AP (The Netherlands) - 4.02.2021: Difference between revisions
From GDPRhub
No edit summary |
m (Ar moved page AP (The Netherlands) - Orthodontiepraktijk to AP (The Netherlands) - 4.02.2021) |
||
| (5 intermediate revisions by one other user not shown) | |||
| Line 53: | Line 53: | ||
}} | }} | ||
The Dutch DPA fined an unnamed orthodontic practice €12,000 for failing to implement appropriate technical and organisational measures to secure | The Dutch DPA fined an unnamed orthodontic practice €12,000 for failing to implement appropriate technical and organisational measures to secure personal data, including that belonging to children, on its website. | ||
== English Summary == | == English Summary == | ||
| Line 67: | Line 67: | ||
Pursuant to Article 32(1) of the GDPR, controllers are obliged to take appropriate technical and organisational measures to protect the processing of personal data against, ''inter alia'', the loss or unlawful processing of the data. These measures must guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, the risks involved and the nature of the data. the implementation costs, the risks involved in the processing and the nature of the data to be protected. | Pursuant to Article 32(1) of the GDPR, controllers are obliged to take appropriate technical and organisational measures to protect the processing of personal data against, ''inter alia'', the loss or unlawful processing of the data. These measures must guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, the risks involved and the nature of the data. the implementation costs, the risks involved in the processing and the nature of the data to be protected. | ||
Further, in the Netherlands, healthcare providers processing patients social security numbers must also comply with 'NEN 7510', which is an information security standard for healthcare. The obligation to comply with this standard follows from Article 2 of the Regulations on the Use of Citizen Service Numbers in Healthcare ('Regeling gebruik burgerservicenummer in de zorg') read in conjunction with the Act on Additional Provisions for processing personal data in healthcare ('de Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg'). Section 10.1.1 of the NEN 7510 | Further, in the Netherlands, healthcare providers processing patients social security numbers must also comply with 'NEN 7510', which is an information security standard for healthcare. The obligation to comply with this standard follows from Article 2 of the Regulations on the Use of Citizen Service Numbers in Healthcare ('Regeling gebruik burgerservicenummer in de zorg') read in conjunction with the Act on Additional Provisions for processing personal data in healthcare ('de Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg'). Section 10.1.1 and 13.2.1 of the NEN 7510 highlight that healthcare providers should develop a policy for the use of cryptographic management measures when storing and transmitting information, in order to ensure its confidentiality, integrity, and authenticity. | ||
The practice updated its website after June 2019, and it no longer transmits data in an unencrypted form. The practice argued that the developer of the old website never pointed out to it the possibility of an encrypted connection. Further, if it had known about this possibility, it would certainly have used it. It also argued that it had actively tried to comply with the GDPR by having an audit carried out every two years by a certification body appointed by the Dutch Association of Orthodontists. It stated that the latest audit report, from 2017, showed that the website was reviewed, and no comments were made. The practice also stated that to its knowledge, no damage had been suffered as a result of the lack of encryption. | The practice updated its website after June 2019, and it no longer transmits data in an unencrypted form. The practice argued that the developer of the old website never pointed out to it the possibility of an encrypted connection. Further, if it had known about this possibility, it would certainly have used it. It also argued that it had actively tried to comply with the GDPR by having an audit carried out every two years by a certification body appointed by the Dutch Association of Orthodontists. It stated that the latest audit report, from 2017, showed that the website was reviewed, and no comments were made. The practice also stated that to its knowledge, no damage had been suffered as a result of the lack of encryption. | ||
| Line 74: | Line 74: | ||
The DPA identified a violation of Article 32 GDPR. | The DPA identified a violation of Article 32 GDPR. | ||
It stated that the lack of encryption of the data transmitted in the form led to an increased risk of a "man-in-the-middle" attack, whereby information sent by the patient is intercepted and read and/or modified. It held that this risk is particularly severe in the present case, as the patients in the orthodontic practice are children. Moreover, the DPA highlighted that, rather than only the social security number being transmitted, health data was also shared. It balanced this against the very low cost of implementing an encrypted connection, and concluded that the orthodontic practice had not taken appropriate technical and organisations measures to secure the personal data, in violation of Article 32(1) GDPR. It considered that the provisions of NEN 7510 when reaching this conclusion. | It stated that the lack of encryption of the data transmitted in the form led to an increased risk of a "man-in-the-middle" attack, whereby information sent by the patient is intercepted and read and/or modified. It held that this risk is particularly severe in the present case, as the patients in the orthodontic practice are children. Moreover, the DPA highlighted that, rather than only the social security number being transmitted, health data, which is special category data under the GDPR, was also shared. It balanced this against the very low cost of implementing an encrypted connection, and concluded that the orthodontic practice had not taken appropriate technical and organisations measures to secure the personal data, in violation of Article 32(1) GDPR. It considered that the provisions of NEN 7510 when reaching this conclusion. | ||
The DPA also highlighted that that the fact that no damage resulting from the lack of encryption was known to the orthodontic practice does not alter the fact that insufficient technical and organisational security measures were implemented. | The DPA also highlighted that that the fact that no damage resulting from the lack of encryption was known to the orthodontic practice does not alter the fact that insufficient technical and organisational security measures were implemented. | ||
| Line 80: | Line 80: | ||
The AP considered a fine of €12,000 appropriate and necessary for the violation. It applied the lowest penalty category, category I, under the Penalty Policy Rules 2019 ('Boetebeleidsregels 2019'). The base fine for category is € 100,000, which the AP can adjust to suit the specific case. In this case, the AP saw reason to reduce the fine to €12,000 in accordance with the principle of proportionality. | The AP considered a fine of €12,000 appropriate and necessary for the violation. It applied the lowest penalty category, category I, under the Penalty Policy Rules 2019 ('Boetebeleidsregels 2019'). The base fine for category is € 100,000, which the AP can adjust to suit the specific case. In this case, the AP saw reason to reduce the fine to €12,000 in accordance with the principle of proportionality. | ||
The AP | The orthodontic practice has objected to the fine imposed. The AP has declared this objection unfounded, and an appeal against this is open in court. | ||
== Comment == | == Comment == | ||
Latest revision as of 17:07, 12 December 2023
| AP (The Netherlands) - Orthodontiepraktijk | |
|---|---|
 | |
| Authority: | AP (The Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 8 GDPR Article 9 GDPR Article 32 GDPR Regeling gebruik burgerservicenummer in de zorg Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 10.06.2021 |
| Published: | 04.02.2021 |
| Fine: | 12000 |
| Parties: | n/a |
| National Case Number/Name: | Orthodontiepraktijk |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | Autoriteit Persoongegevens (in NL) |
| Initial Contributor: | n/a |
The Dutch DPA fined an unnamed orthodontic practice €12,000 for failing to implement appropriate technical and organisational measures to secure personal data, including that belonging to children, on its website.
