AP (The Netherlands) - 24.02.2022: Difference between revisions
From GDPRhub
No edit summary |
No edit summary |
||
| Line 7: | Line 7: | ||
|DPA_With_Country=AP (The Netherlands) | |DPA_With_Country=AP (The Netherlands) | ||
|Case_Number_Name= | |Case_Number_Name=Ministry of Foreign Affairs | ||
|ECLI= | |ECLI= | ||
Revision as of 14:25, 13 April 2022
| AP (The Netherlands) - Ministry of Foreign Affairs | |
|---|---|
 | |
| Authority: | AP (The Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 13(1)(e) GDPR Article 24 GDPR Article 32 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 24.02.2022 |
| Published: | 06.04.2022 |
| Fine: | 565,000 EUR |
| Parties: | Dutch Minister of Foreign Affairs |
| National Case Number/Name: | Ministry of Foreign Affairs |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Dutch |
| Original Source: | autoriteitpersoonsgegevens.nl (in NL) |
| Initial Contributor: | ea |
The Dutch DPA issued a fine of EUR 565,000 against the Dutch Ministry of Foreign Affairs for having insufficient security measures and not providing data subjects with adequate information when processing visa applications, in violation Article 13(1)(e), 24 and 32 GDPR.
English Summary
Facts
The Dutch Ministry of Foreign Affairs handled personal data in processing visa applications. That data included fingerprints, name, address, place of residence, country of birth, purpose of visit, nationality and a photograph. The DPA carried out an investigation of the New Visa Information System that the Ministry used for visa processing operations.
Holding
The DPA held that the New Visa Information System lacks sufficient level of security, giving rise to a risk that unauthorised persons can view and change files. It also increases the risk that other errors go unnoticed. Some of the issues concerned were a lack of a security plan, insufficient physical security safeguards, lack of formal registration and deregistration procedures in relation to the access to the system, and weaknesses in the procedure for reporting security incidents. These errors and abuses would have major consequences on applicants' rights. Consequently, the Ministry violated Article 32 GDPR and Article 24 GDPR.
The DPA also found that visa applicants were insufficiently informed about how their data was shared with third parties. Consequently, the Ministry violated Article 13(1)(e) GDPR.
The Ministry of Foreign Affairs was held to be severely negligent as it had been aware of these deficiencies for years. The DPA ordered the Ministry to rectify the situation. It imposed a fine of EUR 565,000 for the past violations. It also imposed penalty payments payable for as long as the violations continue, namely EUR 50,000 per two weeks for security breaches and EUR 10,000 per week for lack of transparency.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
AuthorityPersonal Data
PO Box93374,2509AJ The Hague
Bezuidenhoutseweg30,2594AV The Hague
T0708888500-F0708888501
authority data.nl
Confidential/Registered
Minister of Foreign Affairs
Deheermr.W.B.HoekstraMBA
Rijnstraat8
2515XPDenHaag
Date Unidentified
24 February 2022 [CONFIDENTIAL]
Contact
[CONFIDENTIAL]
Subject
Decidingtoimposeafineandannuitycompensation
Dear Hoekstra,
The Data Protection Authority (AP) has decided to ask the Minister of Foreign Affairs (hereinafter:
the Minister) to impose an administrative fine of €565,000. TheAP has come to the conclusion that the
Minister, as controller in the process of issuing so-called Schengen visas,
data subjects provide insufficient information and security of the processing of personal data
insufficiently guarantees. With regard to the security of personal data, the AP relates to
until the New Visa Information System (NVIS) briefly determined that:
- a security plan is missing;
- insufficient measures have been taken or have been taken to protect personal data physically;
- incomplete procedures exist with regard to (control of) access rights to NVIS;
- there are shortcomings in the log files and regular checks on them; and
- the procedure for reporting security incidents was incomplete.
As a result, the Minister acts in conflict with article 13, paragraph 1, and article 32, paragraph 1, of the General
RegulationData Protection (GDPR). The AP has decided to also impose an injunction sum
to impose, who sees the reversal of these violations–that in determining this
still decides not to be terminated.
The AP explains the decision in more detail. Chapter 1 concerns an introduction chapter 2 contains the
findings.Inchapter3the(amountofthe)administrative fine is elaboratedandinchapter4
the burdensubjectivesumdescribed.Chapter5finallycontainsthedictmentandremediesclause.
1,Date Unidentified
24 February 2022 [CONFIDENTIAL]
Contents
1.Introduction 4
1.1Background 4
1.2Target research 5
1.3Visa ProcessforSchengen Short Stay Visa 5
1.4 Legal framework 8
1.5Process flow 8
2.Findings 9
2.1Processing of personal data 9
2.1.1 Factual findings 9
2.1.2Legal assessment 9
2.2 Controller and processor(s) 10
2.2.1 Factual findings 10
2.2.2Legal assessment 12
2.3Security planNVIS 13
2.3.1 Legal framework 13
2.3.2 Factual findings 14
2.3.3Legal assessment 17
2.4PhysicalSecurityAccesstoNVIS 19
2.4.1Legal framework 19
2.4.2 Factual findings 19
2.4.3Legal Review 22
2.5AccessrightstoNVISandstaffprofiles 25
2.5.1 Legal framework 25
2.5.2 Factual findings 26
2.5.3Legal assessment 32
2.6 Monitoring NVIS usage: log files 36
2.6.1 Legal framework 36
2.6.2 Factual Findings 37
2.6.3Legal assessment 40
2.7 Control of NVIS usage: security incidents 42
2.7.1 Legal framework 42
2.7.2 Factual Findings 44
2.7.3Legal assessment 47
2.8Training staff on data protection 48
2.9 Information provision to visa applicants 48
2.9.1 Legal framework 48
2.9.2 Factual findings 49
2.9.3Legal Assessment 50
2.10 Conclusions 51
2/64,Date Unidentified
24 February 2022 [CONFIDENTIAL]
3Fine 53
3.1Introduction 53
3.2.Finance policy rules Data Authority2019 53
3.3Penaltyforviolatingthesecurityofprocessing 53
3.3.1 Nature, seriousness and duration of the infringement 54
3.3.2 Negligent nature of the infringement 54
3.3.3Categories of data 55
3.4Amount of fines for violation of information provision to those involved 55
3.5 Blame and proportionality for both violations 56
3.6 Conclusion 56
4.Load forced sum 57
5.Directive 59
APPENDIX1 61
3/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
1 Introduction
1.1Background
1. The APis responsible for supervising the national part of a number of European
information systems, including the Visa Information System (hereinafter: VIS) and the Schengen
InformationSystem (hereinafter: SISII). Under the EU legal framework of these systems, the AP
to independently monitor the lawfulness of the processing of personal data by the
Member State concerned, including the transmission from and to the central European facility of VIS
and SIS. For visa applications, access to the European VIS takes place via a national system, to
know: N.VIS.The specific application that falls under N.VIS by the Ministry of Foreign Affairs
(hereinafter: BZ) is used for the purposes of Schengen visas, the New Visa Information System
(hereinafter: NVIS).
2. The NVIS contains the application data, including biometric data, of all applicants who
Dutch Consular Post AbroadWant to obtain a Schengen visa for their stay
in the Netherlands and/or in other Schengen countries.Schengen visa applications are made in countries
outside the Schengen areas where there is also no question of a special visa exemption
processing of the visa applications is also always checked whether the application appears in SIS II.SIS
IIincludes alerts imported by Member States in, among other things, the area of European arrest warrants and
declared undesired. The SISII check takes place automatically, in the background of a
visa application via NVIS.
3. In 2015, the Schengen evaluation took place, in which the supervision of the national carried out by the AP
part of the SISIIandVISwasassessed.IntheSchengenevaluationreport2015isexplicit
included that the AP must carry out regular checks at the Dutch consular posts
AP checks are also part of the police and justice multi-year plan that the AP follows within the framework
of its supervision of, among others, the above-mentioned SIS II and VIS (systems).
4. As a result of this, the AP has carried out a controlling investigation at BZen a number of parties
who have a role in the process of issuance of Schengen visas. The study included the following
organizations:
- the Netherlands Embassy to London, United Kingdom (hereinafter: Consular PostLondon);
- the Netherlands Embassy in Dublin, Ireland (hereinafter: consular post Dublin);
- the Consular Service Organization in The Hague, which functions as the back office of the
visa granting (hereinafter: the CSO);
- [CONFIDENTIAL](hereinafter: Processor1) of London, United Kingdom, which acts as
external service provider (hereinafter: EDP) in the visa process of the Consular Post London;
- [CONFIDENTIAL] (hereinafter: Processor2) in Utrecht, the executor of various IT tasks in
relation to the national visa information system; and
- [CONFIDENTIAL] (hereinafter: Processor3) in Amsterdam, the service provider for the benefit of the
NVIS servers.
4/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
1.2Target research
5. The research of the AP focused on the (selected) physical, organizational and technical
security aspects of NVIS in the context of the Schengen visa process and includes the
security plan, physical security, granting access rights to NVIS and logging of the
NVIS use. In addition, compliance with legal requirements was checked with regard to the
information provision to visa applicants and training of employees involved in the
visa process.
1.3Visa ProcessforSchengenShort Stay Visa
6. In this section, the AP explains the Schengen visa process in general, and specifically
with regard to the consular posts in London and Dublin.
Schengen short stay visa
A short-stay visa is referred to as a 'Schengen Visa'. This visa allows persons within a
period of 180 days, 90 days to stay in the Schengen area. ImmediatelySchengenvisumishet–short
summarized–for a personwithoutEU nationalityallowedfreetravelwithin26
Schengen countries. The country where one has to apply for the visa is determined by the main purpose
of the applicant's journey or main destination.
7. The visa process at the examined consular posts consists of the following steps : 1
1. [CONFIDENTIAL]
2. [CONFIDENTIAL]
3. [CONFIDENTIAL]
2
4. [CONFIDENTIAL]
5. [CONFIDENTIAL]
6. [CONFIDENTIAL] 3
7. [CONFIDENTIAL]
8. [CONFIDENTIAL]
9. [CONFIDENTIAL]
8. After the registrations are completed and the substantive steps have been completed, a decision can be made on the
visa application will be taken. This decision will be registered in NVIS. A positive decision
the visa sticker is printed in the applicant's passport, if a negative decision is taken
a refusal decision is created. In both cases, the decision is recorded in VIS. 5
1File document3, appendix1: NVISManualVisa application processingFebruary2018,p.19.
2During the processing of the visa application, it is always checked whether the application appears in the SISII system. SIS II includes
alerts imported by member states in, among other things, the area of European arrest warrants, and unwanted aliens.
takes place automatically, in the background of a visa application via NVIS.
3File document3, appendix3: Visio-SchengenFlowchart, p.6and7.
4File document3, appendix 3: Visio-Schengen Flowchart, p.7.
5File 3, appendix 3: Visio-Schengen Flowchart, p.9.
5/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
Apply for a Schengen visa at a consular postLondon
9. The Consular PostLondon cooperates with Processor 1 who fulfills a role of an EDP. The tasks of 7
the EDV include, among other things:
[CONFIDENTIAL]
10. Processor1 handles the intake of most visa applications that pass through the London Consular Post.
In the context of a visa application, the applicant downloads the application form via the BZ website
or via the website of Processor1.Then the requester makes an appointment with Processor1 via the
appointment system of Processor1. On the day of the appointment, the applicant reports to Processor1.
8
Processor1 successively performs the following tasks:
[CONFIDENTIAL]
11. The Consular PostLondon carries out the following tasks, among others:
[CONFIDENTIAL]
12. The tasks of the CSO include the following activities: 9
[CONFIDENTIAL]
6Recital13Visacode,article40lid3Visacode,article43Visacode.
7Article 43, paragraph 5, Visa code.
8File document3, attachment3:Visio Schengen visaFlowchart.
9File document3, appendix3:Visio Schengen visa Flowchart,p.4-5.
6/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
13. Where appropriate, submitting an application to the Immigration and Naturalization Service
10
(IND) necessary or necessary to consult or inform member states. In addition, it can
are necessary to interview the applicant. During the processing of the visa applications,
always checked whether the applicant appears in SISII. The SISII check takes place automatically, in the
background of a visa application through NVIS. After these steps have been completed, a decision can be made on the
visa application will be taken. This decision will be registered in NVIS. A positive decision
the visa sticker is printed in the applicant's passport, if a negative decision is taken
13
a refusal decision is created. In both cases, the decision is recorded in VIS.
Apply for a Schengen visa at consular postDublin
14. The consular postDublin worked during the investigation of the AP without the intervention of an EDV and
processes visa applications itself. Most of the same steps are taken here
visa application process followed by Processor1 and the Consular PostLondon.[CONFIDENTIAL].
[CONFIDENTIAL]. In the context of a visa application, the applicant downloads the application form
via the website of the embassy or BZ. An appointment for an intake at the consulate can be made
be on the embassy's website via a link to a system for appointments.
15. As part of the visa process, the consulate performs the following tasks, among others:
[CONFIDENTIAL]
16. In its role as back office, the CSO performs the same tasks as in the case of the consular post
London. In addition, the CSO has an important task in registering the visa application details
which the consular post takes Dublin as paper files by mail to the CSO in The Hague
sends.
ViewBZ
17. BZ has stated that since the investigation by the AP some changes have been made to the above visa process
have been implemented. Processor1 today takes live photos, the intake of the visa applications
no longer proceeds by mail(viatheconsularpostLondon).In addition,consularmailmakesDublin
14
meanwhilewelluseofanEDV.
1File document3, appendix3:Visio Schengen visa Flowchart,p.6.
1File document3, appendix3:Visio Schengen visa Flowchart,p.7.
1File document3, appendix3:Visio Schengen visa Flowchart,p.7.
1File document3, appendix3:Visio Schengen visa Flowchart,p.9.
1WrittenViewBZvan15October2021,p3.
7/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
1.4Legal framework
18. For the legal framework, the AP refers to APPENDIX1.
1.5Process flow
19. In the context of this research, the AP used various research methods. The AP carried out
desk research, requested in writing for information and has several locations in several locations
on-site investigations (hereinafter referred to as: OTPs). During the OTPs, the inspectors of the AP
conducted interviews and researched the information systems used in the
visa process. Following the OTPs performed, the AP has the additional documentation
requestedandwrittenquestions.Duringtheexamination,severalfileswererequested
relating to the granted access rights to NVIS, NVIS logging and selection from the NVIS
databases (in particular tables of the databases).
20. By letter dated August 13, 2021, the AP sent an intention to enforcement to the Minister.
On 15 October 2021, the minister gave a written opinion about this intention and about it
substantiatedreportwithfindings. On November 4, 2021 at the AP has a
opinion session took place at which BZook explained its view orally. at10
17
December 2021 has sent further documents on request.
1WrittenOpinionBZvan15October2021.
1LetterBZaanAPof19November2021withappendix1Conversation report.
1EmailBZaanAPvan10December2021.
8/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
2.Findings
2.1Processing of personal data
2.1.1 Factual Findings
21. The Visa Code defines what information the Member States must collect in order to be able to visa
The VIS Regulation lays down that the following information is required for the
handling and making decisions about visa applications for the Schengen area in the VIS
should be stored: alphanumeric data concerning the applicant and the requested,
visa issued, refused, annulled, revoked or extended, a photo of the applicant,
18
fingerprint data and links to other requests. Upon receipt of an application, the
visa authority without delay on the application file by entering various data into the VIS,
such as first and last name, gender, places, country of birth, nationality, type of visa that will be
19
applied for, purpose of travel, place of residence, current occupation, photo and fingerprints of the applicant.
22. Authorized personnel of the visa authorities have access to and can access the VIS
enter, change or delete data. For example, upon the issuance of a visa, upon the cancellation of
a visa application, in the event of a refusal of a 21 visa application, in the event of annulment/revocation of a
visa or an extension of a visa details added to the application file. Then it is
the data may be changed or deleted during the application process. BZ(service
consular posts) use the NVIS in which data is required from the
Schengen visa process are saved, modified and deleted.
2.1.2Legal review
23. The data of visa applicants that have been processed in the NVIS qualify as personal data in the sense
of article 4, under 1, GDPR, because it concerns information about identified natural persons. A 23
part of this data is biometric data within the meaning of article 4, under 14, and article 9 AVG
and thus qualify as special personal data.
24. Continue to enter, consult, save, view and change data in NVIS under the
scope of the concept of processing of personal data within the meaning of article 4, under 2, AVG.DeAP
establishes that data are processed through the NVIS when going through the
visa process for short-term stay.
1Article 5, paragraph 1, Regulation (EC) No. 767/2008 of the European Parliament and Council of 9 July 2008 on the Visa Information System
(VIS) and the exchange between Member States of data in the field of short-stay visas (‘VIS Regulation’), PB2008, L218/60.
