The Dutch Data Protection Authority (DDPA) has imposed a €565,000 penalty on the Dutch Ministry of Foreign Affairs over violations of the General Data Protection Regulation (GDPR).
The latest fine follows an investigation into the data processing activities of the Ministry of Foreign Affairs related to its National Visa Information System (NVIS). Each year, around 530,000 visa applications are processed through the system, and the processing includes special category data such as passport photographs and fingerprints. Organizations that process special category data are required to implement stricter security controls than for standard personal data, due to the high sensitivity of the data. The DDPA found the security measures at embassies and consulates to be lacking, which put special category data at risk.
The DDPA investigation confirmed that the Ministry of Foreign Affairs had conducted a vulnerability analysis of the NVIS but had not updated that analysis since 2015. There were no procedures in place for checking access logs, and the logging was incomplete, so it was not possible to tell which employees had accessed the system. The DDPA also said there was a lack of information about the physical security of the NVIS, the protocols for reporting security issues were not fit for purpose, and there were no protocols specific to the NVIS. An authorization procedure had been created for accessing data in the NVIS; however, that procedure was only implemented in January 2022.
The DDPA also determined the Ministry of Foreign Affairs was in violation of the data transparency principle of the GDPR, as it had not made visa applicants fully aware of how the data provided as part of the visa application process would be used and shared. The Ministry of Foreign Affairs had informed visa applicants that their personal data would be shared with Europol and European authorities but did not state that their personal data would also be shared with third-party contractors.
GDPR fines are most commonly imposed on entities following complaints; however, in this case, the GDPR violations were uncovered as part of the DDPA’s supervisory role, which requires it to monitor the legality of any data processing activities. The violations of the GDPR were deemed to be severe enough to warrant a financial penalty, which will increase by €50,000 every two weeks until the violations are fully addressed. The Dutch Ministry of Foreign Affairs has also been ordered to make major changes to the way it handles and protects personal data. The required changes include creating a new information security policy specifically for NVIS and the creation, maintenance, and regular checking of NVIS access logs.
This is the second GDPR penalty the DDPA has imposed on a government department recently. In December 2021, a fine of €2.75 million was proposed to resolve violations of the GDPR by the Dutch Tax and Customs Administration for the unlawful processing of dual nationality data in its FSV system. In total, the Tax and Customs Administration has been fined €3.7 million to resolve the violations related to its FSV system, with the other €950,000 in penalties imposed for insufficient security of the FSV (€500,000) and for waiting more than a year before asking the Data Protection Officer for advice on assessing the risks of the FSV (€450,000).