English Summary
Facts
The Dutch DPA ('AP') received a complaint stating that a registration form on an unnamed orthodontic practice's ('the practice') website was requesting personal data, including name, address, date of birth, and telephone number, and social security number, as well as health data, from patients. The complainant alleged that this data was not adequately secured, as it was transmitted in an unencrypted format.
The DPA initiated an investigation in response to the complaint, in which it visited the relevant website, and took screenshots. The AP also wrote to the practice requesting information, which was provided to the AP in various letters from the orthodontic practice.
During its investigation, the DPA observed that, among other things, on the practice's website, a window was shown under the heading "Technical details", that displayed the message: "Not encrypted connection". The DPA also technically determined that communication by the patient with the website, including the sending of a completed registration form, took place over a non-encrypted and therefore unsecured connection. Between July 2018 and June 2019, the practice received "at most" ten online registrations via this mechanism.
Pursuant to Article 32(1) of the GDPR, controllers are obliged to take appropriate technical and organisational measures to protect the processing of personal data against, inter alia, the loss or unlawful processing of the data. These measures must guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, the risks involved and the nature of the data. the implementation costs, the risks involved in the processing and the nature of the data to be protected.
Further, in the Netherlands, healthcare providers processing patients social security numbers must also comply with 'NEN 7510', which is an information security standard for healthcare. The obligation to comply with this standard follows from Article 2 of the Regulations on the Use of Citizen Service Numbers in Healthcare ('Regeling gebruik burgerservicenummer in de zorg') read in conjunction with the Act on Additional Provisions for processing personal data in healthcare ('de Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg'). Section 10.1.1 and 13.2.1 of the NEN 7510 highlight that healthcare providers should develop a policy for the use of cryptographic management measures when storing and transmitting information, in order to ensure its confidentiality, integrity, and authenticity.
The practice updated its website after June 2019, and it no longer transmits data in an unencrypted form. The practice argued that the developer of the old website never pointed out to it the possibility of an encrypted connection. Further, if it had known about this possibility, it would certainly have used it. It also argued that it had actively tried to comply with the GDPR by having an audit carried out every two years by a certification body appointed by the Dutch Association of Orthodontists. It stated that the latest audit report, from 2017, showed that the website was reviewed, and no comments were made. The practice also stated that to its knowledge, no damage had been suffered as a result of the lack of encryption.
Holding
The DPA identified a violation of Article 32 GDPR.
It stated that the lack of encryption of the data transmitted in the form led to an increased risk of a "man-in-the-middle" attack, whereby information sent by the patient is intercepted and read and/or modified. It held that this risk is particularly severe in the present case, as the patients in the orthodontic practice are children. Moreover, the DPA highlighted that, rather than only the social security number being transmitted, health data, which is special category data under the GDPR, was also shared. It balanced this against the very low cost of implementing an encrypted connection, and concluded that the orthodontic practice had not taken appropriate technical and organisations measures to secure the personal data, in violation of Article 32(1) GDPR. It considered that the provisions of NEN 7510 when reaching this conclusion.
The DPA also highlighted that that the fact that no damage resulting from the lack of encryption was known to the orthodontic practice does not alter the fact that insufficient technical and organisational security measures were implemented.
The AP considered a fine of €12,000 appropriate and necessary for the violation. It applied the lowest penalty category, category I, under the Penalty Policy Rules 2019 ('Boetebeleidsregels 2019'). The base fine for category is € 100,000, which the AP can adjust to suit the specific case. In this case, the AP saw reason to reduce the fine to €12,000 in accordance with the principle of proportionality.
The orthodontic practice has objected to the fine imposed. The AP has declared this objection unfounded, and an appeal against this is open in court.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
AuthorityPersonal Data
PO Box93374,2509AJ The HagueJ
Bezuidenhoutseweg30,2594AV The Hague
T0708888500-F0708888501
authority data.nl
Confidential/Registered
[CONFIDENTIAL]
Date Unidentified
February 4, 2021 [confidential]
Contact
[confidential]
Topic
Decision to impose an administrative fine
Dear [involved person],
The Data Protection Authority (hereinafter: AP) has decided to impose an administrative fine of € 12,000.00
The AP is of the opinion that in any case in the period from July 1, 2018 to May 29, 2019
has not met your obligation to apply appropriate technical information when processing personal data
and organizational measures (Article 32, first paragraph, of the General Ordinance
data protection; hereinafter: GDPR).
The decision is then explained. Section 1 contains an introduction. Section 2 deals with the
processing, processing responsibility and the detected violation. Paragraph 3 becomes
discussed the authority of the AP to impose a fine, and the amount of the fine. Section 4
finally contains the decision (the operative part) and the remedies clause.
1 Introduction
1.1. over the offender
The company “[company]” is driven by [data subject]. On the website of the
orthodontic practice it is stated that the practice has eleven employees, in addition to [the person concerned] as an orthodontist.
The practice is located at [address] and the company is registered in the trade register of the
Chamber of Commerce under number [Chamber of Commerce number].