1Article8, paragraph 1jo.9VIS Regulation.
20Article 6, paragraph 1, VIS Regulation.
2Article 10 to 14VIS Regulation.
22Article24and25VIS Regulation.
23Because, among other things, name and address data and also the social security number are processed, the identity of the persons is fixed and therefore
identified persons.
9/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
2.2 Controller and processor(s)
2.2.1 Factual Findings
Ministry of Foreign Affairs
25. The AP establishes that for the Netherlands the Minister of Foreign Affairs is the designated person responsible for
processing of the data in the VIS. 24
26. The AP establishes that an important part of the tasks in the field of NVIS services
organisationally, it is entrusted to the Directorate-General for European Cooperation. UnderthisDirectorate
a number of directorates, two of which have a particular role in the granting of visas.
Firstly, the board of directorsConsular Business and Visa Policy (DCV).
providing consular services to Dutch nationals in foreign countries by directing the
26
consular function at the departments and at the posts. Second, the Consular Service Organization
(CSO) in The Hague. CSO is a shared service organization whose primary task is back office
to shape processes related to the issuance of visas and travel documents. TheAPhas
established,andBZconfirmed,thattheconsulatebackofficeLondonandtheconsulateDublin
is located at CSO. In addition, CSO provides back office work for a number of
other consular services and products. 27
Processor1
27. Processor1 is an outsourcing and technology services company that serves the Netherlands in various countries
arranges executive affairs with regard to visa and passport issuance. The head office,
[CONFIDENTIAL] is located in Dubai, United Arab Emirates.
28. Processor1 is designated as an external service provider to facilitate visa application facilities
company directs physical visitor centers to which data subjects can submit their applications.InLondon
handles Processor1for BZthefrontofficeforthevisaapplicationsintheUnitedKingdom
be submitted. With regard to this work, on March 21, 2019, a
29
concession agreement concluded between Processor1 and BZ. Based on this assignment, Processor
1process visa and biometric information.EmployeesofProcessor1takethese
data received from the applicant. At the location of [CONFIDENTIAL] in London are ICT
30
facilities made[CONFIDENTIAL]. Processor1 does not have access to NVIS, this happens at
the CSO. At Processor1, applicants can hand in and collect their passports.
24
Listofthecompetentnationalauthorities to which they belongauthorizedstaffhaveaccesstotheVisaInformation
25steem(VIS)toenter,change,deleteorconsult data(2012/C79/05).
26rtikel7, paragraph2, subd, Organizational DecreeForeign Affairs2019.
27rtikel7, paragraph2, subc, Organizational DecreeForeign Affairs2019.
28rtikel7, paragraph2, subd, Organizational DecreeForeign Affairs2019.
29rtikel40, paragraph 3, Visa code.
30esss piece3, appendix 4a:[CONFIDENTIAL].
File3,Appendix4d:Appendix1tothestandardcontractualclauses.
10/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
29. For the transfer of processed personal data by BZ to Processor1 there is an intermediary
arrangement made on the basis of the European Commission, in accordance with article 46, paragraph 2, subparagraph, GDPR
established standard contractual clauses for data protection (´StandardContractual
Clauses'). Article1,subbenc,is put down as follows:
(b)´thedataexporter´meansthecontrollerwhotransferthepersonaldata;
(c)´thedataimporter´meanstheprocessorwhoagreestoreceivefromthedataexporterpersonaldataintendedfor
processingonhisbehalfafterthetransferinaccordancewithhisinstructionsandthetermsoftheClausesandwhoisnot
subjecttoathirdcountry´ssystemssuringadequateprotectionwithinthemeaningofChapterVofRegulation(EU)
2016-679.
30. Article 4 of the Standard Contractual Clauses contains obligations laid down by the dates
exporter´.UnderArticle4,subb,StandardContractualClauses,the´dataexporter´connects
the obligation 'thatithasinstructedandthroughoutthedurationofthepersonaldataprocessingservices
willinstructthedataimportertoprocessthepersonaldatatransferredonlyonthedataexporter'sbehalf
andinaccordancewiththeapplicabledataprotectionlawandtheclauses'.
31. Inappendix1totheStandardContractualClausesstatesthatBZthe´dataexporter´isen
[CONFIDENTIAL]the´dataimporter´. 32
Processor2
32. The investigation of the AP has shown that Processor 2 plays an important role within the
visa granting process. Processor2 is a consultancy company that focuses on providing consultancy and advice
of information technology.
33. The services for NVIS are provided by the following organizational units of Processor2
performed: [CONFIDENTIAL] as part of [CONFIDENTIAL] and [CONFIDENTIAL].
[CONFIDENTIAL] (and therefore Processor2NederlandBV)uses the services of the
33
[CONFIDENTIAL]inIndiathatispartofProcessor2[CONFIDENTIAL].
34. Processor2 entered into an agreement with BZ on 31 August 2010 for the delivery of
support services for NVIS. The service includes application and technical
management, making available (including hosting), maintaining, developing and renewing
of the functionality for and advice for the benefit of, among others, the NVIS. Processor2 delivers in this framework
including custom applications specifically developed for the visa issuance process
34 35
support. Processor2 reports to the Director of Consular Affairs and Visa Policy of the Ministry of Foreign Affairs.
35. In Article 2.1 of the Processing Agreement (Appendix to the Agreement Making available,
MaintainanddevelopNVISfromAugust31,2010)statesthatrelatingtoprocessing
31File 3, appendix 4b:Standardcontractualclauses(processors).
32File3,Appendix4d:Appendix1tothestandardcontractualclauses
33File 23, appendix05:OrganogramProcessor2worldwideforNVIS
34File piece14, appendix02.1: AVGChange agreementProcessor2–MinBZNVIS20180529,p.14.
35File document14, appendix02.1: AVGChange agreementProcessor2–MinBZNVIS20180529,p.1.
11/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
personal dataof BZbyProcessor2underthisProcessing Agreement,BZde
controller require Processor2 to be the processor. 36
36. It follows from article 4.1 of the Processor Agreement between Processor2 and BZ that Processor2 sub-
processors can engage for the processing of personal data when there is a question of
prior written specific or general permission from BZ. Processor2 must be based on the
agreement with BZ to impose the same obligations on sub-processors with regard to the
processing of personal data as that to which Processor2 itself is bound by this
Processing Agreement.
37. In article 5.1 of the processing agreement between BZ and Processor 2 it is established that BZ has the right
has been audited once per contract year by a certified internal or external auditor
perform to Processor2's compliance with its obligations under the processor agreement. The AP
has determined that BZ evaluates the compliance of Processor2 by the desire of so-called
assurance statements from Processor2. The AP has received two assurance reports from BZ with
37
related to Processor2 for the period 1 November 2017-31 October 2018.
38. The AP has established that Processor2 in the context of its services on behalf of NVIS it
companyProcessor3deploysassubprocessor.Processor3(formerly[CONFIDENTIAL])developed
operates worldwide data storage centers. In the Netherlands, Processor 3 has a data center in
Amsterdam.Processor3providesservicestoProcessor2,namelymakingtheavailabilityof
the data center, including physical facilities.
[CONFIDENTIAL] 39
2.2.2Legal review
Controller
39. In accordance with the VIS Regulation (Article 41(4)), each Member State shall designate for the processing of
personal data in the VIS to the authority that must be regarded as the responsible person who
has central responsibility for data processing by this Member State. The responsible person
has been notified to the European Commission and published in the Official Journal of the European
40
Union. Based on this, the Minister of Foreign Affairs has been noted
3File piece14, appendix02.1:GDPRChange agreementProcessor2–MinBZNVIS20180529.
3File 14, attachment 12.2:[CONFIDENTIAL].
3File 20:[CONFIDENTIAL].
3File 20:[CONFIDENTIAL].
4ListofthecompetentnationalauthoritiesandtowhichtheauthorizedpersonnelmembershaveaccesstotheVisaInformation
System (VIS) to enter, modify, delete or consult data, PB2012, C79/05.
12/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
NVIS controller. This is also confirmed by the Ministry to the AP
documents issued.1
40. The Minister (with the support of his ministry) decides on how to apply for visas
should be treated and also make the final decision on visa applications
the Minister determines the objectives and the means for the processing of data within NVIS.
41. The AP establishes that the Minister of Foreign Affairs is the controller, in the sense of
article4, preamble to 7, AVG, for the processing of personal data in the context of NVIS.In which
this decision is called the Ministry of Foreign Affairs, the AP makes this equivalent to the Minister of Foreign Affairs.
Processors
42. According to Article 43 Visa Code, Member States may cooperate with an external service provider that
controllersupportsinthevisaprocess.Memberstatesaremandatoryagreements
42
create in a legal instrument where the minimum requirements are determined in the Visa Code.
43. The AP finds that BZenengages a number of parties to the data processing and in the visa process
to support, namely Processor1 (the third-party service provider that is processing the visa applications
takes), Processor2 (for the application and technical management of NVIS) and Processor3 which acts as a processor
provides support for Processor2's processes. There are with these parties
processing agreements. From the various processing agreements concluded between
thesepartiesandBZfollowsthattheMinisterisdesignatedascontrolleristhe
said parties as processors.
44. The AP therefore establishes that Processor2 and Processor1 are processors as referred to in article 4, under 8,
GDPR.Processor3isaprocessorthat has been engaged byProcessor2,asreferred to in article28,
member2andlid4,AVG(sub-processor).
2.3Security planNVIS
2.3.1Legal framework
45. Article 32, paragraph 2, VIS Regulation prescribes that each Member State provides the necessary technical and organizational
establishes security measures, including a security plan. This plan is one of the
security measures it must take to secure the data before and during transmission
to the NVIS. Such an obligation also arises from article 32 and 24 AVG. Article 24 AVG writes
more in general for the responsible measures in the field of compliance with the
GDPR should take and that they should be periodically evaluated.
46. Article 32(3) VIS Regulation further states that the managing authority must take the necessary measures
to achieve the objectives referred to in paragraph 2 with regard to the functioning of the VIS,
including the adoption of a security plan. The strategic principles and
41
42iexample filepiece12,appendix44a:piaapplicationstationsignedandfilepiece12,appendix 44b:nvispiasigned.
AppendixXVisa code.
13/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
preconditions that BZ uses for information security in relation to NVIS must be clear
the security plan. In concrete terms, this means that BZe must have drawn up a security plan
for the NVIS, where at least attention is paid to the points to which I mentioned in article 32, paragraph
2,VIS Regulation are included.
47. AlsotheBaselineInformationsecurityGovernment(BIO)writesthepresenceofa
information security plan for periodic assessment, the following standards are relevant:
5.1.1 Information Security Policies
For information security, a set of policies should be
defined, approved by management, published and communicated to
employees and relevant external parties.
5.1.1.1 There is an information security policy established by the organization. This policy is
determined by the management of the organizations and contain at least the following points:
a.The strategic principles and preconditions that the organization uses for
informationsecurityintheparticularembeddinginandalignmentwiththegeneral
security policy and the information provision policy.
b. The organization of the information security function, including responsibilities,
duties and powers.
c. The assignment of responsibilities for chains of information systems to
line managers.
d.Thecommonreliabilityrequirementsandstandardsthatontheorganizationof
apply.
e.The frequency with which the information security policy is evaluated.
f.Promoting security awareness.
5.1.2.1 The information security policy is updated periodically and in line with the (existing)
governance and P&C cycles and external developments and assessments adjusted if necessary.
2.3.2 Factual Findings
48. During the investigation, the AP asked BZ in writing about the security plan with
relating to data in NVIS. The AP also has the existence of a security plan and
contentchecked in practice during the on-site investigation at the consular posts in
London and Dublin. Furthermore, the AP requested written documentation relating to the
existing content of a security plan.
Ministry of Foreign Affairs
49. The AP establishes that the Ministry of Foreign Affairs, at the request of the AP, established a security plan(N) during the investigation
provide, replied with three documents, namely:
- Vulnerability analysis and IB planDCV 44
- PIA Request station 45
43
44File document3, appendix 5a: Vulnerability analysis and IB planDCV.an29May2019.
45File 3, attachment 5b: PIA Request station.
14/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
- QuickscanSchengen VisaFebruary2019 46
50. The “Vulnerability analysis and IB plan DCV” of January 2015 contains a risk assessment, with regard to
to the business processes for visa granting of DCV and the posts, which the board of directors has left
to comply with the obligations of the DecreeRegulationInformation Security
Rijksdienst2007.Thereportcontainsareportoftherelevantthreatsand
vulnerabilities of the information systems. The report also contains measures that the identified
risks to an acceptable level.The reportqualifies theseproposedmeasures
as an “information security plan” including prioritization.
51. The “PIA Request Station” concerns a PrivacyImpactAssessment of the Request Station.
end resultofthePIAisasetofrisksandrecommendationsforthesecuritymeasuresthat
DCV's sub-responsibility should be realised.
52. The“QuickScanSchengenVisaFebruary2019”isaQuickScanthatisperformedondemandfromDCVisto
the security requirements imposed by the business processes on the process Schengen visa where
special data are included. The purpose of the QuickScani is as objective as possible
determine the security requirements for the Schengen visa
whether these requirements fall within the baseline information security or whether they exceed it
QuickScanfollowsthattheSchengenVisaprocessfallsoutsideofBZBaseline Information Security
an additional risk analysis is required. This is instructed in the QuickScan.
53. Based on these three documents, the AP finds that B has a number of different documents,
in which (intended) security measures are mentioned. A number of those measures have
directly related to NVIS.
Consular PostLondon
54. During the on-site investigation on 2 July 2019 in London, the AP asked for completeness
access the security plan related to NVIS.The Consular PostLondon has a
standard format security planprovided by BZ and locally by the consular post
filled in. Two inspectors of the AP and FG of BZ have had a look at the most recent version
of the security plan.[CONFIDENTIAL]:
[CONFIDENTIAL]
The documents mentioned relate to the security of the Consular Post in London, in particular
[CONFIDENTIAL], and are not focused on the information security of NVIS and the visa process. The AP
notes that she has seen documentation at the consular post in London that does not appear on the
information security related to NVIS.47
46
47Order Document3,Appendix5c:QuickscanSchengenVisaFebruary2019.
File 8:ReportofOfficial ActionsSecurity PlanOTPConsular PostLondon.
15/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
Consular PostDublin
55. The AP also checked in Dublin or in practice a security plan related to NVIS
was available. During the on-site investigation on January 22, 2020 at the consular post in Dublinis
declared that a security plan is present. It is a standard format security plan that
BZisdeliveredandfilledlocallyatthepost.Anadjustmentofthesecurityplanwillbe
48
Done once a year by the deputy chief of post.
56. On 23 January 2020, two inspectors from the AP and FG of the Ministry of Foreign Affairs, also during the investigation
on site at the consular post in dublin, if requested, received access to a security plan with
49
regarding NVIS. [CONFIDENTIAL]:
[CONFIDENTIAL]. 50
The AP establishes that the documentation submitted at the consular post in Dublin does not appear on the
information security related to NVIS. 51
CSODenHaag
57. The AP has checked with CSO whether a security plan in the sense of the VIS Regulation is available
is.The AP determines that the CSO upon the request of the AP to provide a security plan(N)VIS
53
replied with 9 documents, namely:
- Baseline information securityBZ2018, version1.00final; 54
55
- SecuritySecurityManagementPackage,version0.2final;
- Security PlanRisk Analysis Reporting–[CONFIDENTIAL]; 56
57
- Security analysis stolensecurepostCSO;
- Security analysis burglary building; 58
- Security analysis intrusion measurement; 59
- Security exampleUnauthorized[CONFIDENTIAL]; 60
- Security preview info on unexpected visit; 61
48File document27:ReportofOfficial ActsConsular PostDublin.
49File document28:ReportofOfficial ActionsSecurity PlanOTPConsular PostDublin.
50On the spot, the AP inspectors established that in the end, this document was not necessary for the investigation.
51File document27:ReportofOfficial ActsConsular PostDublin.
52File document13:Information requestAPfrom25july2019.
53File piece14:ReactionBZvan8August2019onInformationAPvan25July2019.
54
55File document14, appendix14.1Baseline information securityBZ2018v1.00Final.pdf.
56File 14, attachment 16.1: SecuritySecurityManagementPackage0.2final.
57File document14, appendix 16.2: Security planRisk analysis report-[CONFIDENTIAL].
File 14, appendix 16.3: Security analysis theft and secure post CSO.
58File 14, appendix 16.4: Security analysis burglary building.
59File piece14, appendix16.5:Security analysispenetratemoreser.
60File 14, appendix 16.6:Security exampleUnauthorized[CONFIDENTIAL].
