AP (The Netherlands) - 4.02.2021: Difference between revisions
No edit summary |
m (Ar moved page AP (The Netherlands) - Orthodontiepraktijk to AP (The Netherlands) - 4.02.2021) |
||
(6 intermediate revisions by one other user not shown) | |||
Line 53: | Line 53: | ||
}} | }} | ||
The Dutch DPA fined an unnamed orthodontic practice | The Dutch DPA fined an unnamed orthodontic practice €12,000 for failing to implement appropriate technical and organisational measures to secure personal data, including that belonging to children, on its website. | ||
== English Summary == | == English Summary == | ||
Line 67: | Line 67: | ||
Pursuant to Article 32(1) of the GDPR, controllers are obliged to take appropriate technical and organisational measures to protect the processing of personal data against, ''inter alia'', the loss or unlawful processing of the data. These measures must guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, the risks involved and the nature of the data. the implementation costs, the risks involved in the processing and the nature of the data to be protected. | Pursuant to Article 32(1) of the GDPR, controllers are obliged to take appropriate technical and organisational measures to protect the processing of personal data against, ''inter alia'', the loss or unlawful processing of the data. These measures must guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, the risks involved and the nature of the data. the implementation costs, the risks involved in the processing and the nature of the data to be protected. | ||
Further, in the Netherlands, healthcare providers processing patients social security numbers must also comply with 'NEN 7510', which is an information security standard for healthcare. The obligation to comply with this standard follows from Article 2 of the Regulations on the Use of Citizen Service Numbers in Healthcare ('Regeling gebruik burgerservicenummer in de zorg') read in conjunction with the Act on Additional Provisions for processing personal data in healthcare ('de Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg'). | Further, in the Netherlands, healthcare providers processing patients social security numbers must also comply with 'NEN 7510', which is an information security standard for healthcare. The obligation to comply with this standard follows from Article 2 of the Regulations on the Use of Citizen Service Numbers in Healthcare ('Regeling gebruik burgerservicenummer in de zorg') read in conjunction with the Act on Additional Provisions for processing personal data in healthcare ('de Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg'). Section 10.1.1 and 13.2.1 of the NEN 7510 highlight that healthcare providers should develop a policy for the use of cryptographic management measures when storing and transmitting information, in order to ensure its confidentiality, integrity, and authenticity. | ||
The practice updated its website after June 2019, and it no longer transmits data in an unencrypted form. The practice argued that the developer of the old website never pointed out to it the possibility of an encrypted connection. Further, if it had known about this possibility, it would certainly have used it. It also argued that it had actively tried to comply with the GDPR by having an audit carried out every two years by a certification body appointed by the Dutch Association of Orthodontists. It stated that the latest audit report, from 2017, showed that the website was reviewed, and no comments were made. The practice also stated that to its knowledge, no damage had been suffered as a result of the lack of encryption. | The practice updated its website after June 2019, and it no longer transmits data in an unencrypted form. The practice argued that the developer of the old website never pointed out to it the possibility of an encrypted connection. Further, if it had known about this possibility, it would certainly have used it. It also argued that it had actively tried to comply with the GDPR by having an audit carried out every two years by a certification body appointed by the Dutch Association of Orthodontists. It stated that the latest audit report, from 2017, showed that the website was reviewed, and no comments were made. The practice also stated that to its knowledge, no damage had been suffered as a result of the lack of encryption. | ||
Line 74: | Line 74: | ||
The DPA identified a violation of Article 32 GDPR. | The DPA identified a violation of Article 32 GDPR. | ||
It stated that the lack of encryption of the data transmitted in the form led to an increased risk of a "man-in-the-middle" attack, whereby information sent by the patient is intercepted and read and/or modified. It held that this risk is particularly severe in the present case, as the patients in the orthodontic practice are children. Moreover, the DPA highlighted that, rather than only the social security number being transmitted, health data was also shared. It balanced this against the very low cost of implementing an encrypted connection, and concluded that the orthodontic practice had not taken appropriate technical and organisations measures to secure the personal data, in violation of Article 32(1) GDPR. It | It stated that the lack of encryption of the data transmitted in the form led to an increased risk of a "man-in-the-middle" attack, whereby information sent by the patient is intercepted and read and/or modified. It held that this risk is particularly severe in the present case, as the patients in the orthodontic practice are children. Moreover, the DPA highlighted that, rather than only the social security number being transmitted, health data, which is special category data under the GDPR, was also shared. It balanced this against the very low cost of implementing an encrypted connection, and concluded that the orthodontic practice had not taken appropriate technical and organisations measures to secure the personal data, in violation of Article 32(1) GDPR. It considered that the provisions of NEN 7510 when reaching this conclusion. | ||
The | The DPA also highlighted that that the fact that no damage resulting from the lack of encryption was known to the orthodontic practice does not alter the fact that insufficient technical and organisational security measures were implemented. | ||
The | The AP considered a fine of €12,000 appropriate and necessary for the violation. It applied the lowest penalty category, category I, under the Penalty Policy Rules 2019 ('Boetebeleidsregels 2019'). The base fine for category is € 100,000, which the AP can adjust to suit the specific case. In this case, the AP saw reason to reduce the fine to €12,000 in accordance with the principle of proportionality. | ||
The orthodontic practice has objected to the fine imposed. The AP has declared this objection unfounded, and an appeal against this is open in court. | The orthodontic practice has objected to the fine imposed. The AP has declared this objection unfounded, and an appeal against this is open in court. | ||
== Comment == | == Comment == |
Latest revision as of 17:07, 12 December 2023
AP (The Netherlands) - Orthodontiepraktijk | |
---|---|
Authority: | AP (The Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 8 GDPR Article 9 GDPR Article 32 GDPR Regeling gebruik burgerservicenummer in de zorg Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 10.06.2021 |
Published: | 04.02.2021 |
Fine: | 12000 |
Parties: | n/a |
National Case Number/Name: | Orthodontiepraktijk |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | Autoriteit Persoongegevens (in NL) |
Initial Contributor: | n/a |
The Dutch DPA fined an unnamed orthodontic practice €12,000 for failing to implement appropriate technical and organisational measures to secure personal data, including that belonging to children, on its website.
