AP (The Netherlands) - z2018-02009: Difference between revisions
From GDPRhub
mNo edit summary |
mNo edit summary |
||
| Line 44: | Line 44: | ||
|Appeal_To_Link= | |Appeal_To_Link= | ||
|Initial_Contributor=GDPR MASTer Project | |Initial_Contributor=[https://networkinstitute.org/projects/appropriate-measures-for-security-investigating-legal-and-technical-requirements-under-the-gdpr/ GDPR MASTer Project] | ||
| | | | ||
}} | }} | ||
| Line 50: | Line 50: | ||
A Dutch employer portal UWV, handling employee health data is investigated for use of one-factor authentication (email address and password) to grant access to the portal. The Dutch Data Protection Authority considers this insufficient given the nature of data (under article 32) and proposes multi-factor authentication as a safer alternative. | A Dutch employer portal UWV, handling employee health data is investigated for use of one-factor authentication (email address and password) to grant access to the portal. The Dutch Data Protection Authority considers this insufficient given the nature of data (under article 32) and proposes multi-factor authentication as a safer alternative. | ||
== English Summary == | ==English Summary== | ||
=== Facts === | ===Facts=== | ||
to be added | to be added | ||
=== Dispute === | ===Dispute=== | ||
=== Holding === | ===Holding=== | ||
to be added | to be added | ||
== Comment == | ==Comment== | ||
''Share your comments here!'' | ''Share your comments here!'' | ||
== Further Resources == | ==Further Resources== | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
== English Machine Translation of the Decision == | ==English Machine Translation of the Decision== | ||
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details. | The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details. | ||
Revision as of 17:30, 31 March 2021
| AP - Employee Insurance Agency (UWV) | |
|---|---|
 | |
| Authority: | AP (The Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 32 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 31.07.2018 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | Employee Insurance Agency (UWV) |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | AP (in NL) |
| Initial Contributor: | GDPR MASTer Project |
A Dutch employer portal UWV, handling employee health data is investigated for use of one-factor authentication (email address and password) to grant access to the portal. The Dutch Data Protection Authority considers this insufficient given the nature of data (under article 32) and proposes multi-factor authentication as a safer alternative.
English Summary
Facts
to be added
Dispute
Holding
to be added
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Authority Personal data
P.O. Box 93374, 2509AJ The Hague
Bezuidenhoutseweg 30,2594AV The Hague
T0708888500-F0708888501
authoritypersonal data.nl
Registered
UWV
Board of Directors
P.O. Box 58285
1040HGAmsterdam
Date
July 31, 2018 Our reference
z2018-02009
Contact
[CONFIDENTIAL]
0708888500
Topic
Cease and desist
Resume
1. The Dutch Data Protection Authority (hereinafter: the AP) on 27 March 2017 on the basis of Article 60 of the
Personal Data Protection Act (hereinafter: the Wbp), such as the time gold, an investigation is instituted
to the use of multi-factor authentication in the employers' portal of the Implementing Institute
Employers' insurance (hereinafter: the UWV).
2. The UWV processes in the employer portal, among other things, personal data relating to the
healthofworkers
find through multi-factor authentication. TheUWV follows this moment with one-factor authentication.
providing access to the employer portal.
3. The AP has noted in the report definitive findings (hereinafter: the investigative report) that the
UWV that acts contrary to Article 13 of the Wbp, such as that the time gold, on the basis of which, for
insofar as this is important, a responsible person must take measures against personal data
protect against loss or any form of unlawful processing.
4. The AP based on the compulsory decision in the research report, given by the UWV orally
view on the intention of the AP to be subject to a burden to add and by it
UWV at request of the AP provided information
5. On May 25, 2018, the General Data Protection Regulation (hereinafter: the GDPR) applies
The AVG states in Article 32, first paragraph, the same obligation, as that gold on the basis of Article 13.
Attachment (es) 2 1 Date Our reference
July 31, 2018 z2018-02009
This violation continues, violates the UWV Article 32, first member, of the
GDPR.
6.Wishes to connect the UWV to the system of Recognition to this way more factor authentication.
when granting access to the employer's portal
expect only to continue using the Recognition to be logged on the employer's portal
since the first question by the AP by letter of 25 November 2015, meanwhile moved to
November 1, 2019.