61File document14, appendix16.7:Security example infoforunexpectedvisit.
16/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
- Overview accessCSO. 62
58. These documents describe aspects of information security. The AP notes that these aspects
are not specifically aimed at or related to NVIS. There are also no concrete references to the
visa process found.
2.3.3Legal Review
59. The AP notes that the Ministry of Foreign Affairs has included certain security measures in various documents.
Some of these documents have been provided to the AP in response to information requests
to the minister.Other documents have been brought forward at or following the visit of AP
toCSO.
60. With regard to the documents submitted, the AP establishes the following.
The “Vulnerability analysis and IB plan DCV” contains a number of security measures, but not
current (dating from 2015). The local security measures, which were put in place during the investigation
For the sake of completeness, the consular post in Dublin, London, has seen the documents attached to the
CSO are requested, are not specific to NVIS and only see on a limited number
security measures (and not on information security) that pursuant to Article 32VIS Regulation
are prescribed. The measures in these documents mainly focus on the broad security of
buildings and systems, including related potential security risks. The AP notes that
an overarching security plan with regard to NVIS, with attention to the measures, such as
laid down in article 32, paragraph 2, under a note with k of the VIS Regulation, however, is not present.
61. In its view, BZ states that the AVG, the VIS regulations and the BIR/BIO do not impose any requirements on the form
ofasecurityplananddoesnotrequireasecurityplanonlyonthenationalvisa
informationsystem.BZconsideranumberofdocumentsincoherenceassecurityplan
for NVIS :3
- PrivacyImpactAssessmentSchengenenCaribbeanVisafrom25October2018.
- Baseline testNVIS
- QuickscanSchengen VisaFebruary2019andRisk Analysis‘Vulnerability AnalysisandIB plan
DCV'.
62. BZ has indicated in its view that BZ has noted with regret that in the previous
information request from the AP the first two documents have not been provided to the AP. BZ notes later
that the external auditor, commissioned by the AP, has judged in the context of the VIS audit that the Ministry of Foreign Affairs
the Baseline test, PIA and risk analysis comply with the standard that a security plan has been established.
63. The AP does not follow the opinion of the Ministry of Foreign Affairs. During the investigation, the AP has
asked about the security plan of NVIS. BZ had several options to obtain the relevant documents
The APis, for its own sake,investigatingtheVISauditbytheexternalparty
performed if two separate processes that did not take place at the same time. The VIS audit was
62
63ossspiece14,appendix16.8:OverviewAccessCSO.
WrittenOpinionBZvan15October2021,p.4.
17/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
broader scope and made use of a different testing framework. In addition, the external auditor
only established that1) not he but BZ the combination of the baseline test, PIA and risk analysis together
regarded as information security plans2) a concrete information security plan around the
Visa process is missing.
64. The AP has assessed the newly delivered documentation from BZ. The AP determines that the 'Privacy
ImpactAssessmentSchengenenCaribbeanVisafrom25 October 2018', as the title suggests, a
PrivacyImpactAssessmentconcerning.Thisisaveryusefultooltoconsidertheprivacyrisksofa
data processing, but does not form a plan that focuses on information security in
are complete. The submitted 'Baseline test NVIS' is a kind of completed questionnaire/checklist.
enumeration of BIO standards with resulting commands for making and taking
security measures, in which it is not understandable to the AP how the given answers must be
based on these documents, it is unclear to the AP which policy measures and
BZ has specifically taken control measures for NVIS.
65. The form of a security plan is free but the strategic principles and preconditions that BZ
uses for information security in relation to NVIS must be clear from the security plan
In addition, article 32, paragraph 2, VISOrdinance requires that BZe must have a security plan
drawn up for NVIS, where at least attention is paid to the points at to and with k uitarticle
32, paragraph 2, VISOrdinance. In the opinion of the AP, BZ has demonstrated this insufficiently. BZ has
for example, not submitted a security plan stating what preconditions apply to the
physical security of NVIS that ensures the appropriate protection of personal data
is. Nor has the AP received a formal procedure from BZ that describes how and
when BZ checks performs top logging. The general procedure BZ has at the time of the investigation
provided for reporting security incidents by BZ employees, did not comply.Ende
procedures about granting and checking access rights to NVIS environment are only by BZin
January 2022. The AP refers to paragraphs 2.4, 2.5, 2.6 and 2.7 for the comprehensive review
oftheseprocedures.TheAPconcludesthatthedocumentsthatBZpresentedas-inareentirely
viewed-an information security plan, does not meet the preconditions set therein.
66. In view of the BIO standards, the AP further establishes that due to the lack of (essential components in)
information security policy, not this policy at scheduled intervals (or if it becomes significant
changes occur) assessed by BZ to ensure that it is always appropriate, adequate
and effective. Securing information is a process where there is always a Plan-Do-Check-Act
cycle must be completed, as laid down, among others, in BIO standard 5.1.2.1.
67. In its view, BZ has provided some documents about the PDCA cycle it has gone through. 64
The AP notes in this regard that BZin the 'Baseline information security BZ2021' is on a high
abstraction level has determined who is responsible for implementation and execution of BIO standards
is responsible.The Data Protection Policy describes the PDCA cycles
with regard to the protection of data, but does not contain the security aspects about it.
The same applies to the document Gripopprivacy, the AVG manual, in-control statements and the
submitted follow-up memo. BZ has developed a plan of measures with risk analysis from 2015 and 2020
6Written ViewBZof 15 October 2021, p.4.
18/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
November 2021 show that it only occasionally has security measures related to NVIS
evaluated and acted on it.
68. Based on the above, the AP comes to the conclusion that BZ has no security plan (and this
also has not evaluated) that meets the requirements of article 24 and 32, paragraph 1, AVG and further elaborated in
article32, paragraph2, preamble, FISHOrdinancesBIO standards5.1.1,5.1.1.1and5.1.2.1.
2.4PhysicalSecurityAccesstoNVIS
2.4.1Legal framework
69. Article 32, paragraph 2, undera, VIS Regulation prescribes before measures must be adopted to
protect physical data, including preparing emergency plans for the physical
infrastructure. This requirement is also laid down in general terms in article 32 AVG. being furtherin
BIO-standardsincludedthatillustratewherethephysicalsecuritycanbecontrolled
The BIO does not literally describe goals that need to be realized (the “what”) how
must be arranged. The AP has checked the physical security against a checklist (see
explanation in the next section). The following provisions from the BIO are for the assessment of this
checklist relevant:
11.1.1 Physical Security Zone
Security zones should be defined and used to areas
protect those sensitive or essential information and information processing facilities
contain.
11.1.2 Physical Access Security
Secure areas should be protected by appropriate access security to
ensure that only authorized personnel have access.
11.1.3 Securing offices, rooms and facilities
Front offices, rooms and facilities should be designed and physically secured
applied.
11.1.4 Protecting against outside threats
Againstnatural disasters,malicious attacksoraccidentsbelongtophysicalprotection
to be designed and applied.
11.1.5 Working in secure areas
For working in secure areas, procedures should be developed
applied.
11.2.2 Utilities
Equipmentshouldbeprotectedagainstpowerfailureandotherdisruptionsthat
are caused by disruptions in utilities.
2.4.2 Factual Findings
70. The AP examined the physical security at the consular posts in London and Dublin, the CSO in Den
Haag,Processor2inUtrechtProcessor3inAmsterdam.Duringthechecks,theAPperlocationhas
19/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
used two (identical) checklists. The first checklist was focused on physical security
ofthebuildingthesecondchecklistonthephysicalsecurityoftheroomsin whichaccesstothe
NVIS environment and/or whether the intake process for Schengen visas takes place. Below is per
location described the situation encountered during the on-site investigation.
Consular PostLondon
71. [CONFIDENTIAL] 66
Processor1London
72. [CONFIDENTIAL] 67
65
[CONFIDENTIAL]
66File 7:ReportofOfficial OperationsOTP Consular PostLondon.
67File 9:ReportofOfficial OperationsOTP Processor1London.
20/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
Consular PostDublin
68
73. [CONFIDENTIAL]
CSODenHaag
69
74. [CONFIDENTIAL]
68File document27:ReportofOfficial OperationsOTPConsular PostDublin.
69File document11:ReportofOfficial ActsOTPCSO18July2019and12September2019.
21/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
Processor2Utrecht
75. [CONFIDENTIAL]
Processor3Amsterdam
70 71 72
76. [CONFIDENTIAL]
2.4.3Legal Review
77. The AP first establishes that measures have been taken in the area of at all sites surveyed
physical security. The AP concludes that measures have been taken to protect the buildings and space(s)
in which data of visa applicants are processed and physically protected, including with cameras
and motion sensors. Furthermore, the AP concludes that the spaces in which data of
visa applicants are processed and marked as secure areas.
70File document19:ReportofOfficial OperationsOTP Processor38November2019.
7File document[CONFIDENTIAL]
72File piece21:EmailBZof13November2019withdocumentsfollowing OTP8November.
22/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
78. However, the AP notes that the Ministry of Foreign Affairs has not explicitly determined which parts of the IT infrastructure
should be regarded as critical infrastructure of the visa process
can comply witharticle32AVGjo.32,lid2,ondera,VISRegulationisthisonlyrequirement.BZhas
in her opinion stated that in the spring of 2020 she went different systems as critical
During the opinion session on 4 November 2021, BZ has an (undated) list of
information systems handed over to the AP, on which BZ indicated which systems are considered critical
infrastructure have been identified. NVISisoneofthosesystemsontheselistssoisbyBZby now
classified as critical infrastructure.
79. The AP also established during an on-site investigation that the Ministry of Foreign Affairs has no emergency plans
designed to protect the physical infrastructure of the visa process.The Consular PostLondon,
the consular postDublin and CSO do not have an emergency power supply while section 11.2.2 of
the BIO determines that equipment should be protected against power failure. This means that BZ,
when it comes to drawing up emergency plans and protecting equipment against disruptions
in utilities, in the opinion of the AP, does not meet the provisions of article 32, paragraph 1, GDPR
further elaborated in article32, paragraph2, suba,VISOrdinancesBIO standards11.1.4and11.2.2.
80. BZ has indicated in its view that BZ has concluded from its own threat analyzes that
flood detectors and emergency power supplies at the stations London and Dublin are not needed.
The AP partly follows this view. Flood detectors can be dispensed with after a
explicit risk assessment. With regard to power failure, the BIO requires equipment to be
protected against power failures and other disturbances caused by disturbances in
utilities. Critical infrastructure such as NVIS must be highly secured, with the
business interruption should be avoided as much as possible. BZ has insufficient
explained why NVIS as a critical system does not need an emergency power supply.
81. Furthermore, the AP notes that with regard to the rooms and rooms at the consulate in London, where
is with visa stickers and the NVIS system, there were shortcomings in the field of physical
security.[CONFIDENTIAL]. In practice, there were no security guarantees when entering
of the zone that must be extra secured, the AP determines that the physical security of the rooms in which
the visa process in london is not complied with article 32, paragraph 1, AVG, further elaborated
inarticle32, paragraph2, suba,VISOrdinancesBIO standards11.1.1t/m11.1.5and11.2.2.
82. BZ has stated in its opinion (and provided supporting documents) which show that in the past
two-year measures have been taken to secure access to the consular section. 73
[CONFIDENTIAL].The AP notes that the shortcomings in the area of physical security in the
ConsulateLondonthereforehavebeenremedialated.
7Written ViewBZof 15 October 2021, p.5.
23/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
83. The AP has further established that with regard to the activities of Processor2 in the context of the
visa process, it is important that employees of Processor2 are largely independent of place and time
are allowed to work. As soon as work is done outside Processor2's buildings, the physical
ensuring security at Processor2's locations, of course, no help. The legal requirement that
personal data of visa applicants may only be processed in spaces with adequate physical
security, however, remains unaffected. For the AP, it is unclear how data within databases of
NVIS are physically protected in case of place and time working independently by employees of
Processor2 who are stationed in both the Netherlands and [CONFIDENTIAL]. The AP has during the
investigation did not receive any documentation from BZ that sees to the physical protection of NVIS data at
work independent of place and time. BZ, as the controller, must ensure
appropriate security measures in the field of physical protection of NVIS data, and
verify the effectiveness of these security measures.
84. BZ maintains in its view that there is sufficient security where arcs apply to employees of
Processor2thatworksfromhome.First of all,unauthorizedandnottrue Processor2employeeslive
and the connection to the network and the management VPN is immediately disconnected as a laptop from a
home is stolen. Setting up the VPN connection works through multi-factor authentication and
There is a strict employee policy. The Ministry of Foreign Affairs has issued two regulations in this context. 74
85. The AP has assessed these regulations with regard to the place-and-time-independent working state
states that the employee must take all necessary precautions when using the
personal device in a public place, so that the screen cannot be viewed by others.
However, it is not clear which precautions an employee is expected to take
the AP asked BZ the question whether and under what conditions employees of Processor2
inpublic placeswithNVISmaywork withNVIS,howBZassessedthehomeworkpolicyof Processor2
which written agreements between BZenProcessor2aboutthephysicalsecurityofNVISplaceand
time-independentworkerapplies.Finally, the AP requested some audit statements.
86. BZ has stated that all employees of Processor2 involved in the NVIS services
apply office policy for remote work, which in theory can also take place outside one's own home
75
find. BZ has assessed Processor2's home work policy as satisfactory on the basis of it already
previously provided employee policy. However, the AP establishes that in the . submitted by BZo
control statements, audit statements and the processing agreement the subject place and time
work independentlynot treated/assessed. It is therefore unclear to the AP based on
which considerations BZ has assessed the place-and-time-independent working as sufficient.
7WrittenViewBZof15October2021,Appendices19and20.
7E-mailBZof10December2021.
7E-mailBZfrom December 10, 2021, attachment 11.1 to 13.3.
24/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
87. On the basis of the above, the AP is of the opinion that BZ has not shown that there is sufficient
guarantees apply to physical security when working in NVIS in public places. As stated
in section 2.1.2 BZ processes very much-also-special data in NVIS. This makes that the
nature of processing is sensitive and negative consequences for data subjects in the case of unlawful
processing and can be drastic. In addition, BZ has the NVIS system as a critical infrastructure
while at the consular posts and CSO there is a pass access system and camera surveillance
is applied, such guarantees are not present in public areas.
88. NuBZhasnotshownthatsufficientguaranteesapplyforphysicalsecurityinthe
workinginNVISinpublicplacesandBsevenhastheeffectivenessofthepolicyonthis
checked, the AP concludes that there is an infringement of article 32, paragraph 1, GDPR
further elaborated in article 32, paragraph 2, subaenk, VIS Regulation.
2.5AccessrightstoNVISandstaffprofiles
2.5.1Legal framework
89. Article 6, paragraph 1, VIS Regulation provides that only duly authorized personnel of the
visa authorities have access to the VIS to enter, modify or delete
visa data.Article 32, paragraph 2, subparagraph, VIS Regulation prescribes before the necessary measures are taken
determined to ensure that those authorized to consult the VI, access only
have access to the data to which their authorization of access relates and only with
personal and unique user identities (control of access to data).
90. Article 32, paragraph 2, sub, VIS Regulation prescribes before the necessary measures are adopted to
ensure that all authorities with access rights to the VIS draw up profiles in which the tasks and
responsibilities are described of the persons authorized to access data, on
take, update, delete and search these profiles and if requested and without delay
to make available to the national supervisory authorities, as referred to in Article 41
(staff profiles). This is also described in article 28, paragraph 4, subc, VIS Regulation which states
that “each Member State is responsible for managing the arrangements under which they belong”
authorizedstaffmembersofthecompetentnationalauthorityinaccordancewiththisregulation
access the VIS, the setups regularly update a list of such
staff members and their profile”.
91. Article 32, paragraph 2, subparagraph, VISRegulation prescribes before the necessary measures are adopted to
verify the effectiveness of the security measures referred to in this paragraph and with regard to
the internal control to take the necessary organizational measures to ensure that these
regulationiscomplied(internalcontrol).Thisisjoiningthegenerallydeterminedin
article32 of the AVG.
Internally allocate theBIObligation management and implementation measures
information security policy should show which roles within an organization are responsible for
25/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
themeasures to be taken. It is important that security procedures are carried out by the relevant
person responsible are determined. Concretely, the following provisions are relevant to the BIO:
9.2.1 User registration and logout
A formal registration and unsubscribe procedure should be implemented by
to enable allocation of access rights.
9.2.2 Granting user access
A formal user access procedure should be implemented
to allow access rights for all types of users and for all systems and services
pointing or withdrawing.
9.2.5 Assessment of user access rights
Asset owners belongaccess rightsofusersregularly
judge.