English Summary
Facts
The Dutch DPA ('AP') received a complaint stating that a registration form on an unnamed orthodontic practice's ('the practice') website was requesting personal data, including name, address, date of birth, and telephone number, and social security number, as well as health data, from patients. The complainant alleged that this data was not adequately secured, as it was transmitted in an unencrypted format.
The DPA initiated an investigation in response to the complaint, in which it visited the relevant website, and took screenshots. The AP also wrote to the practice requesting information, which was provided to the AP in various letters from the orthodontic practice.
During its investigation, the DPA observed that, among other things, on the practice's website, a window was shown under the heading "Technical details", that displayed the message: "Not encrypted connection". The DPA also technically determined that communication by the patient with the website, including the sending of a completed registration form, took place over a non-encrypted and therefore unsecured connection. Between July 2018 and June 2019, the practice received "at most" ten online registrations via this mechanism.
Pursuant to Article 32(1) of the GDPR, controllers are obliged to take appropriate technical and organisational measures to protect the processing of personal data against, inter alia, the loss or unlawful processing of the data. These measures must guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, the risks involved and the nature of the data. the implementation costs, the risks involved in the processing and the nature of the data to be protected.
Further, in the Netherlands, healthcare providers processing patients social security numbers must also comply with 'NEN 7510', which is an information security standard for healthcare. The obligation to comply with this standard follows from Article 2 of the Regulations on the Use of Citizen Service Numbers in Healthcare ('Regeling gebruik burgerservicenummer in de zorg') read in conjunction with the Act on Additional Provisions for processing personal data in healthcare ('de Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg'). Section 10.1.1 and 13.2.1 of the NEN 7510 highlight that healthcare providers should develop a policy for the use of cryptographic management measures when storing and transmitting information, in order to ensure its confidentiality, integrity, and authenticity.
The practice updated its website after June 2019, and it no longer transmits data in an unencrypted form. The practice argued that the developer of the old website never pointed out to it the possibility of an encrypted connection. Further, if it had known about this possibility, it would certainly have used it. It also argued that it had actively tried to comply with the GDPR by having an audit carried out every two years by a certification body appointed by the Dutch Association of Orthodontists. It stated that the latest audit report, from 2017, showed that the website was reviewed, and no comments were made. The practice also stated that to its knowledge, no damage had been suffered as a result of the lack of encryption.
Holding
The DPA identified a violation of Article 32 GDPR.
It stated that the lack of encryption of the data transmitted in the form led to an increased risk of a "man-in-the-middle" attack, whereby information sent by the patient is intercepted and read and/or modified. It held that this risk is particularly severe in the present case, as the patients in the orthodontic practice are children. Moreover, the DPA highlighted that, rather than only the social security number being transmitted, health data, which is special category data under the GDPR, was also shared. It balanced this against the very low cost of implementing an encrypted connection, and concluded that the orthodontic practice had not taken appropriate technical and organisations measures to secure the personal data, in violation of Article 32(1) GDPR. It considered that the provisions of NEN 7510 when reaching this conclusion.
The DPA also highlighted that that the fact that no damage resulting from the lack of encryption was known to the orthodontic practice does not alter the fact that insufficient technical and organisational security measures were implemented.
The AP considered a fine of €12,000 appropriate and necessary for the violation. It applied the lowest penalty category, category I, under the Penalty Policy Rules 2019 ('Boetebeleidsregels 2019'). The base fine for category is € 100,000, which the AP can adjust to suit the specific case. In this case, the AP saw reason to reduce the fine to €12,000 in accordance with the principle of proportionality.
