AP (The Netherlands) - 31.05.2021: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 7: Line 7:
|DPA_With_Country=AP (The Netherlands)
|DPA_With_Country=AP (The Netherlands)


|Case_Number_Name=Uitvoeringsinstituut Werknemersverzekeringen (UWV)
|Case_Number_Name=n/a
|ECLI=
|ECLI=



Revision as of 12:43, 14 July 2021

AP (The Netherlands) - n/a
LogoNL.png
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 31.05.2021
Published: 07.07.2021
Fine: n/a
Parties: Uitvoeringsinstituut Werknemersverzekeringen (UWV)
National Case Number/Name: n/a
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Autoriteit Persoonsgegevens (in NL)
Initial Contributor: n/a

The Dutch DPA fined an administrative agency responsible for providing employment benefits €450,000 for failing to adequately secure personal data, including special categories of data, in messages that were erroneously sent to the wrong recipients on its website. Although the agency took certain organisational measures to secure user data, technical measures were only implemented after nine data security breaches affecting 15,000 individuals.

English Summary

Facts

The Employee Insurance Agency ('Uitvoeringsinstituut Werknemersverzekeringen', or 'UWV') is an independent administrative body, established under Article 2 of the Work and Income Implementation Structure Act (‘Wet structurur uitvoeringsorganisatie werk en inkomen’, ‘SUWI’). Individuals wishing to apply for employment benefits must register with the UWV as jobseekers. Every jobseeker has a personal environment on a section of the UWV website titled My Work Folder (‘Mijn Werkmap’).

Between August 2016 and the end of 2018, the sending of group messages in the ‘My Work Folder’ environment was not properly secured by UWV. As a result, files containing various personal data of job seekers ended up with the wrong recipients, namely in the My Work Folder environment of other job seekers. The personal data included: addresses, details about education, nationality, citizen service numbers, information about physical limitations, psychological and physical work ability, and whether people were too ill to work. The AP initiated an investigation after nine such data leaks had occurred at UWV, impacting more than 15,000 individuals.

Holding

The AP held that UWV had vailed to take appropriate technical and organizational measures to ensure a risk-appropriate level of protection for the processing of personal data in the My Work Folder environment, in violation of Articles 32(1) and (2) GDPR.

In particular, it considered that: the UWV had failed to sufficiently mapped out the risks involved in the processing personal data of jobseekers in advance; rather than taking organizational measures (for example, UWV had sent messages urging employees not to send attachments with group messages in the My Work Folder environment) the UWV should have implemented technical measures earlier (it was not until the end of 2018 that UWV took technical measures to prevent similar data leaks); and, the UWV insufficiently checked and evaluated its own security measures.

The AP emphasised that under Article 32(1) and (2) GDPR, the more ‘sensitive’ data are, the greater threat the data poses to individual privacy, and the greater the demand for security. Si nce the data leaked by UWV included special category health data, the consequences of a security incident relating to the personal data may be very serious for a wide group of individuals, and may relate to, for example, stigmatization or exclusion. The data leaked also included social security numbers, which can be used to link various data files on individuals and therefore pose a higher threat to privacy.

The UWV may still appeal the AP’s decision.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                     AuthorityPersonal Data
                                                     PO Box93374,2509AJ The HagueJ

                                                     Bezuidenhoutseweg30,2594AV The Hague
                                                     T0708888500-F0708888501
                                                     authority data.nl

Confidential/Registered
UWV
Board of Directors
Attn. Mr.M.R.P.M.Camps
PO Box58285

1040HG
AMSTERDAM





Date Unidentified
May 31, 2021 [CONFIDENTIAL]


                         Contact
                         [CONFIDENTIAL]


Topic

Decisiontoimposeafine


Dear Camps,


The Data Protection Authority (AP) has decided to join the Implementing Institute
employee insurances (UWV) to impose an administrative fine of €450,000.UWV has
insufficientarisk-adjustedsecuritylevelguaranteedandguaranteedwithin the framework of
sending group messages via the MyWorkbook environment

acted with article 13 of the Data Protection Act and article 32, first stone, second paragraph,
of the General Data Protection Regulation.

The AP explains the decision in more detail. Chapter 1 concerns an introduction chapter 2 contains the facts.
TheAPassessesinchapter3oferrespectofprocessingpersonaldata,the

controller of the violation. Chapter 4 discusses the (height of) administrative
fine elaborated and chapter 5 contains the operative part and the remedies clause.
















                                                                                        1Date Unidentified
May 31, 2021 [CONFIDENTIAL]




1 Introduction

1.1Government body concerned


This decision relates to the Employee Insurance Agency Implementing Institute (hereinafter: UWV).
august2016 nine data leaks have occurred at UWV that were similar in nature
data leaks all happened when sending a group message to a group of job seekers.
In doing so, a wrong (Excel) file with a multitude of sensitive and special
personal data of a varying number of job seekers sent with them, such as in the 'My Work Folder'-
environment of job seekers. The number of job seekers whose data between 2016and

2018 were leaked, ran from 10 to 11,062 persons per data leak.

Because in a period of two years, nine similar data leaks had occurred despite that
UWV had indicated that it had taken measures, it was suspected that UWV did not have an appropriate
technical and organizational measures (as required by law) to be appropriate

to achieve a level of security that could prevent new similar data breaches.
That is why the AP has started an official investigation. This decision covers the period from 2012 to
enwith2018.

1.2Process flow


On 4 September 2018, an AP supervisor contacted the op by telephone
data protection officer (hereafter: DPO) of UWV.Supervisors of the AP then have
requested information several times from UWV on which UWV has supplied this information. UWV also has
Further documents sent to the AP on its own initiative.

On 31 October 2019, your WV was asked to respond to the facts as known to the AP until then.

On 14 and 18 November 2019, UWV responded to that request. By letter of 11 March 2021, the AP
sent to YOURVWanintentiontoenforcement.AlsowiththisletterbytheAPinthe
given the opportunity, the UWV on April 8 and 19 gave an opinion on this intention in writing
and the underlying findings report.
















                                                                                    2/41Date Unidentified

May 31, 2021 [CONFIDENTIAL]




2.Facts


2.1TasksUWVandcommunicationwithjobseekers


YOURVissetupon the basis of article2, first paragraph, of theLaw structure implementing organization works
                                                          1 2
income(SUWI).UWVis an independent administrative body with its own legal personality.

Within UWV, the WORK company division is engaged in job placement and reintegration

they map supply and demand through supply and demand. The WORK company focuses primarily on job searches with
a great distance from the labor markets to employers who are willing to hire these job seekers.

Persons who wish to apply for a benefit under the Unemployment Insurance Act must register with UWV
register as a job seeker. 3


Werk.nlisawebsiteofUWV.Since 2007,everyjobseekerandopwerk.nlhaspersonal
                                                                            4
environment that helps him/her in the job search: MyWorkbook. Ifajobseekerandone
benefits, you can do this via My Work Folder among other changes, tasks and job application activities
                                                            5
pass on and exchange messages with attachments with UWV.

UWV can use group messages if you send the same message to several job seekers

must send. These UWV messages come in the My Workbook environment of job seekers
justly.


2.2Source systemwith saved data jobseekers:Sonar


Sonaristhe main source system that the WORK companies and municipalities use for job seekers
                                                                                         6
to work mediation by linking job seekers to vacancies at employers. The system
contains data from the end of 2016 to 2018 on an average of 4,500,000 persons, including
job seekers, the sick and incapacitated for work. 7


Sonar contains 630 data fields containing all kinds of data about people. Not for everyone
                                           8
person, all data fields are filled in. The data in Sonar include NAW,
education (level), nationality, social security number, data about physical limitations, psychological and physical

work ability and whether people feel sick or are too sick to work.

1
2See, among other things, article 4 paragraph 1 SUWI and the ZBO register of the Dutch central government.
 See article 2 paragraph 2 SUWI and article 4 paragraph 1 SUWI and the zbo register of the Dutch central government.
3See article 26, paragraph 1, sub, dene, Unemployment Insurance Act.
4See, among other things, file document98 (Reply by UWV, file "Additional questions AP2110", p.1).
5See, among other things, file piece120 (Pageswebsitewerk.nl'Manual:Using Workbook').
6See, among other things, file document6(PresentationProgrammeraadaboutUWVapplications,p.2,3,6and11).
7See file document38 (Excel file, answer to question6 in the case of data leak1) and file document98 (Reply by UWV, file
"Additional questionsAP2110",p.1).
8
 See file 38 (Excel file, answer to question 6 in the event of a data leak1) and file 81 (Reply by UWV, appendix 1 (file
"AnswerquestionsAPAugust2019",answerquestion9)andattachment4(file"Question9-attachment")).



                                                                                                       3/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]




this data could be the state of mind or perception of the job seeker, who is herself an online
has completed the questionnaire. 9


Sonar has about 15,000 users. Half of the total accounts are from WORK companiesbedrijf

municipalitiesandotherhalfisofotherdivisionswithinUWV.Allusershavetheoption
createandsavesearches.Usershavebasedonfunctionandassociatedtasks
access to this data. 10



2.3Group Messaging

On 16 July 2012, the management of the WERKbedrijf, after data leaks via e-mail,

group messaging functionality in Sonar required for sending group messages to
several job seekers at the same time. This decision was also decided together with the QuickReference

Card “send group sonar mail to workbook” into the executive's attention
to bring employees of UWV. AQuickReferenceCardisbyUWVwithintheWORKcompany

used to record procedures and communicate the direction of UWV employees of these
procedures.


Certain actions are required to send a group message or an invitation to a selection via Sona
                               13
send job seekers. First of all, an employee of UWV selects a certain group
personsinSonarrequeststypesofdataabouttheminSonar.Thentheemployeeexports

fromUWVthissetwithdataofspecificpersonsfromSonarensavethewineexporteddata
Then this data is converted into an Excel/csv file. There is no limit on the number

persons whose data can be exported. In addition, the files are not protected,
because according to UWV this would complicate implementation. Then this file is used as a base
                                                           15
to determine the recipients of the group message. The group message is sent after the
UWV then to the recipients in the MyWorkbook environment.Thisprocessfordistribution

ofagroupmessagedescribesUWValdusintheQuickReferenceCard“SonarSendgroupmessages
from Sonar to the workbook” (hereinafter: QRC group messages). 16



9See file document38 (Excel file, answer to question 2 for data leaks 1 to 7) and file document 81 (Reply by UWV, appendix1
(file"Question AnswerAPAugust2019",answertoquestion3) and attachment2(file"Question3 Attachment")).
10
  See, among other things, file document81 (Reply by UWV, appendix 1 (file "Answering questionsAPAugust 2019", answer to question
10)).
1See, among other things, file document98(Reply by UWV, file"Additional questionsAP2110",p.3andappendix6(file"29-12
action items listDT",p.3subpoint4)).
12See file document98(ReplybyUWV,file"Additional questionsAP2110",p.2andappendix4(file"28BV06Trailer
banOutlookgroup messages0406212")andattachment5(file"28BV06Decisiondocumentforbidusegroupmailvia

13tlook")).
  See file document 66 (Reply by UWV, p.3).
14See file document38 (Excel file, under “Short description” with regard to all data leaks) and file document81 (Reply by UWV,
attachment1(file"Answer questionsAPAugust2019",answer question11)).
15See file document81 (Reply by UWV, appendix 1 (file "Answering questionsAPAugust 2019", answer question11)).
16SeeDocument Document38(Excel File,Appendix29(File"MicrosoftWord97-1003Document"withexplanationforanswertoquestion13

with data leak6 and 7)), file document 91 (Reply by UWV, appendices 1 to 4).



