AP (The Netherlands) - 31.05.2021
AP (The Netherlands) - n/a | |
---|---|
Authority: | AP (The Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 32 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 31.05.2021 |
Published: | 07.07.2021 |
Fine: | n/a |
Parties: | Uitvoeringsinstituut Werknemersverzekeringen (UWV) |
National Case Number/Name: | n/a |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | Autoriteit Persoonsgegevens (in NL) |
Initial Contributor: | n/a |
The Dutch DPA fined an administrative agency responsible for providing employment benefits €450,000 for failing to adequately secure personal data, including special categories of data, in messages that were erroneously sent to the wrong recipients on its website. Although the agency took certain organisational measures to secure user data, technical measures were only implemented after nine data security breaches affecting 15,000 individuals.
English Summary
Facts
The Employee Insurance Agency ('Uitvoeringsinstituut Werknemersverzekeringen', or 'UWV') is an independent administrative body, established under Article 2 of the Work and Income Implementation Structure Act (‘Wet structurur uitvoeringsorganisatie werk en inkomen’, ‘SUWI’). Individuals wishing to apply for employment benefits must register with the UWV as jobseekers. Every jobseeker has a personal environment on a section of the UWV website titled My Work Folder (‘Mijn Werkmap’).
Between August 2016 and the end of 2018, the sending of group messages in the ‘My Work Folder’ environment was not properly secured by UWV. As a result, files containing various personal data of job seekers ended up with the wrong recipients, namely in the My Work Folder environment of other job seekers. The personal data included: addresses, details about education, nationality, citizen service numbers, information about physical limitations, psychological and physical work ability, and whether people were too ill to work. The AP initiated an investigation after nine such data leaks had occurred at UWV, impacting more than 15,000 individuals.
Holding
The AP held that UWV had vailed to take appropriate technical and organizational measures to ensure a risk-appropriate level of protection for the processing of personal data in the My Work Folder environment, in violation of Articles 32(1) and (2) GDPR.
In particular, it considered that: the UWV had failed to sufficiently mapped out the risks involved in the processing personal data of jobseekers in advance; rather than taking organizational measures (for example, UWV had sent messages urging employees not to send attachments with group messages in the My Work Folder environment) the UWV should have implemented technical measures earlier (it was not until the end of 2018 that UWV took technical measures to prevent similar data leaks); and, the UWV insufficiently checked and evaluated its own security measures.
The AP emphasised that under Article 32(1) and (2) GDPR, the more ‘sensitive’ data are, the greater threat the data poses to individual privacy, and the greater the demand for security. Si nce the data leaked by UWV included special category health data, the consequences of a security incident relating to the personal data may be very serious for a wide group of individuals, and may relate to, for example, stigmatization or exclusion. The data leaked also included social security numbers, which can be used to link various data files on individuals and therefore pose a higher threat to privacy.
The UWV may still appeal the AP’s decision.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
AuthorityPersonal Data PO Box93374,2509AJ The HagueJ Bezuidenhoutseweg30,2594AV The Hague T0708888500-F0708888501 authority data.nl Confidential/Registered UWV Board of Directors Attn. Mr.M.R.P.M.Camps PO Box58285 1040HG AMSTERDAM Date Unidentified May 31, 2021 [CONFIDENTIAL] Contact [CONFIDENTIAL] Topic Decisiontoimposeafine Dear Camps, The Data Protection Authority (AP) has decided to join the Implementing Institute employee insurances (UWV) to impose an administrative fine of €450,000.UWV has insufficientarisk-adjustedsecuritylevelguaranteedandguaranteedwithin the framework of sending group messages via the MyWorkbook environment acted with article 13 of the Data Protection Act and article 32, first stone, second paragraph, of the General Data Protection Regulation. The AP explains the decision in more detail. Chapter 1 concerns an introduction chapter 2 contains the facts. TheAPassessesinchapter3oferrespectofprocessingpersonaldata,the controller of the violation. Chapter 4 discusses the (height of) administrative fine elaborated and chapter 5 contains the operative part and the remedies clause. 1Date Unidentified May 31, 2021 [CONFIDENTIAL] 1 Introduction 1.1Government body concerned This decision relates to the Employee Insurance Agency Implementing Institute (hereinafter: UWV). august2016 nine data leaks have occurred at UWV that were similar in nature data leaks all happened when sending a group message to a group of job seekers. In doing so, a wrong (Excel) file with a multitude of sensitive and special personal data of a varying number of job seekers sent with them, such as in the 'My Work Folder'- environment of job seekers. The number of job seekers whose data between 2016and 2018 were leaked, ran from 10 to 11,062 persons per data leak. Because in a period of two years, nine similar data leaks had occurred despite that UWV had indicated that it had taken measures, it was suspected that UWV did not have an appropriate technical and organizational measures (as required by law) to be appropriate to achieve a level of security that could prevent new similar data breaches. That is why the AP has started an official investigation. This decision covers the period from 2012 to enwith2018. 1.2Process flow On 4 September 2018, an AP supervisor contacted the op by telephone data protection officer (hereafter: DPO) of UWV.Supervisors of the AP then have requested information several times from UWV on which UWV has supplied this information. UWV also has Further documents sent to the AP on its own initiative. On 31 October 2019, your WV was asked to respond to the facts as known to the AP until then. On 14 and 18 November 2019, UWV responded to that request. By letter of 11 March 2021, the AP sent to YOURVWanintentiontoenforcement.AlsowiththisletterbytheAPinthe given the opportunity, the UWV on April 8 and 19 gave an opinion on this intention in writing and the underlying findings report. 2/41Date Unidentified May 31, 2021 [CONFIDENTIAL] 2.Facts 2.1TasksUWVandcommunicationwithjobseekers YOURVissetupon the basis of article2, first paragraph, of theLaw structure implementing organization works 1 2 income(SUWI).UWVis an independent administrative body with its own legal personality. Within UWV, the WORK company division is engaged in job placement and reintegration they map supply and demand through supply and demand. The WORK company focuses primarily on job searches with a great distance from the labor markets to employers who are willing to hire these job seekers. Persons who wish to apply for a benefit under the Unemployment Insurance Act must register with UWV register as a job seeker. 3 Werk.nlisawebsiteofUWV.Since 2007,everyjobseekerandopwerk.nlhaspersonal 4 environment that helps him/her in the job search: MyWorkbook. Ifajobseekerandone benefits, you can do this via My Work Folder among other changes, tasks and job application activities 5 pass on and exchange messages with attachments with UWV. UWV can use group messages if you send the same message to several job seekers must send. These UWV messages come in the My Workbook environment of job seekers justly. 