7. As a result of the above, the AP has decided to use Article 16, first paragraph, of the
General Data Protection Regulation (hereinafter: UAVG) in conjunction with
Article 5:32, first paragraph, of the General Administrative Law Act (hereinafter: the AWB)
With the charge under penalty, the AP intends to insure that the detected violation
an end is being made.
8. By 31 October 2019, the access to the employers' portal must be provided by an appropriate
security levels are provided, where logging into the portal is only possible through one
Appropriate form of multi-factor authentication. Part of the last is the UWV requirement
confidence level must again determine by performing a risk analysis using the
most recent version of the Guide "Reliability levels for digital services, a
guidelines for government organizations "(version 4).
9. In the event of non-compliance with the grace period, your period is subject to a penalty of
EUR 150,000 payable for each month that the load is not (fully) executed, with a maximum
from EUR900.0000.
Course of procedure
10. On August 29, 2017, the AP sent the study report to the UWV.
The public version of the report was published on November 14, 2017 on the AP website.
11. By letter of August 15, 2017, the AP has now given some cause for the study to theUWV.
questioned about the size of the employer portal.
12. By letter of August 30, 2017, theUWV has responded to the questions that the AP by letter of August 15.
2017.
13. By letter of 11 September 2017, theUWV has given its response to the research report.
indicates, among other things, that the security level does not meet the requirements of
article13oftheWbpanditwant toclarifytheimplementationoftheRecognitionlevel
substantial.
2/12 Date Our reference
July 31, 2018 z2018-02009
14. By letter of 9 November 2017, the UWV informed the AP about the progress of the implementation.
vaneRecognition.
15. The AP has notified the UWV by letter of December 14, 2017 of its intention to charge a charge.
subject to a penalty sumandtheUWFindisplaced orallyorwrittenher
to bring opinions about it.UWVisinvitedfor a hearing.
16. The hearing took place on February 6, 2018.
Annex 1 to this Decision is attached.
17. On the basis of what was discussed during the hearing, the UWV sent a letter of 28 February
2018 additional information data and additional documents provided, including the project plan
eRecognition.
18. As a result of the information received by the letter of 28 February 2018, the AP has given to the UWV at
letter of 15 March 2018 asked questions.
19. By letter of April 3, 2018, theUWV has responded to the questions of the AP of March 15, 2018 and here
"Risk analysis absenteeism report" (hereinafter: the risk analysis).
20. Based on the information received by the letter of April 3, 2018, the AP has given to the UWV by letter.
of May 14, 2018 asked questions.
21. By letter of May 25, 2018, theUWV has responded to the questions of the AP of May 14, 2018.
Research report
22. In the research report, the AP found that the UWV in the employers' portal
personal data about health. Access to the employer's portal is obtained by
Entering an email address and password. This is a form of one-factor authentication.
23. From article 13 of the Wbp- now article 32, first paragraph, of the AVG- ensues that a
responsibleappliesmeasures to protect personal data from loss or
any form of unlawful processing. The term "appropriate" also means a proportionality
Intermediatesecuritymeasuresthe nature oftheprotecteddata
the personal data that is processed in the employer portal of the UWV, namely data about
the health of employees, it should be given access to the portal via the internet, given the
state of the art, places find means and at least multi-factor authentication.
24. The UWV has taken specified measures to allow unauthorized access to the
employer portal, such as conducting annual penetration and security tests and
continuous logging and monitoring of use. These measures are due to authentication
not fit because they can provide an appropriate level of protection for gaining access
3/12 Date Our reference
July 31, 2018 z2018-02009
to the application.Because theUWV does not apply more factor authentication, nor in any other way
Appropriate measures has affected victims to obtain access to the data contained in the
employers' portal, trade the UWV in conflict with article 13 of the Wbp, as it was gold at the time.
Legal framework
25. The relevant legal framework is included as Annex 2 to this Decision.
GDPR
26. In the investigation report, the AP has a violation of the standard from Article 13 of the Wbp
As of May 25, 2018, AVG and UAVG of applications, the Wbp, has been withdrawn.
27. When assessing whether there is also a violation of the GDPR standard, it is important that the standard
under the AVGmaterial does not change significantly with regard to the standard under the Wbp.
The norm from Article 13 of the Wbpisthans laid down in Article 32, first and second part, of the AVG.