1 Date Unidentified
February 4, 2021 [confidential]
1.2. Reason for the investigation process
On 27 November 2018, the AP received a complaint as referred to in article 77 of the GDPR. According to the
complaintbecome sensitive data via the registration form on the website of the orthodontics practice
requested, such as the citizen service number (hereinafter: BSN), but the data is thengegevens
sent unencrypted.
On 26 February 2019, the AP visited the website of the orthodontics practice in the morning of screenshots
made.
In a letter dated 29 May 2019, the AP requested [the person concerned] for information.
letter of 4 June 2019 replied.
On July 4, 2019, the AP visited the website of the orthodontics practice and screenshots there
made.
In a letter dated 12 August 2019, the AP has requested [the person concerned] for further information. [The person concerned]
responded to the letter dated 19 August 2019.
The findings and conclusions of the study were recorded in a report dated August 27, 2019.
By letter dated 12 September 2019, the AP sent the investigation report to [person concerned]. The AP
has thereby expressed the intention to impose an administrative fine and [the person concerned] in the
opportunity to comment on it.
By letter dated 7 October 2019, supplemented by those dated 9 and 12 December 2019, [the person concerned] has
opinion submitted.
2. Fact Assessment
The relevant laws and regulations are listed in the appendix to this Decree.
2.1. Processing of personal data
At the time of the complaint, the website of the orthodontic practice contained a registration form
of new patients. This form contained fields for, among other things, name and address details, date of birth,
BSN, telephone numbers of the patients and the parents, information about the school, general practitioner, dentist and
insurance company. This data concerns information about an identified or
identifiable natural person, and are thus personal data as referred to in article 4, preambles
under 1, of the AVG.
2/20 Date Unidentified
February 4, 2021 [confidential]
From the letter from [person concerned] dated 19 August 2019, it follows that after sending the form, the
completed data were stored online. The orthodontic practice received a notification by e-mail
of the new registration. An employee of the practice log on to the website, opened the data
of the registrations created a new patient in their own patient file
the data stored online will be deleted, according to [data subject]. This whole of processing, but also
every part of it, including capturing, saving and destroying data, is a
processing of personal data as referred to in article 4, opening words, under 2 of the AVG.
2.2. Controller
[Data subject] determines the purposes and means of the processing of personal data
After all, registration form serves to obtain data from new patients from her
orthodontic practice run as a sole proprietorship, required for the treatment and financial
processing thereof. [Data subject] is, according to the controller, referred to in Article 4, preamble
and under 7, of the AVG.
2.3. Processing Security Violation
2.3.1. preface
The controller is obliged under article 32, first paragraph, of the GDPR
to take appropriate technical and organizational measures to prevent the processing of personal data
against, among other things, loss or unlawful processing of the data. Thesemeasures
must ensure an appropriate level of security, taking into account the state of the art
the execution costs, the risks of the processing and the nature of the data to be protected.
The question whether the controller referred to in Article 32, first paragraph, of the GDPRAV
has taken measures, will be assessed as follows in case the present one
of a patient's BSN by a care provider must comply with NEN7510.Datisa
information security standard for health care. The obligation to comply with this standard
from article 2 of the Regulations for the use of citizen service number in healthcare, read in conjunction with article 8
of the Supplementary Provisions for the Processing of Personal Data in Healthcare. Also outside these legalwet
obligation with regard to the citizen service number, health care applies that NEN7510 the general
accepted security standards. NEN7510 is further elaborated in NEN7510-1and
NEN7510-2.
Chapter 10 of NEN7510-2 discusses control measures related to cryptography.
These measures are aimed at ensuring correct and effective use of cryptography in order to
1Article 8, first paragraph, of this Act relates to the provision of care. It follows from article 1, preamble under b, of that law that the
financial-administrative settlement is also part of this. That settlement begins with the submission of the required
data, such as the social security number. Compare the drafting history of this provision (Parliamentary PapersII2005/06, 30 380, no. 3, page 20).
2Compare the CPPGuidelines for the protection of personal data (Government Gazette 2013 nr. 5174, p.11).
3/20 Date Unidentified
February 4, 2021 [confidential]
to protect confidentiality, authenticities/or integrity of information. In Section 10.1.1 is
mentionthattoprotectinformation,apolicyfortheuseofcryptographic
control measures should be developed and implemented. These may include
be used for the purpose of ensuring confidentiality, by decoding information
use to protect sensitive or critical information during storage or transmission.
Chapter 13 of NEN7510-2 deals with control measures with regard to
communications security. Section 13.2 contains controls related to
transport of information. The purpose of these control measures is to maintain the security of
information that is exchanged within an organization and with an external entity. In Section 13.2.1 is
mention that when using communication facilities for information transport, consideration must be given to
be taken to use cryptographic techniques, for example to protect confidentiality,
to protect the integrity and authenticity of information.
With regard to the state of the art with regard to cryptographic techniques is further from
importance that the National Cyber Security Center (hereinafter: NCSC) also points out the importance of its website
3
of protecting communication when sensitive information is sent over a connection.
According to the NCSC is TLS(TransportLayerSecurity), the most commonly used protocol for securing
connections on the internet. Application of TLS on web traffic is done via the HTTPS protocol on the
using a TLS certificate.
4
A TLS certificate can be obtained free of charge, provided that costs are incurred as a rule to
let an IT install or renew the certificate on the server because the validity period is
expired. These are short-term operations that only involve wage costs.
2.3.2. Facts
[The person concerned] has stated that the website of the orthodontic practice went online on 4 June 2010. 5
Because at the time of the first information request from the AP, a new website was being worked on,
silk then-existing website referred to as 'old website'.
The AP visited the website – which has since been replaced by another – on February 26, 2019.
It was noted that the website, as stated, contained a form for the registration of
new patients. This form contained fields for, among other things, contact details of the patients
the patient's parents and social security number. The AP has also noted that the website at the time of the
visitintothenotusedanencryptedconnection at all.Thisisshownfromthescreenshotsin
appendix 9 of the investigation report, of which an excerpt is included below:
3
4https://www.ncsc.nl/subjects/connection security.