The orthodontic practice has objected to the fine imposed. The AP has declared this objection unfounded, and an appeal against this is open in court.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
AuthorityPersonal Data PO Box93374,2509AJ The HagueJ Bezuidenhoutseweg30,2594AV The Hague T0708888500-F0708888501 authority data.nl Confidential/Registered [CONFIDENTIAL] Date Unidentified February 4, 2021 [confidential] Contact [confidential] Topic Decision to impose an administrative fine Dear [involved person], The Data Protection Authority (hereinafter: AP) has decided to impose an administrative fine of € 12,000.00 The AP is of the opinion that in any case in the period from July 1, 2018 to May 29, 2019 has not met your obligation to apply appropriate technical information when processing personal data and organizational measures (Article 32, first paragraph, of the General Ordinance data protection; hereinafter: GDPR). The decision is then explained. Section 1 contains an introduction. Section 2 deals with the processing, processing responsibility and the detected violation. Paragraph 3 becomes discussed the authority of the AP to impose a fine, and the amount of the fine. Section 4 finally contains the decision (the operative part) and the remedies clause. 1 Introduction 1.1. over the offender The company “[company]” is driven by [data subject]. On the website of the orthodontic practice it is stated that the practice has eleven employees, in addition to [the person concerned] as an orthodontist. The practice is located at [address] and the company is registered in the trade register of the Chamber of Commerce under number [Chamber of Commerce number]. 1 Date Unidentified February 4, 2021 [confidential] 1.2. Reason for the investigation process On 27 November 2018, the AP received a complaint as referred to in article 77 of the GDPR. According to the complaintbecome sensitive data via the registration form on the website of the orthodontics practice requested, such as the citizen service number (hereinafter: BSN), but the data is thengegevens sent unencrypted. On 26 February 2019, the AP visited the website of the orthodontics practice in the morning of screenshots made. In a letter dated 29 May 2019, the AP requested [the person concerned] for information. letter of 4 June 2019 replied. On July 4, 2019, the AP visited the website of the orthodontics practice and screenshots there made. In a letter dated 12 August 2019, the AP has requested [the person concerned] for further information. [The person concerned] responded to the letter dated 19 August 2019. The findings and conclusions of the study were recorded in a report dated August 27, 2019. By letter dated 12 September 2019, the AP sent the investigation report to [person concerned]. The AP has thereby expressed the intention to impose an administrative fine and [the person concerned] in the opportunity to comment on it. By letter dated 7 October 2019, supplemented by those dated 9 and 12 December 2019, [the person concerned] has opinion submitted. 2. Fact Assessment The relevant laws and regulations are listed in the appendix to this Decree. 2.1. Processing of personal data At the time of the complaint, the website of the orthodontic practice contained a registration form of new patients. This form contained fields for, among other things, name and address details, date of birth, BSN, telephone numbers of the patients and the parents, information about the school, general practitioner, dentist and insurance company. This data concerns information about an identified or identifiable natural person, and are thus personal data as referred to in article 4, preambles under 1, of the AVG. 2/20 Date Unidentified February 4, 2021 [confidential] From the letter from [person concerned] dated 19 August 2019, it follows that after sending the form, the completed data were stored online. The orthodontic practice received a notification by e-mail of the new registration. An employee of the practice log on to the website, opened the data of the registrations created a new patient in their own patient file the data stored online will be deleted, according to [data subject]. This whole of processing, but also every part of it, including capturing, saving and destroying data, is a processing of personal data as referred to in article 4, opening words, under 2 of the AVG. 2.2. Controller [Data subject] determines the purposes and means of the processing of personal data After all, registration form serves to obtain data from new patients from her orthodontic practice run as a sole proprietorship, required for the treatment and financial processing thereof. [Data subject] is, according to the controller, referred to in Article 4, preamble and under 7, of the AVG. 2.3. Processing Security Violation 2.3.1. preface The controller is obliged under article 32, first paragraph, of the GDPR to take appropriate technical and organizational measures to prevent the processing of personal data against, among other things, loss or unlawful processing of the data. Thesemeasures must ensure an appropriate level of security, taking into account the state of the art the execution costs, the risks of the processing and the nature of the data to be protected. The question whether the controller referred to in Article 32, first paragraph, of the GDPRAV has taken measures, will be assessed as follows in case the present one of a patient's BSN by a care provider must comply with NEN7510.Datisa information security standard for health care. The obligation to comply with this standard from article 2 of the Regulations for the use of citizen service number in healthcare, read in conjunction with article 8 of the Supplementary Provisions for the Processing of Personal Data in Healthcare. Also outside these legalwet obligation with regard to the citizen service number, health care applies that NEN7510 the general accepted security standards. NEN7510 is further elaborated in NEN7510-1and NEN7510-2. Chapter 10 of NEN7510-2 discusses control measures related to cryptography. These measures are aimed at ensuring correct and effective use of cryptography in order to 1Article 8, first paragraph, of this Act relates to the provision of care. It follows from article 1, preamble under b, of that law that the financial-administrative settlement is also part of this. That settlement begins with the submission of the required data, such as the social security number. Compare the drafting history of this provision (Parliamentary PapersII2005/06, 30 380, no. 3, page 20). 2Compare the CPPGuidelines for the protection of personal data (Government Gazette 2013 nr. 5174, p.11). 3/20 Date Unidentified February 4, 2021 [confidential] to protect confidentiality, authenticities/or integrity of information. In Section 10.1.1 is mentionthattoprotectinformation,apolicyfortheuseofcryptographic control measures should be developed and implemented. These may include be used for the purpose of ensuring confidentiality, by decoding information use to protect sensitive or critical information during storage or transmission. Chapter 13 of NEN7510-2 deals with control measures with regard to communications security. Section 13.2 contains controls related to transport of information. The purpose of these control measures is to maintain the security of information that is exchanged within an organization and with an external entity. In Section 13.2.1 is mention that when using communication facilities for information transport, consideration must be given to be taken to use cryptographic techniques, for example to protect confidentiality, to protect the integrity and authenticity of information. With regard to the state of the art with regard to cryptographic techniques is further from importance that the National Cyber Security Center (hereinafter: NCSC) also points out the importance of its website 3 of protecting communication when sensitive information is sent over a connection. According to the NCSC is TLS(TransportLayerSecurity), the most commonly used protocol for securing connections on the internet. Application of TLS on web traffic is done via the HTTPS protocol on the using a TLS certificate. 