                                                                                                           4/41Date Unidentified

May 31, 2021 [CONFIDENTIAL]



According to YOURViser, when sending a group message, there is a limitation on the number of persons to
                                         17
whom the message can be sent. Since mid-2013 to the present, this number is limited to 100 every
prevent technical problems in Sonarte, thereby improving its performance and stability
                                      18
messaging is smoother. All used versions of the QRC group messages state that if
a UWV employee nevertheless wants to approach more than 100 people via the My Work Folder environment, this

at the FunctionalManagementcanberequested.FunctionalManagementcanthemaximumverytemporarily
increase to a larger number of persons. Furthermore, the QRC group messages state that attachments can be

are sent along with group messages via Sonar, but it is preferable not to do so. 20


In the period from January 2016 to September 2018, according to YOURVintotal61,214

group messages sent via the My Workbook environment, with an average of 215 recipients
personspergroup message. 21


2.4Data leaks related to the group messages


In total, nine data leaks have occurred since the beginning of 2016 related to the personal
                                                  22 23
environment of job seekers: MyWorkbook. UWV has reported eight of these data leaks to the AP.
Before January 1, 2016 there is no obligation to report data leaks to the AP.


With these data leaks, when creating the group message, the Excel file with the export from . is always

Sonar added. This resulted in this export file (instead of a message that had been sent
should be like for example a vacancy text) in the MyWorkbook environment of job seekers

rightly so.So itcouldnotseesecurethefilewiththeindividualdataaboutall
recipients of the message will reach all intended recipients. 24


The AP has shown in the table below the most important facts about the data leaks. 25











17See file document81 (Reply by UWV, appendix 1 (file "Answering questionsAPAugust 2019", answer question11)).
18See file document 91 (Reply by UWV, appendices 1 to 4).
19See file document91 (Reply by UWV, appendices 1 to 4).
20See file document 91 (Reply by UWV, appendices 1 to 4).
21
  See file document 86 (Reply by UWV, appendix 1 (file “numbers_messages_ap”)) and file document 91 (Reply by
UWV,appendix5(file"numbers_messages_ap")).
22See, among other things, file documents8 to 12 and 15 to 21 (data leak (continued) notifications to AP) and file documents38 (Excel file, reply to
question6mball data leaks).
23 The ninth data breach has not been reported to the AP, because UWV does not consider it likely that this is a risk to the rights and

freedoms of persons. See, among other things, file document 81 (Reply by UWV, appendix 1 (file "Answering questions AP
August 2019"), answer question8)) and file 83 (answer by UWV, answer question8).
24See also file document 45 (Reply by UWV, appendix “Decision memorandum FG research”, p.2).
25Source of this data: see file record8,9,10,11,12,15,16,17,18,19,20,21,38,51,81,86and98.




                                                                                                            5/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]




       Date data breach Number Number Type data
                         stakeholders involved who

                         whose message het
                         datahaveopened

                         leaked
                                                          Surname, Citizen Service Number (BSN), last occupation,
 1 22-8-2016 195 14
                                                          education level and row ID

 2 14-9-2016 151 20 Surname, place of residence, date of birth, social security number,
                                                          first WW day, date on which WW expired

                                                          of some whether they are sick or at work, that they
                                                          not being reachable by text message or not being digitally skilled


 3 15-9-2016 135 26 BSN

 4 22-9-2016 11062 26 Surname, zip code, city, e-mail address,
                                                          BSN, age, gender, profession (sector),
                                                          education (level), first unemployment benefit day and date

                                                          when WW ends, or status of cvactive or
                                                          expiration, number of daysWW on which
                                                          job seekerhas right, row ID


 5 21-2-2017 189 10 BSN, initials, surname, gender, e-mail
                                                          email address, age, WERKbedrijf location, first
                                                          WW day, total score on the online questionnaires
                                                          a brief description of barriers to

                                                          regarding finding work (such as psychologically
                                                          or physical work ability), including for 73
                                                          data subjects health data. This one

                                                          health data do not concern a disease or
                                                          medical reports, but, for example, whether
                                                          someone is too sick to work. The first WW-
                                                          day it can be deduced that all 189 involved

                                                          receive unemployment benefits (not the amount de
                                                          thereof).


 6 26-3-2018 10 7 Name, zip code, place of residence, education (level)
                                                          and social security number


 7 28-3-2018 90 12 Surname, zip code,
                                                          place of residence, professional sector and BSN














                                                                                                    6/41Date Unidentified

May 31, 2021 [CONFIDENTIAL]



 8 3-8-2018 2503 70 Surname, gender, date of birth, social security number,
                                                         telephone number, level of education, last occupation,

                                                         last employer, categories
                                                         driver's license, oral and written skills
                                                         Dutch, first, second and third
                                                         professional sector, registration/mediation profession,

                                                         available hours per week, hours still working,
                                                         first WW day, maximum last day WW-
                                                         benefit, age group based on first unemployment benefit
                                                         day, indication, whether there is an exemption and the
                                                         ID.


 9 5/9/2018 996 9 Last name enrow ID




2.5 Policy within UWV


WithinUWV, in any case 2016, policy was drawn up to address risks in the processing of
to detect and deal with personal data early on the basis of a careful risk assessment,

where risks are neutralized or explicitly accepted by a director
UWV to register the (outcomes of) risk assessments based on the policy. 26


Also, within YOUR VIN, at least from 2016 to 2020, a policy had been drawn up for technical and

implement organizational security measures in a risk-driven manner and setzet
check, evaluate and adapt. 27


2.6PracticewithinUWV


2.6.1Weighing the risks in practice
The AP has asked UWV several times whether and if so what risk analyzes have been carried out in order to
                                                                     28
protect personal data when sending group messages. HowandwhichrisksUWV
has weighed precisely, partly in response to the data leaks that have occurred, to determine whether

personal data when sending group messages via the My Work Folder environment sufficient than
UWV did not mention being sufficiently secured. 29


YOURV turns out not to be clear in its answers, even sometimes to give a contradictory image about it
(periodically) performing risk analyzes with regard to the security of personal data at the

sending group messages via the My Work Folder environment. UWV has stated in any case that it


26See appendix 1 page 25 for the exact parts from the policy documents of the UWV.
2See appendix 1 page 25 for the exact parts from the policy documents of the UWV.
28See, among other things, file document27 (Letter to UWV, p.4-5) and file document69 (Letter to UWV, question 12) and file document 93 (E-mail to UWV).
29See, among other things, file document38 (Excel file, reply to 11 under data leak1 to 4) and file document81 (Reply by UWV, appendix1

(file"Answering questionsAPAugust2019",answertoquestion12)) and file 98(answer by UWV, file
"Additional questionsAP2110",p.2).



                                                                                                    7/41Date Unidentified

May 31, 2021 [CONFIDENTIAL]



did not perform a risk analysis prior to the 2012 decision to go into group messaging
send via the My Work Folder environment. UWV has stated several times that from 2016 to

and with the latest data leak in 2018 in the context of data security during transmission
ofgroupmessagesthroughtheMyWorkbookenvironmenthasperformedrisk assessments
answersfromYOURVandsubmissionsisnotshowedhowtheseriskconsiderationsare

made and which risks have been weighed up at any open moment in that period. UWV has also
risks not regularly weighed up. 30


2.6.2Measures, checks and adjustments in practice
YOURSendofdataleaknotificationstotheAPofthesecondandthirddataleaktheyareinvestigating
                                                                              31
was whether technical measures are possible to prevent these data leaks. Inthenotificationofthe
fourth data leak at the AP gave YOU to investigate whether it was possible to place “such”
                                                        32
files” in the MyWorkbook environment. UWsetsenddataleaknotificationstotheAP
of the third and fourth dates leaked at the end of September 2016 that the employee who made the mistake
this was addressed by management and that awareness was being looked into. 33


After the first four data leaks in 2016, UWV decided to take organizational measures.
                                                                                           34
On 28 September 2016, UW first decided to take temporary organizational measures. And however
UWV has stated that these temporary measures still apply, as a result of a decision of the

District manager consultation (DMO) of UWV that the temporary measures to be taken on 28 September 2016
it was decided, in October 2016, to be replaced by other organizational measures
AP established that UWV has drawn up the “Guideline for safe communication at WORK company” and that it

intend not to investigate the possibilities of taking technical measures by
YOURViscarried out.In addition,theAPconcludedthattherecommended after October 20th 2016

organizational measure(s) prior to the fifth data leak has not been checked nor
evaluated by UWV. 35


UWV subsequently decided after the fifth data breach (February 21, 2017) to further organizational
measures with regard to the sending of group messages via the My Workbook environment,

namely by increasing awareness in doing so. UWV did that through workshops and a few visits
to districts.UWVthendecidednottotaketechnicalmeasures.Otherwise,thereafter20

october2016theorganizationalmeasure(s)inforcewith regardtothesendingof
group messages via the My Work Folder environment also not before the sixth data breach by UWV
                                36
neither checked nor evaluated. The statement of UWV that these measures have been checked and
evaluated, UWV has not substantiated with documentation.




30See appendix1, page 26 and 27 for the exact answers of the UWV.
3See file documents9 and 10 (Data breach notifications).
32See file documents11 and 12 (Data breach (continued) notifications).
3See File Document 10 (Data Breach Report) and File Documents 11 and 12 (Data Breach (Continued) Reports).
34
35See appendix 1 page 28 and 29 for the exact measures of the UWV.
  See appendix 1, pages 30 to 34 for the exact measures and statements of the UWV.
36See appendix 1, pages 33 to 35 for the exact measures and statements of the UWV.