The latter article states that the controller, taking into account the situation of the
technique, implementation costs, as well as with nature, scope, context and processing purposes
and the likelihood and severity of the risks to the rights and freedoms of persons,
appropriate technical and organizational measures must be taken to suit the risk
security level safeguards. This obligation is materially consistent with the obligation
Article 13 of the Wbp.
28. This means that, since the investigated facts and the relevant circumstances arose
of the research report until some of the things are not changed, as of May 25, 2018.
violation of Article 32, first paragraph, of the GDPR.
Viewpoint
29. As a result of the APS's intention to place a burden under penalty, the UWV has
During the hearing of February 6, 2018 orally, I saw your way
noteworthythatYourExpects thatthe employer's portal security is inadequate
requirements arising from Article 13 of the Wbpentans Article 32, first member, of the AVG, because theUWV
no more factor authentication applies to the granting of access to the portal.
30. The UWV has decided in April 2017 to start the implementation of the Recognition level
3 / Substantial, where multi-factor authentication is applied so that the violation of Article 13
The Wbpentansarticle32, first, oftheAVGis deleted.
the confidence level, the fact that in the employer portal only health data are displayed
who see the sick report or the fact that someone is pregnant.
The nature of the sickness report is not processed.
4/12 Date Our reference
July 31, 2018 z2018-02009
31. The UWV has advanced and explored other solutions but how to connect to it
eRecognition of any real possibility to achieve more factor authentication.
The arrival of the Digital Government Act (hereinafter: Wdo) is primarily the intention that all government parties
make use of the means contained in this law.
32. In the implementation of the Recognition of the UWV, it depends in part on others and that the UWV is
a number of problems, causing the implementation to wait longer than the UWV had
hoped.
Rating
Assessment framework
33. In the research report, the AP noted that the UWV in the employer's portal
processes personal data, including special personal data.
data, citizen service number, financial data and data about disability, dismissed childbirth.
Employers can log in via the internet to the portal and by e-mail address and password
1
It is a form of one-factor authentication.
It is known that this situation has not changed.
34. Article 32, first paragraph, of the GDPR stipulates that the controller applies the technical and
Organizational measures must be taken to protect personal data from loss or
unlawful processing. These measures guarantee, taking into account the state of the technology
and costs of food implementation, an appropriate security level eliminating the risks that
processing the nature of the protection data bring to it.
35. This means that the controller, in the case of the UWV, must translate the risks
for the data subject whose personal data are processed according to the reliability requirements against which
the service offered (the employer portal) must satisfy that within the field
information security if the most recent and representative interpretation thereof is seen.
36. In determining the risk of the data subject, the nature of the personal data among others
Nature of processing of importance: these factors determine the potential damage for individual
For example, loss, alteration, or illegal processing of data
From the translationstroke to the confidence level of the employers portalcan use the UWV
making the Guide "Reliability levels for digital services, a guide for
government organizations, version 4 of the Forum Standardization (hereinafter: the Guide).
37. The use of this Guide is not mandatory, but provides an assessment framework for
government organizations for determining reliability levels for digital services
1
Authenticate the process of verifying that a user who will log into an application / system is actually who
he / she claims to be.
5/12 Date Our reference
July 31, 2018 z2018-02009
of which it can be accepted that it reflects in so far as most recent insights and demands.
Provide security standards then, after determining the application
2
confidence level, guidance in taking appropriate measures.
38. The AP has investigated whether the UWV has taken the appropriate measures regarding authentication.
when logging into the employer's portal.
theprotectingpersonal data, which translates to a minimum to handle
The assessment in this decision, then, is based only on the nature of the issue
protect personal data. Not excluded that other factors and nature of the
personal data require a higher level of security. However, the AP cannot, as in the present case
order will come, for or in the place of theUWVall –inHandReachVersion4included-relevant
assessing factors. It is up to the UWV to include these factors in a risk analysis and thus
Determine the correct security level. 3
Person's health data
39. In Article 4, section 15, of the GDPR, the following definition is given: "Health information.
hispersonal data related to the physical or mental state of a natural
person, including data about health services provided with which information is about
health status is given. Under AV, remain unchanged that concept
"Health data" should be understood: it does not include only the data that a doctor
medical research or medical treatment, but all data that the spiritual or
physical health of a person.
reported a given about the health, even though it does not say anything about the nature of the condition. 4
In the employer portal, the following data are processed: the date entry
sick leave, the date of termination sick leave, illness due to pregnancy, childbirth or
organ donation, date of births and date of maternity leave.