2.2Source systemwith saved data jobseekers:Sonar Sonaristhe main source system that the WORK companies and municipalities use for job seekers 6 to work mediation by linking job seekers to vacancies at employers. The system contains data from the end of 2016 to 2018 on an average of 4,500,000 persons, including job seekers, the sick and incapacitated for work. 7 Sonar contains 630 data fields containing all kinds of data about people. Not for everyone 8 person, all data fields are filled in. The data in Sonar include NAW, education (level), nationality, social security number, data about physical limitations, psychological and physical work ability and whether people feel sick or are too sick to work. 1 2See, among other things, article 4 paragraph 1 SUWI and the ZBO register of the Dutch central government. See article 2 paragraph 2 SUWI and article 4 paragraph 1 SUWI and the zbo register of the Dutch central government. 3See article 26, paragraph 1, sub, dene, Unemployment Insurance Act. 4See, among other things, file document98 (Reply by UWV, file "Additional questions AP2110", p.1). 5See, among other things, file piece120 (Pageswebsitewerk.nl'Manual:Using Workbook'). 6See, among other things, file document6(PresentationProgrammeraadaboutUWVapplications,p.2,3,6and11). 7See file document38 (Excel file, answer to question6 in the case of data leak1) and file document98 (Reply by UWV, file "Additional questionsAP2110",p.1). 8 See file 38 (Excel file, answer to question 6 in the event of a data leak1) and file 81 (Reply by UWV, appendix 1 (file "AnswerquestionsAPAugust2019",answerquestion9)andattachment4(file"Question9-attachment")). 3/41Date Unidentified May 31, 2021 [CONFIDENTIAL] this data could be the state of mind or perception of the job seeker, who is herself an online has completed the questionnaire. 9 Sonar has about 15,000 users. Half of the total accounts are from WORK companiesbedrijf municipalitiesandotherhalfisofotherdivisionswithinUWV.Allusershavetheoption createandsavesearches.Usershavebasedonfunctionandassociatedtasks access to this data. 10 2.3Group Messaging On 16 July 2012, the management of the WERKbedrijf, after data leaks via e-mail, group messaging functionality in Sonar required for sending group messages to several job seekers at the same time. This decision was also decided together with the QuickReference Card “send group sonar mail to workbook” into the executive's attention to bring employees of UWV. AQuickReferenceCardisbyUWVwithintheWORKcompany used to record procedures and communicate the direction of UWV employees of these procedures. Certain actions are required to send a group message or an invitation to a selection via Sona 13 send job seekers. First of all, an employee of UWV selects a certain group personsinSonarrequeststypesofdataabouttheminSonar.Thentheemployeeexports fromUWVthissetwithdataofspecificpersonsfromSonarensavethewineexporteddata Then this data is converted into an Excel/csv file. There is no limit on the number persons whose data can be exported. In addition, the files are not protected, because according to UWV this would complicate implementation. Then this file is used as a base 15 to determine the recipients of the group message. The group message is sent after the UWV then to the recipients in the MyWorkbook environment.Thisprocessfordistribution ofagroupmessagedescribesUWValdusintheQuickReferenceCard“SonarSendgroupmessages from Sonar to the workbook” (hereinafter: QRC group messages). 16 9See file document38 (Excel file, answer to question 2 for data leaks 1 to 7) and file document 81 (Reply by UWV, appendix1 (file"Question AnswerAPAugust2019",answertoquestion3) and attachment2(file"Question3 Attachment")). 10 See, among other things, file document81 (Reply by UWV, appendix 1 (file "Answering questionsAPAugust 2019", answer to question 10)). 1See, among other things, file document98(Reply by UWV, file"Additional questionsAP2110",p.3andappendix6(file"29-12 action items listDT",p.3subpoint4)). 12See file document98(ReplybyUWV,file"Additional questionsAP2110",p.2andappendix4(file"28BV06Trailer banOutlookgroup messages0406212")andattachment5(file"28BV06Decisiondocumentforbidusegroupmailvia 13tlook")). See file document 66 (Reply by UWV, p.3). 14See file document38 (Excel file, under “Short description” with regard to all data leaks) and file document81 (Reply by UWV, attachment1(file"Answer questionsAPAugust2019",answer question11)). 15See file document81 (Reply by UWV, appendix 1 (file "Answering questionsAPAugust 2019", answer question11)). 16SeeDocument Document38(Excel File,Appendix29(File"MicrosoftWord97-1003Document"withexplanationforanswertoquestion13 with data leak6 and 7)), file document 91 (Reply by UWV, appendices 1 to 4). 4/41Date Unidentified May 31, 2021 [CONFIDENTIAL] According to YOURViser, when sending a group message, there is a limitation on the number of persons to 17 whom the message can be sent. Since mid-2013 to the present, this number is limited to 100 every prevent technical problems in Sonarte, thereby improving its performance and stability 18 messaging is smoother. All used versions of the QRC group messages state that if a UWV employee nevertheless wants to approach more than 100 people via the My Work Folder environment, this at the FunctionalManagementcanberequested.FunctionalManagementcanthemaximumverytemporarily increase to a larger number of persons. Furthermore, the QRC group messages state that attachments can be are sent along with group messages via Sonar, but it is preferable not to do so. 20 In the period from January 2016 to September 2018, according to YOURVintotal61,214 group messages sent via the My Workbook environment, with an average of 215 recipients personspergroup message. 21 2.4Data leaks related to the group messages In total, nine data leaks have occurred since the beginning of 2016 related to the personal 22 23 environment of job seekers: MyWorkbook. UWV has reported eight of these data leaks to the AP. Before January 1, 2016 there is no obligation to report data leaks to the AP. With these data leaks, when creating the group message, the Excel file with the export from . is always Sonar added. This resulted in this export file (instead of a message that had been sent should be like for example a vacancy text) in the MyWorkbook environment of job seekers rightly so.So itcouldnotseesecurethefilewiththeindividualdataaboutall recipients of the message will reach all intended recipients. 24 The AP has shown in the table below the most important facts about the data leaks. 25 17See file document81 (Reply by UWV, appendix 1 (file "Answering questionsAPAugust 2019", answer question11)). 18See file document 91 (Reply by UWV, appendices 1 to 4). 19See file document91 (Reply by UWV, appendices 1 to 4). 20See file document 91 (Reply by UWV, appendices 1 to 4). 21 See file document 86 (Reply by UWV, appendix 1 (file “numbers_messages_ap”)) and file document 91 (Reply by UWV,appendix5(file"numbers_messages_ap")). 22See, among other things, file documents8 to 12 and 15 to 21 (data leak (continued) notifications to AP) and file documents38 (Excel file, reply to question6mball data leaks). 23 The ninth data breach has not been reported to the AP, because UWV does not consider it likely that this is a risk to the rights and freedoms of persons. See, among other things, file document 81 (Reply by UWV, appendix 1 (file "Answering questions AP August 2019"), answer question8)) and file 83 (answer by UWV, answer question8). 