For example, at non-profit certificate authority Let's Encrypt, < https://letsencrypt.org/>. There are certificate authorities that take precious
offer certificates(ExtendedValidation,orEV). Such certificates provide more information about the party to whom the certificate is
provided, but do not lead to a different or better encryption of the information exchanged.
5Letter dated 19 August 2019, appendix 8 to the investigation report.
4/20Date Unidentified
February 4, 2021 [confidential]
Figure 1: Cutout of the page formation of the website[url].
In the displayed window, under the heading “Technical details” there is a message “Unencrypted connection”
included. This message reads: “The website[url] does not support encryption for the page you
data that is sent over the Internet without encryption can pass through
others are seen.”
[Data subject] acknowledged that the old website did not use an encrypted connection. The 6
developer of the old website never pointed her out to that possibility
made use of, according to [person concerned].
It follows from [the person concerned]'s letter of 19 August 2019 that if a form was sent, the
data was stored on the web server on which the old website was running
received a notification about this. After logging into the website, the saved data was viewed,
taken over into the administration of the practice and finally removed from the web server.Between July 2018
and June 2019, the practice received no more than ten online registrations, according to [person concerned].
6Opinion of 7 October 2019 on the intention to impose an administrative fine.
5/20 Date Unidentified
February 4, 2021 [confidential]
7
[Data subject] had the old website taken offline on 29 May 2019.
On July 4, 2019, the AP visited the website of the orthodontics practice again and noted that the
website, now renewed, did use an encrypted connection, but no longer a
includes an online registration form.Instead, a registration form is now offered in the form
from a PDF file, which can be downloaded, printed, filled out, and delivered to the practice.
2.3.3. Rating
The question whether [the person concerned] the appropriate technical and referred to in article 32, first paragraph, of the GDPR
has taken organizational measures – as stated under 2.3.1 – must be answered to
the hand of NEN7510. This NEN standard is mandatory for the use of the BSN and for the care
This standard also includes the accepted security standards.
The AP notes that the old website of the orthodontics practice did not have a TLS certificate
as a result, did not use the HTTPS protocol. Communication with the website, including the
sending a completed registration form, therefore went over an unencrypted one and so
unsecured connection. This made some availability of the registration form
an increased risk of a “man-in-the-middle attack”, where information is sent
intercepted and/or modified, without the sending and receiving party knowing
It is thus established that [the person concerned] has not taken any control measures with regard to
communication security. That is not in accordance with the provisions of NEN7510 (including the
paragraphs 10.1 and 13.2).
It should be borne in mind that the patients of an orthodontic practice are usually minor children.
This follows from the nature of the treatment, the fields of the registration form (which asks for
the details of the parents) and the visual material on the website of the orthodontic practice
the data of these minor children who are on the unencrypted, unsecured connection
In addition, it is not only about the social security number, but also data that is closely related
are to the health of the patient concerned.
In view of the sensitive nature of the data that could be collected via the registration form
sent, and, on the other hand, the state of the techniques and the associated very low levels
execution costs of an encrypted connection, the conclusion is that [the person concerned] does not have an appropriate
has taken technical and organizational measures to prevent the processing of personal data
protect against loss or unlawful processing. With this, she has article 32, first paragraph, of the GDPR
violate.
7Letter dated 19 August 2019, Appendix 8 to the investigation report.
6/20 Date Unidentified
February 4, 2021 [confidential]
2.3.4. ViewsandreactionAP
In its view, [the person concerned] intends to impose an administrative fine on the
next brought forward.
The developer of the old website never pointed out to [the person concerned] the possibility of a
the encrypted connection. If she knew about it, she would certainly have used it. Otherwise, she has been active
tried to comply with the AVG, by having an audit carried out by a every two years
DutchAssociationofOrthodontistsdesignatedcertificationbureau.Privacyispart of
the audit.The latest report, dated June 2017, shows that the website has been reviewed and that no
comments have been made.The same certification agency provided a roadmap in March 2018
to comply with the AVG. [Involved person] has completed this plan point by point, and although attention is
spent on privacy and information security, there is no mention that the website must use a
encrypted connection. Furthermore, [the person concerned] is visited every five years by colleagues
orthodontists. Nor did the last visitation report indicate the lack of an encrypted
website connection.No one has complained to [involved person] about the security and there is for
as far as she knows, no damage suffered. Finally, [the person concerned] took the old website offline immediately
andassignedtobettersecurethenewwebsite.
This view does not lead the AP to a different point of view on the detected violation. An audit
by a certification agency, a step-by-step plan in preparation for the application of the
GDPR and a peer review do not dismiss [data subject], as controller, not from the
article32, first paragraph, of the GDPR, the obligation laid down to comply with the technical requirements referred to in that provision
organizational measures. That others have not pointed out to her, while they
assumed that this would happen where necessary, does not absolve her of her own responsibility for being active
ensure a technically secure processing of personal data. An organization that
internet data of sensitive nature and much of children processes, has a large
responsibility to make sure that such data is also safe about the
be sent on the internet. Incidentally, the contents of the audit report and the report of the
peer reviewnotthatintheframeworkoftheauditandvisitattentionhasbeenpaidtoprotection
of personal data. That no one has complained to [the person concerned] that no damage is known to her,
also takes into account that they do not take sufficient technical and organizational security measures
has hit.
2.3.5. Conclusion
In view of the foregoing, the AP is of the opinion that [the person concerned] Article 32, first paragraph, of the AVG of
May 25, 2018 (when the GDPR came into effect) until May 29, 2019, because she
thewebsiteoftheorthodonticspracticeofferedaregistrationformthatnotuseda
encrypted connection while that form was intended to exchange sensitive data.