                                                                                                    8/41Date Unidentified

May 31, 2021 [CONFIDENTIAL]



After the seventh data breach (March 28, 2018), UWV decided on several organizational measures.
However, your WORK company have not checked as such whether these measures are actually
have been introduced. Apart from two measures, YOURVook has no documents or a further

substantiation provided on the basis of which it can be established or the organizational measures
are secured in documentation and when they are implemented.


After the eighth data leak(3August 2018), UWVdecidedtointroduceatechnical
measure, which is to block the possibility of adding, among other things, Excel
fileswhensendinggroupmessagesviatheMyWorkbookenvironmentfordataleakageinthere

This technical measure was implemented in December 2018, so far after the ninth data breach, by UWV
implemented.
The abovementioned facts cover the period from 2012 to 2018. This concludes the investigation of

the AP only relates to this period. In its view, UWV still has the following
declared over the period after 2018.


UWV has stated that in the process for sending group messages in the My Work Folder-
environment next to the technical measure, which has the specific risk of sending Excel lists
removed, also actively used to raise extra awareness among (new) employees in the implementation who

have frequent (digital) contact with job seekers for the performance of their tasks
are nowwithin WORKcompanytheprocessdescriptionsandQuickReferenceCards(QRCs)annually
evaluated and adjusted if necessary.


Furthermore, at the end of 2018, the FG carried out a study on behalf of the Board of Directors of UWW
following the eighth data, a report of findings appeared to be prepared. Specifictothe

mitigating the risks of sending group messages in the MyWorkbook environment, it
DPO investigationthatthetechnicalmeasurethatuploadsExcelfilestotheMyWorkbook-
environment, is an effective measure to prevent this type of data leakage.


Partly as a result of the FG investigation, UWVWERK company has continued to be assigned to KPMG
given to conduct a broader investigation into the source system SONAR. This to determine value

vulnerabilities and risks are located in a technical, process as well as organizational area,
in which the already existing organizational and technical measures have also been evaluated (check-
phase). In 2020, this research resulted in four advisory reports with 77 recommendations
                                                              39
advisory report privacy is largely disclosed by UWV.

As a result of the advisory reports, the large-scale improvement project SONARIB&P was started in 2020,

which aims to address the findings of the survey and the SONAR IB&P risk level
reduce strength (act->plan->do-phases).UWVwillbeanextratechnicalmeasure


3See appendix 1, pages 35 to 41 for the exact measures and statements of the UWV.
3The 'Step-by-step plan Sharing Safe Personal Data'whatUWVcommunicatedtoemployees on May 1,2018.Tevenshad
UWVexpandedtheQRCgroupmessageswiththepassageaboutcleaning(Excel)filesandthe4-eyesprinciple.
3See https://www.uwv.nl/overuwv/Images/bijlage-1-bij-besluit-wob- Request-research report-sonar-privacy.pdf.




                                                                                              9/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]


implement the export functionality from SONAR for employees in the implementation, except for someenkel

authorized employees will be closed.

Seeing the recommendations from the KPMG research according to YOUR V Also to improve the
risk management process, including the Plan-Do-Check-Act cycle (hereinafter: PDCA cycle).

this improvement in risk management and the implementation of control measures will
WORKcompanythegrowthinimplementingthePDCAcycle–and therebyensuring that
appropriate technical and organizational measures have been taken and are being continued.



3.Legal Review

3.1Processing of personal data

As of May 25, 2018, the General Data Protection Regulation (GDPR) will apply. Given the

facts in this investigation took place between 2012 and 2018, the AP will both
personal data (Wbp) as the AVG keys.

The concept of personal data is defined in article 1, sub, of the Wb and article 4, part 1, of

the AVG.Inarticle 16 of the Wbp, data about health are considered special
personal datamarked.TheGDPRmarkedinarticle9dataabouthealthas well as
special data.


Personal data within the meaning of the Wb and AVG are all information about an identified or
identifiable natural person.Sonar contains data about natural persons such as
names, addresses, the SSN and other information. This information allows the Sonar registered
natural persons, among which job seekers are identified directly or indirectly.Sonar contains
so personal data within the meaning of article 1, under a, of the Wb and article 4, part 1, of the AVG.


Sonar also includes data on physical limitations and the mental and physical
workabilityofpersons.Also statesinSonarofpersonsfeelingsicktowork.On
under article 16 of the Wb and article 4, part 15, of the AVG, this is data about the

health.

From the above it follows that UWVwhen sending group messages via the MyWorkbook environment
personal data, including the BSN and health data, processed within the meaning of the Wbpen

the AVG.






4 On that date, pursuant to article 51 of the UAVG, the Personal Data Protection Act (Wbp) was withdrawn.



                                                                                     10/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]



3.2 Controller


The term (controller) is defined in article 1, sub, of the Wb and article
4, part 7, of the AVG. In the case of independent administrative bodies at state level, the body charged with the
duties and exercise of powers for which the data is processed, as a controller

are notable.

As stated in section 2.1, YOUR V is set under a law, namely the SUWI. U W V is a
independent administrative body of the central government with its own legal personality. As above

in the case of independent administrative bodies at state level, is the body charged with the tasks and exercise
of powers for which the data is being processed, as responsible.UWVW
has both legal and de facto control over the processing of data that
are collected within the scope of group messaging through the workbook.


Based on the above, the APUW marks Vaan as (controller) responsible as referred to in
article 1, part, of the Wb and article 4, part 7, of the AVG for the processing of

personal data in the context of sending group messages via the workbook.

3.3Securityofdataprocessing


3.3.1Legal framework
From September 1, 2001 to May 25, 2018, the security of the processing of
personal data, article 13 of the Wbp. The security obligation extends to all parts of

the process of data processing. The term «appropriate» implies that the security in
in accordance with the state of the art. This is firstly to no demand from professional
ethics of persons in charge of information security. The standards of the sea ethics are applied in this
provision of a legal capstone, in the sense that there is a legal obligation for the

the responsible person is connected. The term «suitable» also indicates a proportionality between the
security measures and the nature of the data to protect. For example, as the data
have a more sensitive character, or the context in which they are used a greater threat to the

privacy, strict requirements are placed on data security.

The European Directive on the basis of which, among other things, Article 13 of the Wbp has been drafted under
otherwith regard tothesecurityoftheprocessingofpersonaldata:“thatthe

principles of protection (…) must be reflected in the obligations imposed on persons, public authorities,
undertakings or other bodies that carry out the processing are imposed, and obligations that in particular
relate to the quality of the data, the technical security, the registration with the supervisory
authorities and the circumstances in which the processing may be carried out (…)”. It also includes

with regard to the security of the processing of data: “that the protection of the
rights and freedoms of data subjects in connection with the processing of personal data, both in design and in

41
 See Directive 95/46/EC of 24 October 1995 on the protection of natural persons with regard to the processing of
personal data and with regard to the free movement of such data, recital 25. Underline of the AP.



                                                                                           11/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]




in the execution of the processing requires appropriate technical measures, in particular to ensure safety
guarantee and thus prevent any unauthorized processing;(…)”. 42


The Dutch DPA has in a case that concerned access to electronic medical records - with respect to
of the taking of security measures in the context of article 13 of the Wbp is judged as follows:

“A responsible person may only proceed to take purely organizational measures if he can demonstrate that
it is not possible to take appropriate technical measures. This must be compensated for with additional
                                                           43
organizational measures and monitoring compliance with them”.

In order to implement article 13 of the Wbp, the Dutch DPA has in 2013 guidelines with regard to security

of the processing of personal data (hereinafter: Dutch DPA guidelines). When drafting the
CBP guidelines have been sought to join the ISO27001. The guidelines set as necessary

preconditions to ensure a continuous appropriate security level of processing of
to obtain and guarantee personal data as required by law: “take measures based on

risk analysis, security standards and applying and embedding in a plan-do-check-act cycle”.

The CBP guidelines state about this PDCA cycle: ''After establishing the reliability requirements, the

responsible measures with which he ensures that the reliability requirements are met. Then
The person responsible checks whether the measures have actually been taken and have the desired effect. The total

reliability requirements, measures and control are regularly evaluated and adjusted where necessary, so that
a permanently appropriate level of security is achieved”.5


Like ISO27001, the CBP guidelines (as part of the PDCA cycle) also write before the
controller takessecurity measures based on a risk analysis, whereby he

identifies threats that could lead to a security incident, the consequences it
securityincidentmayhaveandthechancethatthesuccessfollowsoccur.Wheninventoryand

assessing the risks are relevant mainly to the consequences that those involved may experience from
unlawful processing of their personal data. Depending on the nature of, these consequences may
the processing and processing of the processed data, including stigmatization or
                                                                               46
exclusion, harm to health or exposure to (identity) fraud.


In the GDPR, Article 32 contains the requirements concerning the security of the processing of personal data
The risk should be taken into account when determining appropriate measures
privileges and freedoms of persons. 47


Recital 83oftheGDPRstatesaboutensuringthesecurityofprocessing

personal data and assessment of the risks: “In order to ensure security and to prevent the

42See Directive 95/46/EC, Recital 46. Underlining the AP.
43See, among other things, caseZ2003-0145,p.3.
44
45See CBP Guidelines: Security of Personal Data, https://wetten.overheid.nl/BWBR0033572/2013-03-01.
  See CBP Guidelines: Security of Personal Data, https://wetten.overheid.nl/BWBR0033572/2013-03-01.
46See CBP Guidelines: Security of Personal Data, https://wetten.overheid.nl/BWBR0033572/2013-03-01.
47See also recital 75 of the GDPR.



                                                                                                       12/41Date Unidentified

May 31, 2021 [CONFIDENTIAL]



processing infringes this Regulation, the controller or the processor shall
processing to assess the inherent risks and take measures, such as encryption, to mitigate those risks.

measures to ensure an appropriate level of security, including confidentiality, account
taking into account the state of the techniques, the execution costs, the risks and the nature of the protection to be protected

personal data. When assessing data security risks, attention should be paid to risks that
occur in data processing, such as the destruction, loss, modification, unauthorized

provision of or unauthorized access to the data transmitted, stored or otherwise processed, either
by accident it is illegal, which in particular can lead to physical, material or immaterial damage.”