24See also file document 45 (Reply by UWV, appendix “Decision memorandum FG research”, p.2). 25Source of this data: see file record8,9,10,11,12,15,16,17,18,19,20,21,38,51,81,86and98. 5/41Date Unidentified May 31, 2021 [CONFIDENTIAL] Date data breach Number Number Type data stakeholders involved who whose message het datahaveopened leaked Surname, Citizen Service Number (BSN), last occupation, 1 22-8-2016 195 14 education level and row ID 2 14-9-2016 151 20 Surname, place of residence, date of birth, social security number, first WW day, date on which WW expired of some whether they are sick or at work, that they not being reachable by text message or not being digitally skilled 3 15-9-2016 135 26 BSN 4 22-9-2016 11062 26 Surname, zip code, city, e-mail address, BSN, age, gender, profession (sector), education (level), first unemployment benefit day and date when WW ends, or status of cvactive or expiration, number of daysWW on which job seekerhas right, row ID 5 21-2-2017 189 10 BSN, initials, surname, gender, e-mail email address, age, WERKbedrijf location, first WW day, total score on the online questionnaires a brief description of barriers to regarding finding work (such as psychologically or physical work ability), including for 73 data subjects health data. This one health data do not concern a disease or medical reports, but, for example, whether someone is too sick to work. The first WW- day it can be deduced that all 189 involved receive unemployment benefits (not the amount de thereof). 6 26-3-2018 10 7 Name, zip code, place of residence, education (level) and social security number 7 28-3-2018 90 12 Surname, zip code, place of residence, professional sector and BSN 6/41Date Unidentified May 31, 2021 [CONFIDENTIAL] 8 3-8-2018 2503 70 Surname, gender, date of birth, social security number, telephone number, level of education, last occupation, last employer, categories driver's license, oral and written skills Dutch, first, second and third professional sector, registration/mediation profession, available hours per week, hours still working, first WW day, maximum last day WW- benefit, age group based on first unemployment benefit day, indication, whether there is an exemption and the ID. 9 5/9/2018 996 9 Last name enrow ID 2.5 Policy within UWV WithinUWV, in any case 2016, policy was drawn up to address risks in the processing of to detect and deal with personal data early on the basis of a careful risk assessment, where risks are neutralized or explicitly accepted by a director UWV to register the (outcomes of) risk assessments based on the policy. 26 Also, within YOUR VIN, at least from 2016 to 2020, a policy had been drawn up for technical and implement organizational security measures in a risk-driven manner and setzet check, evaluate and adapt. 27 2.6PracticewithinUWV 2.6.1Weighing the risks in practice The AP has asked UWV several times whether and if so what risk analyzes have been carried out in order to 28 protect personal data when sending group messages. HowandwhichrisksUWV has weighed precisely, partly in response to the data leaks that have occurred, to determine whether personal data when sending group messages via the My Work Folder environment sufficient than UWV did not mention being sufficiently secured. 29 YOURV turns out not to be clear in its answers, even sometimes to give a contradictory image about it (periodically) performing risk analyzes with regard to the security of personal data at the sending group messages via the My Work Folder environment. UWV has stated in any case that it 26See appendix 1 page 25 for the exact parts from the policy documents of the UWV. 2See appendix 1 page 25 for the exact parts from the policy documents of the UWV. 28See, among other things, file document27 (Letter to UWV, p.4-5) and file document69 (Letter to UWV, question 12) and file document 93 (E-mail to UWV). 29See, among other things, file document38 (Excel file, reply to 11 under data leak1 to 4) and file document81 (Reply by UWV, appendix1 (file"Answering questionsAPAugust2019",answertoquestion12)) and file 98(answer by UWV, file "Additional questionsAP2110",p.2). 7/41Date Unidentified May 31, 2021 [CONFIDENTIAL] did not perform a risk analysis prior to the 2012 decision to go into group messaging send via the My Work Folder environment. UWV has stated several times that from 2016 to and with the latest data leak in 2018 in the context of data security during transmission ofgroupmessagesthroughtheMyWorkbookenvironmenthasperformedrisk assessments answersfromYOURVandsubmissionsisnotshowedhowtheseriskconsiderationsare made and which risks have been weighed up at any open moment in that period. UWV has also risks not regularly weighed up. 30 2.6.2Measures, checks and adjustments in practice YOURSendofdataleaknotificationstotheAPofthesecondandthirddataleaktheyareinvestigating 31 was whether technical measures are possible to prevent these data leaks. Inthenotificationofthe fourth data leak at the AP gave YOU to investigate whether it was possible to place “such” 32 files” in the MyWorkbook environment. UWsetsenddataleaknotificationstotheAP of the third and fourth dates leaked at the end of September 2016 that the employee who made the mistake this was addressed by management and that awareness was being looked into. 33 After the first four data leaks in 2016, UWV decided to take organizational measures. 34 On 28 September 2016, UW first decided to take temporary organizational measures. And however UWV has stated that these temporary measures still apply, as a result of a decision of the District manager consultation (DMO) of UWV that the temporary measures to be taken on 28 September 2016 it was decided, in October 2016, to be replaced by other organizational measures AP established that UWV has drawn up the “Guideline for safe communication at WORK company” and that it intend not to investigate the possibilities of taking technical measures by YOURViscarried out.In addition,theAPconcludedthattherecommended after October 20th 2016 organizational measure(s) prior to the fifth data leak has not been checked nor evaluated by UWV. 35 UWV subsequently decided after the fifth data breach (February 21, 2017) to further organizational measures with regard to the sending of group messages via the My Workbook environment, namely by increasing awareness in doing so. UWV did that through workshops and a few visits to districts.UWVthendecidednottotaketechnicalmeasures.Otherwise,thereafter20 october2016theorganizationalmeasure(s)inforcewith regardtothesendingof group messages via the My Work Folder environment also not before the sixth data breach by UWV 36 neither checked nor evaluated. The statement of UWV that these measures have been checked and evaluated, UWV has not substantiated with documentation. 30See appendix1, page 26 and 27 for the exact answers of the UWV. 3See file documents9 and 10 (Data breach notifications). 32See file documents11 and 12 (Data breach (continued) notifications). 3See File Document 10 (Data Breach Report) and File Documents 11 and 12 (Data Breach (Continued) Reports). 