7/20 Date Unidentified
February 4, 2021 [confidential]
3. Administrative fine
3.1. Power of the AP to impose an administrative fine
Under Article 58, second paragraph, preamble below i, the AP is read in conjunction with Article 83 of the
GDPR, authorized to impose an administrative fine. According to article 83, first paragraph, an imposed
to be effective, proportionately deterrent.It follows from the fourth paragraph of that provision that
breaches of the obligations of the controller (including those mentioned in Article 32
of the GDPR) are subject to fines up to €10,000,000.00 or, for a company, up to 2% of
the total worldwide annual turnover in the previous financial year, if this figure is higher.
Pursuant to Article 14, paragraph 3, of the Implementing Act of the General Data Protection Regulation
(hereafter: UAVG) the AP may in the event of a violation of the provisions of article 83, fourth, fifth or
sixth paragraph, of the AVNot to impose an administrative fine on at the most endthese members mentioned
amounts.
In exercising its power to impose an administrative fine, the AP applies the 8
Fines Policy Rules of the Authority for Personal Data 2019 (hereinafter: Fines Policy Rules 2019).
3.2. Fine policy rulesAuthorityPersonal data2019
The relevant provisions of the Fines Policy Rules 2019 are listed in the appendix to this Decree
system of the Fine Policy Rules 2019 is as follows.
The violations for which the AP can impose a fine up to the amount stated above are in the
Finespolicy rules2019categorizedinthreefinecategories.Thesecategoriesareorderedby
gravityoftheviolationofthementionedarticles,wherebycategoryIdeleastseriousviolations
category III contain the most serious offences. The categories are subject to increasing monetary fines
connected. This follows from article 2, under 2.1 and 2.3 of the Fine Policy Rules 2019.
CategoryI Fine range between €0 and €200,000 Basic fine: €100,000
Category II Fine range between €120,000 and €500,000 Basic fine: €310,000
Category III Fine range between €300,000 and €750,000 Basic fine: €525,000
According to article 6 of the 2019 Fine Policy Rules, the AP determines the amount of the fine through the basic fine
up or down, depending on the extent to which the factors mentioned in Article 7
give cause to do so. Under Article 8, it is possible to assign the next higher or lower category
to apply if the fine category determined for the infringement is not appropriate in the specific case
punishmentallows.
8Published in Stcrt. 2019,14586, March 14, 2019.
8/20 Date Unidentified
February 4, 2021 [confidential]
3.3. fine amount
The AP considers a fine of €12,000.00 to be appropriate and appropriate for the violation found herein.
in the following paragraphs, this is substantiated as follows. First of all, the AP sees a reason for the lower
finecategoryIapply.Therearenofinereducingorincreasingfactorsapplicablethat
require the adjustment of the basic fine of €100,000.00 for that fine category.
culpability of the conduct does not give rise to this. The AP sees a reason to on the ground
from the principle of proportionality to moderate the fine and up to the aforementioned amount.
3.3.1. Fine categories basic fine
The violation of article 32 of the GDPR (Processing Security) is, according to appendix I to the
Fines Policy Rules 2019, classified in category II. As follows from the table for this, applies to this
category a penalty bandwidth of €120,000.00 and €500,000.00 and a basic fine of €310,000.00.
In this case, this fine bandwidth and basic fine cannot lead to an appropriate penalty of the
detected violation. In doing so, the AP takes into account that the investigation sees the violation
on the registration form on the practice's website, and not on the patient administration as such.
Technically, the registration form forms a separate system from that administration
thereforeapply under article 8 of the Fine Policy Rules 2019 category I(for which a
fine range applies from €0.00 to €200,000 and a basic fine of €100,000.00), and also within that
category the fine is moderate and on the basis of what is not in this and the following paragraphs
considered.
The basic fine is based on a neutral starting point, and should be increased or decreased as far as the
Article 7 of the Fines Policy Rules 2019, the factors mentioned give rise to this
the amount of the fine must be proportionate and attuned to the seriousness of the violations to the extent to which
this can be blamed on the offender (compared articles 3:4 and 5:46 of the General Law
administrative law; hereinafter: Awb). The factors mentioned in Article 7 give rise to
notes. The factors not discussed are not applicable in this case.
a.Nature, seriousness, duration of the infringement
According to [person concerned], the website with the registration form went online on October 27, 2010 and on
Taken offline May 29, 2019. Although the form was available for eight years and seven months for
use, the AP's research focused on the period from May 25, 2018 to May 29, 2019.
the AP aligns with the date on which the GDPR became applicable. That means the violation, for
9
as far as taken into account, has lasted approximately one year. TheAPrespectsthatthe
violation was structurally of a long duration, all the more so because [person involved] also applied before it
9Article 13 of the Personal Data Protection Act (hereinafter: Wbp) is materially comparable to Article 32, first paragraph, of
the GDPR: both provisions oblige the taking of technical and organizational measures to ensure an appropriate
ensure security levels. The interpretation of article 13 of the Wbp is no different from that of article 32 of the GDPR, described
in paragraphs 2.3.2 and 2.3.3. Also in the period that the Wbp was valid, [the person concerned] was therefore in violation.
9/20Date Unidentified
February 4, 2021 [confidential]
of the AVG, on the basis of the Personal Data Protection Act, was mandatory and appropriate
security level.That obligation did not arise first when it applies
become of the AVG.
The A reckons the [person concerned] that she as a professional care provider in the run-up to the
the period examined did not take care of the . referred to in article 32, first paragraph, of the GDPR
appropriate technical and organizational measures, through a correct implementation of
NEN7510. It applies to the BSN that it is obligated to do so on the basis of the Use Regulation
social security number in health care. For the other data that were sent via the form,
that NEN7510 contains the end-care generally accepted security standards. [Data subject] had here
must be informed by virtue of its capacity as a healthcare provider.
[Involved person] has furthermore not only created the theoretical possibility that the form
are used to transmit sensitive data over an unsecured connection
after all, that the form has actually been used
that the violated standard was intended to protect, has been called into question. Although the exact number
submissions of the form can no longer be determined, the AP considers it not improbable that it
form was also used when the Wbp was applicable, including only appropriate
security level was required.