9.2.6 Revoke or modify access rights
The access rights of all employees and external users for information and
information processing facilities associated with the termination of their employment,
contractoragreementtoberemoved,andtobeclosedwithchanges
adjusted.
2.5.2 Factual findings
92. During the investigations, the AP asked BZ questions about the setting up of access rights to
NVIS has the internal control on this. For this, the AP has the current authorization lists,
personnel profiles, authorization procedures and other relevant documentation requested regarding
to granting access rights to the NVIS environment. The AP's research focused on the
following questions regarding access rights:
-Has BAsestablishedprocedures for granting and checking access rights
toNVIS?
- Has BZ drawn up personnel profiles with regard to NVIS in which the tasks and
responsibilities are described of the persons authorized to transfer data in the
view, record, update, delete, and search the system?
personnel profiles updated regularly?
- Are the assigned access rights (authorization lists) regularly assessed?
93. The AP has only examined this component with the parties that have access to the NVIS environment.
26/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
2.5.2.1ProceduresongrantingandcheckingaccessrightstoNVIS
Consular PostLondon
94. BZ has provided the AP with three documents relating to authorization procedures in connection with
withNVIS:(1)‘Data Management ManualNVIS’ ,(2)a document titled ‘Authorization Procedure
NVISEmbassyLondon' and (3)'Work instruction/procedure: logging authorization applications'. 79
95. The first document is in the form of a practical user manual, where it is not clear
which person responsible within BZ has determined this manual. In chapter 3 of the document
there is a short line about granting access rights to NVIS, stating all
practical steps in the system related to the assignment and removal of NVIS roles and
the change of the authorization period. It is further stated that the management of tasks at the NVIS
rolesinthedepartmentbymanagementConsularBusinessandVisapolicy,cluster
Information Management and Management (hereinafter: DCM/MB-IB) is performed. The document shows
not who is responsible for allocating, changing and checking
authorizations.
96. The second document is one page, undated and not (at a management level)
it has not become clear to the AP whether this piece has been prepared in response to its request
for information, whether it existed before. The document describes how
employeesoftheconsularpostLondonobtainaccesstoNVIS. Please state it
document:“in addition to theannualcheckbyfunctionalmanagementfindad-hocchecks(ofthe
authorisations) at the postal location.”.
97.Thethirddocumentconsistsoftwopagesandseethecheckofauthorizations.Itcontainsthe
next stated: “For the purpose of the control log requests authorizations DCV/MB-IBdeposts
RSOs once a year (after the annual transfer round) to carry out a check on which
collaborators which should have roles in certain applications...”.The document further contains
flowcharts that schematically depict a 'checkup logging authorization applications'
documentisgenericandnotspecificallyfocusedonthecontrolofaccessrightstoNVIS.Thedocumentis
undated has not been established (at a management level).
98. The AP finds on the basis of the check at the consular post in London that the Ministry of Foreign Affairs is not over-formal
establishedproceduresavailableforassigning, changing and terminating accessrightsto
77File 3, appendix 1: ManualData managementNVISFebruary2018.
78File document12, appendix04: Authorization procedureNVISConsular PostLondon.
79File 3, appendix 6b: Work instruction logging and authorization applications.
80File piece3, appendix1: ManualData managementNVISFebruary2018,p.<16: “..NVISautomatically transfersnumbersofemployees
from [CONFIDENTIAL]. ICT manages this technical functionality. So no employees can be added manually in NVIS.
An employee can only access NVIS if they are authorized for a particular role. Roles determine what an employee can and cannot do
dowithinNVIS.Aroleconsistsofseveraltasks.EachtaskgivesaccesstoaspecificNVIScomponent.Managethetasksatthe
rolling is performed at the department by [CONFIDENTIAL].”.
8File3,Appendix1:ManualData ManagementNVISFebruary2018:“AccesstoNVISislinkedtotheBZaccountofthe
employeeandpostvaluetheemployeeisworking.Whentheemployeeleavethestation,accesstoNVISisautomatic
terminated due to the employee's BZ account being closed at the post or transferred to another post. [CONFIDENTIAL]
27/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
NVIS. Nor does BZo have established procedures to change the access rights granted to NVIS
to check.
Consular PostDublin
99. Prior to the investigation in Dublin, the APBZ in writing requested 83
authorization proceduresNVISandotherrelevantdocumentationrelatingtothedeviceof
accessrightstoNVIS.BZhasadocumenttitled‘Authorisation procedureNVISEmbassy
Dublin' to the AP provided.
100. The document consists of half a page of text, undated and not at (management level)
it has not become clear to the AP whether this piece has been prepared in response to its request
for information, whether it existed before. The document submitted describes that the
supervisor will be granted an application to [CONFIDENTIAL].Access to NVISis
linked to [CONFIDENTIAL].The [CONFIDENTIAL] controls transactions of the NVIS accounts
roles. Furthermore, the annual check of the assigned authorizations is carried out by [CONFIDENTIAL]
executed.
101. As a result of its investigation at the consular postDublin, the AP establishes that BZ does not
procedures available for granting, changing and terminating access rights to NVIS and for
checking the authorizations granted to NVIS.
CSODenHaag
102. During the investigation of the AP, the interviewed CSO employees gave an explanation
85
about the procedure that the CSO follows in obtaining access rights to NVIS.
[CONFIDENTIAL]
103. When granting access rights to NVIS, the CSO uses the 'Manual'
Data managementNVIS' (the description of this document can be found in section 2.5.2). Also
does the CSO have a work instruction [CONFIDENTIAL]. The (undated) work instruction exists
from 13 unnumbered pages. It is unknown whether the document has been established at management level.
It is not clear from the document who is formally responsible for the granting of authorizations, the
making changes to accounts, assigning NVIS roles and checking on them. The AP
concludes as a result of its investigation at the CSO that it has not been shown that BZ has
8File document27:ReportofOfficial OperationsOTPConsular PostDublin.
8File document25: AnnouncementOTP ConsulateDublinenInformation requestAPvan19December2019.
8File piece26, appendix4.1:Employee-Roles–Dublin.
8File document11:ReportofOfficial OperationsOTPCSO18July2019and12September2019.
8File piece3, appendix1:ManualData managementNVISFebruary2018.
8File piece14, appendix 23.1:Assign work instructionrolesNVISatCSO.
28/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
formal procedures related to granting, changing and terminating access rights and
control of the granted access rights to NVIS.
Processor2
88
104. As a result of the investigation that the AP has carried out at Processor2, the following are
documents related to authorizations issued: (1) a procedure for the internal access
89
management system, (2-4) authorization procedure of CloudInfrastructureManagement,consisting of
three documents , and an authorization list with names of employees of Processor2 who
have access authority to the NVIS platform and databases.
105. The submitted authorization procedures (1 to 4) describing the method used by Processor2
applied when creating, modifying and/or deleting employee accounts
the procedures, schematic representations of the (practical) steps that are relevant for the application,
change and remove access rights to the systems that Processor2 works with. In addition
ingoing authorization procedures in the types of accounts that employees may have at their disposal. By
a further explanation by BZ during the opinion phase it has become sufficiently clear for the AP
what the relationship is between these types of accounts and responsibilities on the one hand and the NVIS environment
92
on the other hand.
2.5.2.2Staff profiles
Consular PostLondon Consular PostDublinenCSO
93
106. BZ has provided a generic document entitled 'NVIS profiles'. It is a table in which the
know NVIS roles are related to tasks that fall under the assigned NVIS role. The tasks are
summarily indicated, it is unclear with which concrete actions (e.g. view data,
record, update, delete, and search) in the NVIS context are associated.
between the function of the staff members and the assigned NVIS roles and tasks not defined.
107. The AP has requested BZ to provide personnel profiles relating to the
employeesoftheCSO.BZsubmittedatemplatetextwithresultareasand
competences, which may be used for the purpose of the description of vacancies at the CSO. The
descriptionincludedinthisdocumentdoesnotseethetasksandresponsibilitiesinrelationto
actionsinNVIS.
108. During the investigation, the AP established that BZ has not drawn up any personnel profiles in which the
tasksand responsibilities are described of the staff at the consular postLondon,
88
89 dossier 17:ReportofOfficial ActsOTP Processor21November2019.
90ossspiece17, appendix8:[CONFIDENTIAL].
File 18, attachment3:[CONFIDENTIAL];File 63:[CONFIDENTIAL];andFile 18, attachment1:
91CONFIDENTIAL].
92ossspiece21,appendix4:Authorization listNVIS.
93ienswijsBZ14October2021,p.8andletterBZaanAPvan19November2021,appendix1Conversation report,p.33and34.
94ossspiece5,appendix1:NVISprofiles.
95 file4:Information requestAPfrom13June2019.
File16, appendix 2.1: Function profilesCSOvisa, version 15October2019.
29/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
consular postDublin and CSO who are authorized to view, update, delete and delete data in NVIS
to search.
2.5.2.3CheckingaccessrightstoNVIS
Consular PostLondon 96
109. BZ has an up-to-date authorization list of all employees of the Consular Post in London at the AP
submitted.
110. At the time of the survey, 17 staff were working with the at the Consular Post in London
access rights to NVIS. These employees are assigned the following (several) NVIS roles:
[CONFIDENTIAL].
Most employees had more than two NVIS roles, with a maximum of six NVIS roles
which one employee had.
111. The AP has checked the role [CONFIDENTIAL] more closely. On the authorization list that BZ has the AP
providedwasoneemployee(hereafter:employeeX)listedwiththisNVIS role.[CONFIDENTIAL].
Employee X hadn't worked in the Consular department for a long time, but did as
[CONFIDENTIAL]withanotherdepartmentoftheembassy.Forcurrentactivities,
employeeXnoaccesstoNVISnecessary.During the AP check it was found that logging into the
system underroleof[CONFIDENTIAL]wasstillpossible.Afterlogin,employeeX
view and update current NVIS data.
112. The authorization list provided also shows that some employees of the London Consular Post
97
possessed authorization with mutually incompatible NVIS roles, such as those of
[CONFIDENTIAL].NVIS did not include a justification in the award of this
conflicting roles had been explained.
113. At the time of the inquiry at the Consular Post in London, the BZ also stated that the NVIS
Authorizations granted are checked once a year by [CONFIDENTIAL]. At the consular
postLondon[CONFIDENTIAL]responsible for transmitting all mutations in the NVIS
98
access rights. The operational manager was not present during the investigation and it was unknown
how often the changes related to NVIS access rights to [CONFIDENTIAL] become
passed on. BZ has not provided any documents proving when the last check of the
authorizationsand NVIS roles at the Consular PostLondonhas taken place.
114. The AP determines that at the time of its check at the consular post in London an employee was wrongly
had access rights to NVIS. This employee was at the time of the AP investigation
appointed to another position at the embassy, which did not require the use of NVIS. Further
9File document3, appendix7:OverviewNVIS authorizationsZMAlonden.
9 The mutually incompatible NVIS roles are listed in File Document 12, Appendix 06a: Tasks-roles-incompatible-NVIS.
9File 7:Report of the official acts and consular postLondon.
9File document10:Information requestAPvan12july2019.
30/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
several employees of the Consular Post in London had NVIS roles that mutually
are incompatible. During the investigation, the AP has no justification for the incompatible roles in
NVISaffectedandreceiveddocumentationprovingwhenthelastcheckofthe
authorizations and NVIS roles has occurred.
Consular PostDublin
115. BZ has submitted an overview of the authorizations granted to the consular post in Dublin to the AP. 100
At the consular post, at the time of the investigation, there were six employees working on
had access rights to NVIS, in the following assigned NVIS roles:
[CONFIDENTIAL].
Two employees had NVIS [CONFIDENTIAL] roles that are mutually incompatible.
The assignment of these conflicting roles in NVISist times of the investigation by or on behalf of BZ
unmotivated.
116. During the investigation of the AP, employees of the consular postDublin stated that one
The list of all authorized authorizations is checked at the consular post every year.
101
The Functional Management department in The Hague carries out checks on the assigned authorizations.
CSO
117. The CSO stated during the investigation that the assigned NVIS roles are focused on the
segregation of duties.The roles of registration and decision making are mutually incompatible according to the
functional design of the NVIS application. 102
103
[CONFIDENTIAL]
The AP found no justification in NVIS with regard to [CONFIDENTIAL].
104
118. The overview provided to the AP 'NVIS role distribution per function' shows that at the CSO79
employees have access to NVIS. The following positions are listed:
[CONFIDENTIAL].
Three or more NVIS roles have been assigned to these roles.
it appears from the research of the AP that these rollers have not been in use for several years. 105
119. The above overview also shows that some NVIS roles, over which some employees
of the CSO, are marked as mutually incompatible. 10This is about the next one
NVIS Roles:[CONFIDENTIAL].
10File 26, Appendix 4.1:Employee-Roles–Dublin.
10File document27:ReportofOfficial OperationsOTPConsular PostDublin.
10File document11:ReportofOfficial OperationsOTPCSO18July2019and12September2019.
10File document16, attachment3.1:ProcessDescriptionDepartmentRegistration,version1August2019.
10File 14, appendix 23.2: NVISrole division by function.
10File piece5, appendix2and3andfilepiece11.
10File 14, appendix 23.2: NVISrole division by function.
31/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
The CSO did not submit any documents to the AP during the investigation that provided the substantive motivation
contain about the conflicting NVIS roles.
120. During the investigation on July 18, 2019, the CS clarified that the control of the granting of
authorizations according to an internal control plan
year-by-year[CONFIDENTIAL].In addition, an audit is performed once a year by
[CONFIDENTIAL].
107
[CONFIDENTIAL]
The CSO also submitted the management report to the AP on 8 August 2019.
evidencing that the assigned authorizations to NVIS, including the NVIS roles, have been verified
last check took place in 2018.
121. The AP establishes that the granted authorizations for access to NVIS are checked at the CSO.
Furthermore, the AP notes that several employees at the CSO are under the award of
mutually incompatible NVIS roles, and that [CONFIDENTIAL] employees default over
have access rights with [CONFIDENTIAL] in NVIS
there is no incompatible roles in NVIS. Finally, some CSO employees did not have a role
was more in use.
Processor2
122. At the time of the investigation, the AP concluded that BZ did not provide any documentation
which shows (sufficiently) which agreements have been made with Processor2 about the procedures and respect
of access rights between the controller and a processor.
123. In its view, BZ states that the agreements between it and Processor2 about the access rights to NVIS
followfromagreementsbetweenBZenProcessor2.BZalsohasaquarterlyreportinthat context
109
submitted about the control of these access rights of Processor2. The AP has these documents
assessed and comes to the conclusion that on this point no violation of article 32, paragraph 2 can be established
subk,VISOrdinanceswillnotcoverthiswithinthelegal review below.
2.5.3Legal review
Consular postsLondonDublinenCSO
124. As a result of its investigation, the AP notes that the consular posts in London and Dublin
CSO have access to NVIS.
[CONFIDENTIAL]
107
File14:BZ response of August 8, 2019 to the AP information request of July 25, 2019. Written answer to the AP's question: 'Wieis
10File piece14, appendix24.1:Management reportingvisapril2018,version30may2018.andseBusinessandspecificattheCSO?'
10Written ViewBZof15October2021,p.8.
32/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
Procedures about granting and checking access rights to NVIS environment
125. When allocating access rights, including NVIS roles, the Ministry of Foreign Affairs uses the method
the practice is almost identical for the staff of the investigated consular posts and the CSO in
The Hague.The AP notes that the Ministry of Foreign Affairs did not have formal registration and deregistration procedures
regarding the assignment of access rights to NVIS employees
although a manual is used to the system, which contains all kinds of practical
steps have been explained, but that this is an unformally established user access grant procedure
111
includes with regard to registering and unsubscribing from authorizations
authorization procedures have been provided by BZ, concerning an undated, summary description of the
working method that BZ uses when authorizing employees of the consular posts and are no
formally established registration and deregistration procedures. The AP determines that BZ conflicts with this point
acts with article 32, paragraph 1, AVG and further elaborated in BIO standards 9.2.1 and 9.2.2.
126. In its view, BZ has indicated that the existing work instructions will be formally
be determined. The AP has received that document on January 9, 2022, and is of the opinion that it
the procedure for applying for, changing and canceling access rights in NVIS is sufficient
described.113
Personnel profiles
127. During the investigation, the AP established that the Ministry of Foreign Affairs has not drawn up any personnel profiles in which the
tasksand responsibilities are described of the staff of the consular posts
LondonandDublindareauthorizedtosee,record,update,delete in NVIS data
and search. With regard to the provided personnel profiles of the employees at the CSO,
the AP considers that these profiles do not provide sufficient insight into the tasks and responsibilities of
the CSO staff who are authorized to process data in NVIS.