34 35See appendix 1 page 28 and 29 for the exact measures of the UWV. See appendix 1, pages 30 to 34 for the exact measures and statements of the UWV. 36See appendix 1, pages 33 to 35 for the exact measures and statements of the UWV. 8/41Date Unidentified May 31, 2021 [CONFIDENTIAL] After the seventh data breach (March 28, 2018), UWV decided on several organizational measures. However, your WORK company have not checked as such whether these measures are actually have been introduced. Apart from two measures, YOURVook has no documents or a further substantiation provided on the basis of which it can be established or the organizational measures are secured in documentation and when they are implemented. After the eighth data leak(3August 2018), UWVdecidedtointroduceatechnical measure, which is to block the possibility of adding, among other things, Excel fileswhensendinggroupmessagesviatheMyWorkbookenvironmentfordataleakageinthere This technical measure was implemented in December 2018, so far after the ninth data breach, by UWV implemented. The abovementioned facts cover the period from 2012 to 2018. This concludes the investigation of the AP only relates to this period. In its view, UWV still has the following declared over the period after 2018. UWV has stated that in the process for sending group messages in the My Work Folder- environment next to the technical measure, which has the specific risk of sending Excel lists removed, also actively used to raise extra awareness among (new) employees in the implementation who have frequent (digital) contact with job seekers for the performance of their tasks are nowwithin WORKcompanytheprocessdescriptionsandQuickReferenceCards(QRCs)annually evaluated and adjusted if necessary. Furthermore, at the end of 2018, the FG carried out a study on behalf of the Board of Directors of UWW following the eighth data, a report of findings appeared to be prepared. Specifictothe mitigating the risks of sending group messages in the MyWorkbook environment, it DPO investigationthatthetechnicalmeasurethatuploadsExcelfilestotheMyWorkbook- environment, is an effective measure to prevent this type of data leakage. Partly as a result of the FG investigation, UWVWERK company has continued to be assigned to KPMG given to conduct a broader investigation into the source system SONAR. This to determine value vulnerabilities and risks are located in a technical, process as well as organizational area, in which the already existing organizational and technical measures have also been evaluated (check- phase). In 2020, this research resulted in four advisory reports with 77 recommendations 39 advisory report privacy is largely disclosed by UWV. As a result of the advisory reports, the large-scale improvement project SONARIB&P was started in 2020, which aims to address the findings of the survey and the SONAR IB&P risk level reduce strength (act->plan->do-phases).UWVwillbeanextratechnicalmeasure 3See appendix 1, pages 35 to 41 for the exact measures and statements of the UWV. 3The 'Step-by-step plan Sharing Safe Personal Data'whatUWVcommunicatedtoemployees on May 1,2018.Tevenshad UWVexpandedtheQRCgroupmessageswiththepassageaboutcleaning(Excel)filesandthe4-eyesprinciple. 3See https://www.uwv.nl/overuwv/Images/bijlage-1-bij-besluit-wob- Request-research report-sonar-privacy.pdf. 9/41Date Unidentified May 31, 2021 [CONFIDENTIAL] implement the export functionality from SONAR for employees in the implementation, except for someenkel authorized employees will be closed. Seeing the recommendations from the KPMG research according to YOUR V Also to improve the risk management process, including the Plan-Do-Check-Act cycle (hereinafter: PDCA cycle). this improvement in risk management and the implementation of control measures will WORKcompanythegrowthinimplementingthePDCAcycle–and therebyensuring that appropriate technical and organizational measures have been taken and are being continued. 3.Legal Review 3.1Processing of personal data As of May 25, 2018, the General Data Protection Regulation (GDPR) will apply. Given the facts in this investigation took place between 2012 and 2018, the AP will both personal data (Wbp) as the AVG keys. The concept of personal data is defined in article 1, sub, of the Wb and article 4, part 1, of the AVG.Inarticle 16 of the Wbp, data about health are considered special personal datamarked.TheGDPRmarkedinarticle9dataabouthealthas well as special data. Personal data within the meaning of the Wb and AVG are all information about an identified or identifiable natural person.Sonar contains data about natural persons such as names, addresses, the SSN and other information. This information allows the Sonar registered natural persons, among which job seekers are identified directly or indirectly.Sonar contains so personal data within the meaning of article 1, under a, of the Wb and article 4, part 1, of the AVG. Sonar also includes data on physical limitations and the mental and physical workabilityofpersons.Also statesinSonarofpersonsfeelingsicktowork.On under article 16 of the Wb and article 4, part 15, of the AVG, this is data about the health. From the above it follows that UWVwhen sending group messages via the MyWorkbook environment personal data, including the BSN and health data, processed within the meaning of the Wbpen the AVG. 4 On that date, pursuant to article 51 of the UAVG, the Personal Data Protection Act (Wbp) was withdrawn. 10/41Date Unidentified May 31, 2021 [CONFIDENTIAL] 3.2 Controller The term (controller) is defined in article 1, sub, of the Wb and article 4, part 7, of the AVG. In the case of independent administrative bodies at state level, the body charged with the duties and exercise of powers for which the data is processed, as a controller are notable. As stated in section 2.1, YOUR V is set under a law, namely the SUWI. U W V is a independent administrative body of the central government with its own legal personality. As above in the case of independent administrative bodies at state level, is the body charged with the tasks and exercise of powers for which the data is being processed, as responsible.UWVW has both legal and de facto control over the processing of data that are collected within the scope of group messaging through the workbook. Based on the above, the APUW marks Vaan as (controller) responsible as referred to in article 1, part, of the Wb and article 4, part 7, of the AVG for the processing of personal data in the context of sending group messages via the workbook. 3.3Securityofdataprocessing 3.3.1Legal framework From September 1, 2001 to May 25, 2018, the security of the processing of personal data, article 13 of the Wbp. The security obligation extends to all parts of the process of data processing. The term «appropriate» implies that the security in in accordance with the state of the art. This is firstly to no demand from professional ethics of persons in charge of information security. The standards of the sea ethics are applied in this provision of a legal capstone, in the sense that there is a legal obligation for the the responsible person is connected. The term «suitable» also indicates a proportionality between the security measures and the nature of the data to protect. For example, as the data have a more sensitive character, or the context in which they are used a greater threat to the privacy, strict requirements are placed on data security. The European Directive on the basis of which, among other things, Article 13 of the Wbp has been drafted under otherwith regard tothesecurityoftheprocessingofpersonaldata:“thatthe principles of protection (…) must be reflected in the obligations imposed on persons, public authorities, undertakings or other bodies that carry out the processing are imposed, and obligations that in particular relate to the quality of the data, the technical security, the registration with the supervisory authorities and the circumstances in which the processing may be carried out (…)”. It also includes with regard to the security of the processing of data: “that the protection of the rights and freedoms of data subjects in connection with the processing of personal data, both in design and in 41 See Directive 95/46/EC of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and with regard to the free movement of such data, recital 25. Underline of the AP. 11/41Date Unidentified May 31, 2021 [CONFIDENTIAL] in the execution of the processing requires appropriate technical measures, in particular to ensure safety guarantee and thus prevent any unauthorized processing;(…)”. 