Finally, in 2007 the Decree on information security government service (hereinafter: VIR) is in force
become. In 2014, the Administrative Statement Information Security, UWV declares to go to the VIR
          49
handle. With regard to the concepts used in the VIR, it is stated: “The concept framework of the
Information Security Code (ISO17799:2005) is adopted in this regulation”. The PDCA cycle off
                                                         51
ISO17799:2005 has since been incorporated into ISO27001. This standard contains a number of steps that
must be performed. The steps form a so-called Plan-Do-Check-Act cycle (hereafter:
PDCA cycle) to respond to (ever-changing) threats in relation to the information. 52


Article 4 VIR identifies the responsibilities of line management

notes to the VIRis about article 4 VIR includes the following: “Created deliberately to article 4 in
to formulate terms of the Planning and Control cycle, in accordance with regular business operations. (…) Information security itself
                                                           53
takes place via the Deming quality circle (PDCA cycle)”. In the article-by-article explanation of the VIR is
in addition, with regard to article 4: “For the effectuation of information security, we work through the PlanDo
CheckActcycle(...).Afterdeterminingwhatisneeded(reliabilityrequirements),measuresaretaken

checked whether these measures have the desired effect (control). This control can directly lead to
adjustment in the measures. Also, the total of requirements, measures and control can be subject to revision (evaluation).
                                                                                            54
go through this quality circle and ensure the adequate level of security at all times”.


3.3.2Assessment
From both article 13 of the Wb and article 32, first and second paragraph, of the GDPR it follows that the
controller must take appropriate technical and organizational measures to

security level of the processing of personal data appropriate to the risk
guarantee/guarantee. These provisions are intended to guarantee the same (legal) interests and there is no

(substantial) material change of the regulations on this point.


To ensure a risk-adjusted level of security in the processing of personal data
guarantee/guarantee, a controller should therefore analyze risk, appropriate


48Government Gazette28 June 2007, no.122. https://zoek.officielebekendmakingen.nl/stcrt-2007-122-p11-SC81084.html.
49Government Gazette2014,15447,https://zoek.officielebekendmakingen.nl/stcrt-2014-15447.html.
50Government Gazette28 June 2007, no.122, p.12.
51ISO/IEC27001:2013chapters6t/m10.
52
53See, among others, ISO/IEC27001:2013,Chapters 6 to 10 and ISO/IEC27001:2017.
  Government Gazette28june2007, no.122,p.12.
54Government Gazette28 June 2007, no.122, p.15-16.



                                                                                                          13/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]



take measures and evaluate the move. These steps form the preconditions for a continuous
ensure an appropriate level of security for the processing of personal data in line with the law,
namely by embedding in a plan-do-check-act cycle (PDCA cycle). This cycle is in line with the
procedure mentioned in article 32, first paragraph, of the GDPR, namely a procedure for

periodically test, assess and evaluate the effectiveness of the technical and
organizational measures to protect the processing. Also the VIR, where your WV is located
has conformed, is based on ISO 27001 and writes a PDCA cycle. This general
accepted security standard takes into account the AP in this case. The AP works the

different steps of the PDCA cycle below.

Weighing the risks for persons before determining measures
Thestartingpointthatisperformedunderthesecureoftheprocessingof

personal data is a weighing up of the risks of that processing. Based on this, it is determined
what measures are necessary to counter these risks.

It follows from the WB and the AVG explanation that when considering data security risks

attention should be paid to risks that arise in the processing of personal data. Such as
unauthorized disclosure of or unauthorized access to processed data
and assessing the risks are relevant mainly to the consequences that persons may experience from a
unlawful processing of personal data. The more sensitive the data is,

or the context in which they are used a greater threat to privacypersoonlijk
mean, stricter requirements are placed on the security of personal data.

When sending group messages via the MyWorkbook environment, as stated in section 2.4,

there have been several (accidental) unauthorized disclosures or unauthorized disclosures
access of processed personal data of job seekers. UWV is therefore expected that they,
to arrive at a security level appropriate to the risks, continuously inventory and
assessesthatmayleadtoasecurityincident.UWVexistedfromatleast2016

policy to detect and tackle risks in the processing of data early on
the basis of a careful risk assessment. The VIR also obliges UWV to carry out an explicit risk assessment
determining appropriate security measures.


As concluded in section 3.1 the AP, YOUR Vin Sonar processes a multitude of different
personal data of a highly sensitive nature, including data about the health of persons
andthe BSN.UWVprocessedat the end of the period from 2016 to 2018, data on an average of 4,500,000
persons. Jobseekers, the sick and incapacitated for work and who are legally obliged to register with

UWMust provide therefor their personal data,must be able to rely on UWV
properly weighs the risks that these persons run
security incident with regard to the data that UWV processes may be serious for
a large group of persons. Thus, it may not sufficiently secure the processing of these

personal data lead to stigmatization or exclusion. Now UWVookthe BSNprocessingwhatinthe





                                                                                      14/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]



practicesignificantly facilitateslinkingofdifferentfiles,moreexistingforpersons
whose data in Sonar represents an additional risk of a threat to privacy.


The policy of UWV contains measures, including an explicit risk assessment as part of a
PDCA cycle. Contrary to this policy, it appears that UWVin their answers regarding the

sendinggroupmessagesviatheMyWorkbookenvironmentprovidesacontroversialimageaboutthe
performing such risk assessments with regard to the security of personal data. UWV
has in any case stated that prior to the decision in 2012 to only send group messages
sendviatheMyWorkbookenvironmentnoriskanalysishasbeenperformed.UWV thenasked

thatfrom2016tothelastdataleakin2018underthesecurityof
personal data when sending group messages via the My Work Folder environment
has carried out risk assessments
showed how UWV has made these risk assessments and what risks are involved at any time in that

period have been weighed up and how they have considered the possible consequences for job seekers
insofar as UWV is of the opinion that the proposed measures of October 2016 do represent a risk assessment
contains, the AP notes that there is a balancing of risks in the sense of the (explanation of the) law

It only contains a proposal for measures without further substantiation. It also shows
this document does not indicate that risks to persons have been taken into account when proposing measures. Stronger
yet, UWV only talks about risks that YOURV itself runs in its customer communication.
organization such as UWV, which processes so many particularly sensitive data of so many people,

and the consequences for them when sending group messages via the Myworkbook environment
can be far-reaching, it does not or does not take sufficient account of the risks for job seekers
extra careless when determining security measures.


Based on the above, the AP concludes that UWV with regard to the impact of
security measuresin the context of sending group messages via the MyWorkbook-
environment the risks for job seekers, who, in view of the sensitivity of the data that UWV processes

can be drastic, in any case in the period from 2012 to 2018 not/insufficiently mapped
with this.UWVinsufficientlyhas a risk-adjusted level of security
guaranteedandguaranteed.


Taking technical and organizational measures
Aftermappingandweighingtherisksforpersonsofdataprocessing
the determined measures should then be implemented and carried out. Both article

13of the Wbp as article 32, first paragraph, of the GDPR, obliges the controller to the
takingtechnicalandorganizationalmeasurestoprotecttheprocessingof
to safeguard personal data.


Paragraph 2.6 shows that UWV only has organizational measures until December 2018
implemented in the context of sending group messages via the My Workbook environment to theom
to ensure the security of the processing of personal data. An example of a

55
 See appendix1page30.



                                                                                         15/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]



organizational measureisthemessagewhereemployeesarecalledpreferablyno
Sending attachmentswithgroupmessagingthroughSonar.Themeasuresregardingarestrictiononthe
number of job seekers to whom the message can be sent further, as YOURVook puts it,
to avoid technical problems in Sonart that would improve its operation and stability

themessaging traffic is smoother.Thisisnotforthesecurityoftheprocessingof
personal data. This limitation only applies to the number of recipients of a message,
but does not limit the number of job seekers whose data can be obtained by UVW
In addition, the limitation to 100 recipients could be bypassed by a request to do so

to dowithFunctionalManagement.Fiveoftheninedataleaksisthesamegroupmessagetomore than
100 job seekers sent simultaneously via the My Work Folder environment.

UWV had decided on 20 October 2016 (after the fourth data breach) to conduct an investigation in the short term

start to the possibility of taking technical measures, including the technical
make it impossible to add Excel files to a workbook message.It then has until after
the eighth date in September 2018 lasted before UWV subsequently decided to take
a technical measure, namely blocking the possibility of adding, among others

Excel files when sending group messages via the Myworkbook environment.However, it turns out
UWV only in December 2018 (before the ninth date on September 5, 2018 and after the 2016
announced investigation into the introduction of technical measures) has proceeded to the three
months earlier decision to actually carry out. Taking this technical

measure is therefore possible.

The data leaks do not seem urgent for UWV to initiate the research suggested in 2016U
to the possibility of carrying out technical measures soon. By not (also)

implementingatechnicalmeasurehasyourVinadequatelyadaptedtoarisk
securitylevelguaranteedtherebyacceptedariskofdata leaks for more than two years
with a lot of data concerning a large group of citizens.


Checkingandadaptingmeasures
Technical and organizational security measures should be based on both the Wb and the AVG
to ensure a level of security appropriate to the risk.This is necessary in any case
to check whether the measures have been implemented, correctly applied or carried out and what

theeffectofthemeasuresisontheinitiallyidentifiedrisks.Basedonthischeckofthe
measures are then determined whether the measures are still appropriately tailored to the risk
security level or whether additional measures are required.


WithinUWVmoneyfrominanycase2016to2020policytotakemeasures
check and, if necessary, adjust as part of a PDCA cycle
UWV does not have a generic policy in which it checks whether UWV central measures are in place
implemented in practice by the responsible division(s) and that regional offices to some degree

can give your own interpretation to central policy.UWV also reports about this that no
formally protocolled procedure is within UWV, within which is




                                                                                     16/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]


checked whether such agreed organizational and process measures are takenword

implemented, because that would be impractical given the size of the organization and quantity
decisions that UWV takes.

YOU also indicate that it has not checked or measures decided upon as a result

of data leaks have actually been introduced. UWV has also entered into force after 20 October 2016
being the organizational measure(s) prior to the fifth (2017) and sixth (2018) data breach
checkednorevaluated.Finally,UWVhasnotshownthatithasopenmoment
checked whether the organizational measures that were in place prior to the eighth data breach (2018)

have been introduced.UWV has also not evaluated these organizational measures.

As previously concluded, the consequences for job seekers are insufficiently secured sending
of group messages through the workbook. Especially at an organization like UWV, which is so much sensitive
and special personal data of so many persons are processed, it is necessary to check whether

measures are actually (correctly) implemented evaluate the move and adjust it where necessary
fit.JobseekersandotherswhoarelegallyobligatedregisterwithUWVTherefor
must provide their data, must be able to rely on UWV measures
checks, evaluates and adjusts if necessary.


Based on the above, the AP concludes that UWV has implemented the security measures in the
framework of the sending of group messages via the My Workbook environment does not have/insufficiently
auditedandevaluated,makingUWVinadequatearisk-adjustedsecuritylevel

hasguaranteedandguaranteed.