128. In its view, BZ states that the access rights assigned to the functions are determined on the basis of
of tasks and responsibilities. As a result of this, the AP again has documentation
requested what this should be shown. BZ has issued an authorization matrix dated 7 January 2014. 116
On the basis of this, the AP concludes that BZ still has personnel profiles that are sufficient
provide insight into the tasks and responsibilities of authorized employees. It follows that
In the opinion of the AP, BZ has acted on this point in accordance with article 32, paragraph 2, under
g,VIS Regulation. This provision also prescribes that personnel profiles must be available and
must be provided at the request of the AP. The AP must conclude that BZ at the time of
the investigation by AP has not provided the complete personnel profiles, at the moment that the AP
so requested. It follows that B Zo has acted contrary to article 32, paragraph 2, sub,
FISH Regulation.
111 case piece3, appendix1 and file piece26, appendix1.1:ManualData ManagementNVISFebruary2018.
File document12, appendix 4: Authorization procedure NVIS consular postLondon; and File document 26, annex 3.1: Authorization procedure NVIS
112sulairepostDublin.
113Christian ViewBZof October 15, 2021, p.6.
114-mailBZaandeAPvan9jan2022,BZprocessNVISauthorization.
115ossspiece16,appendix2.1:Function profilesCSOvisa.
116ScripturalViewBZof15October2021,p.7.
117-mailBZfrom December 10, 2021, attachment 14.
In view of Article 41, paragraph 1, VIS Regulation, the AP is the competent supervisor
33/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
ControlaccessrightstoNVIS
129. First of all, the AP established that the Ministry of Foreign Affairs did not have formal procedures with regard to
periodic check of 118 assigned access rights to NVIS and NVIS roles
documentation provided shows that the granted authorizations are issued once a year by [CONFIDENTIAL]
are checked. In addition, it has been stated that internal checks are carried out at the consular
posting in London and Dublin at the CSO. 119
130. The AP considers that during the investigation it did not receive any documents showing the frequency
appears from the checks by [CONFIDENTIAL]. Nor has BZ shown when the most recent
control has been performed. With regard to the internal controls, the AP considers that in the case of the
consular postLondonnodocumentswereprovidedthatseetheinternalcontrolsof the assigned
authorizations. With regard to the CSO and the consular post Dublin, the AP concludes from the
120
information provided that some internal controls related to authorizations in the past
have taken place. The late stein internal audit at the CSO took place in April 2018. Deconsular
postDubl carries out a check at least once a year; the last check was done in 2019. 121
131. Furthermore, the AP has established that several employees of CSO and one employee of the consular
postLondon had NVIS role(s) that were not needed and some of the roles turned out to be
hadn't been in use for some time. This indicates that the assigned access rights to
NVIS and NVIS roles have been insufficiently checked.
132. During the hearing, BZ stated that [CONFIDENTIAL] at consular posts
are responsible for the control of access rights to NVIS. The one-time annual control of
[CONFIDENTIAL] acts as a safety net. 12BZfurtherindicatedtheprocedureforchecking
will formally determine access rights.
133. In response to this, the AP requested documentation from BZ of the checks that [CONFIDENTIAL]
oftheconsularpostLondonandDublinhaveperformedonaccessrightstoNVISfrom2018toten
with 2021. BZ has provided the following in response: authorization lists (from 2019, 2020 and 2021),
the withdrawal of access rights of one employee in 2019 and two evaluation reports that no longer
to give a general picture of the screening of consular posts (from 2018 and 2019).
documents submitted do not lead the AP to any other judgment. The AP establishes that BZ has not
demonstratedthattheoperationalmanagersoftheconsularpostLondonandDublinregularchecks
have performed on the access rights to NVIS.
11File document3, appendix1: ManualData managementNVISFebruary2018;File document12,appendix4: Authorization procedureNVISConsular post
London; and File 26, Annex 3.1: Authorization procedure NVIS Consular Post Dublin.
11File document7:ReportofOfficial OperationsConsular PostLondon;File Document27:ReportofOfficial OperationsConsular PostDublin;
enDossierstuk11:Report ofCSOCSO18July2019and12September2019.
12File piece14, appendices24.1and24.2:Managementreportingvisaapr2018enManagementreportagevisasep2018;enFile piece27,appendix
6:6.CorrespondenceaboutcustomizingrolesNVIS.
12File document27:ReportofOfficial OperationsOTP ConsulateDublin.
12BZ to AP of 19 November 2021, appendix 1 Interview report, p.30.
34/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
134. With regard to the procedure provided by BZ regarding the control of access rights, the AP notes
that the process surrounding the one-time annual audit of [CONFIDENTIAL] is described herein. 12The
AP notes that no clarity is provided in this procedure as to how BZ takes care of it
that access rights are checked regularly. The one-off annual check functions, like BZ
sets,as a safety net.Considering the type of data processing in NVIS considers the APan annual audit
insufficient to ensure that only authorized personnel have access to this system
working methodmitigatestheriskinsufficientlydateachangeoffunctionandemployeeformonths
incorrectly accesses NVIS,[CONFIDENTIAL].
135. The AP further determined that an employee at the consular post in London was wrongly
accessrightstoNVIShastheroleof[CONFIDENTIAL],andthiscouldbeinNVISdata
view and change. This employee was appointed to another position at the embassy, for which it was
use of NVIS was not necessary. BZ stated in its view that the [CONFIDENTIAL]-
application showed flaws at the time of the investigation, so that the role [CONFIDENTIAL] still
should be kept in case the [CONFIDENTIAL] application should not function. This
argument fails. An employee who has not worked in the consular department for some time,
should not have access to NVIS. With regard to the role [CONFIDENTIAL], the AP follows
opinion of BZ that the finding about this had an incorrect source
finding related to employees of CSO and does the AP above match the correct
source corrected.
136. Finally, during the investigation, the AP has established that a statement of reasons for incompatible
roles within NVIS is missing. BZ states in its view that in appropriate cases does not occur
may be that conflicting roles are assigned to a person. For example, this may concern
smaller posts where an employee suddenly drops out. According to BZ, the motivation of conflicting
roleswelldocumented.As a result of this, the AP has requested documentation about the
responsibility and justification for assigning incompatible roles. Based on this
the AP notes that BZ has shown several examples showing that BZincompatible roles in
124
the past has motivated. On this point, the AP follows the opinion of the Ministry of Foreign Affairs. The AP has
however, unable to see a policy that shows how BZo deals with incompatible roles and how BZ
defines incompatible roles. The NVIS Data Management Guide only states that the incompatible
125
roles in NVIS are not currently set. Job segregation policy is ideally suited to
include in the security policy as referred to in section 2.3.
137. In view of the above, the AP is of the opinion that BZ, with regard to procedures regarding access rights
until the NVIS environment and its control violates article 32, paragraph 1 AVGGennader
elaboratedin32, paragraph2, subch,VISOrdinancesBIO standards9.2.1,9.2.2,9.2.5and9.2.6.(en
relevant standards from the BIO about the Plan-Do-Check-Actcycle). 126
123
124-mailBZaandeAPofJanuary9,2022,BZprocessNVISauthorization.
12File piece3, appendix 1: ManualData managementNVISFebruary2018,p.16.Zvan15October2021,appendix22.
12This means that there should be regular checks on whether the security policy is still being adhered to in the practices or the measures
should any imperfections come to light, the principle Plan-Do–Check-ActfromtheBIO–in short-that errors
35/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
2.6 MonitoringNVIS usage:log files
2.6.1Legal framework
138. The obligation to maintain and regularly check log files is an essential
part of the regulations for information security. In this way an organization can see
keep which employee when, for what purpose, consults or changes certain information
in addition, it is necessary that periodic monitoring of the recorded log files takes placetom
detect unusual patterns and, for example, check whether unauthorized
access takes place to the data.
139. Article 32, paragraph 2, including the VIS Regulation stipulates that the Ministry of Foreign Affairs must be able to verify and determine
which data when, by whom and for what purpose have been processed in NVIS. BZ must also
check the effectiveness of these security measures and with regard to the internal control
take necessary organizational measures. Article 32, paragraph 2, sub, VIS Regulation prescribes before
those who are authorized to consult the VI, have access only to the data on which
their access authorization relates, and only to personal and unique
user identities and secret access procedures (control of access to data).
140. Write the BIO standards before BZlog files with the registration of activities of NVIS
users should keep and review these logs regularly. The BIO standards
specify which information about NVIS usage should be kept in a log file as a minimum
registered. BZshould also have an overview of all log files that are placed in the context of NVIS
generated. In the BIO, the following rules are particularly relevant:
12.4.1 Log events
Logs of events that user activities, exceptions
and record information security events, belonging
be made, kept and regularly reviewed.
12.4.1.1 A log line contains at least:
a. the event;
b.thenecessaryinformationnecessarytoconfirm theincident with a high degree of certainty
trace back to a natural person;
c.the device used;
d. the result of the action;
e. a date and time of the event.
12.4.2.1 There is an overview of log files that are generated.
be corrected and that the policy is adjusted in such a way that the related problems will not recur next time.
abovedescribedresultsofthespotcheckbyinspectorsoftheAPshowthatthishasnothappenedconsistingof
authorizationsandrolemanagement.This means that an appropriate internal control in the field of access security is missing.
the risk of access to NVIS for unauthorized persons, as referred to in article 32 paragraph 2 under b VIS Regulation.
36/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
2.6.2 Factual Findings
141. To check compliance with legal requirements regarding log files, the
APrequested a sampleofthelogsatBZ.Theselogscontainlogsofthe
consular posts, of CSO and of Processor 2. Also, during the investigation, the AP has 127
questions about the setup of the logging and internal control of this by the Ministry of Foreign Affairs. Furthermore, the AP
checked the requested log files and compared them with the corresponding
authorization lists that relate to the same period.
Logging of NVIS usage at consular posts London and Dublin
142. [CONFIDENTIAL]
143. [CONFIDENTIAL] 128
Analyzesoflogfiles
144. The AP requested two log files related to the NVIS usage by the employees
fromtheconsularpostLondon.Thefirstfile(hereaftername:Log1)concernsthelogfileof4
July2019,between9.00am and 12.00pm.ThistimeslotcoincideswiththeresearchoftheAPtersite.It
second file (hereafter: Log2) sees the period from April 1 to July 4, 2019.
145. [CONFIDENTIAL] 129
146. [CONFIDENTIAL] 130
12In-placeInvestigationsat the Consular PostLondon(2and4July2019),theCSODenHaag(18July and12September2019), Processor2(1
November 2019) and the Consular Post Dublin (22 and 23 January 2020).
12WrittenOpinionBZof15October2021,appendix2undernumber6.3.
12File document12, appendices40a and 40b: Logging useNVIS, version 25 July 2019 and Explanation.
13File piece16, appendix8.1:LON_01April2019_04July2019_Overview.
37/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
Logging of NVIS usage at CSO The Hague
147. During the on-site survey at the CSO, the AP conducted interviews with the employees of
B As far as the various aspects of security in relation to NVIS, where the subject
‘logging of NVIS’ has been investigated. The AP also has additional documentation on this subject at BZ
queried and analyzed. In addition, the AP has performed log file analysis.
Processofloggingandcheckinglogfiles
133
148. [CONFIDENTIAL]
149. [CONFIDENTIAL] 134 135
13File document11:ReportofOfficial OperationsOTPCSO18July2019and12September2019.
13File document13:Information requestAP of 25 July 2019; and File document17:Information requestAP of 1 October 2019.
13File document11:ReportofOfficial OperationsOTPCSO18July2019and12September2019.
13File document13:Information requestAPfrom25july2019.
13File document14, appendix18.1:Responsibility controlNVIS usage.
38/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
150. The AP has requested (extensive) documentation in the field of security from BZ
analyzedforrelevantinformationaboutlogging.HeretheAPhasfocusedoninformationabout
the logging of the actions within the NVIS platform, in particular how the logging process and control on this
are configured, which log files are generated, and how log files are checked
concerns the following documents: [CONFIDENTIAL]; 136[CONFIDENTIAL]; 13[CONFIDENTIAL]; 138
139 140 141
[CONFIDENTIAL]; [CONFIDENTIAL]; [CONFIDENTIAL].
151. [CONFIDENTIAL]
Analyzesoflogfiles
152. Furthermore, the AP requested NVIS from BZlog files in which the NVIS actions of the
employees of the CSO have been recorded. BZ has submitted the following log files to the AP that
relate to the following periods:
142
(1) September 1, 2018 to November 30, 2018; (hereinafter: Log3);
(2) April 1 to July 18, 2019, (hereinafter: Log4); 143
144
(3) on September 12, 2019 (hereinafter: Log5).
153. [CONFIDENTIAL]
154. [CONFIDENTIAL] 145
13File 14, attachment[CONFIDENTIAL]
13File document12, attachment[CONFIDENTIAL]
13File 14, attachment[CONFIDENTIAL]
13File 14, attachment[CONFIDENTIAL]
140
File 14, attachment[CONFIDENTIAL]
14File 14, attachment[CONFIDENTIAL]
14File piece16, appendix9.1:CSO_01Sept2018_30Nov2018_Overview.
14File piece16, appendix9.2:CSO_01April2019_18Juli2019_Overview.
14File document16, appendix9.3:CSO_12Sept2019_Overview.
14WritingViewBZof15October2021,p.10and11.
39/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
Processor2
155. [CONFIDENTIAL]
156. [CONFIDENTIAL] 146
157. [CONFIDENTIAL] 147
158. The AP has analyzed down to some of Processor2's logs. The AP determines that, by
lack of sufficient evidence about the actual situation in combination with the explanation of the Ministry of Foreign Affairs, for what
regardingthecontentoftheselogfilescannotidentifyviolenceandsowillnotcontinue
deal with the legal assessment below. 148
2.6.3Legal review
159. The AP has assessed how far BZ has taken appropriate measures in the field of logging
of the NVIS environment.
160. The AP notices that log files are kept related to NVIS. In the log files
standing names of employees registered only a very limited amount of other data with
relating to actions in NVIS, such as an indication of some steps in the context of the
visa process(eg [CONFIDENTIAL]).
14File document13:Information requestAPof 25 July 2019;andFile document15:Information requestAPof1October2019andannouncementOTP
Processor2on1November2019.
14File document17:ReportofOfficial OperationsOTP Processor21November2019,p.7and8.
14WritingViewBZof15October2021,p.11.
40/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
161. Log1 does not show which actions in NVIS by the staff of the Consular Post in London are
performed at whatever time that happened. With regard to Log2, AP determines that it is not going
which data of visa applicants the consular post staff have processed, with which
target, when this happened and what device was used here. The AP sets
in addition, there are discrepancies between the two log files. Since Log1 is about July 4, 2019 and
Log2 over the period 1 July 2019 up to 3 July 2019, Log 2 and Log 1 close chronologically.
149
However, both files differ in their structure.
162. InLog3,Log4andLog5 is next to the employee's name also the visa application number and a
global designation of the part of the visa process that has been performed and the time at which
part has been completed. However, these log files do not show which data of
visa applicants have processed the employees of the CSO, for what purposes at what time this
occurred.
163. In view of the above findings, the AP notes that the Ministry of Foreign Affairs does not have an adequate overview of the
logfilesgeneratedintheNVISenvironment.TheNVISuseistrueloged,
butshowthesubmittedlogfilesin terms of buildupandtypedatathatisincluded
inconsistencies. The log files that the AP has received and assessed also show that
not all mandatory actions are logged.[CONFIDENTIAL] 151
164. In its opinion (to the extent that it is relevant to the violation) BZ sets out in its opinion on the log files
next.As to log file1, according to BZ, it was located on the road from the AP to
point out that not only the access log data was requested, but also what actions in NVIS
performed and at what time. This argument fails. In its request for information, the AP has a log file
152
asked about the use of NVIS at the embassy in London. It needs the AP's judgment
little argues that when using NVIS, in which-undisputedly personal data is processed, the
AP is not only interested in information about logging in to this system.
165. With regard to log file2, BZ states that article 32 paragraph 2 under the VIS Regulation, to which AP
logging tests,requiresthatwhichdataisprocessedberecorded.Butthisarticledoesnotrequire
that any data being processed is logged. An indication of which data is being processed
can therefore, according to BZ, suffice without an exact representation of that data.
article32AVG.The purpose of the logging is to verify the legitimate use of access rights. Because
BZ determines which application data is processed, therefore it is sufficiently precise which
data have been processed. According to BZ, the visa application number is also known from which person concerned
personal data have been processed
For example, NVIS employee has processed only the name or only the date of birth or both.
14The differences concern the number of the logged variables and their names in the log files.
15 For example, compare the type of actions that are recorded in Log1 with the type of actions that are recorded in Log 2.