42 The Dutch DPA has in a case that concerned access to electronic medical records - with respect to of the taking of security measures in the context of article 13 of the Wbp is judged as follows: “A responsible person may only proceed to take purely organizational measures if he can demonstrate that it is not possible to take appropriate technical measures. This must be compensated for with additional 43 organizational measures and monitoring compliance with them”. In order to implement article 13 of the Wbp, the Dutch DPA has in 2013 guidelines with regard to security of the processing of personal data (hereinafter: Dutch DPA guidelines). When drafting the CBP guidelines have been sought to join the ISO27001. The guidelines set as necessary preconditions to ensure a continuous appropriate security level of processing of to obtain and guarantee personal data as required by law: “take measures based on risk analysis, security standards and applying and embedding in a plan-do-check-act cycle”. The CBP guidelines state about this PDCA cycle: ''After establishing the reliability requirements, the responsible measures with which he ensures that the reliability requirements are met. Then The person responsible checks whether the measures have actually been taken and have the desired effect. The total reliability requirements, measures and control are regularly evaluated and adjusted where necessary, so that a permanently appropriate level of security is achieved”.5 Like ISO27001, the CBP guidelines (as part of the PDCA cycle) also write before the controller takessecurity measures based on a risk analysis, whereby he identifies threats that could lead to a security incident, the consequences it securityincidentmayhaveandthechancethatthesuccessfollowsoccur.Wheninventoryand assessing the risks are relevant mainly to the consequences that those involved may experience from unlawful processing of their personal data. Depending on the nature of, these consequences may the processing and processing of the processed data, including stigmatization or 46 exclusion, harm to health or exposure to (identity) fraud. In the GDPR, Article 32 contains the requirements concerning the security of the processing of personal data The risk should be taken into account when determining appropriate measures privileges and freedoms of persons. 47 Recital 83oftheGDPRstatesaboutensuringthesecurityofprocessing personal data and assessment of the risks: “In order to ensure security and to prevent the 42See Directive 95/46/EC, Recital 46. Underlining the AP. 43See, among other things, caseZ2003-0145,p.3. 44 45See CBP Guidelines: Security of Personal Data, https://wetten.overheid.nl/BWBR0033572/2013-03-01. See CBP Guidelines: Security of Personal Data, https://wetten.overheid.nl/BWBR0033572/2013-03-01. 46See CBP Guidelines: Security of Personal Data, https://wetten.overheid.nl/BWBR0033572/2013-03-01. 47See also recital 75 of the GDPR. 12/41Date Unidentified May 31, 2021 [CONFIDENTIAL] processing infringes this Regulation, the controller or the processor shall processing to assess the inherent risks and take measures, such as encryption, to mitigate those risks. measures to ensure an appropriate level of security, including confidentiality, account taking into account the state of the techniques, the execution costs, the risks and the nature of the protection to be protected personal data. When assessing data security risks, attention should be paid to risks that occur in data processing, such as the destruction, loss, modification, unauthorized provision of or unauthorized access to the data transmitted, stored or otherwise processed, either by accident it is illegal, which in particular can lead to physical, material or immaterial damage.” Finally, in 2007 the Decree on information security government service (hereinafter: VIR) is in force become. In 2014, the Administrative Statement Information Security, UWV declares to go to the VIR 49 handle. With regard to the concepts used in the VIR, it is stated: “The concept framework of the Information Security Code (ISO17799:2005) is adopted in this regulation”. The PDCA cycle off 51 ISO17799:2005 has since been incorporated into ISO27001. This standard contains a number of steps that must be performed. The steps form a so-called Plan-Do-Check-Act cycle (hereafter: PDCA cycle) to respond to (ever-changing) threats in relation to the information. 52 Article 4 VIR identifies the responsibilities of line management notes to the VIRis about article 4 VIR includes the following: “Created deliberately to article 4 in to formulate terms of the Planning and Control cycle, in accordance with regular business operations. (…) Information security itself 53 takes place via the Deming quality circle (PDCA cycle)”. In the article-by-article explanation of the VIR is in addition, with regard to article 4: “For the effectuation of information security, we work through the PlanDo CheckActcycle(...).Afterdeterminingwhatisneeded(reliabilityrequirements),measuresaretaken checked whether these measures have the desired effect (control). This control can directly lead to adjustment in the measures. Also, the total of requirements, measures and control can be subject to revision (evaluation). 54 go through this quality circle and ensure the adequate level of security at all times”. 3.3.2Assessment From both article 13 of the Wb and article 32, first and second paragraph, of the GDPR it follows that the controller must take appropriate technical and organizational measures to security level of the processing of personal data appropriate to the risk guarantee/guarantee. These provisions are intended to guarantee the same (legal) interests and there is no (substantial) material change of the regulations on this point. To ensure a risk-adjusted level of security in the processing of personal data guarantee/guarantee, a controller should therefore analyze risk, appropriate 48Government Gazette28 June 2007, no.122. https://zoek.officielebekendmakingen.nl/stcrt-2007-122-p11-SC81084.html. 49Government Gazette2014,15447,https://zoek.officielebekendmakingen.nl/stcrt-2014-15447.html. 50Government Gazette28 June 2007, no.122, p.12. 51ISO/IEC27001:2013chapters6t/m10. 52 53See, among others, ISO/IEC27001:2013,Chapters 6 to 10 and ISO/IEC27001:2017. Government Gazette28june2007, no.122,p.12. 54Government Gazette28 June 2007, no.122, p.15-16. 