The AP reckons the [person concerned] that the violation took a long time and was contrary to the norms
that apply specifically to her profession (care). That the violation also actually led
to the ability to send sensitive data over an unsecured connection, consider the APextra
sorry.
g.The categories of data to which the infringement relates
First of all, you were asked for the BSN via the registration form. That in itself is only sensitive,
but this is more true if the data is viewed in conjunction with the other data requested
sensitivity is also apparent from the legal obligation to comply with
NEN7510. Viewed together, the data provide so much information about the patient to be written, that
the risk of identity fraud exists if the data were intercepted.
also taking into account that it often concerned the data of minors, as stated in paragraph 2.3.3.
Furthermore, the other data requested are just as sensitive, because they are related to you
with the health of the patient to be registered. This also applies to the registration with a
orthodontist as such. The AP has not investigated, partly because the processing no longer takes place
or this qualifies as special personal data as referred to in article 9 of the AVG, but is sufficient with
the finding that the form has been used to send sensitive data.
The AP reckons the [person concerned] that the violation relates to sensitive data of
minors.
10/20 Date Unidentified
February 4, 2021 [confidential]
Increase or decrease basic fine
In view of the foregoing, the AP in the factors listed in the 2019 Fine Policy Rules, to the extent
application in the present case, no reason to reduce the basic fine
fine amount is also not in question.
3.3.2. culpability of the conduct
On the basis of article 5:46, second paragraph, of the Awb, the AP keeps the AP when imposing an administrative fine
take into account the extent to which they can be blamed on the offender. Because in this case it concerns
a violation, is for the imposition of an administrative fine in accordance with established case law does not require that
it is shown that intent may presuppose the AP culpability if it
criminality is established.10
As stated in paragraph 2.3.4, [Data Subject] has, in its opinion, pointed to an audit report,
step-by-step planer preparation for the AVG and a report of a collegiate visitation. According to [person involved]
did she not point in any of these pieces of the shortcoming with regard to the online
registration form. Insofar as [the person concerned] means that this is a question of reduced culpability,
the AP does not follow her.As a health care provider she should have been familiar with the care for that care
applicable security standards. It does not alter the fact that others have not pointed out the shortcoming to her
its own obligations as a controller.
Now that the violation [the person concerned] can be fully blamed, the culpability of the
violation is no reason to reduce the amount of the fine.
3.3.3. proportionality
Finally, the AP will assess on the basis of articles 3:4 and 5:46 of the General Administrative Law Act (principle of proportionality)
or the application of its policy for determining the amount of the fine, given the circumstances
of the concrete case, does not lead to a disproportionate outcome.
In the light of the proportionality of the imposition of the fine, the AP considers it important that the violation,
as stated in paragraph 3.3.1, see the non-secure use of a registration form on the
website of the practice, and not on the entire patient administration. The AP has about the use of the
unsecured connection received one complaint. The AP has no . about the patient administration itself
received signals and therefore has not conducted any research. Furthermore, the use of the
registration formremained limited in the eligibility period.
10Compared rulings of the CBb of 29 October 2014(ECLI:NL:CBB:2014:395, ow. 3.5.4), 2 September 2015(ECLI:NL:CBB:2015:312,
ow. 3.7) and March 7, 2016 (ECLI:NL:CBB:2016:54, ow. 8.3). Also compare the rulings of the Administrative Jurisdiction Division of
August 29, 2018(ECLI:NL:RVS:2018:2879,ow.3.2) and December 5,2018(ECLI:NL:RVS:2018:3969,ow.5.1). Finally, see Parliamentary PapersII
2003/04,29 702,no.3,p. 134.
11/20 Date Unidentified
February 4, 2021 [confidential]
In addition, it is important that the company of [the person concerned] must be counted among the middle and
small business(SME). Also, given the low cost associated with secure shipping
from a form (compare paragraph 2.3.1), it is not plausible that as a result of the violation financial
profits have been made or losses have been avoided.
In all the circumstances mentioned, the AP sees reason to apply the basic amount of € 100,000.00
to moderate. The AP considers, also in view of the seriousness of the violation, the substantial capacity of the
companiesthe target group whose personal data are processed, a fine of €12,000.00
suitable provided.
Finally, the AP should consider whether what [the person concerned] has put forward in its view on
the intention to enforce it is reason to assume that this fine will result in a
would lead to a disproportionate outcome.
[The person concerned] has stated in her opinion that she is a finer of the basic amount of
fine category II (€ 310,000.00) would never be able to pay. She has a
provisional assessment of income tax for 2018 submitted. However, it is stated in paragraph 3.3.1 that
not fine category II is applied, but fine category I. The corresponding base amount is
moreover, hereby moderated to €12,000.00. It does not follow from the documents submitted by [the person concerned] that
this fine would have disproportionate consequences, for example because the orthodontic practice in the
continued existence would be threatened. The AP therefore sees no reason in the capacity of [person involved]
to further moderate the fine.
3.4. Conclusion
The AP sets the fine for the violation of article 32, first paragraph, of the AVG, in view of the
previous fixed at €12,000.00.
12/20 Date Unidentified
February 4, 2021 [confidential]
4. dictum
fine
The AP explains to [the person concerned], acting under the name of [company], for violation of article 32,
first paragraph, of the AV No administrative fine, amounting to €12,000.00 (in words: twelve thousand euros). 11
Yours sincerely,
AuthorityPersonal Data,
drs.C.E.Mur
board member
Remedies Clause
If you do not agree with this decision, you can within six weeks of the date of shipment of the
decide to submit an objection digitally or on paper to the Data Protection Authority
Article 38 of the AVG Implementation Act suspends the submission of an objection to the operation of the
decision to impose the administrative fine. Mention in your notice of objection at least:
your name and address;
the date of your notice of objection;
the reference (case number) mentioned in this letter, or enclose a copy of this decision;
the reason(s) why you do not agree with this decision;
your signature.
You can submit the notice of objection digitally via the website. Go to www.autoreitinformatie.nl, en
click at the bottom of the page, under the heading “Contact with the Data Authority”, on the link
“Objection to a decision”. From there, use the “Objection Form”.