3.4Opinion of UWVenreactionAP

In this paragraph, the AP briefly summarizes your view of UWV with the response of the AP.


YOURV notice first stop that it regrets that it has not been sufficiently fulfilled
different phases of the PDCA cycle. UW strongly supports the findings of the AP
to improve this process.


3.4.1View on factual findings
YOURFISH believes that the analysis of the eighth data leak shows that the eighth data appeared to be directly affected
measures have been analyzed as well as evaluated by UWV, whereby measures are also proposed.


The AP notes about this that UWV has indeed analyzed and evaluated the eighth data, but
this analysis does not show that UWV is processing personal data in the context of sending
ofgroupmessagesthroughtheMyWorkbookenvironmenthasevaluatedonitself.Theevaluationofa
loosedata leakinsufficient fulfillment of a risk-adjusted security level with associated

PDCA cycle. In addition, it cannot be deduced from the analysis that UWV has taken immediate action.
The introduction of the technical measure has been discussed by UWV, but this measure has only been




                                                                                       17/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]



introduced later. In addition, the AP considers it to evaluate measures that should have been introduced
useless.


YOURFleshnotbackinthefindingsthatitindicatedAugust2019thattheWORKcompanyanexternal
would conduct research into the export functionality from Sonars to the sending of group messages via

the work folder.

The AP did not take your plan to have an external investigation carried out as a fact
because this was only an intention of UWV yet. In addition, this intention does not refer to the period of

the established violation. However, the AP did mention this investigation in paragraph 2.6 of the present
decision.


3.4.2Viewpointonlegalframeworkandassessment
The norm that a responsible person may only proceed to take purely organizational measures if he can
demonstratethatitisnotpossibletotakeappropriatetechnicalmeasures,according toUWVissufficientlyfollowedfromthe CBP-
2013 security guidelines, a CBP case and the other sources cited in the report.


The AP does not follow this view of UWV. First, the AP did not refer only to a CBP case,
but also to the Directive 95/46/EC of 24 October 1995 on the protection of natural
persons in connection with the processing of personal data and with regard to the free movement of those

data, considerations 25 and 46. Secondly, both article 13 of the Wbp and article 32 of the AVG
that the controller must take appropriate technical and organizational measures.
Technical and organizational measures must be taken cumulatively. The standard in article 13

oftheWbpenarticle32oftheAVGisconsistentlyclear, according to theAP.UWVhasnomore
argued that it was allowed to limit its impact solely by organizational measures,
since it was not possible to take appropriate technical measures
would also have been untenable, now that YOU will find in December 2018 just in the end and technical

measure has been implemented.

It is possible that not all measures were equally effective and may have been misjudged

the conclusion cannot be drawn from YOURV that the implementation of
appropriate measures. And from the single data that has been sitting for some time between the evaluation moments and the
According to the UWV, on the basis of the findings, the introduction of the technical measure cannot be concluded that
from the eighth date there has been no or insufficient completion of the implementation of appropriate measures, if

as a result of insufficient risk management.

The AP does not follow this view of UWV and motivates this as follows. The AP has assessed the whole
whether UWV has a security level appropriate to the risk for the processing concerned

guaranteedandguaranteed.ThatUWVhastakensomeorganizationalmeasuresdoesn't matter
the determination that UWV has insufficient risk analyses, technical measures and checks
As a result, as stated by YOUR Vook itself, the security measures are not effective

56
 https://www.autoriteitpersoonsgegevens.nl/nl/nieuws/arbodienst-handelt-niet-slagen-met-wbp-%C2%A0



                                                                                             18/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]


In addition, UWV did not come up with the recommendation until after the eighth data breach (August 3, 2018)

to take technical measures, while in October 2016 it was already decided in the District Manager consultation that
in the short term, the possibility of technical possibilities had to be explored
In the intervening period of almost 2 years, UWVal thus failed to conduct this research.


YOU further believe that an evaluation has taken place after the eighth date of the leak.
above, UWV does not follow the duration of the detected violation. According to UWV, after the eighth
data leakage is applied to an appropriate level of security.


TheAPisevaluatedwithUWandthattheeighthdataleakhasbeenevaluated.However,thisevaluationcontainsonlyone
data breach. The AP would like to emphasize again that UWV the measures taken are not in periodic
has fully evaluated and has not sufficiently analyzed the risks in advance
moreover, the investigation only took place from November 2018 and the technical measure was by UWVin
introduced in december 2018. The AP therefore also does not follow the view that UWV from the eighth data breach

(August 3, 2018)guaranteedandguaranteedarisk-adaptedsecuritylevel.

In hindsight, with today's knowledge, according to UWV, the process has not been followed sufficiently and is insufficient
documented.UWV notes here that the findings do not show that they have not been filled in at all

at the different phases of the PDCA cycle or during the entire period from 2012 to the end of 2018.

The AP agrees that the findings do not indicate that the
different phases of the PDCA cycle, but notes that this has not been sufficiently specified.
It appears from what YOUR Vwel has documented that only the jamming was taken into account

of the systems of UWV where the risks for those involved were not mentioned. UWV has furthermore
some organizational measures taken, but not the necessary (and technical) measures
resulting in an insufficient level of security.

3.5 Conclusion


The AP concludes that UWVinsufficientlyasecurityleveladjustedtotherisk
guaranteed and guaranteed in the context of sending group messages via the My
Workbook environment. As a result, there was a continuing violation where YOUFIND

period from 2012 to May 24, 2018 has acted contrary to article 13 of the Wbp from 25
May 2018 to December 2018 has acted contrary to article 32, first stone, second paragraph, of the AVG.














                                                                                       19/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]




4.Penance

4.1 Introduction


UWV has acted in conflict with article 13 of the Wb and article 32, first stone and second paragraph, of the AVG.
For the established violation, the AP uses its power to fine your
layfortheperiodfrom1january2016(startpenaltyauthorityAP)untilDecember2018.Consideringseverity

of the violation and the extent to which it can be blamed on UWV, the AP considers the imposition of
a fine. The AP motivates this in the following.


Considering that in this case, there is a continuing violation that is subject to both the Wbp and the GDPR
occurred, the AP has checked against the substantive law as it applied at the time when the
behavior took place. In this case, both article 13 of the Wb and article 32, first stone, second paragraph, of
the AVG. These provisions are intended to guarantee the same legal interests and there is no (material)

material change of the regulations on this point. Given that the gravity of the infringement is
at the time of the Wbp, the AP sees reason in this case to join the 'Penance policy rules'
Dutch Data Protection Authority2016'.


4.2 Fine policy rules of the Dutch Data Protection Authority 2016

In this case, DeAPusesthe‘Finance Policy RulesAuthority of Personal Data2016’ (Fine Policy Rules)
for the fulfillment of the power to impose an administrative fine, including determining
                    57
from the height of it. In the Fine policy rules, a category formats bandwidth has been chosen
systematically.


Violationofarticle13oftheWbpisingpartincategoryII.CategoryIIhasafinebandwidth
between €120,000 and €500,000. Within the bandwidth, the AP sets a basic fine. As a starting point
applies that the AP sets the basic fine at 33% of the bandwidth of the violation linked to
fine category. In this case, the basic fine is set at €245,400.


4.3 Fine amount

The amount of the fine adjusts the AP to the factors mentioned in article 6 of the

Fine policy rules, by decreasing or increasing the base amount. It is about an assessment of the
seriousness of the violation in the specific case, the extent to which the violation may affect the offender
be blamed and, if there is reason to do so, other circumstances such as the (financial)
circumstances in which the offender finds himself.




5Policies of the Data Authority of December 15, 2015, as last amended on July 6, 2016, with regard to
the imposition of administrative fines (Finance Policy Rules of the Data Protection Authority 2016), Stcrt.2016,2043.
5Finance Policy Rules, p.10-11.



                                                                                         20/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]



4.3.1Seriousnessoftheviolation
Any processing of personal data must be done properly and lawfully
organizationswithprocessingdatainfringetheprivacyofcitizensitof
it is very important that they apply a level of security appropriate to risk. When determining risk

for the data subject include the nature of the personal data and scope of the processing
important: these factors determine potential damage for the individual involved in, for example,
loss, alteration or unlawful processing of the data. As the data becomes more sensitive
character, or the context in which they are used, is a greater threat to personal

privacy, stricter requirements are imposed on the security of personal data. The
APconcludedthatUWVinsufficientlyhasarisk-adjustedsecuritylevel
guaranteedandguaranteedwithin the context of sending group messages via the MyWorkbook-
surroundings.


With regard to the nature of the data, the AP has determined that YOURVinSonar has a multitude of
processes various data of a highly sensitive nature, including data about the
health of persons and the BSN. Jobseekers, the sick and incapacitated for work and who are legally

are required to register with UWVandthereforemustprovidetheirpersonaldata,must
can be confident that YOURV properly weighs the risks that these people run.
TheimpactofasecurityincidentwiththepersonaldatathatUWVprocesscanbemajor
for a sizable group of persons. Thus, it may be insufficiently secure of this data

leadtostigmatizationorexclusion.NowUWValsotheBSNprocesseswhatinpracticealink
of different files considerably easier, is more available for persons whose data in
Sonar is an additional risk of a threat to privacy.


In addition to the sensitive nature of the data, UWV also processes data from a great many citizens.
UWVprocessedinSonarintheperiodfrom2016to2018dataaboutan average of 4,500,000
persons. All these people were at risk because of the insufficient security level of
UWV.In addition, YOURVal has leaked personal data on several occasions. Out of a total of 15.331

people has leaked YOUR data when sending group messages via the workbook.Finally
the AP notes that the violation lasted 2 years and 11 months. The AP considers this very serious.

In view of the above, the AP sees, on the basis of the degree of seriousness of the violation, reason to

to impose a fine on YOU and increase the basic amount of the fine to €450,000.

4.3.2 Blame
According to article 6, second paragraph, of the Policy Rules, the AP takes into account the extent to which the

violation can be blamed on the violator. If the violation was committed intentionally or it
as a result of serious culpable negligence as referred to in article 66, fourth paragraph, of the Wbp,
assuming that there is a significant degree of culpability on the part of the offender.


According to the parliamentary history of 'serious culpable negligence' as referred to in Article 66,
fourth paragraph, of the Wbp, applies if “the violation is the result of serious culpable negligence, i.e.




                                                                                       21/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]



the result of gross, considerably careless, negligent or injudicious action.” In this connection
                                                                                  60
it is noted that by “acting” as referred to herein, is also meant an omission.