13/41Date Unidentified May 31, 2021 [CONFIDENTIAL] take measures and evaluate the move. These steps form the preconditions for a continuous ensure an appropriate level of security for the processing of personal data in line with the law, namely by embedding in a plan-do-check-act cycle (PDCA cycle). This cycle is in line with the procedure mentioned in article 32, first paragraph, of the GDPR, namely a procedure for periodically test, assess and evaluate the effectiveness of the technical and organizational measures to protect the processing. Also the VIR, where your WV is located has conformed, is based on ISO 27001 and writes a PDCA cycle. This general accepted security standard takes into account the AP in this case. The AP works the different steps of the PDCA cycle below. Weighing the risks for persons before determining measures Thestartingpointthatisperformedunderthesecureoftheprocessingof personal data is a weighing up of the risks of that processing. Based on this, it is determined what measures are necessary to counter these risks. It follows from the WB and the AVG explanation that when considering data security risks attention should be paid to risks that arise in the processing of personal data. Such as unauthorized disclosure of or unauthorized access to processed data and assessing the risks are relevant mainly to the consequences that persons may experience from a unlawful processing of personal data. The more sensitive the data is, or the context in which they are used a greater threat to privacypersoonlijk mean, stricter requirements are placed on the security of personal data. When sending group messages via the MyWorkbook environment, as stated in section 2.4, there have been several (accidental) unauthorized disclosures or unauthorized disclosures access of processed personal data of job seekers. UWV is therefore expected that they, to arrive at a security level appropriate to the risks, continuously inventory and assessesthatmayleadtoasecurityincident.UWVexistedfromatleast2016 policy to detect and tackle risks in the processing of data early on the basis of a careful risk assessment. The VIR also obliges UWV to carry out an explicit risk assessment determining appropriate security measures. As concluded in section 3.1 the AP, YOUR Vin Sonar processes a multitude of different personal data of a highly sensitive nature, including data about the health of persons andthe BSN.UWVprocessedat the end of the period from 2016 to 2018, data on an average of 4,500,000 persons. Jobseekers, the sick and incapacitated for work and who are legally obliged to register with UWMust provide therefor their personal data,must be able to rely on UWV properly weighs the risks that these persons run security incident with regard to the data that UWV processes may be serious for a large group of persons. Thus, it may not sufficiently secure the processing of these personal data lead to stigmatization or exclusion. Now UWVookthe BSNprocessingwhatinthe 14/41Date Unidentified May 31, 2021 [CONFIDENTIAL] practicesignificantly facilitateslinkingofdifferentfiles,moreexistingforpersons whose data in Sonar represents an additional risk of a threat to privacy. The policy of UWV contains measures, including an explicit risk assessment as part of a PDCA cycle. Contrary to this policy, it appears that UWVin their answers regarding the sendinggroupmessagesviatheMyWorkbookenvironmentprovidesacontroversialimageaboutthe performing such risk assessments with regard to the security of personal data. UWV has in any case stated that prior to the decision in 2012 to only send group messages sendviatheMyWorkbookenvironmentnoriskanalysishasbeenperformed.UWV thenasked thatfrom2016tothelastdataleakin2018underthesecurityof personal data when sending group messages via the My Work Folder environment has carried out risk assessments showed how UWV has made these risk assessments and what risks are involved at any time in that period have been weighed up and how they have considered the possible consequences for job seekers insofar as UWV is of the opinion that the proposed measures of October 2016 do represent a risk assessment contains, the AP notes that there is a balancing of risks in the sense of the (explanation of the) law It only contains a proposal for measures without further substantiation. It also shows this document does not indicate that risks to persons have been taken into account when proposing measures. Stronger yet, UWV only talks about risks that YOURV itself runs in its customer communication. organization such as UWV, which processes so many particularly sensitive data of so many people, and the consequences for them when sending group messages via the Myworkbook environment can be far-reaching, it does not or does not take sufficient account of the risks for job seekers extra careless when determining security measures. Based on the above, the AP concludes that UWV with regard to the impact of security measuresin the context of sending group messages via the MyWorkbook- environment the risks for job seekers, who, in view of the sensitivity of the data that UWV processes can be drastic, in any case in the period from 2012 to 2018 not/insufficiently mapped with this.UWVinsufficientlyhas a risk-adjusted level of security guaranteedandguaranteed. Taking technical and organizational measures Aftermappingandweighingtherisksforpersonsofdataprocessing the determined measures should then be implemented and carried out. Both article 13of the Wbp as article 32, first paragraph, of the GDPR, obliges the controller to the takingtechnicalandorganizationalmeasurestoprotecttheprocessingof to safeguard personal data. Paragraph 2.6 shows that UWV only has organizational measures until December 2018 implemented in the context of sending group messages via the My Workbook environment to theom to ensure the security of the processing of personal data. An example of a 55 See appendix1page30. 15/41Date Unidentified May 31, 2021 [CONFIDENTIAL] organizational measureisthemessagewhereemployeesarecalledpreferablyno Sending attachmentswithgroupmessagingthroughSonar.Themeasuresregardingarestrictiononthe number of job seekers to whom the message can be sent further, as YOURVook puts it, to avoid technical problems in Sonart that would improve its operation and stability themessaging traffic is smoother.Thisisnotforthesecurityoftheprocessingof personal data. This limitation only applies to the number of recipients of a message, but does not limit the number of job seekers whose data can be obtained by UVW In addition, the limitation to 100 recipients could be bypassed by a request to do so to dowithFunctionalManagement.Fiveoftheninedataleaksisthesamegroupmessagetomore than 100 job seekers sent simultaneously via the My Work Folder environment. UWV had decided on 20 October 2016 (after the fourth data breach) to conduct an investigation in the short term start to the possibility of taking technical measures, including the technical make it impossible to add Excel files to a workbook message.It then has until after the eighth date in September 2018 lasted before UWV subsequently decided to take a technical measure, namely blocking the possibility of adding, among others Excel files when sending group messages via the Myworkbook environment.However, it turns out UWV only in December 2018 (before the ninth date on September 5, 2018 and after the 2016 announced investigation into the introduction of technical measures) has proceeded to the three months earlier decision to actually carry out. Taking this technical measure is therefore possible. The data leaks do not seem urgent for UWV to initiate the research suggested in 2016U to the possibility of carrying out technical measures soon. By not (also) implementingatechnicalmeasurehasyourVinadequatelyadaptedtoarisk securitylevelguaranteedtherebyacceptedariskofdata leaks for more than two years with a lot of data concerning a large group of citizens. Checkingandadaptingmeasures Technical and organizational security measures should be based on both the Wb and the AVG to ensure a level of security appropriate to the risk.This is necessary in any case to check whether the measures have been implemented, correctly applied or carried out and what theeffectofthemeasuresisontheinitiallyidentifiedrisks.Basedonthischeckofthe measures are then determined whether the measures are still appropriately tailored to