation of the contract. For written contracts, recording is not necessary in order to establish the formation of the contract. For example, when a consumer is contacted by telephone with the aim of forming a contract relating to the sale of goods or the supply of a service, the customer is only bound by it after having signed and accepted it on a durable medium, such as a written contract. The recording of telephone conversations for the purpose of proving the formation of the contract is therefore unnecessary in this context. However, for contracts that can be taken out orally (for example, for the purchase of certain paid services), where the recording of conversations is possible, the principle of data minimisation must be respected in the process.

In cases where the contract is established via a telephone conversation, only the part of the conversation relating to the establishment of the contract may be recorded.

In cases where contracts can be taken out over a recorded line, these recordings may not be permanent or systematic unless legal provisions allow it. Only the conversations relating to the establishment of a contract by telephone may be recorded. Therefore, the company or organisation will have to provide mechanisms to record the telephone conversation between the phone operator and the consumer only from the moment when the conversation clearly relates to the establishment of a contract. The relevant part of the conversation may only be retained in the absence of any other proof of the formation of the contract. The recording of the telephone conversation also cannot be triggered by default, in an automated way. Ideally, the phone operator would manually trigger the recording, only in cases where the purpose of the conversation is to confirm a contract which cannot be proven by any other means.

Processing of personal data which is based on the establishment of the contract is permitted under the GDPR.

When people agree to enter into a contract by telephone, the recordings of the telephone conversations can be processed on the contractual legal basis under the GDPR. Article 6(1)(b) GDPR provides a lawful basis for the processing of personal data to the extent that “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.