1InformationprovidedbyBZduringOTPsCSOon16July2019and12September2019(see file document11:Report of Official ActsOTP
CSO16July2019and12September2019).
15File piece10, appendix1under point40.
41/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
166. The AP does not follow the BZ's view. Article 32 paragraph 2 under the VIS Regulation requires that it
it should be possible to check and determine which data when, by whom and for what purpose
the VIS have been processed. Logging a visa application number does not provide sufficient indication which
data is being processed. This makes it impossible to see afterwards which data has been processed when.
The more sensitive the personal data that is being processed, the higher the requirements for logging in this regard
In this context, in which a great deal–also–special data are processed, it is
It is very important that changes in data are traceable. BZshould be able to check which data
who have changed, not only after an incident. This information may also be from a combination of
(log) files are derived. The purpose of logging is therefore not limited, as BZ states, only to the
checklegitimateuseofaccessrights.
167. BZ further states in its written opinion that the conclusion of the AP, that checks on the NVIS
usethatBZperformstargetthegrantedauthorizationsandnotlogfilesandactions
carried out in NVIS by staff members is incorrect and premature. BZ believes that it
information request about this was formulated in general by the AP.According to BZ, there are many
opportunities to report on the actual use of NVIS. Finally, BZ states that the
question from the AP was unclear about logging and how control of this was in the security policy
tuned.
168. Although the AP is of the opinion that it is on the road to the Ministry of Foreign Affairs in due time–and not only in an opinion–
to make known that an information request raises questions, the DPS again has the opportunity
askedtoconsultproceduresthatdescribehowBZregardingNVISlogs
carries out checks on this.3BZreactedtothiswithanundateddocumentwithseveralparagraphs
154
provided with where 155 actual description water is logged when using NVIS.
[CONFIDENTIAL]
169. Given the shortcomings in log files in combination with the fact that BZ the log files do not
regularly assesses and there is no procedure in this regard, the AP concludes that BZin
acts contrary to article 32, paragraph 1, AVG and further elaborated in article 32, paragraph 2, sub f, each of the VIS
RegulationsandBIOstandardsconcerninglogfiles(namestandard12.4.1).
2.7 Control of NVIS usage: security incidents
2.7.1Legal framework
170. Article 32, paragraph 2, subcend, of the VIS Regulation provides, respectively, that BZ has appropriate
take measures to prevent data carriers from being illegally read, copied,
153
15EmailBZaanAPvan10December2021, attachment16.
15See paragraph 2.6.2 and letter from the Ministry of Foreign Affairs to AP of 19 November 2021, appendix 1 Interview report, p.36.
42/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
changed or deleted, and that data is illegally viewed, changed or deleted. If
there is unauthorized (external or internal) access to data carriers and/or personal data
stored in the NVIS environment, then there is talk of a security incident. Under the requirements of
article32, subsection2, subsection, VISRegulation applies that the necessary organizational measures have been taken
should be used for the follow-up of such security incidents
before placing internal controls on NVIS data carriers and storage of NVIS data
and that the effectiveness of the security measures should be checked.
Chapter 16.1 of the BIO describes the mandatory standards for the management of the
security incidents and improvements. These include the following BIO standards from
application:
16.1.11 Responsibilities and procedures:
Management responsibilities and procedures should be established with a
rapid, effective and orderly response to information security incidents
accomplish.
16.1.2 Reporting information security events:
Information security events should be sent as soon as possible via the correct
managerial levels are reported.
16.1.2.1 There is a reporting desk where security incidents can be reported.
16.1.2.2 There is a reporting procedure that includes tasks and responsibilities of the reporting desk
described.
16.1.2.3 All employees and contractors have demonstrably taken note
of the incident reporting procedure.
16.1.2.5 The process owner is responsible for resolving security incidents.
16.1.2.6 Follow-up of incidents is reported monthly to the responsible person.
16.1.3 Reporting of information security vulnerabilities:
From employees and contractors who use the information systems and -
servicesoftheorganizationshouldberequiredthatsideinsystemsorservices
observed or alleged vulnerabilities in information security record and
report.
16.1.6 Lessons learned from information security incidents:
Knowledge acquired by analyzing information security incidents
andsolveshouldbeusedtotheprobabilityor
reduce the impact of future incidents.
16.1.6.1 Security incidents are analyzed with target learning and
prevent future security incidents.
171. The above BIO standards indicate that a consistent approach should be an effective approach
be effected of the management of information security incidents, including
communication about security events and security vulnerabilities
responsibilities and procedures are established, a reporting desk is set up, in which
security incidents are reported, including the reporting procedure. Information security incidents and
the follow-up of this is reported to the responsible person on a monthly basis
43/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
security incidents analysed, among others, metals targeting and future
prevent security incidents.
2.7.2 Factual Findings
172. As part of its investigation, the AP has checked whether BZo has a procedure for the
reporting and following up on security incidents/data breaches in relation to NVIS and the visa process
In connection, the APBZ has requested an extract from the notification register for 2018 and 2019, in which all
NVIS-related security incidents are recorded. During the investigation, the AP
inspectors asked about this relevant documentation about security incidents
requested.
Consular posts:LondonDublin andCSODenThe Hague
Procedural security incidents
173. The Consular PostsLondon andDublinandCSOnextsame BZ-wide method with regard to
until reporting security incidents/data breaches: a security incident is reported directly to
[CONFIDENTIAL] reported, and if there is a data breach, a [CONFIDENTIAL]
created and sent digitally to [CONFIDENTIAL]. This procedure is set to [CONFIDENTIAL],
consultation by employees of the Ministry of Foreign Affairs [CONFIDENTIAL].
174. On site at the consular posts, employees also make use of 'Factsheets data leaks' which are
Dutch and English have been prepared. These fact sheets are a schematic representation of the procedure
a listing of all steps that employees must follow in the event of a data breach.
During the investigations, the aforementioned fact sheets data leaks were shown to the AP inspectors
[CONFIDENTIAL].
156
175. As a result of the investigation in London, the DPS asked for the procedure report
provide data leaks. BZ has submitted the following documents:
157
- Factsheets dated August2018, in both Dutch and English.See these factsheets
on the schematic representation of the method in case of data leaks, as described above and
shown at the consular posts.
- Instructional videos about data leaks : these short films provide information about
data leaks.
- Printout of the information material about data leaks on [CONFIDENTIAL], with examples
of data leaks 15 and description of the working method for BZ employees in case of
160
data breaches .This last document contains a description of the steps that employees of
15File document10:Information requestAPvan12july2019.
15Dossier12,appendix11a:FactsheetdatalekNLaug2018;Dossier12,appendix11b:FactsheetdatalekENAug2018;en
Dossier 12, attachment 11d: Sharepoint data breach.
15File Document12,Appendix11c: Instructional video-Help,adata breach;andFilepiece12,Appendix11f:Databreachmovie.Thesefilepiecesare
video files.
15File document12, attachment11e:Data leaksexamplesandsharepoint.
16File document12, appendix 12c: Data leak information for BZ employees.
44/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
BZshould take submitters of data leaks, in accordance with the procedure used during the
InvestigationsinLondonandDublinisexplained.
176. The AP notes that the staff of the consular posts in London and Dublin and the CSO, with
regarding the reporting of security incidents/data breaches, follow the procedure for all
employeesofBZapplies.Thisprocedureisapracticalmanualonthestepsthat
employees must act in the event of security incidents: they must report as soon as possible
[CONFIDENTIAL] be reported in the event of data leaks, a report will be made to
[CONFIDENTIAL]. The procedure mentioned is not established at a management level, and gives
furthermore no insight into the steps that are followed after a report about a security incident/
data breach has occurred. The procedure also does not describe the tasks and responsibilities of the
hotline chainwhoseprocessownerisresponsibleforresolvingsecurityincidentsand
the reporting on this.
Security Incidents
177. [CONFIDENTIAL]
178. The AP has requested a security incident register from BZe in which all security incidents in
relationship to NVIS and the visa process are stated, with respect to the following periods: (1) October 1
2018 to December 31, 2018, and(2) April 1, 2019 to July 1, 2019. The AP has nine notifications
of incidents 16 received at the Consular Post in London.[CONFIDENTIAL].Due to the lack of
a further explanation on these reports was the AP during the investigation assuming that BZ
did not provide a copy of the Security Incidents Register.
179. [CONFIDENTIAL] 163
180. [CONFIDENTIAL] 164
16File document10:Information requestAPfrom12july2019.
16[CONFIDENTIAL]
16[CONFIDENTIAL]
16File piece11:ReportofOfficial OperationsOTPCSO18July2019and12September.
45/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
181. An employee of [CONFIDENTIAL] stated during the investigation that BZVereen
incident register has in which security incidents are registered. The AP has requested
to provide a security incidents register with regard to NVIS and concerning the year 2018
165
and the first half of 2019. [CONFIDENTIAL]. BZ did not supply any (blank) incident register.
In addition, the AP also requested six-monthly reporting on security incidents. This
documentisprovided.166Itdescribesdataleaksrelatedtotraveldocuments.
182. During the opinion phase, BZ gave, among other things, the following explanation about the process of
security incidents. Notifications are handled by [CONFIDENTIAL] in [CONFIDENTIAL].
All actions necessary for handling a report are recorded here
saved. These reported incidents/violations, regardless of whether they had reported to the AP
must be, after complete completion, are closed, logged, and stored in a
protected, only accessible to [CONFIDENTIAL] environment behind the [CONFIDENTIAL]
(the data leak register). All executed (continued) steps are recorded in the individual
report files in the central register of incident reports that is filled by
[CONFIDENTIAL].Finally, the Ministry of Foreign Affairs has stated that all incidents are now in one central place
are tracked and preserved.
183. As a result of the foregoing, BZ has answered further questions from the AP about the design
of the central register of security incidents. Based on this and on the basis of the above
explanation, the AP considers it plausible enough that BZwel has a
security incident registerin which security incidents in relation to NVIS are registered.
Processor2
184. On November 1, 2019, the AP carried out an investigation at Processor 2. In doing so, the AP
167
procedure that Processor2 uses in case of security incidents. In this
escalation procedure describes which steps need to be taken within the organization
when a security incident occurs, which roles/functions should be assigned to Processor2
informed and what roles/functions should be escalated to. Processor 2 also has a policy
168 169
submitted that covers security incidents and data breaches .
185. With regard to security incidents, Processor2 stated during the investigation dated in 2018
en2019 have been no incidents in relation to the NVIS environment. This saw specific on incidents
[CONFIDENTIAL]
16File 14, appendix 20.1: Explanation.
16File 14, attachment 21.1:[CONFIDENTIAL].
16File document17, attachment3:IncidentEscalationProcedure.
16File 17, attachment 4: [CONFIDENTIAL].
16File document17, attachment5:ProcedureDataBreachController.
46/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
186. When asked if Processor2 keeps a log or registry of security incidents, Processor2 has
stated that they use different registers depending on the incident. Processor2 explained that
two incident registers are used.
[CONFIDENTIAL] 170 171
187. [CONFIDENTIAL]. Processor2 has indicated that there are no security incidents at Processor2
have been related to NVIS in the study period. There were no internal reports because of this
172
dieProcessor2 to AP.
188. On the basis of the above and the explanation of BZ during the opinion phase, the AP considers the
division of tasks between BZenProcessor2 with regard to security incidentssufficiently clear.
2.7.3Legal assessment
189. The AP concludes that the general procedure provided by the Ministry of Foreign Affairs at the time of the investigation
does not meet the requirements for reporting security incidents by BZ employees. This procedure is a
no more than a manual on the steps that employees should take when
security incidents: they must be reported to [CONFIDENTIAL] as soon as possible in case
data leaks are reported to [CONFIDENTIAL]. The procedure mentioned is not on
management level established and provides no further insight into the specific steps that are followed
after a report about a security incident/data breach has occurred. The procedure describes
alsonotthetasksandresponsibilitiesofthereportingdeskchainwheelprocessownerresponsible
is for resolving security incidents and reporting about them.
190. During the opinion phase, BZ reacted to this with an AVG manual (approved on 13 October
2021)andaProcessdescriptionIncidentmanagementsecurityincidentsanddata breaches(July2020)
provided to the AP. The AP has assessed this documentation and comes to the conclusion that BZ from 13
October 2021 does provide full insight into the steps to be followed after a notification about
a security incident/data breach has occurred. Also, the duties and responsibilities of
mentioning the reporting desk has established who the process owner is responsible for
resolving security incidents and reporting about them.
170
17File piece23, appendix06.1:-AP-z2019-12207-06-Incidentenregisterextract.enmet1November2019.
17WritingViewBZof15October2021,p.13.
47/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
191. On the basis of the above, the AP comes to the conclusion that BZ, with regard to the defects in the
procedure for reporting security incidents, until 13 October 2021 insufficiently appropriate
has taken organizational measures to prevent unlawful data processing
in NVIS. As a result, BZ has breached the requirements laid down in article 32, paragraph 1, AVG
elaborated in article 32, paragraph 2, subcend, VIS Regulations and BIO standards 16.1.1 and 16.1.2.2.
As of 13 October 2021, the aforementioned defects have been repaired by BZ, the infringement is thus
point ended.
2.8Training staff on data protection
192. Article 28(5) VIS Regulation prescribes that the personnel of the authorities with access rights to
the VIshouldbecompletedequaltrainingondatasecurityandprotectionrules.
Staff are also informed of the relevant criminal offenses and sanctions. The AP
however, has not tested the content of these courses nor the manner in which they are offered
during the investigation. Article 38, paragraph 3, Visa Code continues to write before the 'central authorities of'
Member States should train and train both the posted and the local staff in a careful manner
provide them with complete, accurate and up-to-date information on the relevant legislation.”
193. The AP establishes on the basis of the statements of employees and documents provided by BZ
with regard to the training of employees who have access to data in the NVIS dater
of training in data protection and security. In addition, the training
offered for both employees who are recently employed and employees who have been with BZ for a long time
work. The training courses include, among other things, the systems to be used (including NVIS), relevant laws and
regulations and security. The AP also notes that training of both broadcast and
localemployees.
194. This is, with regard to the question of whether attention is paid in training to
information securityandregulationsontheprocessingofpersonaldata,meettherequirements
they are deposited in BIO objective 7.2.2 and article 38, paragraph 3, Visa code.
2.9 Information provision to visa applicants
2.9.1Legal Framework
195.Transparencyaboutdataprocessingandisoneofthegeneralprinciplesforaproper
data processing. Informing the data subject about data processing contributes to
transparency.Article 37VIS Regulation prescribes that visa applicants are informed about the
responsible person, the purposes of the processing of the data of the visa applications, the
categories of recipients of processed data, the retention period, the obligation of the
collect this data and the rights of the person concerned. This means that BZ the visa applicants
48/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
informs in writing b173 collecting the data for the purpose of the application form, the photo
andfingerprints. This obligation also arises from article 13 of the AVG.
2.9.2 Factual Findings
196. The AP has conducted an investigation at the consular post in London and Dublin. From these investigations
and the information obtained follows, that data subjects can be informed in three ways about
processing their photos, fingerprints and personal data for the purpose of a visa application.
Information is provided through (1) a “Privacy Statement Regarding Short-StayVisa”
174
Applications” (hereinafter: Privacy Statement) , (2) an appendix to the application form for the
visa application (hereinafter: Annex), and (3) a folder 176 at the location of the consular post.
197. The first option of providing information is the Privacy Statement. On the (in English
written)websitesoftheembassiesinIrelandandtheUnited Kingdomstateinformationaboutthe
177
ask how a (Schengen) visa application works. The websites refer to thisPrivacy
Statement, which can be found on the BZ website. 178
198. In the Privacy Statement, various privacy components are treated like the goals for the
processing the data of the visa applications, the controller, the
retention period of 5 years, the obligation to collect the data and rights of
stakeholders.In a separate document, the risk countries are listed that could influence the
179
visa process on risk analysis. ThePrivacyStatement further states that there may be
sharing data with third parties such as other European authorities within the Schengen area
areasinstancessuch asEuropol.InthePrivacyStatementthere isno mention of the possible
processors of data, such as, for example, private parties that may be involved in the
process of the visa application. The AP further establishes that the national “DataProtectionAuthority”,
including the address details, is mentioned in the privacy statement as the designated authority in the
case the data subject would like to exercise her/his rights. 180
181
199. The second possibility of providing information takes place via the Annex. TheAppendixbecomes
provided in writing to the person concerned at the time the details of the application form are
collected.In the Annex, BZ is named as the controller for the
data processing, the purposes of the processing of data are stated, the
retention periods and is referred to as the obligation to collect the data
17Article 37, paragraph 2, Regulation “The information referred to in paragraph 1 will be communicated in writing to the applicant when collecting the
data of the application form, the photo and fingerprint data as referred to in article 9, paragraphs 4, 5 and 6.”