4 A TLS certificate can be obtained free of charge, provided that costs are incurred as a rule to let an IT install or renew the certificate on the server because the validity period is expired. These are short-term operations that only involve wage costs. 2.3.2. Facts [The person concerned] has stated that the website of the orthodontic practice went online on 4 June 2010. 5 Because at the time of the first information request from the AP, a new website was being worked on, silk then-existing website referred to as 'old website'. The AP visited the website – which has since been replaced by another – on February 26, 2019. It was noted that the website, as stated, contained a form for the registration of new patients. This form contained fields for, among other things, contact details of the patients the patient's parents and social security number. The AP has also noted that the website at the time of the visitintothenotusedanencryptedconnection at all.Thisisshownfromthescreenshotsin appendix 9 of the investigation report, of which an excerpt is included below: 3 4https://www.ncsc.nl/subjects/connection security. For example, at non-profit certificate authority Let's Encrypt, < https://letsencrypt.org/>. There are certificate authorities that take precious offer certificates(ExtendedValidation,orEV). Such certificates provide more information about the party to whom the certificate is provided, but do not lead to a different or better encryption of the information exchanged. 5Letter dated 19 August 2019, appendix 8 to the investigation report. 4/20Date Unidentified February 4, 2021 [confidential] Figure 1: Cutout of the page formation of the website[url]. In the displayed window, under the heading “Technical details” there is a message “Unencrypted connection” included. This message reads: “The website[url] does not support encryption for the page you data that is sent over the Internet without encryption can pass through others are seen.” [Data subject] acknowledged that the old website did not use an encrypted connection. The 6 developer of the old website never pointed her out to that possibility made use of, according to [person concerned]. It follows from [the person concerned]'s letter of 19 August 2019 that if a form was sent, the data was stored on the web server on which the old website was running received a notification about this. After logging into the website, the saved data was viewed, taken over into the administration of the practice and finally removed from the web server.Between July 2018 and June 2019, the practice received no more than ten online registrations, according to [person concerned]. 6Opinion of 7 October 2019 on the intention to impose an administrative fine. 5/20 Date Unidentified February 4, 2021 [confidential] 7 [Data subject] had the old website taken offline on 29 May 2019. On July 4, 2019, the AP visited the website of the orthodontics practice again and noted that the website, now renewed, did use an encrypted connection, but no longer a includes an online registration form.Instead, a registration form is now offered in the form from a PDF file, which can be downloaded, printed, filled out, and delivered to the practice. 2.3.3. Rating The question whether [the person concerned] the appropriate technical and referred to in article 32, first paragraph, of the GDPR has taken organizational measures – as stated under 2.3.1 – must be answered to the hand of NEN7510. This NEN standard is mandatory for the use of the BSN and for the care This standard also includes the accepted security standards. The AP notes that the old website of the orthodontics practice did not have a TLS certificate as a result, did not use the HTTPS protocol. Communication with the website, including the sending a completed registration form, therefore went over an unencrypted one and so unsecured connection. This made some availability of the registration form an increased risk of a “man-in-the-middle attack”, where information is sent intercepted and/or modified, without the sending and receiving party knowing It is thus established that [the person concerned] has not taken any control measures with regard to communication security. That is not in accordance with the provisions of NEN7510 (including the paragraphs 10.1 and 13.2). It should be borne in mind that the patients of an orthodontic practice are usually minor children. This follows from the nature of the treatment, the fields of the registration form (which asks for the details of the parents) and the visual material on the website of the orthodontic practice the data of these minor children who are on the unencrypted, unsecured connection In addition, it is not only about the social security number, but also data that is closely related are to the health of the patient concerned. In view of the sensitive nature of the data that could be collected via the registration form sent, and, on the other hand, the state of the techniques and the associated very low levels execution costs of an encrypted connection, the conclusion is that [the person concerned] does not have an appropriate has taken technical and organizational measures to prevent the processing of personal data protect against loss or unlawful processing. With this, she has article 32, first paragraph, of the GDPR violate. 7Letter dated 19 August 2019, Appendix 8 to the investigation report. 6/20 Date Unidentified February 4, 2021 [confidential] 2.3.4. ViewsandreactionAP In its view, [the person concerned] intends to impose an administrative fine on the next brought forward. The developer of the old website never pointed out to [the person concerned] the possibility of a the encrypted connection. If she knew about it, she would certainly have used it. Otherwise, she has been active tried to comply with the AVG, by having an audit carried out by a every two years DutchAssociationofOrthodontistsdesignatedcertificationbureau.Privacyispart of the audit.The latest report, dated June 2017, shows that the website has been reviewed and that no comments have been made.The same certification agency provided a roadmap in March 2018 to comply with the AVG. [Involved person] has completed this plan point by point, and although attention is spent on privacy and information security, there is no mention that the website must use a encrypted connection. Furthermore, [the person concerned] is visited every five years by colleagues orthodontists. Nor did the last visitation report indicate the lack of an encrypted website connection.No one has complained to [involved person] about the security and there is for as far as she knows, no damage suffered. Finally, [the person concerned] took the old website offline immediately andassignedtobettersecurethenewwebsite. This view does not lead the AP to a different point