26 Jan '23
As part of European Privacy Day on 28 January, and as announced in our annual review Privacy Law in 2022, we have listed the fines imposed by the Dutch data protection authority (the Autoriteit Persoonsgegevens or AP) over the past year. A total of four penalty decisions have been published. In addition, the AP has been involved in two fines imposed by the Spanish data protection authority. Why were these fines imposed and do we see similarities with previous years? What are the main takeaways?
On 14 January 2022, a fine of EUR 525,000 was imposed by the AP on DPG Media (the company that acquired Sanoma) because customers without an online account had to upload an ID in order to exercise their rights regarding personal data processed about them (deletion, inspection). Processing a copy of an ID could pose significant privacy risks (such as identity fraud). In the AP's view, this should be handled with caution and in this case it was not necessary and unauthorised to require a copy of an ID.
This infringement has not been fined before, but the fact that a copy of an ID should be handled carefully is not new. If data subjects can be identified by other means, such as using a verification email and/or other data already in the organisation's possession, that is the appropriate route. It should also not be made unnecessarily difficult for data subjects to exercise their rights under the GDPR.
On 24 Februari 2022, the Ministry of Foreign Affairs was fined EUR 565,000. The AP imposed this fine because the system the ministry used to process visa applications was insufficiently secured. In addition, the ministry provided insufficient information to visa applicants about the processing of their personal data. The AP also imposed an order for periodic penalty payments. The ministry had to get the security of its systems in order and provide sufficient information to visa applicants. Each week that this was not complied with, the ministry would forfeit a penalty of EUR 50,000 for the inadequate security and EUR 10,000 for the inadequate information.
That there are more remedies than just imposing fines is well known. We also saw several instances of fines being imposed for failure to comply with the obligation under the GDPR to ensure appropriate security measures when processing personal data and adequate information provision to data subjects.
On 7 April 2022, the highest fine to date (in the Netherlands) was imposed by the AP. This is a fine of EUR 3.7 million, imposed on the tax authority. The fine relates to large-scale illegal processing of personal data on a blacklist, namely the “Fraude Signalering Voorziening” (FSV, translated the Fraud Signaling Facility), for years. The fine was imposed for several reasons:
We also see the 'blacklist' in case law. There are specific requirements to maintain such a list and it requires a thorough analysis. The fine imposed here relates to non-compliance with important basic principles of the GDPR. This also further emphasised the importance of seeking timely (prior to any high-risk processing) advice from a DPO, privacy officer and/or legal service provider.
At the end of last year, on 17 november 2022, the AP imposed a fine on the chief of police Rotterdam. This was because the Rotterdam police deployed cars with cameras to combat gatherings during times of corona. For the deployment of these cars, the police did not carry out a data protection impact assessment (DPIA) prior to the processing, even though this was mandatory because there was a high privacy risk. This was partly because data was processed using a new technological application and citizens were unlikely to know that images would be collected or how they were used. Furthermore, too many non-emergency images were also processed, according to the AP.
Interestingly, the chief of police himself qualified as a data controller and was fined EUR 50,000. This fine was imposed under specific legislation for the police regarding the processing of personal data, but it is also relevant in the context of the rules that follow from the GDPR. Here we also saw again the question of how long camera images can actually be kept, which needs to be carefully considered in any deployment of cameras. A DPIA is the way to go.
Finally, in 2022, the AP was also involved in two fines imposed by the Spanish data protection authority for breaches of the GDPR when processing personal data originating from Dutch data subjects. The first fine of EUR 30,000 was imposed on a Spanish hotel in connection with - there's the subject again - the use of a photograph of hotel visitors' passports to identify guests when placing orders. Guests were not informed about this processing. A Dutch guest complained about this to the AP, which found that the processing was not lawful, among other things because of a lack of consent and necessity of the processing. The use of the passport was also too heavy a means, guests could also be identified by other means.
The second fine in this context was imposed on recruitment agency Michael Page. Again for (among other things) unlawfully requesting ID when a data subject requested access to personal data. Again, a Dutch data subject filed a complaint and - again due to a lack of necessity - this resulted in a fine of EUR 240,000.
In the past year, the AP imposed a lot fewer fines than in previous years (see also, for example, our blog on the AP's fines in the first 3 years under the GDPR). However, we do see that significant fines are still being imposed and it could be that the AP will impose even higher fines in the future, as explained in our earlier blog. Who knows, perhaps again at a higher rate. So it remains as important as ever to comply with the GDPR to avoid the risk of (high) fines.
Do you have questions about setting up your (current or planned) processing activities in the right way? Need help conducting a DPIA or putting your processing operations under the microscope again with our Ploum Privacy Quick Scan? Feel free to contact us or email privacy@ploum.nl.
In this blog we have inserted hyperlinks to the penalty decisions published by the AP. These decisions are, unfortunately, only published in Dutch.
20 Dec 24
29 Nov 24
11 Nov 24
14 Oct 24
13 Oct 24
07 Oct 24
13 Aug 24
13 Aug 24
04 Jun 24
13 May 24
02 May 24
08 Apr 24
Met uw inschrijving blijft u op de hoogte van de laatste juridische ontwikkelingen op dit gebied. Vul hieronder uw gegevens in om per e-mail op te hoogte te blijven.
Stay up to date with the latest legal developments in your sector. Fill in your personal details below to receive invitations to events and legal updates that matches your interest.
Follow what you find interesting
Receive recommendations based on your interests
{phrase:advantage_3}
{phrase:advantage_4}
We ask for your first name and last name so we can use this information when you register for a Ploum event or a Ploum academy.
A password will automatically be created for you. As soon as your account has been created you will receive this password in a welcome e-mail. You can use it to log in immediately. If you wish, you can also change this password yourself via the password forgotten function.