40. In view of the nature of the personal data, the employer's portal entails half data
concerning a person's health, which is considered a special category of personal data as
referred to in Article 9, first paragraph, of the AVG is noted.
Increased risk
41. In the Guidelines for the security of personal data, the AP has elaborated the requirements regarding security.
The AP indicates that in certain categories of personal data, the consequences of loss or
illegal processing can be serious.this are data with a higher or high risk.
In any case, these categories cover special personal data.
2 See also CBP Guidelines, Security of personal data, February 2013
3 See with regard to the risk analysis of UWCrandnummer54andfurther of this decision.
4 Chamber documents II1997 / 98, 25892, No. 3, p. 102
6/12 Date Our reference
July 31, 2018 z2018-02009
5
42. In addition, the AP uses the Guide version4.
confidence levels based on the IDAS regulation for digital identifiers
6
trust services, which are in force from 1 July 2016 (hereinafter: the eIDAS regulation).
The eIDAS regulation distinguishes three levels of trustworthiness of authentication tools: low,
substanceandhigh.The Guideprovidesaclassificationmodelwithinhasimplified
risk analysis of the digital service can be made.
theprotectpersonaldata.In thisfourclassespersonaldata are distinguished: class
0, I (basic), II (increased risk) and III (high risk), where data with increased risk also has a
higher security level requirements.
43. The AP ascertains that the data processed in the employer's portal, according to the Guide
so-called class II personal data is because it concerns special personal data
7
class II data is an increased risk. Of a high risk, as in the so-called class III-
data, see the nature of the data that are processed in the portal.
Multi-factor authentication
44. Processing of Class II data is according to the Guide to Minimum Confidence Level
8
"Substantial" of application. Also when answering the question about this
confidence levels appropriate measures are as referred to in Article 32, first paragraph, of the GDPR
The Guide offers a framework: both for reliability level "substantial" and
confidence level "high", if type authenticator, multi-factor authentication is required. 9
45. The requirement of multi-factor authentication when granting access to a system in which
health data is processed, in addition, it is not complied with by security standards such as
NEN-7510, which indicates the application of the Code for information security ISO / IEC
27002 in health care:
5
6 A guide for government organizations: Reliability levels for digital services, version 4, Forum Standardization
Regulation (EU) No 910/2014 of the European Parliamentary Council of 23 July 2014 on electronic identification and
trust services for electronic transactions in the internal market
7 A guide for government organizations, version 4, Forum for Standardization, p. 33
8 A guide for government organizations, version 4, Forum for Standardization, p. 29.
based on all the criteria mentioned in the Guide version 4, results in a confidence level "high" instead of "substantial".
You will have to make this assessment yourself, see also margin number 54 and further.
9
A guide for government organizations, version 4, Forum for Standardization, p. 24-25.
Implementing Regulation 2015/1502 of the European Commission to adopt minimum technical specifications and procedures
on the confidence level for electronic identifiers in accordance with Article 8 (3) of the Regulation
(EU) No. 910/2014, on which the Guide is based.
7/12 Date Our reference
July 31, 2018 z2018-02009
Health information systems that process personal health information, belonging to user identities
determine this should be done by means of authentication in which at least the two factors are involved
be. "0
46. As appropriate the measure referred to in Article 32, first paragraph, of the AVG must be
access to the employer's portal to use multi-factor authentication.
Access to the portal takes place through a form of one-factor authentication, trading theUWVin
contrary to Article 32, first member, of the AVG.UWV has also recognized this.
Offender
47. Notice theUWVis as an offender, because it is the controller in the sense of the AVG.
The UWV establishes the purpose of the means for the processing of personal data: the
The employer portal is a service of the UWV and is made available by the UWV
employers, for which purposes of data processing are determined by the UWV.
The UWV also has it in its power to end the violation.
The solution from the UWV: eRecognition
48. By letter of January 25, 2016, the UWV has already addressed the violation of Article 32, first member, of the
Wbp recognized. TheUWV indicated that they intend to be used for the employer's portal
Make of Recognition, which feature provides for the use of multi-factor authentication in the
providing access to the employer portal.