of view on the detected violation. An audit by a certification agency, a step-by-step plan in preparation for the application of the GDPR and a peer review do not dismiss [data subject], as controller, not from the article32, first paragraph, of the GDPR, the obligation laid down to comply with the technical requirements referred to in that provision organizational measures. That others have not pointed out to her, while they assumed that this would happen where necessary, does not absolve her of her own responsibility for being active ensure a technically secure processing of personal data. An organization that internet data of sensitive nature and much of children processes, has a large responsibility to make sure that such data is also safe about the be sent on the internet. Incidentally, the contents of the audit report and the report of the peer reviewnotthatintheframeworkoftheauditandvisitattentionhasbeenpaidtoprotection of personal data. That no one has complained to [the person concerned] that no damage is known to her, also takes into account that they do not take sufficient technical and organizational security measures has hit. 2.3.5. Conclusion In view of the foregoing, the AP is of the opinion that [the person concerned] Article 32, first paragraph, of the AVG of May 25, 2018 (when the GDPR came into effect) until May 29, 2019, because she thewebsiteoftheorthodonticspracticeofferedaregistrationformthatnotuseda encrypted connection while that form was intended to exchange sensitive data. 7/20 Date Unidentified February 4, 2021 [confidential] 3. Administrative fine 3.1. Power of the AP to impose an administrative fine Under Article 58, second paragraph, preamble below i, the AP is read in conjunction with Article 83 of the GDPR, authorized to impose an administrative fine. According to article 83, first paragraph, an imposed to be effective, proportionately deterrent.It follows from the fourth paragraph of that provision that breaches of the obligations of the controller (including those mentioned in Article 32 of the GDPR) are subject to fines up to €10,000,000.00 or, for a company, up to 2% of the total worldwide annual turnover in the previous financial year, if this figure is higher. Pursuant to Article 14, paragraph 3, of the Implementing Act of the General Data Protection Regulation (hereafter: UAVG) the AP may in the event of a violation of the provisions of article 83, fourth, fifth or sixth paragraph, of the AVNot to impose an administrative fine on at the most endthese members mentioned amounts. In exercising its power to impose an administrative fine, the AP applies the 8 Fines Policy Rules of the Authority for Personal Data 2019 (hereinafter: Fines Policy Rules 2019). 3.2. Fine policy rulesAuthorityPersonal data2019 The relevant provisions of the Fines Policy Rules 2019 are listed in the appendix to this Decree system of the Fine Policy Rules 2019 is as follows. The violations for which the AP can impose a fine up to the amount stated above are in the Finespolicy rules2019categorizedinthreefinecategories.Thesecategoriesareorderedby gravityoftheviolationofthementionedarticles,wherebycategoryIdeleastseriousviolations category III contain the most serious offences. The categories are subject to increasing monetary fines connected. This follows from article 2, under 2.1 and 2.3 of the Fine Policy Rules 2019. CategoryI Fine range between €0 and €200,000 Basic fine: €100,000 Category II Fine range between €120,000 and €500,000 Basic fine: €310,000 Category III Fine range between €300,000 and €750,000 Basic fine: €525,000 According to article 6 of the 2019 Fine Policy Rules, the AP determines the amount of the fine through the basic fine up or down, depending on the extent to which the factors mentioned in Article 7 give cause to do so. Under Article 8, it is possible to assign the next higher or lower category to apply if the fine category determined for the infringement is not appropriate in the specific case punishmentallows. 8Published in Stcrt. 2019,14586, March 14, 2019. 8/20 Date Unidentified February 4, 2021 [confidential] 3.3. fine amount The AP considers a fine of €12,000.00 to be appropriate and appropriate for the violation found herein. in the following paragraphs, this is substantiated as follows. First of all, the AP sees a reason for the lower finecategoryIapply.Therearenofinereducingorincreasingfactorsapplicablethat require the adjustment of the basic fine of €100,000.00 for that fine category. culpability of the conduct does not give rise to this. The AP sees a reason to on the ground from the principle of proportionality to moderate the fine and up to the aforementioned amount. 3.3.1. Fine categories basic fine The violation of article 32 of the GDPR (Processing Security) is, according to appendix I to the Fines Policy Rules 2019, classified in category II. As follows from the table for this, applies to this category a penalty bandwidth of €120,000.00 and €500,000.00 and a basic fine of €310,000.00. In this case, this fine bandwidth and basic fine cannot lead to an appropriate penalty of the detected violation. In doing so, the AP takes into account that the investigation sees the violation on the registration form on the practice's website, and not on the patient administration as such. Technically, the registration form forms a separate system from that administration thereforeapply under article 8 of the Fine Policy Rules 2019 category I(for which a fine range applies from €0.00 to €200,000 and a basic fine of €100,000.00), and also within that category the fine is moderate and on the basis of what is not in this and the following paragraphs considered. The basic fine is based on a neutral starting point, and should be increased or decreased as far as the Article 7 of the Fines Policy Rules 2019, the factors mentioned give rise to this the amount of the fine must be proportionate and attuned to the seriousness of the violations to the extent to which this can be blamed on the offender (compared articles 3:4 and 5:46 of the General Law administrative law; hereinafter: Awb). The factors mentioned in Article 7 give rise to notes. The factors not discussed are not applicable in this case. a.Nature, seriousness, duration of the infringement According to [person concerned], the website with the registration form went online on October 27, 2010 and on Taken offline May 29, 2019. Although the form was available for eight years and seven months for use, the AP's research focused on the period from May 25, 2018 to May 29, 2019. the AP aligns with the date on which the GDPR became applicable. That means the violation, for 9 as far as taken into account, has lasted approximately one year. TheAPrespectsthatthe violation was structurally of a long duration, all the more so because [person involved] also applied before it 9Article 13 of the Personal Data Protection Act (hereinafter: Wbp) is materially comparable to Article 32, first paragraph, of the GDPR: both provisions oblige the taking of technical and organizational measures to ensure an appropriate ensure security levels. The interpretation of article 13 of the Wbp is no different from that of article 32 of the GDPR, described in paragraphs 2.3.2 and 2.3.3. Also in the period that the Wbp was valid, [the person concerned] was therefore in violation. 