Do you prefer to send the notice of objection by post? Then you can send it to the following address:
AuthorityPersonal Data
Legal Affairs & Legislative Advice Department, Objection Department
PO Box93374
2509AJ THE HAGUE
11The AP will hand over the claim to the Central Judicial Collection Agency (CJIB).
13/20Date Unidentified
February 4, 2021 [confidential]
APPENDIX–Legal Framework
General Data Protection Regulation (GDPR)
Article 2 (Material scope
1. This Regulation applies to wholly or partly automated processing,
as well as to the processing of data that are included in a file or that are intended
are to be included.
[…]
Article 3(Territorial scope
1. This Regulation applies to the processing of personal data in the context of the
activities of an establishment of a controller or processor in the Union,
regardless of whether the processing takes place in the Union or not.
[…]
Article 4 (Definitions)
For the purposes of this Regulation:
1) "personal data": any information about an identified or identifiable natural person
("the data subject"); if identifiable is considered a natural person who directly or indirectly
can be identified, especially by an identifier such as a name, anaam
identification number, location data, an online identifier or of one or more elements that
are characteristic of the physical, physiological, genetic, psychological, economic, cultural or
social identity of that natural person;
2) "processing" means any operation or set of operations relating to personal data or
a set of data, whether or not carried out via automated processes, such as the
collect, capture, organize, structure, save, update or change, retrieve, consult,
use, provide by transmission, distribute or otherwise make available
set, align or combine, shield, delete or destroy data;
[…]
7) "controller" means a natural or legal person, a public authority,
a service or other body which, alone or together with others, is the purpose of the means
for the processing of data; when the objectives of the means
for this processing is laid down in Union or Member State law,
are determined who the controller is or according to what criteria it will be
designated;
[…]
Article32(Processing Security)
1. Taking into account the state of the art, the implementation costs, as well as the nature, the
size, the context, the processing purposes, and the probability and severity
various risks to the rights and freedoms of persons,
14/20Date Unidentified
February 4, 2021 [confidential]
controller and processor appropriate technical and organizational
measures to ensure a level of security appropriate to the risk, which, where appropriate,
include the following, among others:
a) the pseudonymisation and encryption of data;
b) the ability to stand on the basis of confidentiality, integrity, availability and
ensure resilience of processing systems and services;
c) the ability to alter the availability of access to in the event of a physical or technical incident
restore the personal data in a timely manner;
d) a procedure for the regular testing, assessment and evaluation of the
effectivenessofthetechnicalandorganizationalmeasurestosecurethe
processing.
2. In the assessment of the appropriate level of security, particular account is taken of the
processing risks, especially as a result of the destruction, loss, modification or
unauthorized disclosure of or unauthorized access to transmitted, stored, or
otherwise processed data, either accidental or unlawful.
[…]
Article 58(Powers)
[…]
2. Each supervisory authority shall have all of the following powers to take corrective
measures:
[…]
i) according to the circumstances of each case, in addition to or instead of the . referred to in this paragraph
measures, impose an administrative fine under article 83; and
[…]
[…]
Article 83 (General conditions for the imposition of administrative fines)
1. Each supervisory authority shall ensure that the administrative fines charged under
thisarticleareimposedbeforetheendparagraphs4,5and6indicatedinviolationsofthisordinancein
each case be effective, proportionately deterrent.
2. Administrative fines are, depending on the circumstances of the specific case,
imposed in addition to or instead of the referred to in Article 58, paragraph 2, under a) to h) and under j),
measures. When deciding whether an administrative fine will be imposed on the
the following is duly taken into account for each concrete case:
a) the nature, seriousness and duration of the infringement, taking into account the nature, extent or
purpose of the processing in question as well as the number of affected data subjects and the extent of
the damage caused by fishing;
b) the intentional or negligent nature of the infringement;
15/20Date Unidentified
February 4, 2021 [confidential]
c) the measures taken by the controller or processor to
limiting the damage suffered by those involved;
d) the extent to which the controller or processor is responsible in view of the
technicalandorganizationalmeasuresthathehascarriedoutinaccordancewiththe
articles25and32;
e) previous relevant breaches by the controller or processor;
f) the extent to which the supervisory authority has cooperated to prevent the infringement
remedy and limit possible negative consequences;
g) the categories of data to which the infringement relates;
h) the manner in which the supervisory authority became aware of the infringement, in particular
whether, and if so, to what extent, the controller or processor has committed the infringement
reported;
(i) compliance with the measures referred to in Article 58(2), as far as they are concerned
from the controller or processor in question with regard to the same
matter taken up;
j) adherence to approved codes of conduct in accordance with article 40 or of approved goed
certification mechanism accordinglyarticle42;and
k) any other aggravating or mitigating
factor, such as financial gains made, or losses avoided, which may or may not be directly
the infringement arise.
[…]
4. Violations of the following provisions shall be subject to administrative law accordingly
fines up to EUR 10,000,000 or, for a company, up to 2% of the total worldwide
annual turnover in the previous financial year, if this figure is higher:
a) the obligations of the controller and the processor in accordance with the
articles8,11,25to39,and42and43;
[…]
[…]
Implementing ActGeneral Data Protection Regulation
Article 14 (Taking powers)
1. The Data Authority is authorized to perform the tasks and exercise the powers
exercises assigned to the supervisory authority by or pursuant to the Regulation.
[…]
3. The Data Authority may, in the event of a violation of the provisions of Article 83, fourth,
fifth or sixth paragraph of the ordinance to impose an administrative fine from at the most endthese
member amounts.
[…]
16/20Date Unidentified
February 4, 2021 [confidential]
Supplementary Provisions for the Processing of Personal Data in Healthcare 12
Article8
1. The healthcare provider records the client's citizen service number in his administration at the
recording data relating to the provision of care.
[…]
Article10
A ministerial regulation can be determined to which security requirements the data processing is intended
in articles 8 and 9, is sufficient.