49. ERecognition is a system that companies provide electronic access to the government
government facilities. Entrepreneurs or employees of an organization can go together
login and easy identification at different organizations. Government organizations need
do not develop their own authentication system, but can connect to the system
The development of Recognition is a public-private partnership that is directed under the direction of the
Ministries of Economic Affairs and Climate and Domestic Affairs and Kingdom Relations.
ERecognition recognizes five different confidence levels. At these reliability levels is
A connection sought to the three reliability levels that distinguish each IDAS regulation
requirements that are imposed on the means by the regulation. The government organization determines it itself
confidence level that is applied.
50. TheUWVhas indicated thattheintroductionofRecognitionbytheUWVshould be viewed in the
light of the Wd is currently in preparation.
can log in for Dutch citizens and companies with (semi-) government
The Netherlands the EU directive on accessibility of government websites and apps. 1 Ahead of the
10
11 NEN-7510 (2017), p. 57
https://www.digitaleoverheid.nl/ilisi/identification-en-authenticatie/eid/wet-gdi/.
8/12 Date Our reference
July 31, 2018 z2018-02009
Wdo has been developed by the government.
eRecognition.
51. TheUWV has indicated the implementation of the Recognition to see any real solution.
has explored possible between solutions, where multi-factor authentication with smsalst second factor
The most feasible and safe alternative option was.
as long as the implementation of the Recognitions is in addition the implementation of
Delay recognition, because this must be done by the same team.
be effective and proportionate in short on the map two drastic implementation pathways go through:
This leads to textbook administration tasks for employers and ineffective use of public resources.
Time course / planning
52. TheUWV has indicated that it was already in use in 2015 to connect to Recognition.
However, the UWV is the availability of the RSIN (Legal Entities and Partnerships
Information number) and the BSN for sole proprietorships in the system of Recognition necessary, because
withoutthese numberstheUWVeRecognitioncan'tlinktohersystems.
Expansion of the systemdepending on third parties and has set this expansion as a condition for the
In April 2017, the UWV has concluded the implementation of Recognition.
because of the moment view is linked from the RSIN to the Recognition (87.7% of the
Users of the Employer Portal is identified by RSIN).
has theUWVindicatedconnection toRecognitiontoexpectationrealized inMay2018
In November 2017, around theUWV, the preliminary research.In February 2018, theUWV has
projectplane Recognition Employer Portal determined upon request from the AP the AP do.
53. According to this project plan, the UWV will take place on November 1, 2018 as the implementation date, followed by a
rollout period of one year that users can switch from the portal.
has indicated the UWV now assumes implementation in the fourth quarter of 2018.
The BSN is also expected to be added to the system in the second half of 2018.
The same implementation date applies with rollout period. There is also no group of users (0.7%) who are not
Can make use of Recognitions for which no solution is available yet. TheUWV has
indicated that if no solution is available, this group cannot use any more by 1 November 2019
makingthe employer portal.
Confidence level; application Guide version 4
54. In 2015, the US has made the hand of the available Guide of Forum standardization,
12
version 3 performed a risk analysis. This version of the guide is based on European
12A guide for government organizations: assurance levels for authentication at
electronic government services, version 3, Forum Standardization
9/12 Date Our reference
July 31, 2018 z2018-02009
STORFramework.This risk analysis showed that levelSTORK3 is appropriate.
The UWV has carried out the AP for this risk analysis upon request by letter of 3 April 2018.
55. In November 2016, version 4 of the Guide appeared. This version is no longer based on the
STORK framework but, as previously shown, on the IDAS regulation.
However, there is no reason to keep the risk analysis of 2015 against the light again
The newest version of the Guide.
Risk analysis of 2015 UWV's hot IDAS system has taken into account as proposed legislation.
Therefore, the new version of the Guide has not given any reason for a new one
perform risk analysis ".
56. According to the project plane Recognition Employers Portal, the UWV has chosen to connect
eRecognition level3 This corresponds to the IDAS level substantial.