the risk security level or whether additional measures are required. WithinUWVmoneyfrominanycase2016to2020policytotakemeasures check and, if necessary, adjust as part of a PDCA cycle UWV does not have a generic policy in which it checks whether UWV central measures are in place implemented in practice by the responsible division(s) and that regional offices to some degree can give your own interpretation to central policy.UWV also reports about this that no formally protocolled procedure is within UWV, within which is 16/41Date Unidentified May 31, 2021 [CONFIDENTIAL] checked whether such agreed organizational and process measures are takenword implemented, because that would be impractical given the size of the organization and quantity decisions that UWV takes. YOU also indicate that it has not checked or measures decided upon as a result of data leaks have actually been introduced. UWV has also entered into force after 20 October 2016 being the organizational measure(s) prior to the fifth (2017) and sixth (2018) data breach checkednorevaluated.Finally,UWVhasnotshownthatithasopenmoment checked whether the organizational measures that were in place prior to the eighth data breach (2018) have been introduced.UWV has also not evaluated these organizational measures. As previously concluded, the consequences for job seekers are insufficiently secured sending of group messages through the workbook. Especially at an organization like UWV, which is so much sensitive and special personal data of so many persons are processed, it is necessary to check whether measures are actually (correctly) implemented evaluate the move and adjust it where necessary fit.JobseekersandotherswhoarelegallyobligatedregisterwithUWVTherefor must provide their data, must be able to rely on UWV measures checks, evaluates and adjusts if necessary. Based on the above, the AP concludes that UWV has implemented the security measures in the framework of the sending of group messages via the My Workbook environment does not have/insufficiently auditedandevaluated,makingUWVinadequatearisk-adjustedsecuritylevel hasguaranteedandguaranteed. 3.4Opinion of UWVenreactionAP In this paragraph, the AP briefly summarizes your view of UWV with the response of the AP. YOURV notice first stop that it regrets that it has not been sufficiently fulfilled different phases of the PDCA cycle. UW strongly supports the findings of the AP to improve this process. 3.4.1View on factual findings YOURFISH believes that the analysis of the eighth data leak shows that the eighth data appeared to be directly affected measures have been analyzed as well as evaluated by UWV, whereby measures are also proposed. The AP notes about this that UWV has indeed analyzed and evaluated the eighth data, but this analysis does not show that UWV is processing personal data in the context of sending ofgroupmessagesthroughtheMyWorkbookenvironmenthasevaluatedonitself.Theevaluationofa loosedata leakinsufficient fulfillment of a risk-adjusted security level with associated PDCA cycle. In addition, it cannot be deduced from the analysis that UWV has taken immediate action. The introduction of the technical measure has been discussed by UWV, but this measure has only been 17/41Date Unidentified May 31, 2021 [CONFIDENTIAL] introduced later. In addition, the AP considers it to evaluate measures that should have been introduced useless. YOURFleshnotbackinthefindingsthatitindicatedAugust2019thattheWORKcompanyanexternal would conduct research into the export functionality from Sonars to the sending of group messages via the work folder. The AP did not take your plan to have an external investigation carried out as a fact because this was only an intention of UWV yet. In addition, this intention does not refer to the period of the established violation. However, the AP did mention this investigation in paragraph 2.6 of the present decision. 3.4.2Viewpointonlegalframeworkandassessment The norm that a responsible person may only proceed to take purely organizational measures if he can demonstratethatitisnotpossibletotakeappropriatetechnicalmeasures,according toUWVissufficientlyfollowedfromthe CBP- 2013 security guidelines, a CBP case and the other sources cited in the report. The AP does not follow this view of UWV. First, the AP did not refer only to a CBP case, but also to the Directive 95/46/EC of 24 October 1995 on the protection of natural persons in connection with the processing of personal data and with regard to the free movement of those data, considerations 25 and 46. Secondly, both article 13 of the Wbp and article 32 of the AVG that the controller must take appropriate technical and organizational measures. Technical and organizational measures must be taken cumulatively. The standard in article 13 oftheWbpenarticle32oftheAVGisconsistentlyclear, according to theAP.UWVhasnomore argued that it was allowed to limit its impact solely by organizational measures, since it was not possible to take appropriate technical measures would also have been untenable, now that YOU will find in December 2018 just in the end and technical measure has been implemented. It is possible that not all measures were equally effective and may have been misjudged the conclusion cannot be drawn from YOURV that the implementation of appropriate measures. And from the single data that has been sitting for some time between the evaluation moments and the According to the UWV, on the basis of the findings, the introduction of the technical measure cannot be concluded that from the eighth date there has been no or insufficient completion of the implementation of appropriate measures, if as a result of insufficient risk management. The AP does not follow this view of UWV and motivates this as follows. The AP has assessed the whole whether UWV has a security level appropriate to the risk for the processing concerned guaranteedandguaranteed.ThatUWVhastakensomeorganizationalmeasuresdoesn't matter the determination that UWV has insufficient risk analyses, technical measures and checks As a result, as stated by YOUR Vook itself, the security measures are not effective 56 https://www.autoriteitpersoonsgegevens.nl/nl/nieuws/arbodienst-handelt-niet-slagen-met-wbp-%C2%A0 18/41Date Unidentified May 31, 2021 [CONFIDENTIAL] In addition, UWV did not come up with the recommendation until after the eighth data breach (August 3, 2018) to take technical measures, while in October 2016 it was already decided in the District Manager consultation that in the short term, the possibility of technical possibilities had to be explored In the intervening period of almost 2 years, UWVal thus failed to conduct this research. YOU further believe that an evaluation has taken place after the eighth date of the leak. above, UWV does not follow the duration of the detected violation. According to UWV, after the eighth data leakage is applied to an appropriate level of security. TheAPisevaluatedwithUWandthattheeighthdataleakhasbeenevaluated.However,thisevaluationcontainsonlyone data breach. The AP would like to emphasize again that UWV the measures taken are not in periodic has fully evaluated and has not sufficiently analyzed the risks in advance moreover, the investigation only took place from November 2018 and the technical measure was by UWVin introduced in december 2018. The AP therefore also does not follow the view that UWV from the eighth data breach (August 3, 2018)guaranteedandguaranteedarisk-adaptedsecuritylevel. In hindsight, with today's knowledge, according to UWV, the process has not been followed sufficiently and is insufficient documented.UWV notes here that the findings do not show that they have not been filled in at all at the different phases of the PDCA cycle or during the entire period from 2012 to the end of 2018. The AP agrees that the findings do not indicate that the different phases of the PDCA cycle, but notes that this has not been sufficiently specified. It appears from what YOUR Vwel has documented that only the jamming was taken into account of the systems of UWV where the risks for those involved were not mentioned. UWV has furthermore some organizational measures taken, but not the necessary (and technical) measures resulting in an insufficient level of security. 