9/20Date Unidentified February 4, 2021 [confidential] of the AVG, on the basis of the Personal Data Protection Act, was mandatory and appropriate security level.That obligation did not arise first when it applies become of the AVG. The A reckons the [person concerned] that she as a professional care provider in the run-up to the the period examined did not take care of the . referred to in article 32, first paragraph, of the GDPR appropriate technical and organizational measures, through a correct implementation of NEN7510. It applies to the BSN that it is obligated to do so on the basis of the Use Regulation social security number in health care. For the other data that were sent via the form, that NEN7510 contains the end-care generally accepted security standards. [Data subject] had here must be informed by virtue of its capacity as a healthcare provider. [Involved person] has furthermore not only created the theoretical possibility that the form are used to transmit sensitive data over an unsecured connection after all, that the form has actually been used that the violated standard was intended to protect, has been called into question. Although the exact number submissions of the form can no longer be determined, the AP considers it not improbable that it form was also used when the Wbp was applicable, including only appropriate security level was required. The AP reckons the [person concerned] that the violation took a long time and was contrary to the norms that apply specifically to her profession (care). That the violation also actually led to the ability to send sensitive data over an unsecured connection, consider the APextra sorry. g.The categories of data to which the infringement relates First of all, you were asked for the BSN via the registration form. That in itself is only sensitive, but this is more true if the data is viewed in conjunction with the other data requested sensitivity is also apparent from the legal obligation to comply with NEN7510. Viewed together, the data provide so much information about the patient to be written, that the risk of identity fraud exists if the data were intercepted. also taking into account that it often concerned the data of minors, as stated in paragraph 2.3.3. Furthermore, the other data requested are just as sensitive, because they are related to you with the health of the patient to be registered. This also applies to the registration with a orthodontist as such. The AP has not investigated, partly because the processing no longer takes place or this qualifies as special personal data as referred to in article 9 of the AVG, but is sufficient with the finding that the form has been used to send sensitive data. The AP reckons the [person concerned] that the violation relates to sensitive data of minors. 10/20 Date Unidentified February 4, 2021 [confidential] Increase or decrease basic fine In view of the foregoing, the AP in the factors listed in the 2019 Fine Policy Rules, to the extent application in the present case, no reason to reduce the basic fine fine amount is also not in question. 3.3.2. culpability of the conduct On the basis of article 5:46, second paragraph, of the Awb, the AP keeps the AP when imposing an administrative fine take into account the extent to which they can be blamed on the offender. Because in this case it concerns a violation, is for the imposition of an administrative fine in accordance with established case law does not require that it is shown that intent may presuppose the AP culpability if it criminality is established.10 As stated in paragraph 2.3.4, [Data Subject] has, in its opinion, pointed to an audit report, step-by-step planer preparation for the AVG and a report of a collegiate visitation. According to [person involved] did she not point in any of these pieces of the shortcoming with regard to the online registration form. Insofar as [the person concerned] means that this is a question of reduced culpability, the AP does not follow her.As a health care provider she should have been familiar with the care for that care applicable security standards. It does not alter the fact that others have not pointed out the shortcoming to her its own obligations as a controller. Now that the violation [the person concerned] can be fully blamed, the culpability of the violation is no reason to reduce the amount of the fine. 3.3.3. proportionality Finally, the AP will assess on the basis of articles 3:4 and 5:46 of the General Administrative Law Act (principle of proportionality) or the application of its policy for determining the amount of the fine, given the circumstances of the concrete case, does not lead to a disproportionate outcome. In the light of the proportionality of the imposition of the fine, the AP considers it important that the violation, as stated in paragraph 3.3.1, see the non-secure use of a registration form on the website of the practice, and not on the entire patient administration. The AP has about the use of the unsecured connection received one complaint. The AP has no . about the patient administration itself received signals and therefore has not conducted any research. Furthermore, the use of the registration formremained limited in the eligibility period. 10Compared rulings of the CBb of 29 October 2014(ECLI:NL:CBB:2014:395, ow. 3.5.4), 2 September 2015(ECLI:NL:CBB:2015:312, ow. 3.7) and March 7, 2016 (ECLI:NL:CBB:2016:54, ow. 8.3). Also compare the rulings of the Administrative Jurisdiction Division of August 29, 2018(ECLI:NL:RVS:2018:2879,ow.3.2) and December 5,2018(ECLI:NL:RVS:2018:3969,ow.5.1). Finally, see Parliamentary PapersII 2003/04,29 702,no.3,p. 134. 11/20 Date Unidentified February 4, 2021 [confidential] In addition, it is important that the company of [the person concerned] must be counted among the middle and small business(SME). Also, given the low cost associated with secure shipping from a form (compare paragraph 2.3.1), it is not plausible that as a result of the violation financial profits have been made or losses have been avoided. In all the circumstances mentioned, the AP sees reason to apply the basic amount of € 100,000.00 to moderate. The AP considers, also in view of the seriousness of the violation, the substantial capacity of the companiesthe target group whose personal data are processed, a fine of €12,000.00 suitable provided. Finally, the AP should consider whether what [the person concerned] has put forward in its view on the intention to enforce it is reason to assume that this fine will result in a would lead to a disproportionate outcome. [The person concerned] has stated in her opinion that she is a finer of the basic amount of fine category II (€ 310,000.00) would never be able to pay. She has a provisional assessment of income tax for 2018 submitted. However, it is stated in paragraph 3.3.1 that not fine category II is applied, but fine category I. The corresponding base amount is moreover, hereby moderated to €12,000.00. It does not follow from the documents submitted by [the person concerned] that this fine would have disproportionate consequences, for example because the orthodontic practice in the continued existence would be threatened. The AP therefore sees no reason in the capacity of [person involved] to further moderate the fine. 3.4. Conclusion The AP sets the fine for the violation of article 32, first paragraph, of the AVG, in view of the previous fixed at €12,000.00. 12/20 Date Unidentified February 4, 2021 [confidential] 4. dictum fine The AP explains to [the person concerned], acting under the name of [company], for violation of article 32, first paragraph, of the AV No administrative fine, amounting to €12,000.00 (in words: twelve thousand euros). 