57. The AP establishes that the risk analysis of the UWV from 2015 is based on version 3 of the Guide.
The norm from article 32, first paragraph, of the AVG, and previously article 13 of the Wbp, write before the
(processing) responsible for taking appropriate technical and organizational measures
in order to ensure appropriate security level, including taking into account the situation
It is decided, among other things, that a risk assessment has already been carried out from time to time again.
must be updated using the currently valid standards.
on the way of the UWV, because the risk analysis is carried out again in 2015
The most recent version of the Guide.
at the end of the implementation period of, in this case, eRecognition, it is possible that there is no
appropriate security level.
58. Although the reliability level of Stork3 corresponds to version3 of the Guide.
IDAS Confidence Levels Substantial version 4 of the Guide, how to use both versions of the
Guide to various assessment frameworks.
possible until the outcome that a higher confidence level should be assumed from the UWV
up to now based on version 3 of the Guide.
choice of measures to be taken according to the appropriate security level
guarantees. The APcannotfororintoplaceoftheUWValloutHandoverVersion4relevant
factors.
Constrained and favored term
59. From article 16, first member, of the UAVG, in conjunction with article 5:32, first member, of the AWB follows
that the AP is authorized to impose a charge under a penalty if in violation of Article 32, first paragraph
the AVG. Pursuant to Article 5: 2, first paragraph, bottom b, of the AWB, the cabinet is aimed at the end of
the violations detected the occurrence of recurrence.
10/12 Date Our reference
July 31, 2018 z2018-02009
60. The AP orders the US within the time limit for favoring the decision to take the violation of Article 32,
first member, of the AVG.
measures must be taken to ensure an appropriate security level with regard to the relationship
of access to the employer's portal, where logging in is only possible by means of a suitable form of
multi-factor authentication (for example, by using Recognition).
of the confidence level for the employer portal has used a meanwhile
outdated version of the Guide, the UWV should update the confidence level
determine by performing a risk analysis using version 4 of the Guide.
61. Section 5: 32a, subsection 2, of the AWB provides that a grace period is to be set during
which the offender can execute without forfeiture of a penalty. "Term
During which a charge can be carried out without forfeiture of a penalty, it must be short
The time limit should be long enough to be able to carry out the load.
62. Having regard to the foregoing decision, the AP that the YOUR V must appear at the end of October 31, 2019.
The AP has taken into account the planning when determining the term of favor
of the UWV regarding the implementation of the Recognitions of the said roll-out period
one year after implementation on November 1, 2018.
63. Article 5: 32b, third paragraph, of theAwb prescribes that the penalty amounts are in reasonable proportion.
to the severity of the violated interest to the intended effect of the penalty.
It is important that a compulsion must execute such an incentive that the burden is met.
64. If the UWV does not end the detected violation within the beneficiary period, it forfeits the
The AP fixes the amount of this penalty sum at € 150,000 for each month that the
load has not been (fully) carried out up to a maximum of € 900,000.
height of these amounts in reasonable proportion to the gravity of the violation by the violation
importance - the protection of special personal data and of the personal sphere of life
those involved –and they are also sufficiently high to end your moving violation.
This includes the AP cost that is associated with the implementation of Recognition, as well as the
structurally additional costs per year.
65. The APRequestheUWSimplybefore1October2018the re-performed risk analysisin whichtheUWV
to the employer portal, to send a reliability level award.
that the AP is authorized to conduct a study, including an on-site study, if it does
useful.
11/12 Date Our reference
July 31, 2018 z2018-02009
Operative part
TheA imposes a charge on the UWV, for violation of Article 32, first paragraph, of the GDPR.
penalty with the following content:
-TheUWVshould provide access to the employer's portal by 31 October 2019 at the latest.
Appropriate security level provided, whereby logging in from that moment is only possible by means of a
appropriate form of multi-factor authentication.
confidence level to redetermine by performing a risk analysis using version 4
of the Guide.
-The UWV forfeits a penalty of € 150,000 after expiry of this term (in words:
one hundred and fifty thousand euros) for each month that the load is not (fully) carried out to a maximum
of € 900,000 (in words: nine hundred thousand euros).
The Authority Personal data,
On their behalf,
Signed
Mr. A. Wolfsen
Chairman
If you do not agree with this decision, you can send it within six weeks
a decision to submit an objection to the Personal Data Authority, PO Box 93374, 2509AJDenHaag,
stating “Awb objection” on the envelope.
12/12