YOURFISH believes that the findings of the AP do not follow that there are serious culpable
negligence. The first four data leaks were for YOUR reason to make serious adjustments in the process

to implement and invest in awareness of the risks associated with manual processing. According to
YOURViserbetweenthefifthandtheeighthdataleakdeployedonstrengtheningthisorganizational
measures(such as workshops).According to UWVdate,thismeansintheprocessforsending

groupmessagesintheMyWorkbookenvironmentalrightisdeployedforsecurity measures
to improve.


The AP does not follow this view of UWV and motivates this as follows. YOUR Fish is obligated to
use a security level that matches the nature and scope of the processing and that UWV
now that YOURV has not ensured an adequate level of security for years, the AP believes that
YOU have been seriously negligent in failing to weigh up the risks to citizens, in taking appropriate

security measures and check and adjust these measures. For the organizational
measures that have been implemented in accordance with YOURVwelfare, UWV has not based these measures on
risk assessments and how they have considered the possible consequences for those involved

YOURVindicatedthatithasnotcheckedorthemeasurestakenafterthedataleak
have actually been introduced and evaluated.


The Wbp, the AVG and the CBP guidelines regarding the security of the processing of
personal data have expressly described that organizations are risk-adjusted
security level.UWVmaybecomeconsideringthesensitivegroundandlargesize
the processing is expected to be aware of the standards that apply to it there

acts accordingly.

In addition, the AP considers it very negligent and negligent that UWV only leaks no data in December

2018has proceededtoimplementtechnicalmeasures.Namelyblockingthe
ability to add, among others, Excel files, when sending group messages
via the Myworkbook environment.Citizenswhobecomeobligedtoprovidepersonaldata

assume that the UW will take the necessary measures to their
to protect personal data.

The AP considers the fact that YOURVook has not complied with its own policy rules.

that the policy of UWV indicates that measures must be taken on the basis of explicit
risk assessments as part of a PDCA cycle, UWV did not take sufficient account
with the risks and consequences for job seekers. In addition, UWV did not have a

technical measureintroducedwhileUWVon20October2016alreadydecidedonshortterma
to start an investigation into the possibility of taking technical measures. It also has UWV

59
60Parliamentary PapersII2014/15.33662,no.16,p.1.
  ActsII2014/15,51,item9,p.11.



                                                                                          22/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]



not checked whether the measures that were taken in response to the data leaks were
have actually been introduced into the organization. The violation is therefore the consequence ofgrofen
Significantly negligent actions by UWV.


In the opinion of the AP, all of the above shows that UWV grossly, considerably careless or
acted negligently, resulting in serious culpable negligence on the part of
UWV. In view of the circumstances of this case and the criterion of seriously culpable negligence
Under the Wbp, however, the AP sees no reason to reduce or further increase the fine.


4.3.3Proportionality
Finally, the AP assesses on the basis of article 5:46 of the General Administrative Law Act
codifiedproportionalityprincipleortheapplicationofitspolicytodeterminealtitude

of the fine, given the circumstances of the specific case, does not lead to a disproportionate outcome.

The AP believes that, given the seriousness of the violation and the extent to which it can be charged to UWV
accused, (the amount of) the fine is proportional. The organizational measures that according to UWVwel

are affected, according to the AP, the present infringement of article 13 of the Wb and article 32, first
and the second paragraph, of the AVG, not removed. Not weighing the risks for citizens, the lack of
have appropriate security measures and fail to check and evaluate these measures
after all, led to an insufficiently risk-adjusted security level
in addition, it took almost 3 years with the privacy of 4,500,000 persons not being sufficiently guaranteed.


In view of all the circumstances of this case, the AP sees no reason for the amount of the fine based on
the circumstances mentioned in proportion and at the end of the Fine Policy, as applicable in
the present case, further increase or decrease.


4.4 Conclusion
The AP sets the total fine at €450,000.



















6For the justification, see paragraphs 4.3.1 and 4.3.2.



                                                                                         23/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]




5.Dictum

The AP submits to the Implementing Institute Employee Insurance for Violation of Article 13 of
the Wbpen article 32, first stone, second paragraph, of the AV No administrative fine on the amount of
€450,000 (say four hundred and fifty thousand euros).


Yours sincerely,
AuthorityPersonal Data,

w.g.



drs.C.E.Mur
board member












Remedies Clause
If you do not agree with this decision, you can within six weeks of the date of shipment of the
decide to submit an objection digitally or on paper to the Data Protection Authority. Submit it
of an objection suspends the effect of this decision. To submit a digital objection, see
www.autoriteitpersoonsgegevens.nl, under the heading 'Objection', at the bottom of the page under the heading

‘Contact with the Data Authority’. The address for submission on paper is: Authority
Personal data, P.O. Box93374,2509AJDenHaag. Mention on the envelope 'Awb-objection' and put in the
title of your letter 'objection'. Write your objection at least:
     Your name and address

     The date of your notice of objection
     The reference (case number) mentioned in this letter; you can also receive a copy of this decision
       attach
     The reason(s) why you do not agree with this decision

     Your signature
For more information, see: https://autoriteitpersoonsgegevens.nl/nl/bezwaar-maken



6The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB).




                                                                                       24/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]




Attachment 1


1. Policy of UWV

UWV has in its policy documents “Strategic Policy Information Security and Privacy (IB&P)”, which apply

for the period 2016-2020, included: “that management takes decisions based on careful consideration
of the risks”. It also states the following: “Depending on the results of the analyses, risks are

an adequate system of measures neutralized or explicitly accepted by a director
central registration. UWV continues to ensure that continuity, quality and safety are guaranteed.
means that risks are detected early and dealt with in a professional manner”. 64


VoorsthasUWFindpolicydocuments“TacticalPolicy,Information SecurityandPrivacy(IB&P)Legal

Framework”, which was valid from April 2016 to at least January 2019, included the following:
processing and storage of data are required technical and organizational security measures
                                                                                                          65
a risk-driven way selected and realized, in accordance withUWVTacticalIB&PPolicySectionB‘BIRUWV’.”

UWV has in its policy documents, which are valid from April 2016 until at least January 2019,

the following is included: “In the processing and storage of data, the required technical and
organizational security measures selected and realized in a risk-driven manner, in accordance with UWV
                                        66
TacticalIB&PPolicySectionB'BIRUWV'.

With regard to checking, evaluating and adjusting measures, YOU put in her
                                                                                  67
policy document, valid from December 2015 to at least January 2019:
“4.2.The organizational units: primary actors

IB&P risk management is primarily invested in the organizational units themselves.
reported, in accordance with the own agreements. From the central monitoring of the IB&P risks, the

organizational units were asked to report on the UWV-widetop IB&P risks.
The organizational units have the following responsibilities:
     • Reporting from the executive responsibility on the progress of the victorious prioritized measures

         and improvement actions (using a format) and any new IB&P risks through the divisional reporting;
     • Periodically reassess the (BIR) improvement plans with improvement actions based on the UWV-wide

         identified IB&P risks;

63
  See file 38 (Excel file, attachment 6 (file “UWVBZIBP Strategic Policyv190”, p.7)) and attachment 11 (file "UWVBZIBP"
StrategicPolicyv202(AVG version)", p7-8).These attachmentsarepartoffile“Document”inanswertoquestion4below
data breach1).
64 Ditto.
65See file document38(Excel file, attachment7(file“UWVBZIBPSectionAWelijkFrameworkv100.docx”,p.11)andappendix10(file
"YOURVBZIBPSectionAuthorizedFrameworkv102(AVG version)",p.12).Theseattachmentsarepartoffile“Document”inresponseto
question4onderdata leak1).
66See dossier document38(Excel file, attachment 7(file“UWVBZIBPSectionAWelijkFrameworkv100.docx”,p.11)andappendix10(file

"YOURVBZIBPSectionAuthorizedFrameworkv102(AVG version)",p.12).Theseattachmentsarepartoffile“Document”inresponseto
question4onderdata leak1).
67Seefiledocument38(Excel file,appendix9(file“UWVBZIBPSectieCBorgingBIRControlv200”whichispartof
file“Document”foranswertoquestion4underdatalek1,p.7-8)).



                                                                                                           25/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]



     • Implementing own risk inventory measures based on the prioritized UWV-wide IB&P risks

         and maintained (via the improvement plans).

4.3. Administrative affairs: coordinating role

The substantive support and monitoring for IB&Pis centrally invested in Administrative Affairs.
Governance is responsible for the coordination and the overall picture of the IB&P risks.
obtaining the overall picture, the Board of Directors carries out the following activities:

     • Monitoring the progress in the realization of actions and measures in the field of IB&P, such as progress on
         the improvement plans;
     • Periodically conducting a substantive qualitative investigation (Quality Assurance) into the status of the IB&P

         improvement actions and management of the top IB&P risks at the organizational units;
     • Delivery of an IB&P report to the Coalition IB&P and the Board of Directors, periodically or at

         particularities;
     • Coordinating the annual exercise of the assessment of the UWV-wide risks and (BIR) improvement plans;
     • Providing substantive support about the improvement plans and actions to be carried out;
                                                                                         68
     • Keeping the overview of the most important UWV-wide IB&P risks up-to-date”.

2.PracticewithinUWV


2.1 Weighing the risks in practice


UWV indicates that it is: “an organization that generally
and is also pragmatic in investigating and preventing data leaks. UWV opts for a pragmatic
approach with concrete improvements instead of bulky reports. Documents that we, for example, as 'risk analysis'
can be called 'research' by the department, which makes it understandably only
                                                      69
wrong may give the impression that we are not complete”.

To the question whether before the decision in 2012 to group messages in any other way than through Outlook

sending a risk analysis has been carried out, UWV reports: “There is a risk of sending group messages via the
workbook no risk analysis prepared”. 70


When asked howYOURVin2012determinedthatsendinggroupmessagesviatheMyWorkbook-
environment is an acceptable risk, what security measures have been considered and what the trade-off is
has been created, UWV replies: “The work folder has a link with SONARenwerk.nl, and the customer must
ofhis/herDigiDintlogintoopenandseemessages.In addition,–unlike-can access

sending via outlook - once sent messages will be deleted if a message is sent incorrectly.
the workbook as one of the secure channels to exchange data and messages with”. 71



68Seefiledocument38(Excel file,appendix9(file“UWVBZIBPSectieCBorgingBIRControlv200”which is part of
file“Document”foranswertoquestion4underdatalek1,p.7-8)).
69See file document 46 (Reply by UWV, appendix 2 (file “Letter AP information request 29042019”, p.1)).
70See file document98(Reply by UWV, file"Additional questionsAP2110",p.2,appendix4(file"Explanation note
meetingExecutive teamWORKcompany”) and attachment5(file“28BV06DecisiondocumentforbidusegroupmailviaOutlook”)).
71See file document98 (Reply by UWV, file "Additional questions AP2110", p. 2).