17File 7, attachment 2: PrivacyStatementre.Shortstayvisapplications.
17File 7, attachment 6:SchengenVisaApplication(sample form),provided to the OTP Consular PostLondon.
17File document 7, appendix 4: Information sheet about SISII; and File document 27, appendix 10: Leaflet public information about SISII.
17SeeforIreland:https://www.netherlandsandyou.nl/your-country-and-the-netherlands/ireland/travel-and-residence/applying-for-a-short-
stay-schengen-visa(before last consulted on 14 August 2020) and for the United Kingdom:
https://www.netherlandsandyou.nl/your-country-and-the-netherlands/united-kingdom/travel-and-residence/applying-for-a-short-stay-
schengen visa (last consulted on 14 August 2020).
17https://www.netherlandsandyou.nl/documents/publications/2017/12/06/privacystatement-regarding-short-stay-visa-applications-en(for
it was last consulted on February 23, 2022).
17Conformarticle22Visa code.
18Article37, paragraph 1, sub, VIS Regulation.
181
File 7, Attachment 6: SchengenVisaApplication(sample form), provided to the OTP Consular PostLondon.
49/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
explained.TheCollegeProtection of Personal Information is also referred for complaint handling.
The AP also notes that permission is requested from the data subject. In the list of categories
Recipients of personal data are not referred to as third-party private parties.
200. The third possibility of providing information has been shown in the study in Dublin, 18 when by the
employeesoftheconsularposta folderSISII 18isdisplayedwhichwillbemadeavailabletothe
visa applicants in the waiting area. This leaflet relates to SISII and does not contain any information about
rights of data subjects with regard to a visa application and the exercise of rights of data subjects
during the visa application process.Although the folder itself contains information about SISII vs
background of the visa application, the leaflet is not applicable to the practice of
rights of those involved in the visa process.
2.9.3Legal Review
201. The AP establishes that BZindePrivacyStatementsintheAppendix(1)theobjectivesofthedataprocessing
mentions, (2) makes clear that collecting the person is mandatory, (3) includes retention periods,
and (4) mention the competent (privacy) supervisor. However, with regard to both documents,
not all (categories of) recipients of data are listed by BZ.The AP determines
that only a few categories of recipients have been mentioned, such as other European authorities and Europol.
ThePrivacyStatementandAttachmentdonotnotstatethesharingofpersonaldatawiththird
private parties, such as the processors, Processor2 and Processor3, who are involved in the process of the
visa application. This does not meet the requirement of article 37, paragraph 1, sub, VIS Regulations article
13, paragraph 1, below, AVG.
202. In its view, BZ argues that it is not a foregone conclusion that those involved should be informed
about the provision of data to a processor. BZ is of the opinion that Processor2 only if
processor does not qualify as a recipient of personal data. Without obligation to do so
acknowledging BZindePrivacystatements/ortheAppendixincludethatBZleavespersonaldata
processing processors.
203. The AP does not follow the statement of BZ. It follows from article 13, paragraph 1 sube, AVG that the
controller informs the data subject about the recipients or categories of
recipientsofthedata.Article4,section9,GDPRdefinesarecipientasa
natural or legal person, a public authority, a service or another body, whether or not
one-third, to whom/to whom the data is provided. Processors as Processor2and
Processor3 are legal persons who receive the data about the data subjects. The
185
Also specify guidelines on transparency that a recipient may be a processor.
18File document27:ReportofOfficial OperationsOTPConsular PostDublin.
18File document7, appendix 4: Information sheet about SISII; and File document27, appendix 10: Leafletpublic information about SISII..
18In the Appendix, however, reference is still made to theCollegeProtection of Personal Data.
18Group data protectionarticle29Guidelinesontransparencyaccording toRegulation(EU)2016/679,p.18.
50/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
2.10 Conclusions
204. The AP comes to the following conclusions with regard to the established violations.
Security plan
205. The AP comes to the conclusion that BZ has no security plan with regard to NVIS (and therefore also
has not evaluated).
article 24 and 32, paragraph 1, GDPR, which is further elaborated in article 32, paragraph 2, preamble, VISOrdinances BIO-
standards5.1.1,5.1.1.1and5.1.2.1.
Physical Security
206. BZ has not explicitly determined which parts of the IT infrastructure should be marked
be as critical infrastructure of the visa process, from at least September 1, 2018, until any time
case the spring of 2020 acted contrary to article 32, paragraph 1, AVG, which is further elaborated in article
32,lid2,ondera,VISRegulation.
207. The AP further concludes that BZ, where it concerns drawing up emergency plans and
protection of equipment against disruptions in utilities, from at least September 1, 2018
until now does not comply with the provisions of article 32, paragraph 1, GDPR, which is further elaborated in article 32, paragraph 2
suba,VISOrdinancesBIO standards11.1.4and11.2.2.
208. Furthermore, the AP is of the opinion that due to the lack of security guarantees when entering the
zone that must be extra secured, the physical security of the rooms in which the is being worked on
visa process in London was not satisfactory. As a result, BZ has at least September 1, 2018 to April 2020 in
acted contrary to article 32, paragraph 1, GDPR, which is further elaborated in article 32, paragraph 2, suba, VIS
RegulationsBIO standards11.1.1t/m11.1.5and11.2.2.
209. Finally, since the Ministry of Foreign Affairs has not shown that sufficient guarantees apply for the physical protection of
working in NVIS in public spaces and B Seven less has the effectiveness of the policy on this matter
checked, the AP comes to the conclusion that BZ is in conflict with at least September 1, 2018
acts with article 32, paragraph 1, AVG, which is further elaborated in article 32, paragraph 2, suba and k, VIS Regulation.
Access rights to NVIS
210. The AP concludes that BZ is not over-formal from at least September 1, 2018 to January 1, 2022
registration-and-logoutprocedureshavetoviewtheassignmentofaccessrightsto
NVIS.BZ has acted in conflict with article 32, paragraph 1, AVG, which is further elaborated in BIO-
standards 9.2.1 and 9.2.2.
211. The AP is further of the opinion that the Ministry of Foreign Affairs, with regard to the procedure for the control of access rights to
the NVIS environment and control of this in practice, from at least September 1, 2018 to the present in
acts contrary to article 32, paragraph 1, GDPR, which is further elaborated in 32, paragraph 2, subject, VIS Regulations
BIO standards9.2.1,9.2.2,9.2.5and9.2.6.
51/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
ControlNVIS usage:logging
212. Given the deficiencies in log files in combination with the fact that BZ the log files do not
regularly assesses and there is no procedure in this regard, the AP concludes that BZ van
at least 1 September 2018 until now does not act in accordance with article 32, paragraph 1, GDPR that
further elaborated in article 32, paragraph 2, sub f, each of the VIS Regulations and BIO standards
concerning log files (name standard 12.4.1).
ControlNVIS usage:security incidents
213. With regard to the deficiencies in the procedure for reporting security incidents, the AP comes to
the conclusion that BZ from at least September 1, 2018 to October 13, 2021 insufficiently appropriate
has taken organizational measures to prevent unlawful data processing
in NVIS. As a result, B has infringed article 32, paragraph 1, GDPR, which is further elaborated in article 32,
lid2,ondercend,VISRegulationsandBIOstandards16.1.1and16.1.2.2.
Information provision for visa applicants
214. The AP finally concludes that BZin the framework of the information provision
visa applicants do not mention sharing personal data with third private parties,
such as Processor2andProcessor3.This violatesBZvanatleastSeptember1,2018todate
Article 13, paragraph 1, sub, GDPR, which is further elaborated in article 37, paragraph 1, sub c, VIS Regulation.
52/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
3Fine
3.1Introduction
215. BZ has acted contrary to article 32, paragraph 1, AVG and article 13, paragraph 1, sub, GDPR.
not acted in accordance with the basic principles of data processing
as referred to in article 5 AVG. The AP makes use of its for the established violations
authority to impose a fine on BZ. In its view, BZ has stated that by several
transition processes and improvement measures the imposition of a fine and/or burden under coercion at all
is reasonable. Because of the seriousness of the violations, the extent to which they can be blamed on the Ministry of Foreign Affairs and
the fact that the violations are still going on after the AP, other than BZ, the imposition of a fine and a
load under duress if appropriate. The AP motivates this in the following.
3.2.Finance Policy RulesData Authority2019
216. Pursuant to article 58, second paragraph, preamble and article 83, fourth paragraph, of the AVG, read in
in connection with article 14, third paragraph, of the UAVG, the AP is competent to the Ministry of Foreign Affairs in the event of an infringement
ofArticle32oftheGDPRNottoimpose anadministrativefineupto€10,000,000.
217. Pursuant to article 58, second paragraph, preamble and article 83, fifth paragraph, of the AVG, read in
in connection with article 14, third paragraph, of the UAVG, the AP is competent to the Ministry of Foreign Affairs in the event of an infringement
ofarticle13oftheGDPRNottoimpose anadministrativefineupto€20,000,000.
218. The AP has established Penalty policy rules regarding the fulfillment of the above-mentioned authority to
imposing an administrative fine, including determining the amount thereof. 186Inde
Penaltypolicyruleischosenforacategoryclassificationbandwidthsystem.Violationof
article32oftheAVGisingpartincategoryII.CategoryIIhasafinebandwidthbetween€
120,000 and €500,000 and a basic fine of €310,000.Violation of article 13 of the AVG is shared
incategoryIII.CategoryIIIhas a finebandwidthbetween€300,000 and €750,000 and a basic fine
from€525,000
219. The amount of the fine adjusts the AP to the factors mentioned in article 7 of the
Fine policy rules, by decreasing or increasing the base amount. It is about an assessment of the
seriousness of the violation in the specific case, the extent to which the violation can affect the offender
be blamed and, if there is reason to do so, other circumstances.
3.3Penalageforviolatingthesecurityofprocessing
220. Any processing of personal data must be done properly and lawfully
organizationswithprocessingdatainfringetheprivacyofcitizensitisof
18Stcrt.2019,14586,14March2019.
53/64, Date Unidentified
24 February 2022 [CONFIDENTIAL]
It is very important that they apply a level of security appropriate to risk. When determining risk
for the data subject include the nature of the personal data and the extent of the processing
important: these factors determine potential damage for the individual involved in, for example,
loss, alteration or unlawful processing of the data. As the data becomes more sensitive
character, or the context in which they are used, pose a greater threat to personal
privacy, stricter requirements are imposed on the security of personal data. The
APconcludedthatBZonhassufficientlyrisk-adjustedsecuritylevel
guaranteed and guaranteed in the context of processing Schengen visa applications.
3.3.1 Nature, seriousness and duration of the infringement
221. The AP has established that BZ processes a great deal of (sensitive) data of those involved.
Examples of this are the combination of name and address details, country of birth, purpose of the trip,
nationalities photo. Those involved are obliged to provide all these details to BZ in order to
obtain a Schengen visa. In such a dependent and unequal position is of
it is very important that BZ guarantees and guarantees a sufficient level of security adjusted to risk
consequences and the resulting damage for those involved are large in the event of loss,
modification or unlawful processing of the data. For example, unauthorized persons may
view and change personal data, but also authorized employees can during the treatment
of the application make input errors. This can cause applications to be incorrectly refused, which again
an infringement results in the freedom of movement of those involved. The AP therefore concludes that as a result
due to the fact that the Ministry of Foreign Affairs has failed to take appropriate technical and organizational measures
the confidentiality and integrity of the personal data are insufficiently guaranteed.
222. In addition, the AP takes into consideration that BZ processes personal data of very many involved parties.
It is established that BZ processes hundreds of thousands of applications per year(682,484in2018,739,248in2019and
169,926in2020).187The personal details of all these applications are therefore insufficiently secured.
the AP notices that the violation has been going on for 3.5 years and is still going on.
extremely serious.
223. In view of the above, the AP, pursuant to Article 7, preamble and under a, of the Penalty Policy Rules
reason to impose a fine and increase the basic amount of the fine from €310,000 to €
390,000.
3.3.2 Negligence of the infringement
224. BZisobligedtouseasecuritylevelthatfitstheearthandsizeofthe
processing and that BZ performs. Now B will not ensure an adequate level of security for years, the AP of
judge that B has been seriously negligent still is in meeting appropriate
security measures and checking and adapting these measures. Citizens who are required
to hand over personal data, we must be able to assume that the Ministry of Foreign Affairs, as a government agency,
has taken the necessary measures and taken appropriate steps to protect personal data.
18https://ec.europa.eu/home-affairs/policies/schengen-borders-and-visa/visa-policy_en,under 'Statisticsonshort-stayvisasissuedbythe
Schengen States', last consulted on February 23, 2022.
54/64, Date Unidentified
February 24,2022 [CONFIDENTIAL]
225. The AP also considers that BZin own analyzes (from 2015 and 2020) already pose risks in the
areaofinformationsecurityrelatingtoNVIShasdetectedandnotintime/or
has taken insufficient action. For example, 188BZ has the risk in 2015 and in 2020
definedthatas a result ofpower failure equipment can break down and that unauthorized persons
may make changes in NVIS due to insufficient governance with regard to authorizations. The AP
points to this point in addition to the Accountability investigations by the General Court of Auditors
2017, 2018 and 2019, which means that the imperfections in the information security for BZ also on
were already known for this. The Court of Audit has established that BZ risks are
focus areas governance, organization design and risk management
General Court of Audit held that BZ has no management framework for the implementation and implementation of
to initiate and control the information security within the organisation.
226. In view of the above, the AP, pursuant to article 7, preamble under b, of the Penalty Policy Rules
reason to increase the fine even further, to an amount of €440,000.
3.3.3Categories of personal data
227. The AP has established that the Ministry of Foreign Affairs in the context of processing Schengen visa applications
processes special data, such as fingerprints. Such data qualifies as
biometric data. For special personal data, an even higher protection is required. The AP
has established that the Ministry of Foreign Affairs has determined that there is insufficient risk for a very large group of involved
coordinated level of security applies for this category of special data.
228. In view of the above, the AP, pursuant to Article 7, preamble, subsection, of the Penalty Policy Rules
reason to increase the fine to €465,000.
3.4 Amount of fines for violation of information provision to those involved
229. The controller must provide the data subject with information that is necessary for
to guarantee a proper and transparent processing towards the data subject, taking into account
of the specific circumstances and context in which the personal data is processed. 18TheAP
has established that the Ministry of Foreign Affairs does not report within the framework of the information provision to visa applicants
makes the sharing of personal data with third private parties and with this article 13, paragraph 1, sub,
GDPR violating.
230. As mentioned above, BZ processes a lot of (special) data. It must be for those involved
be transparent with which (categories of) recipients BZ shares this data
personal data, the fact that hundreds of thousands of data subjects are insufficiently informed and
violation has lasted for 3.5 years and still continues, the AP considers the imposition of an administrative fine
appropriate.
188
189 file3, appendix 5a: Vulnerability analysis and IB plan DCV; Written ViewBZ of 15 October 2021, appendix3.
See recital 60 of the AVG.
55/64, Date Unidentified
February 24,2022 [CONFIDENTIAL]
231. With regard to the amount of the fine, the AP considers that the consequences of this violation
are limited
reduce the fine from €525,000 to €100,000.
3.5 Blame and proportionality for both violations
232. Pursuant to article 5:46, second paragraph, of the Awb, the AP reserves the right to impose an administrative fine
take into account the extent to which they can be blamed on the offender
violation, is not required for the imposition of an administrative fine in accordance with established case law that
it is shown that intent may presuppose the AP culpability if it
criminal record.
233. The Ministry of Foreign Affairs is obliged to take a risk by means of appropriate technical and organizational measures
to use a coordinated security level. In addition, the Ministry of Foreign Affairs must be sufficiently clear
make which parties provide the data to. It is the BZ's fault that it does not
meets two obligations. The AVG, but also the VISOrdinances BIO with which BZ must comply
have emphatically described the security of the processing of personal data
that organizations must maintain a risk-adjusted level of security. Furthermore, the AVG(s)
providetheguidelinesontransparency)sufficient explanationastowhichinformationwith
those involved must be shared. The Ministry of Foreign Affairs may be expected to apply itself to the
standards that act accordingly.
234. Finally, pursuant to articles 3:4 and 5:46 of the Awb, the AP assesses the application of its policy for
determining the amount of the fines in view of the circumstances of the specific case, not until
disproportionate outcome.
190
235. The AP is of the opinion that (the amount of) both fines is proportional. In this judgment, the AP has
otherthe seriousness of the infringements and the extent to which they can be blamed on the Ministry of Foreign Affairs.
