https://ploum.nl/uploads/Artikelen_en_Track_Records_en_expertise/Privacy/cctv-surveillance-camera-g6f811803a_640_mindere_kwaliteit.jpg

Fines under the GDPR in 2022

26 Jan '23

Author(s): Nina Witt & Lars Boer

As part of European Privacy Day on 28 January, and as announced in our annual review Privacy Law in 2022, we have listed the fines imposed by the Dutch data protection authority (the Autoriteit Persoonsgegevens or AP) over the past year. A total of four penalty decisions have been published. In addition, the AP has been involved in two fines imposed by the Spanish data protection authority. Why were these fines imposed and do we see similarities with previous years? What are the main takeaways?

Fine for DPG Media over copy of ID

On 14 January 2022, a fine of EUR 525,000 was imposed by the AP on DPG Media (the company that acquired Sanoma) because customers without an online account had to upload an ID in order to exercise their rights regarding personal data processed about them (deletion, inspection). Processing a copy of an ID could pose significant privacy risks (such as identity fraud). In the AP's view, this should be handled with caution and in this case it was not necessary and unauthorised to require a copy of an ID.

This infringement has not been fined before, but the fact that a copy of an ID should be handled carefully is not new. If data subjects can be identified by other means, such as using a verification email and/or other data already in the organisation's possession, that is the appropriate route. It should also not be made unnecessarily difficult for data subjects to exercise their rights under the GDPR.

Fine for Ministry of Foreign Affairs for poor security, among other reasons 

On 24 Februari 2022, the Ministry of Foreign Affairs was fined EUR 565,000. The AP imposed this fine because the system the ministry used to process visa applications was insufficiently secured. In addition, the ministry provided insufficient information to visa applicants about the processing of their personal data. The AP also imposed an order for periodic penalty payments. The ministry had to get the security of its systems in order and provide sufficient information to visa applicants. Each week that this was not complied with, the ministry would forfeit a penalty of EUR 50,000 for the inadequate security and EUR 10,000 for the inadequate information.

That there are more remedies than just imposing fines is well known. We also saw several instances of fines being imposed for failure to comply with the obligation under the GDPR to ensure appropriate security measures when processing personal data and adequate information provision to data subjects.

Blacklisting fine imposed on tax authority

On 7 April 2022, the highest fine to date (in the Netherlands) was imposed by the AP. This is a fine of EUR 3.7 million, imposed on the tax authority. The fine relates to large-scale illegal processing of personal data on a blacklist, namely the “Fraude Signalering Voorziening” (FSV, translated the Fraud Signaling Facility), for years. The fine was imposed for several reasons:

  • The tax authority had no legal basis for processing the personal data in the FSV;
  • Personal data was processed for purposes incompatible with the purpose for which the data was collected;
  • The personal data being processed was incorrect in several cases;
  • More personal data was processed than necessary;
  • The personal data processed by the tax authority was insufficiently secured; and
  • Because adequate and timely advice was not sought from the Data Protection Officer regarding the implementation of the FSV.

We also see the 'blacklist' in case law. There are specific requirements to maintain such a list and it requires a thorough analysis. The fine imposed here relates to non-compliance with important basic principles of the GDPR. This also further emphasised the importance of seeking timely (prior to any high-risk processing) advice from a DPO, privacy officer and/or legal service provider. 

Fine to Rotterdam police chief of police for not applying data protection impact assessment

At the end of last year, on 17 november 2022, the AP imposed a fine on the chief of police Rotterdam. This was because the Rotterdam police deployed cars with cameras to combat gatherings during times of corona. For the deployment of these cars, the police did not carry out a data protection impact assessment (DPIA) prior to the processing, even though this was mandatory because there was a high privacy risk. This was partly because data was processed using a new technological application and citizens were unlikely to know that images would be collected or how they were used. Furthermore, too many non-emergency images were also processed, according to the AP.

Interestingly, the chief of police himself qualified as a data controller and was fined EUR 50,000. This fine was imposed under specific legislation for the police regarding the processing of personal data, but it is also relevant in the context of the rules that follow from the GDPR. Here we also saw again the question of how long camera images can actually be kept, which needs to be carefully considered in any deployment of cameras. A DPIA is the way to go.

Fines imposed by Spain's data protection authority

Finally, in 2022, the AP was also involved in two fines imposed by the Spanish data protection authority for breaches of the GDPR when processing personal data originating from Dutch data subjects. The first fine of EUR 30,000 was imposed on a Spanish hotel in connection with - there's the subject again - the use of a photograph of hotel visitors' passports to identify guests when placing orders. Guests were not informed about this processing. A Dutch guest complained about this to the AP, which found that the processing was not lawful, among other things because of a lack of consent and necessity of the processing. The use of the passport was also too heavy a means, guests could also be identified by other means.

The second fine in this context was imposed on recruitment agency Michael Page. Again for (among other things) unlawfully requesting ID when a data subject requested access to personal data. Again, a Dutch data subject filed a complaint and - again due to a lack of necessity - this resulted in a fine of EUR 240,000.

Conclusion

In the past year, the AP imposed a lot fewer fines than in previous years (see also, for example, our blog on the AP's fines in the first 3 years under the GDPR). However, we do see that significant fines are still being imposed and it could be that the AP will impose even higher fines in the future, as explained in our earlier blog. Who knows, perhaps again at a higher rate. So it remains as important as ever to comply with the GDPR to avoid the risk of (high) fines.

Need help?

Do you have questions about setting up your (current or planned) processing activities in the right way? Need help conducting a DPIA or putting your processing operations under the microscope again with our Ploum Privacy Quick Scan? Feel free to contact us or email privacy@ploum.nl.


In this blog we have inserted hyperlinks to the penalty decisions published by the AP. These decisions are, unfortunately, only published in Dutch.

Contact

Attorney at law

Lars Boer

Expertises:  IT-Law, Privacy law, Procurement law, Cybersecurity , Technology, Media and Telecom, Commercial Contracts, Start-up and Scale-up,

Share this article

Stay up to date

Click on the plus and sign up for updates on this topic.

Expertise(s)

Subject(s)

Met uw inschrijving blijft u op de hoogte van de laatste juridische ontwikkelingen op dit gebied. Vul hieronder uw gegevens in om per e-mail op te hoogte te blijven.

Personal data

 

Company details

For more information on how we use your personal information, please see our Privacy statement. You can change your preferences at any time via the 'Edit profile' link or unsubscribe via the 'Unsubscribe' link. You will find these links at the bottom of every message you receive from Ploum.

* This field is required

Interested in

Personal data

 

Company details

For more information on how we use your personal information, please see our Privacy statement. You can change your preferences at any time via the 'Edit profile' link or unsubscribe via the 'Unsubscribe' link. You will find these links at the bottom of every message you receive from Ploum.

* This field is required

Interested in

Create account

Get all your tailored information with a My Ploum account. Arranged within a minute.

I already have an account

Benefits of My Ploum

  • Follow what you find interesting
  • Get recommendations based on your interests

*This field is required

I already have an account

Benefits of My Ploum

Follow what you find interesting

Receive recommendations based on your interests

{phrase:advantage_3}

{phrase:advantage_4}


Why do we need your name?

We ask for your first name and last name so we can use this information when you register for a Ploum event or a Ploum academy.

Password

A password will automatically be created for you. As soon as your account has been created you will receive this password in a welcome e-mail. You can use it to log in immediately. If you wish, you can also change this password yourself via the password forgotten function.