                                                                                                         26/41Date Unidentified

May 31, 2021 [CONFIDENTIAL]



To the question whether the specific data leaks have led to the carrying out of a risk analysis
indicates UWVaan:“YOURVeninthespecialdivisionWORKcompanyhasareasonofthefourleaksin2016a

risk analysis has been carried out. This risk analysis can be found in the document: 'Proposer DMOWERKbedrijf' and its
appendices, containing guidelines for employees”. Inthisoctober2016submitteristhenext
included: “To face the unrest and disrupt the service as little as possible, but at the same time

to conduct a thorough analysis of where we run our customer communication risks, we propose the following measures
in front of(…)". 73


In response to the question whether a risk analysis was carried out after each data, UWV stated the following:
“During 2016, UWV saw no need to carry out a PIA as such. The Business Security Officer (BSO) of
Werkbedrijf has made an evaluation (sic) for the District Managers regarding the data leaks in August

September2016.See hereforthesubmitter-aproposalfordecision-making-of the 4quarter2016 of the BSO
WORKING company with which to take decisions/impact analysis/measures and conclusions and recommendations.
appendixaguidelineSafeCommunicationatWERKbedrijf.Duedatein2017oneleakwassawUWVnonecessary

to adjust the policy and to carry out a PIA. After the two leaks in 2018, the Board of Directors has
Data protection requested to start an investigation”. 74


UWV indicates on the question why the leak in 2017 saw no need to carry out a risk analysis
the following to:“UWVhasconsideredandofcoursegivenweighttotherightsand
                                                                                         75
freedoms of those involved. Now, with today's knowledge, this trade-off may be different”. UWVhas
on request, no documents were supplied in which the assessment made at the time is recorded.


With regard to the data leaks, five to eight UWV reports: “The risk of more leaks became low
considered measures from October 2016 to work sufficiently, as explained again in the answer of
the information request. At that moment, a number of other ICT measures in the systems have a high priority.
                                                                                                            76
In hindsight, it was a misjudgment that the technical measures should have been taken sooner.”
UWV has not substantiated what the estimate was based on that the risk should be considered low
considered.


UWV has stated in relation to the eighth data breach: “The Data Protection Officer (DPO) has

As a result of this data, an investigation was conducted into export functionality within the workbook. After that (sic) performs
the Data Protection Officer (DPO) on behalf of the Board of Directors is currently conducting a risk analysis on
Sonar”.77









72See file document 46 (Reply by UWV, appendix 2 (file “Letter AP information request 29042019”, p.1)).
73See, among others, file document38(Excel file, attachment27(file“MicrosoftWord97-2003 document”in response to11underdataleak1
to 4, p.2)) and file 102 (Reply by UWV, appendix 2 (file “42DMO-B04.161017ESNotitieDMOWB", p.2)).
74See, among other things, file document38 (Excel file, reply to 11 under data leak1 to 4).
75
76See file document 81 (Reply by UWV, appendix 1 (file "Answering questionsAPAugust 2019", answer to question 12)).
  See file documents65 and 66 (Reply by UWV, p.2).
77See, among other things, file document38 (Excel file, reply to 11 under data leak7).



                                                                                                         27/41Date Unidentified

May 31, 2021 [CONFIDENTIAL]



2.2Measures, checks and adjustments in practice


Temporary measures of 28 September 2016


UWV states that it was necessary the measures that were in place before the fourth data leaked
evaluate and that it has decided to take measures. 78


With regard to the measures taken after the four data leaks in 2016, UWV reported: “Then are immediate
                                                                                      79
organizational and process measures taken to mitigate the risks and recurrence”. from the submitter
from 18 October 2016 it appears that the “DTWERK company” on 28 September 2016-after the fourth data breach-until the

had decided on the following temporary measures, which relate to the sending of messages with
attachments via the MyWorkbook environment to multiple job seekers at the same time: 80
































On 30 September 2016, these temporary measures and instructions were communicated to the managers
                                                     81
from the WORK company via the following WORK message:




78See, among other things, file document38(Excel file,answertoquestion18underdataleak1t/m4).
79See file documents65 and 66 (Reply by UWV, p.1).
80See file documents 65 and 66 (Reply by UWV, appendix, answer to question2) and file document 102 (Reply by UWV),

81jlage2(file“42DMO-B04.161017ESNotitieDMOWB",p.1).
  See file document 98 (Reply by UWV, appendix 2 (file "Work message 30 September 2016", p. 2 and 3)).



                                                                                                    28/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]



























UWV states that these temporary measures and instructions were communicated to . on 4 October 2016
all (then employed) employees via a newsletter WORK In Performance with the following text: 82


















UWVindicatesonthepreviouspagementionedtemporarymeasuresthattheywillbecompleted asap

came into effect after 28 September 2016. UWV also states that in view of the importance of these measures
andtherelevantforthetypeofrisksmainlyinvolved inthistypeofdataleaks,thesetemporarymeasures
would still be in effect at this time. However, UWV has not substantiated this with documents.








82See file document98 (Reply by UWV, appendix 3 (file “WIU4October 2016”)).
8See file documents65 and 66 (answer by UWV, appendix, answer to question 2).



                                                                                              29/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]



Measuresproposed in October 2016


In the submission of October 18, 2016, which has been drawn up in preparation for the District Managers' Meeting
(DMO) on October 20, 2016, the following is stated about the temporary measures mentioned above: 84













Therefore, in October 2016, DMO was asked to agree to the measures below, in order to
replacement of the temporary measures decided on 28 September 2016: 85





































84See file document102 (Reply by UWV, appendix 2(file“42DMO-B04.161017ESNotitieDMOWB",p.2)).
85See file document102 (Reply by UWV, appendix 2(file“42DMO-B04.161017ESNotitieDMOWB",p.2)).



                                                                                               30/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]



During the DMO of October 20, 2016, it was noted that the measures proposed above
                   86
followingdecided:


































It follows from these minutes that the DMO on October 20, 2016 only with the (mentioned on page 30)

measures 1 to 6 has agreed. In addition, it has been decided that measures 7 to 10 -
including an investigation into concrete technical measures in the short term.


UWV indicates that all measures (mentioned on page 30) have been implemented. UWV has 87
not (sufficiently) substantiated if the implementation has taken place. Of the measures

1 to 6 has YOURV only shown that the “Guideline safe communication at WORK company” is
drawn up. As seen below, these undated-Guideline principles for
                      89
safe communication:




86
  See file document 102 (Reply by UWV, appendix 1 (file “42DMO-A04. Decisions and action points overview 20Oct.2016”, p.3
and4)).
87 See file 38 (Excel file, answer to question 14 under data leak1).
88Seefiledocument38(Excel file,attachment33(file"161020AttachmentADDataLeaksWB",whichispartoffile"Microsoft
Word document"in response to question15underdata leak1)).
89Seefiledocument38(Excel file,attachment33(file"161020attachmentADDataLeaksWB",whichispartoffile"Microsoft

Word document"in response to question15underdata leak1)).



                                                                                                     31/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]












































From page 30 and 31 it follows that the DMO decided on 20 October 2016 to conduct an investigation into the
to postpone the possibilities of technical measures until further notice. To the question whether this investigation
                                                                                 90
took place, UWV answered: “No, this investigation did not take place”.

UWV reports with regard to the question of how it has been checked or proposed measures after each data breach

have also actually been introduced: “YOURVandWORKcompanyhavenotas suchcheckedormeasuresthat
have been taken as a result of data leaks have actually been implemented. UWV has no generic policy in which it
checks whether UWV central measures have been implemented by the responsible division(s).


90
  See file documents65 and 66 (answer by UWV, appendix, p.1, answer to question 3).



                                                                                            32/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]




WORKcompanyoperating throughoutthe country can give regional offices to a certain extent their own interpretation
                                                         91
central policy, for example awareness campaigns”. UWV also reports about this: “There is no formalform
protocolled procedure within UWV, which is checked or agreed upon at a central level

organizational and process measures are carried out. That would be impracticable given the size of the
organization and the amount of decisions that UWV takes”. UWV mentions its response to the actual

findings, however, that she would have checked whether the measures taken in practice
have been brought. Your statement has not been substantiated with documentation.


On the question whether and in what way the measures to which UWV in response to the first four data leaks

had decided have been evaluated, what the results of that evaluation were and whether the desired effect of that
measures had been achieved, UWV reports: “No, given the absolute limited number of leaks from 2017 compared to

2016, UWV saw no reason to assume that the mitigating measures did not correctly address the risks
addressees”. And: “In 2017, given the relatively small number of leaks(1), UWV saw no reason to exist
                         95
evaluate measures”.


UWVstatesthe following about the way in which it carries out evaluation:“There is no formal
protocolledevaluationprocessaftereachofthesevendataleaks.ThatisnotthewayYouWVinalle

casesworks.Involveddepartmentsconcludedovera long time in close consultationthatthetakenin2016
measures were sufficient. Unfortunately, this conclusion turned out to be incorrect”. UWV mentions its response to the actual
                                                                                                         97
findings, however, that evaluations have been carried out with regard to measures taken. This one
Your statement has not been substantiated.


Fifth data breach


UWVindicatedthatafterthefifthdataleak,itiscontinuedtoincreaseawarenesswiththe
                                                              98
sending messages via the MyWorkbook environment. InthatframeafterthedataleakheadedJuly 20,2017
The following WORK message sent to WORK company managers by UWV: 99














91See file 38 (Excel file, answer to question 16 under data leak 1 to 7).
92See file documents65 and 66 (Reply by UWV, appendix, p.2, answer to question 4).
93See file documents109 and 116 (UW's response to factual findings, p.3).
94See, among other things, file document38 (Excel file, answer to question 18 under data leak6).
95
  See, among other things, file document38 (Excel file, answer to question 18 under data leak1 to 4).
96See file documents65 and 66 (Reply by UWV, appendix, p.2, answer to question 5).
97See file documents109 and 116 (UW's response to factual findings, p.3).
98See, among other things, file document38 (Excel file, answer to question 13 under data leak5).
99See file 38(Excel file, attachment31(file"MicrosoftWord document"inanswertoquestion14underdataleak5)).




                                                                                                            33/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]




































UWV also states with regard to this data leak: "UWV/WERKbedrijf has as a result of this leak the Directive 'Safe

communicating'”and UWV has adopted the “Guideline for safe communication at WORK company” with the
answering questions about the fifth data breach. 10Based on what it says on page 31, it seems
following, however, that this guideline had already been drafted after the fourth data breach. And as already mentioned,

UWV has not provided any proof that the measure has actually been introduced or checked.