Due to the nature of the data, the duration of the violations, the fact that the violations
have not yet ended and the risks involved and run, the AP qualifies the relevant
violationsoftheGDPR.serious.With regard tothelevelofthefinefortheviolationforthe
information provision to those involved, the AP has already motivated in paragraph 3.4 why the
determined fine and its judgment is proportionate.
236. In view of the foregoing, the AP sees no reason for the amount of both fines on the basis of the
proportionalityandendFinancepolicy rulesmentionedcircumstances,ifapplicableinthe
present case, further increase or decrease.
3.6Conclusion
237. The AP sets the total fine at €565,000.
1See also paragraph 3.3 and 3.4 for the justification.
56/64, Date Unidentified
February 24,2022 [CONFIDENTIAL]
4. Compulsory charge
238. Now it concerns a continuous violation of article 32, paragraph 1, GDPR and article 13, paragraph 1, sub, GDPR
BZ should end these violations as soon as possible.
article58, paragraph2, preamble, AVGjo.article16, paragraph1,UAVGenarticle5:32,lid1,Awbaande
Minister also a burden order sum.
239. The AP instructed the Minister of Foreign Affairs in the context of handling applications from
Schengen visa:
1. to end the violation of article 32, paragraph 1, GDPR by appropriate technical and organizational
to take measures to ensure a security level appropriate to the risk.
The Minister serves that purpose for the national information system for the purpose of treating
fromSchengen visas:
a. draw up an information security policy that also states how BZ this policy
will periodically review and adjust if necessary.
b. draw up emergency plans and protect equipment against disruptions in
utilities.
c.takesufficientguaranteeforphysicalsecuritywhenworkinginthisnational
system in public areas.
d.defining how BZ ensures the regular checks on access rights to this system.
This also means that access rights should be checked and checked regularly
be adjusted without delay when a check shows that an employee is wrongly
authorized to have access to personal data.
e.ensure that it is possible to check and determine which data when, by
who have been processed for what purpose.
f.recordinghowBZloggingandregularcheckonthisinthissystem
This also means that BZ should check log files regularly.
It is up to the Minister, as controller, to ensure the exact completion of
to determine the above remedial measures.
2. to end the violation of article 13, paragraph 1, subparagraph e, GDPR.
The Minister should achieve this through information about the recipients or categories of
recipients of the data of data subjects (when obtaining the
personal data).
57/64, Date Unidentified
February 24,2022 [CONFIDENTIAL]
Beneficiary terms and level of coercion with regard to part 1
240. The AP connects to part 1 of the ass a stone beneficiaries term that ends at 24 October 2022.
241. If the Minister for Foreign Affairs does not charge before the end of this beneficiary period
complies, he forfeits your coercion. The AP fixes the amount of this coercion at an amount of
€50,000 for every two weeks after the end of the last day of the term set by which the minister
van Foreign Affairs fails to comply with part 1 of the burden, up to a maximum of
€500,000.
Beneficiary terms and level of coercion with regard to part 2
242. With regard to part 2 of this burden, the AP is of the opinion that with its implementation less
efforts are involved. The AP therefore connects to part 2 a beneficiary period that ends
March 24,2022.
243. If the Minister for Foreign Affairs does not charge before the end of this beneficiary period
complies, he forfeits your coercion. The AP fixes the amount of this coercion at an amount of
€10,000 for each (whole) week, after the expiry of the last day of the stipulated period, on which the
Minister of Foreign Affairs fails to comply with part 2 of the burden, up to a maximum of
€300,000.
244. In the judgment of the AP, the above amounts are for both parts of the burden
in reasonable proportion to the gravity of the interests violated by the violations, namely the
protection of (special) data and transparency about processing to
In addition, the AP considers the amounts to be sufficiently high to move the BZ into action
to end.
245. The above measures are in BZ's power to take the time limit for these measures
considering the AP realistic. In doing so, the AP took into account that a large part of the
measuresthatBZmusttakewithpart1primarilyincludesthedraftingdocumentation.Andfor
with regard to part 2, BZ only needs to adjust the information provision on a small part.
Follow-up
246. If BZ wanted to forfeit the penalty payments immediately after the beneficiary's term
prevent, the DPSZ considers the documents–with which the BZ can demonstrate that it complies
aandeburden–on time, but within a week before the end of the beneficiary term at the APter
send assessment.
247. Finally, the AP regularly informs the Ministry of Foreign Affairs on the basis of a concrete planning
inform the AP about the progress of the measures it is taking to comply with part 1
of the imposed load.
58/64,Date Unidentified
24 February 2022 [CONFIDENTIAL]
5.Dictum
TheAP has come to the conclusion that the Minister of Foreign Affairs, as
controller in the process of issuance of Schengen visas, data subjects
insufficientinformedandsecurityoftheprocessingofdatainsufficient
guarantees. In view of the fact that the Minister of Foreign Affairs very much (sensitive) data
processed from hundreds of thousands of data subjects and violations still continue after 3.5 years,
the AP qualifies the relevant infringements of the AVG as serious.
That is why the AP opens an administrative fine to the Minister of Foreign Affairs in addition
a foreclosure order.
- The AP explains to the Minister of Foreign Affairs for violation of article 32, paragraph 1, AVG
and article 13, subsection 1 below, AV No administrative fines, an amount of: € 565,000 (in words:
five hundred and sixty-five thousand euros).1
- The AP ordered the Minister of Foreign Affairs in the context of processing applications
fromSchengen visas:
1.take appropriate technical and organizational measures for a risk-adjusted
to ensure a security level and thus to prevent the violation of article 32, paragraph 1, GDPR
end;and
2. information about the recipients or categories of recipients of the data to
data subjects (when obtaining the personal data) and thereby
violation of article 13, paragraph 1, subparagraph, GDPR.
IftheMinisterofForeign Affairsforpart1notbefore24October2022tothe
If the order is complied with, he forfeits your coercion. The AP fixes the amount of this coercion at an amount of
€50,000 (in words: fifty thousand euros) for every two weeks after the last day of the
term within which the Minister of Foreign Affairs fails to comply with part 1 of the order, until
maximum of €500,000 (in words: five hundred thousand euros).
If the Minister for Foreign Affairs with regard to part 2 not before 24 March 2022 at the
If the order is complied with, he forfeits your coercion. The AP fixes the amount of this coercion at an amount of
€10,000 (in words: ten thousand euros) for each (entire) week, at the end of the last day of the
term, by which the Minister of Foreign Affairs fails to comply with part 2 of the order, until
maximum of €300,000 (in words: three hundred thousand euros).
19The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB).
article 4: 87, first paragraph, Awb to be paid within six weeks. For information and/or instructions about the payment can contact
be recorded with the aforementioned contact person at the AP.
59/64,Date Unidentified
24 February 2022 [CONFIDENTIAL]
Yours faithfully,
AuthorityPersonal Data,
w.g.
ir.M.J.Verdier
Vice President
Remedies Clause
If you do not agree with this decision, you can within six weeks of the date of shipment of the
decide to submit an objection digitally or on paper to the Data Protection Authority. In accordance with
Article 38 of the UAVG suspends the submission of an objection to the effect of the decision
imposition of the administrative fine. Filing an objection suspends the effect of the charge
under duress not opposing this decision. For submitting a digital objection, see
www.autoriteitpersoonsgegevens.nl,onderhetkopjeBezwaarmakentegeneenbesluit,bottom
page under the heading Contact with the Data Authority. The address for submission on paper
is: Authority for Personal Data, PO Box93374, 2509AJDenHaag. Mentioned on the envelope 'Awb-objection'
and put 'objection' in the title of your letter. In your letter of objection, write at least:
- your name and address;
- the date of your notice of objection;
- the reference (case number) mentioned in this letter; or attach a copy of this decision;
- the reason(s) why you do not agree with this decision;
-your signature.
60/64,Date Unidentified
24 February 2022 [CONFIDENTIAL]
ATTACHMENT 1
The following legislation forms the basis of the legal framework for the present Decree:
The General Data Protection Regulation (GDPR) determines the overall general legal framework
for the processing of personal data, and the supervision of the AP.
The Regulation on the Visa Information System (VIS) and the exchange between the
192
Member States of data in the field of short-stay visas (hereinafter: the VIS Regulation) gives
the specific frameworks regarding the European Visa Information System that the member states
use for mutual cooperation in the issuance of visas.This Regulation regulates
including which authorities are responsible for data processing via the VIS
VIS Regulation prescribes for which data of persons involved who obtain a visa for the
Schengen area applications must be included in the (national)
visa information system.193
The VIS Regulation further describes, among other things, the objectives of the functions of VIS and sets requirements for
194
the parties responsible for using the VIS. This includes
safeguards in the field of integrity, confidentiality of the visa information. 195
The Regulation establishing a Common Visa Code (hereinafter: Visa Code) 196
outline the general framework which Member States must comply with in the context of the application and
issuanceofvisa.9Thisframeworkdeterminesamongotherwhichdatamustbeprocessedforthe
applying for and issuing a visa for the Schengen areas various preconditions
value Member States must comply with this process.
The AP has thereby assessed the following provisions:
Explanation
The AVG contains the general legal framework for the processing of personal data
relevant standards from the AVG are:
Definitions
Article 4GDPR defines a number of basic concepts from data protection law that are used in this decision
have been applied. Specifically the notion “personal data198”, the processing of
personal data, the controller and the processor.
19Location:https://eur-lex.europa.eu/legal-content/NL/TXT/?uri=celex%3A32008R0767
19See Article 9 of the VIS Regulation
19See, for example, Articles1and47VISRegulation
19See, for example, Articles1and28VISRegulation
19Location:https://eur-lex.europa.eu/legal-content/NL/ALL/?uri=CELEX%3A32009R0810
19Article 1Visa Code: This Regulation establishes the procedures and conditions for the issuance of visas for transit through the
territory of the Member States or an intended stay in the territory of the Member States for a maximum of three months within a period
ofsix months.
19Article4,part1,2,7and8.
61/64,Date Unidentified
24 February 2022 [CONFIDENTIAL]
Principles
Article 5 GDPR describes a number of basic principles that must generally be met in order to
process personal data in accordance with the Regulation. In particular the principles
transparency, integrity, confidentiality play a role in this case. These principles from article 5 paragraph 1,
bottom and bottom f, of the AVG, are further elaborated by the more specific provisions in the AVG, in the
context of this Decree, in the specific legal framework with regard to
visa information systems.
Processing security
Article32AVGwrites-briefly-before the controller and the processor
must take appropriate technical and organizational measures in order to match the risk
to ensure the level of security. The general standards regarding the securing of
personal data in article 32 GDPR means that the controller, taking into account
with the state of the art, the implementation costs, as well as with the nature, scope, context and
processing purposes and in terms of probabilities and serious risks to the rights and
freedomsofpersons,shouldtakeappropriatetechnicalandorganizationalmeasuresonthe
risk-adjusted security level.
The term 'appropriate' also indicates a proportionality between security measures and the nature of
the data to protect. The more sensitive data is, or the context in which it
are used, mean a greater threat to privacy, become more serious
requirements for the security of this data. 199
To further determine which security measures are appropriate in most sectors
more specific standards for information security. The master relevant security standards for the
governmentarecontainedinTheBaselineInformationsecurityGovernment(BIO). 200TheBIOiswhole
structured according to NEN-ISO/IEC27001:2017, appendixAandNEN-ISO/IEC27002:2017.HetForum
Standardization has included these standards in the 'apply-or-explain' list of mandatory standards
for the public sector, according to the complyor explain principle. This means that the government
applied they are explicitly formulated reasons for not doing so.
The AP hereby notes that the Baseline information security government has been in effect since January 1, 2020.
are various baselines and standards from various public sectors united into an overarching standard
for the whole government. At the start of the investigation in 2019, the relevant security aspects were
further elaborated in the BaselineInformation SecurityNational Service (hereinafter: BIR).
based on the ISO27002 standards and valid until the end of 2019.
The APhasthestateofdataprocessingsecuritythroughthenational
visa information system also specifically tested against article 32, paragraph 2, VIS Regulation. This article looks at the
taking security measures, including a security plan. These provisions from the VIS
19Authority of Personal Data: Policy Rules for the Security of Personal Data, February 2013, page 10 and Parliamentary Papers II1997-1998, 25892,
2003, p.99.
For the government, the Baseline Information Security Government (BIO) is the leading standard, in this case its predecessor is also the
ISO27000 standards in the field of information security. and the research up to the end of 2019. Both standards are based on the
62/64,Date Unidentified
February 24,2022 [CONFIDENTIAL]
Regulation is a lex specialist, of what is described in Article 32AVG as 'appropriate'
measures'.
The AP has considered the scope of this decision on the following aspects of this article
tested:
- Article32,paragraph2,VISRegulationwritefirstbeforeasecurityplanmustbeto
the confidentiality and integrity of data processing through NVISte
guarantee.
- Member States must take measures to protect data physically, including
drawing up emergency plans for the protection of critical infrastructure, according to article 32 paragraph 2
suba,VISRegulation.
- According to article 32, paragraph 2, under f, VIS Regulation, Member States must take measures to
ensure that those who are authorized to consult the VI only have access
to the data to which their access authorization relates, and only with
personal and unique user identities and secret access procedures (control of the
access to the data) This means that an appropriate authorization policy must be in place for the
access to NVIS and that the roles assigned in that framework must be managed.
- To monitor in the organization which persons can qualify for authorizations
for the use of NVIS, article 32, paragraph 2, subject, VISOrdinanceasadditionalguarantee
that all authorities with right of access to the VIS draw up personnel profiles in which the tasks
and responsibilities are described of the persons authorized to transfer data in
to view, record, update, delete, and search. These profiles must be
can be made available to the AP without delay upon request.
- Article 32, paragraph 2, sub i, VIS Regulation prescribes that each Member State with regard to
its national system, adopts the necessary measures to ensure that it is possible to
to check and determine which data are in the VIS, when, by whom and for what purpose
processed. That means BZ must keep log files.
- In article32, paragraph 2, subparagraph, VIS Regulation it is determined that the efficiency of the
security measures is checked and related to this internal control the
necessaryorganizationalmeasuresaretakentoensurethattheregulations
of this Regulation are complied with (checking the log files).
security regulations of article 32 AVG.
Integrity in the processing of visa information
Article 28(5) VIS Regulation prescribes that personnel who want to process data that are in the VIS
stored,received the same trainingontherulesofdatasecurityand
protection.Only after receiving this training, can personnel be authorized to enter the VIS
to process stored data. This article can be seen as a concrete elaboration of the
principle of integrity, which is laid down in article 5 paragraph 1, sub f, GDPR. Based on this principle, a
controllerorganizationalguaranteesimplementandensureintegrity
and confidentiality of data processing.
Providing information to the person concerned
Being transparent about data processing is, as mentioned above, one of the general
principles for proper data processing. Informing the data subject about a
63/64,Date Unidentified
24 February 2022 [CONFIDENTIAL]
data processing contributes to transparency. In this context, article 13 AVG and in particular article 37
VISRegulationrelevant.Article 37VISRegulation is a specialization of what is
laid down in article 13 AVG. The AP has checked whether at the start of the procedure for applying for
aSchengen visa is satisfied with the obligation to provide adequate information about it to the
person who is applying for a visa.
This produces the following picture of relevant norms, arranged from general to specific for the
visa process.
Figure 1: Schematic representation of the legal framework:
General Special
Confidentialities and Data Security Security Plan: BIO Version 1.0.4, Part2, Chapter 5
integrity of NVIS: Art32lid2 preambleVISVo (p.27):
data processing Art.32lid2VISVo standardssubsection 5.1.
Art5lid1(f)AVG
Art24AVG
Art.32AVG
Physical Security: BIOversion1.0.4,part2,chapter
Art32lid2subaVISVo 11(p.43):
standardssubsection 11.1and
11.2.
Access rightsand BIOversion1.0.4,part2,chapter9
personnel profiles (p.37):
Art6lid1VISVo standardssubsection9.2.
Art32lid2subfenkjo
VISVo
ArtArt32lid2subgVIS
fo.
Logging(internal BIOversion1.0.4,part2,chapter
control): 12(p.50):
Art32lid2 subf, ienk standards subsection 12.4.
VISVo.
Security Incidents BIO version 1.0.4, part2, chapter
(internal control): 16(p.63):
Art32lid2subc,think standardsundersection16.1.
VISVo.
Art.5lid1(f)(guarantee Training staff
intheorganizationon regarding
area of data protection integrity:
confidentiality) Art28lid5VisVo
Art38lid3Visa code.
Information to Upright Information:
data subjects Art.37VISVo.
Art.5lid1(a)GDPR
Art.13AVG
64/64