11 Yours sincerely, AuthorityPersonal Data, drs.C.E.Mur board member Remedies Clause If you do not agree with this decision, you can within six weeks of the date of shipment of the decide to submit an objection digitally or on paper to the Data Protection Authority Article 38 of the AVG Implementation Act suspends the submission of an objection to the operation of the decision to impose the administrative fine. Mention in your notice of objection at least: your name and address; the date of your notice of objection; the reference (case number) mentioned in this letter, or enclose a copy of this decision; the reason(s) why you do not agree with this decision; your signature. You can submit the notice of objection digitally via the website. Go to www.autoreitinformatie.nl, en click at the bottom of the page, under the heading “Contact with the Data Authority”, on the link “Objection to a decision”. From there, use the “Objection Form”. Do you prefer to send the notice of objection by post? Then you can send it to the following address: AuthorityPersonal Data Legal Affairs & Legislative Advice Department, Objection Department PO Box93374 2509AJ THE HAGUE 11The AP will hand over the claim to the Central Judicial Collection Agency (CJIB). 13/20Date Unidentified February 4, 2021 [confidential] APPENDIX–Legal Framework General Data Protection Regulation (GDPR) Article 2 (Material scope 1. This Regulation applies to wholly or partly automated processing, as well as to the processing of data that are included in a file or that are intended are to be included. […] Article 3(Territorial scope 1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not. […] Article 4 (Definitions) For the purposes of this Regulation: 1) "personal data": any information about an identified or identifiable natural person ("the data subject"); if identifiable is considered a natural person who directly or indirectly can be identified, especially by an identifier such as a name, anaam identification number, location data, an online identifier or of one or more elements that are characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person; 2) "processing" means any operation or set of operations relating to personal data or a set of data, whether or not carried out via automated processes, such as the collect, capture, organize, structure, save, update or change, retrieve, consult, use, provide by transmission, distribute or otherwise make available set, align or combine, shield, delete or destroy data; […] 7) "controller" means a natural or legal person, a public authority, a service or other body which, alone or together with others, is the purpose of the means for the processing of data; when the objectives of the means for this processing is laid down in Union or Member State law, are determined who the controller is or according to what criteria it will be designated; […] Article32(Processing Security) 1. Taking into account the state of the art, the implementation costs, as well as the nature, the size, the context, the processing purposes, and the probability and severity various risks to the rights and freedoms of persons, 14/20Date Unidentified February 4, 2021 [confidential] controller and processor appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which, where appropriate, include the following, among others: a) the pseudonymisation and encryption of data; b) the ability to stand on the basis of confidentiality, integrity, availability and ensure resilience of processing systems and services; c) the ability to alter the availability of access to in the event of a physical or technical incident restore the personal data in a timely manner; d) a procedure for the regular testing, assessment and evaluation of the effectivenessofthetechnicalandorganizationalmeasurestosecurethe processing. 2. In the assessment of the appropriate level of security, particular account is taken of the processing risks, especially as a result of the destruction, loss, modification or unauthorized disclosure of or unauthorized access to transmitted, stored, or otherwise processed data, either accidental or unlawful. […] Article 58(Powers) […] 2. Each supervisory authority shall have all of the following powers to take corrective measures: […] i) according to the circumstances of each case, in addition to or instead of the . referred to in this paragraph measures, impose an administrative fine under article 83; and […] […] Article 83 (General conditions for the imposition of administrative fines) 1. Each supervisory authority shall ensure that the administrative fines charged under thisarticleareimposedbeforetheendparagraphs4,5and6indicatedinviolationsofthisordinancein each case be effective, proportionately deterrent. 2. Administrative fines are, depending on the circumstances of the specific case, imposed in addition to or instead of the referred to in Article 58, paragraph 2, under a) to h) and under j), measures. When deciding whether an administrative fine will be imposed on the the following is duly taken into account for each concrete case: a) the nature, seriousness and duration of the infringement, taking into account the nature, extent or purpose of the processing in question as well as the number of affected data subjects and the extent of the damage caused by fishing; b) the intentional or negligent nature of the infringement; 15/20Date Unidentified February 4, 2021 [confidential] c) the measures taken by the controller or processor to limiting the damage suffered by those involved; d) the extent to which the controller or processor is responsible in view of the technicalandorganizationalmeasuresthathehascarriedoutinaccordancewiththe articles25and32; e) previous relevant breaches by the controller or processor; f) the extent to which the supervisory authority has cooperated to prevent the infringement remedy and limit possible negative consequences; g) the categories of data to which the infringement relates; h) the manner in which the supervisory authority became aware of the infringement, in particular whether, and if so, to what extent, the controller or processor has committed the infringement reported; (i) compliance with the measures referred to in Article 58(2), as far as they are concerned from the controller or processor in question with regard to the same matter taken up; j) adherence to approved codes of conduct in accordance with article 40 or of approved goed certification mechanism accordinglyarticle42;and k) any other aggravating or mitigating factor, such as financial gains made, or losses avoided, which may or may not be directly the infringement arise. […] 4. Violations of the following provisions shall be subject to administrative law accordingly fines up to EUR 10,000,000 or, for a company, up to 2% of the total worldwide annual turnover in the previous financial year, if this figure is higher: a) the obligations of the controller and the processor in accordance with the articles8,11,25to39,and42and43; […] […] Implementing ActGeneral Data Protection Regulation Article 14 (Taking powers) 1. The Data Authority is authorized to perform the tasks and exercise the powers exercises assigned to the supervisory authority by or pursuant to the Regulation. […] 3. The Data Authority may, in the event of a violation of the provisions of Article 83, fourth, fifth or sixth paragraph of the ordinance to impose an administrative fine from at the most endthese member amounts. […] 16/20Date