UWV further states with regard to the fifth data leak in 2017: “Important for the decision on less time,
after this leak, no additional technical measures to take was only for a full release agenda, in combination with a
far-reaching change assignment for WERKbedrijf”. UWV has not supplied any documents in which this decision is

contained.

UWV has with regard to the question of how it has been checked that the measures mentioned are also

have actually performedansweredthatYOURVandWORKcompanyhavenotassuch
checked whether measures taken in response to data leaks are real
          102
implemented.


10See, among other things, file document38 (Excel file, answer to question 18 under data leak5).
10See file document 81 (Reply by UWV, appendix 1 (file "Answering questionsAPAugust 2019"), answer to question 12).
10See file 38 (Excel file, answer to question 16 under data leak 1 to 7).



                                                                                                   34/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]



To the question whether and in what way the measures that UW had decided upon after the fifth data leak

evaluated, what the results of that evaluation were and whether the desired effect of those measures was
reached, UWV reports: "No evaluation has taken place after this because it was considered an incident
for which mitigating measures seemed effective at the time". 103


With regard to the way in which it carries out evaluations of measures, UWV states the following: “There is no

formally protocolled through the evaluation process after each of the seven data leaks. That is not the way UWV
works in all cases.Involveddepartmentsconcludedovera long time in close consultationthatthetakenin2016
measures were sufficient. Unfortunately, this conclusion turned out to be incorrect”.10UWV states its reaction to the actual
                                                                                                    105
findings, however, that evaluations have been carried out with regard to measures taken. This one
statement that there would have been evaluated is not substantiated with documentation from which the evaluation

actually turns out.

Sixthtotenwithninthdata breach(2018)


UWV has indicated that there are no measures due to the sixth data leak on March 26, 2018
affected.106According toUWVisaftertheseventhdateheadedMarch 28th,2018andtheeighthdataheadedAugust 3rd
                                             107
2018,decided onthefollowingmeasures:


"-WorkshopPreventionData Leaks
This concerns a workshop aimed at raising awareness about working with personal data and
performing risk assessments together. The workshop has been transferred to representatives from all through the ‘train the trainer’

labor market regions, which subsequently rolled out the training across the branches.
-Frequently used toolkit page on DWU
Due to the introduction of AVG, the toolkit page of the IB&P is further expanded and there is a lot of material

offered. This part supports the above workshop.
-Step-by-step plan Safe Personal data sharing

In light of the entry into force of the GDPR, the old directive 'Safer Digital Communication' has been replaced by the
guideline 'Step-by-step plan for Safe Sharing of personal data'
-Attentiononmanagement

An annual consultation meeting Information Security & Privacy and Security takes place with the regional management.
currently running a UWVwide IB&Ptrainingformanagerswithin itabreakoutsession‘data leaksandrole

management therein'
-RolloutSLIM
In the roll-out of SMARTWork, there is much more focus on working safely and preventing data leaks.

MT sessions, as well as during branch wide kick-offs.
Technical measure:



10See, among other things, file document38 (Excel file, answer to question 18 under data leak5).
10See file documents65 and 66 (Reply by UWV, appendix, p.2, answer to question 5).
10See file documents109 and 116 (UWV's response to factual findings, p.3).
10See file document 81 (Reply by UWV, appendix 3 (file "Question 7 appendix 2")).
10See, among other things, file document38 (Excel file, answer to question 13 under data leak 6 and 7).



                                                                                                       35/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]



Attachments block
WERKbedrijf made it impossible through an early release on the weekend of 15/16 December 2019(sic)

made to attach noglangero.a.Excel files in the Workbook to messages.”

With the exception of the measures regarding the “Step-by-step plan Safe Sharing of Personal Information” and

the technical measure has not supplied any documents or further substantiation on the basis of
of which it can be established how the above measures are secured in documentation.
Furthermore, it has not become clear when the above measures have been implemented.


UWV has supplied a version of the “Step-by-step plan for Safe Sharing of Personal Information”. That step-by-step plan is
dated 26 April 2018 and thus drafted after the seventh date. UWV declares about this: “In hetlicht
of the entry into force of the GDPR, the old directive 'Safer Digital Communication' has been replaced by the directive
"Step-by-step plan for Safe Sharing of personal data". This step-by-step plan looks like this:





































108
  See file 38 (Excel file, answer to question 13 under data leak 6 and 7).



                                                                                            36/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]



















































                                                                           37/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]




The step-by-step plan is on May 1, 2018 via the newsletter to employees of the WERKbedrijf
communicated: 109
































To the question whether there are technical measures between the first stone and the eighth date on August 3, 2018

implemented, UWV replied: “UWV did not implement any technical measure during that period,
but several organizational and process-related measures have been implemented.However, we are of the opinion that this fact

must be viewed in the light of the risk assessment that UWV made at the time and the earlier outlined
the area of IB&P measures as a result of targets, which is described in the letter”. 110


After the eighth data leak, UWVanalyzed on August 20, 2018 how the data leak could have been
take place and how specific data leak direction involved is handled. This analysis is described
                                                                      111
in a document containing the following recommendations:









109
  See file documents 109 and 116 (UWV response to factual findings, appendix “WORK in progress”, item 07).
11See file documents65 and 66 (Reply by UWV, appendix, p.1, answer to question 1).
11See file document38(Excel file, attachment42(file“MicrosoftWord document”in response to question18underdataleak7),p.3).



                                                                                                     38/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]































Furthermore, about the above-mentioned analysis, UWV stated: “First of all, WERKbedrijf in September
2018based onananalysisofwaterfailurewentinAlkmaar(…)-notfollowingtheorganizationaland

process-basedsecurityrules-onnewinstructionsent toemployeesforhandlingbulkmessagesvia
the Briefcase to prevent this type from leaking. More research in the sense of a comprehensive report is not here

basisbecausethecausewasclear.(…)BasedonthisanalysisUWVookdecidedtotaketechnicalmeasures
take-whereasbeforedeterminedthatorganizationalandprocess-relatedsecuritymeasuresweresufficient-i.e.a
block in the work folder that prevents ero.a. no longer sending excel files, which means mid
                   112
December has happened”.

On September 3, 2018, so one month after the eighth dates, it seemed two days before the ninth

data breach,the QRCgroupmessagesextendedwithaframethepassagewithinstructionstodataleak
prevent: 113











11See file document 46 (Reply by UWV, appendix 2 (file “Letter AP information request 29042019”), p.1).
11See file document91 (Reply by UWV, appendix 4(file "QRCSonarSend group message to the Werkmap22072013",
p.1)).




                                                                                                    39/41Date Unidentified
May 31, 2021 [CONFIDENTIAL]





























At the first point in the above-mentioned passage from QRC group messages of September 3, 2018

states that the export lists for the sending of group messages must first be carried out by the employees
be cleaned by removing data from the file, leaving only the row ID
about.Furthermore, this version of the QRC group messages states that the 4-eyes principle must be used

In earlier versions of the QRC group messages provided, these instructions about the
clean and the row ID and the 4-eye principle are not included.


On September 4, 2018, the AP had a telephone consultation with the FG of UWV.
others considered whether technical measures had meanwhile been introduced. In that conversation

the FG has indicated that, to his knowledge, no technical
measures had been introduced. He further indicated that the four-eyes principle had been introduced. He thought
thatthemethodinherentisnotsecurewhendataisextractedfromasystemandina

office application continue to be processed. He was of the opinion that employees of UWV immediately
system must work that does not have sufficient guarantees. 114


In response to the eighth data, the FG of UWV has been requested by the Board of Directors of
UWVinvestigatedanddescribedthisinthe“FGreportoffindings:DatalekAlkmaar”of30
               115
November2018. The results of that investigation presented to the Council of on 22 January 2019
Board of Directors Work company presented. Indie presentation includes:


11See file document22 (Telephone note FGUWV).
11See file document81, appendix5 (file "Question16_ConceptFG report") and file documents109and116(ReactionUWVtofactual
findings, p.3).
11See file document38(Excel file,answertoquestion11underdataleak7)andfilepiece51(file“ResultsFG investigation
Werkbedrijfv010”, p.7en9).



                                                                                                40/41Date Unidentified

May 31, 2021 [CONFIDENTIAL]



     “Measure to disable the upload of Excel files to the workbook is working for this specific leak.
     (…)

     “Plasters Paste: Process agreements are not ‘hard’ enforced”(…)
      “Policy Doesn't Come to the Workplace:

           Understanding process agreements
           Awereness does not reach all employees”


Finally, in mid-December 2018, UWV introduced a technical measure, namely blocking
of the ability to add, among other things, Excel files, when sending

group messaging through the Myworkbook environment. 117


UWV has with regard to the question of how it has been checked whether measures are actually
enteredansweredthatYOUVandWERKcompanyhavenotcheckedassuchormeasuresthat
                                                                              118
have been taken as a result of data leaks have actually been introduced.


When asked whether UW had external parties investigated the data breaches,
yourWV replies with regard to the first eight data breaches:“YourV did not see any added data at the time
value in having an external investigation carried out because given the measures taken, the risk is mitigated
     119
seemed”. UWVhasconsideredtheeighthdataleak:“UWVInternal InvestigationbyAdministrative Affairs
commissioned by FG where external expertise was gained from a consultant”. 120


UWVstatesthe following about the way in which it carries out evaluation:“There is no formal

protocolledevaluationprocessaftereachofthesevendataleaks.ThatisnotthewayYouWVinalle
casesworks.Involveddepartmentsconcludedovera long time in close consultationthatthetakenin2016
measures were sufficient. Unfortunately, this conclusion turned out to be incorrect”. UWV mentions its response to the actual
                                                                                                      122
findings, however, that evaluations have been carried out with regard to measures taken. This one
statement that there would have been evaluated is not substantiated with documentation from which the evaluation

actually turns out.












11See file document38 (Reply by UWV, letter), file document38 (Excel file, answer to question 13 under data leak6 and7),
file documents 65 and 66 (Reply by UWV, p.2 and appendix, p. 1, answer to question2) and file document 81 (Reply by
UWV, appendix 1 (file "Answering questionsAPAugust2019", answer to question 17)).
11See, among other things, file document38 (Excel file, answer to question 17 under data leak1 to 7).
11See file document38(Excel file,answertoquestion12underdataleak1t/m6).
120
121iefilepiece38(Excel file,answertoquestion12underdataleak7).
  See file documents65 and 66 (answer by UWV, appendix, p.2, answer to question 5).
12See file documents109 and 116 (UWV's response to factual findings, p.3).



                                                                                                         41/41