Scheme for use of citizen service number
Article 1
In this regulation is understood by:
a. Minister: Minister of Health, Welfare and Sport;
13
b. law: Use of citizen service number in health care;
c. decision: Decree on use of citizen service number in healthcare;
d. NEN: standard issued by the Netherlands Standardization Institute;
e. NEN7510: NEN7510 and its elaboration in NEN7511 and NEN7512;
[…]
Article2
The data processing referred to in Articles 8 and 9 of the Act[…] complies with NEN7510.
NEN7510-2: Medical informatics – Information security in healthcare –
Part2:Control Measures
10.1.1PolicyOnUsingcryptographic Controls
Control measure
To protect information, there should be a policy for the use of cryptographic
control measures are developed and implemented.
[…]
The implementation of the cryptography policy should take into account the
regulations and national restrictions that may apply to the use of cryptographic
techniques in different parts of the world and with problems with cross-border
1Until 1 July 2017, this act was called the Citizen Service Number Act in healthcare.
1As stated in the footnote above, this law is now called the Wet Supplementary Provisions for the Processing of Personal Data in
the care.
17/20Date Unidentified
February 4, 2021 [confidential]
streams of encrypted information (see 18.1.5).
Cryptographic controls can be used for various
information security objectives, e.g.:
a) confidentiality: use encryption of information to protect sensitive or essential information,
during storage or shipment, to protect;
[…]
Other information
Decision making about whether a cryptographic solution fit, should be
considered part of the overall process of risk assessment and choosing control measures.
[…]
For choosing the correct cryptographic control measures that meet the objectives
of information security policy should be sought expert advice.
13.2.1Information transport policy procedures
Control measure
To protect the information transport, which takes place through all kinds of communication facilities,
Formal transport policies, procedures and controls should be in place.
Implementation guideline
Atprocedurestobefollowedandcontrolmeasurestobecarried outwith
theuseofcommunicationfacilitiesforinformationtransportcorrelatingfollowingpointsin
to be considered:
a) procedures designed to protect transmitted information against interception,
copy,modification,misrouting,destruction;
[…]
f) use of cryptographic techniques, e.g. for confidentiality, integrity, authenticity
from information to protect (see chapter 10);
[…]
CARE-SPECIFIC IMPLEMENTATION GUIDELINE
Organizations should ensure that the security of such exchange of information
subject of policy developments and audits of compliance (see chapter 18).
[…]
18/20Date Unidentified
February 4, 2021 [confidential]
Fine policy rulesPersonal Data Authority2019
Article2.Category Classifications of Fine Bandwidths
2.1 The provisions concerning violations of which the Data Protection Authority is an administrative
can impose a fine of up to the amount of €10,000,000 or, for a company, up to 2%
of the total worldwide annual sales in the previous financial year, if this figure is higher, in
annex 1 classified in category I, category II or category III.
[…]
2.3 The Data Protection Authority sets the basic fine for violations for which a statutory
fine maximum applies from € 10,000,000 or, for a company, up to 2% of the total worldwide
annual turnover in the previous financial year, if this figure is higher, or € 20,000,000 or, for a
company, up to 4% of total worldwide annual sales in the previous financial year, if
number is higher, fixed within the following fine ranges:
CategoryI Fine range between €0 and €200,000 Basic fine: €100,000
Category II Fine range between €120,000 and €500,000 Basic fine: €310,000
Category III Fine range between €300,000 and €750,000 Basic fine: €525,000
[…]
2.4 The amount of the basic fine is set at the minimum of the bandwidth incremented
with half the bandwidth of the fine category linked to a violation.
Article 6. The basic fine and a possible increase or reduction
The Data Protection Authority determines the amount of the fine by the amount of the basic fine
above(uptothemaximumofthebandwidthoftheviolationlinked
fine category) or down (to the minimum of that bandwidth).
basic fine is increased or decreased depending on the degree to which the factors mentioned in
article 7 give rise to this.
Article7.Relevant factors
Without prejudice to articles 3:4 and 5:46 of the General Law, administrative law keeps the Authority
Personal data account with the factors mentioned under ato and with k, insofar as it is concrete
case applicable:
a) the nature, seriousness and duration of the infringement, taking into account the nature, extent or purpose of
the processing in question as well as the number of affected persons involved and the extent of the by them
damages suffered;
b) the intentional or negligent nature of the infringement;
c) the measures taken by the controller or processor to
limit the damage suffered by those involved;
d) the extent to which the controller or processor is responsible in view of the
technicalandorganizationalmeasuresthathehasperformedin accordance with the articles25
en32 of the General Data Protection Regulation;
e) previous relevant breaches by the controller or processor;
19/20Date Unidentified
February 4, 2021 [confidential]
f) the extent to which the supervisory authority cooperated to remedy the infringementbreuk
and limit the possible negative consequences thereof;
g) the categories of data to which the infringement relates;
h) the manner in which the supervisory authority became aware of the infringement, in particular whether,
and if so, to what extent, the controller or processor has reported the infringement;
i) compliance with Article 58, paragraph 2, of the General Data Protection Regulation
the aforementioned measures, to the extent that they are prior to the controller or the
processor in question have been taken with regard to the same matter;
j) adhere to approved codes of conduct in accordance with article 40 of the GeneralAl
data protection regulation or of approved certification mechanism accordingly
Article 42 of the General Data Protection Regulation; and
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial gains made, or losses avoided, whether or not directly from the infringement
result.
Article8.Out-of-bandwidth and increased fine maximums for a company
8.1 If the fine category defined for the infringement is not an appropriate
sanction allows, the Data Authority may, in determining the amount of the fine,
finebandwidthofthenexthighercategoryrespectivelythefinebandwidthofthenext
apply lowercategory
Appendix1,associatedwitharticle2
Violations with a statutory fine of maximum €10,000,000 or, for a company, up to 2% of
the total worldwide annual turnover in the previous financial year, if this figure is higher:
Legislative article Description Category
General Data Protection Regulation
[…] […] […]
article32 processing security II
[…] […] […]
20/20