Unidentified February 4, 2021 [confidential] Supplementary Provisions for the Processing of Personal Data in Healthcare 12 Article8 1. The healthcare provider records the client's citizen service number in his administration at the recording data relating to the provision of care. […] Article10 A ministerial regulation can be determined to which security requirements the data processing is intended in articles 8 and 9, is sufficient. Scheme for use of citizen service number Article 1 In this regulation is understood by: a. Minister: Minister of Health, Welfare and Sport; 13 b. law: Use of citizen service number in health care; c. decision: Decree on use of citizen service number in healthcare; d. NEN: standard issued by the Netherlands Standardization Institute; e. NEN7510: NEN7510 and its elaboration in NEN7511 and NEN7512; […] Article2 The data processing referred to in Articles 8 and 9 of the Act[…] complies with NEN7510. NEN7510-2: Medical informatics – Information security in healthcare – Part2:Control Measures 10.1.1PolicyOnUsingcryptographic Controls Control measure To protect information, there should be a policy for the use of cryptographic control measures are developed and implemented. […] The implementation of the cryptography policy should take into account the regulations and national restrictions that may apply to the use of cryptographic techniques in different parts of the world and with problems with cross-border 1Until 1 July 2017, this act was called the Citizen Service Number Act in healthcare. 1As stated in the footnote above, this law is now called the Wet Supplementary Provisions for the Processing of Personal Data in the care. 17/20Date Unidentified February 4, 2021 [confidential] streams of encrypted information (see 18.1.5). Cryptographic controls can be used for various information security objectives, e.g.: a) confidentiality: use encryption of information to protect sensitive or essential information, during storage or shipment, to protect; […] Other information Decision making about whether a cryptographic solution fit, should be considered part of the overall process of risk assessment and choosing control measures. […] For choosing the correct cryptographic control measures that meet the objectives of information security policy should be sought expert advice. 13.2.1Information transport policy procedures Control measure To protect the information transport, which takes place through all kinds of communication facilities, Formal transport policies, procedures and controls should be in place. Implementation guideline Atprocedurestobefollowedandcontrolmeasurestobecarried outwith theuseofcommunicationfacilitiesforinformationtransportcorrelatingfollowingpointsin to be considered: a) procedures designed to protect transmitted information against interception, copy,modification,misrouting,destruction; […] f) use of cryptographic techniques, e.g. for confidentiality, integrity, authenticity from information to protect (see chapter 10); […] CARE-SPECIFIC IMPLEMENTATION GUIDELINE Organizations should ensure that the security of such exchange of information subject of policy developments and audits of compliance (see chapter 18). […] 18/20Date Unidentified February 4, 2021 [confidential] Fine policy rulesPersonal Data Authority2019 Article2.Category Classifications of Fine Bandwidths 2.1 The provisions concerning violations of which the Data Protection Authority is an administrative can impose a fine of up to the amount of €10,000,000 or, for a company, up to 2% of the total worldwide annual sales in the previous financial year, if this figure is higher, in annex 1 classified in category I, category II or category III. […] 2.3 The Data Protection Authority sets the basic fine for violations for which a statutory fine maximum applies from € 10,000,000 or, for a company, up to 2% of the total worldwide annual turnover in the previous financial year, if this figure is higher, or € 20,000,000 or, for a company, up to 4% of total worldwide annual sales in the previous financial year, if number is higher, fixed within the following fine ranges: CategoryI Fine range between €0 and €200,000 Basic fine: €100,000 Category II Fine range between €120,000 and €500,000 Basic fine: €310,000 Category III Fine range between €300,000 and €750,000 Basic fine: €525,000 […] 2.4 The amount of the basic fine is set at the minimum of the bandwidth incremented with half the bandwidth of the fine category linked to a violation. Article 6. The basic fine and a possible increase or reduction The Data Protection Authority determines the amount of the fine by the amount of the basic fine above(uptothemaximumofthebandwidthoftheviolationlinked fine category) or down (to the minimum of that bandwidth). basic fine is increased or decreased depending on the degree to which the factors mentioned in article 7 give rise to this. Article7.Relevant factors Without prejudice to articles 3:4 and 5:46 of the General Law, administrative law keeps the Authority Personal data account with the factors mentioned under ato and with k, insofar as it is concrete case applicable: a) the nature, seriousness and duration of the infringement, taking into account the nature, extent or purpose of the processing in question as well as the number of affected persons involved and the extent of the by them damages suffered; b) the intentional or negligent nature of the infringement; c) the measures taken by the controller or processor to limit the damage suffered by those involved; d) the extent to which the controller or processor is responsible in view of the technicalandorganizationalmeasuresthathehasperformedin accordance with the articles25 en32 of the General Data Protection Regulation; e) previous relevant breaches by the controller or processor; 19/20Date Unidentified February 4, 2021 [confidential] f) the extent to which the supervisory authority cooperated to remedy the infringementbreuk and limit the possible negative consequences thereof; g) the categories of data to which the infringement relates; h) the manner in which the supervisory authority became aware of the infringement, in particular whether, and if so, to what extent, the controller or processor has reported the infringement; i) compliance with Article 58, paragraph 2, of the General Data Protection Regulation the aforementioned measures, to the extent that they are prior to the controller or the processor in question have been taken with regard to the same matter; j) adhere to approved codes of conduct in accordance with article 40 of the GeneralAl data protection regulation or of approved certification mechanism accordingly Article 42 of the General Data Protection Regulation; and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains made, or losses avoided, whether or not directly from the infringement result. Article8.Out-of-bandwidth and increased fine maximums for a company 8.1 If the fine category defined for the infringement is not an appropriate sanction allows, the Data Authority may, in determining the amount of the fine, finebandwidthofthenexthighercategoryrespectivelythefinebandwidthofthenext apply lowercategory Appendix1,associatedwitharticle2 Violations with a statutory fine of maximum €10,000,000 or, for a company, up to 2% of the total worldwide annual turnover in the previous financial year, if this figure is higher: Legislative article Description Category General Data Protection Regulation […] […] […] article32 processing security II […] […] […] 20/20