3.5 Conclusion The AP concludes that UWVinsufficientlyasecurityleveladjustedtotherisk guaranteed and guaranteed in the context of sending group messages via the My Workbook environment. As a result, there was a continuing violation where YOUFIND period from 2012 to May 24, 2018 has acted contrary to article 13 of the Wbp from 25 May 2018 to December 2018 has acted contrary to article 32, first stone, second paragraph, of the AVG. 19/41Date Unidentified May 31, 2021 [CONFIDENTIAL] 4.Penance 4.1 Introduction UWV has acted in conflict with article 13 of the Wb and article 32, first stone and second paragraph, of the AVG. For the established violation, the AP uses its power to fine your layfortheperiodfrom1january2016(startpenaltyauthorityAP)untilDecember2018.Consideringseverity of the violation and the extent to which it can be blamed on UWV, the AP considers the imposition of a fine. The AP motivates this in the following. Considering that in this case, there is a continuing violation that is subject to both the Wbp and the GDPR occurred, the AP has checked against the substantive law as it applied at the time when the behavior took place. In this case, both article 13 of the Wb and article 32, first stone, second paragraph, of the AVG. These provisions are intended to guarantee the same legal interests and there is no (material) material change of the regulations on this point. Given that the gravity of the infringement is at the time of the Wbp, the AP sees reason in this case to join the 'Penance policy rules' Dutch Data Protection Authority2016'. 4.2 Fine policy rules of the Dutch Data Protection Authority 2016 In this case, DeAPusesthe‘Finance Policy RulesAuthority of Personal Data2016’ (Fine Policy Rules) for the fulfillment of the power to impose an administrative fine, including determining 57 from the height of it. In the Fine policy rules, a category formats bandwidth has been chosen systematically. Violationofarticle13oftheWbpisingpartincategoryII.CategoryIIhasafinebandwidth between €120,000 and €500,000. Within the bandwidth, the AP sets a basic fine. As a starting point applies that the AP sets the basic fine at 33% of the bandwidth of the violation linked to fine category. In this case, the basic fine is set at €245,400. 4.3 Fine amount The amount of the fine adjusts the AP to the factors mentioned in article 6 of the Fine policy rules, by decreasing or increasing the base amount. It is about an assessment of the seriousness of the violation in the specific case, the extent to which the violation may affect the offender be blamed and, if there is reason to do so, other circumstances such as the (financial) circumstances in which the offender finds himself. 5Policies of the Data Authority of December 15, 2015, as last amended on July 6, 2016, with regard to the imposition of administrative fines (Finance Policy Rules of the Data Protection Authority 2016), Stcrt.2016,2043. 5Finance Policy Rules, p.10-11. 20/41Date Unidentified May 31, 2021 [CONFIDENTIAL] 4.3.1Seriousnessoftheviolation Any processing of personal data must be done properly and lawfully organizationswithprocessingdatainfringetheprivacyofcitizensitof it is very important that they apply a level of security appropriate to risk. When determining risk for the data subject include the nature of the personal data and scope of the processing important: these factors determine potential damage for the individual involved in, for example, loss, alteration or unlawful processing of the data. As the data becomes more sensitive character, or the context in which they are used, is a greater threat to personal privacy, stricter requirements are imposed on the security of personal data. The APconcludedthatUWVinsufficientlyhasarisk-adjustedsecuritylevel guaranteedandguaranteedwithin the context of sending group messages via the MyWorkbook- surroundings. With regard to the nature of the data, the AP has determined that YOURVinSonar has a multitude of processes various data of a highly sensitive nature, including data about the health of persons and the BSN. Jobseekers, the sick and incapacitated for work and who are legally are required to register with UWVandthereforemustprovidetheirpersonaldata,must can be confident that YOURV properly weighs the risks that these people run. TheimpactofasecurityincidentwiththepersonaldatathatUWVprocesscanbemajor for a sizable group of persons. Thus, it may be insufficiently secure of this data leadtostigmatizationorexclusion.NowUWValsotheBSNprocesseswhatinpracticealink of different files considerably easier, is more available for persons whose data in Sonar is an additional risk of a threat to privacy. In addition to the sensitive nature of the data, UWV also processes data from a great many citizens. UWVprocessedinSonarintheperiodfrom2016to2018dataaboutan average of 4,500,000 persons. All these people were at risk because of the insufficient security level of UWV.In addition, YOURVal has leaked personal data on several occasions. Out of a total of 15.331 people has leaked YOUR data when sending group messages via the workbook.Finally the AP notes that the violation lasted 2 years and 11 months. The AP considers this very serious. In view of the above, the AP sees, on the basis of the degree of seriousness of the violation, reason to to impose a fine on YOU and increase the basic amount of the fine to €450,000. 4.3.2 Blame According to article 6, second paragraph, of the Policy Rules, the AP takes into account the extent to which the violation can be blamed on the violator. If the violation was committed intentionally or it as a result of serious culpable negligence as referred to in article 66, fourth paragraph, of the Wbp, assuming that there is a significant degree of culpability on the part of the offender. According to the parliamentary history of 'serious culpable negligence' as referred to in Article 66, fourth paragraph, of the Wbp, applies if “the violation is the result of serious culpable negligence, i.e. 21/41Date Unidentified May 31, 2021 [CONFIDENTIAL] the result of gross, considerably careless, negligent or injudicious action.” In this connection 60 it is noted that by “acting” as referred to herein, is also meant an omission. YOURFISH believes that the findings of the AP do not follow that there are serious culpable negligence. The first four data leaks were for YOUR reason to make serious adjustments in the process to implement and invest in awareness of the risks associated with manual processing. According to YOURViserbetweenthefifthandtheeighthdataleakdeployedonstrengtheningthisorganizational measures(such as workshops).According to UWVdate,thismeansintheprocessforsending groupmessagesintheMyWorkbookenvironmentalrightisdeployedforsecurity measures to improve. The AP does not follow this view of UWV and motivates this as follows. YOUR Fish is obligated to use a security level that matches the nature and scope of the processing and that UWV now that YOURV has not ensured an adequate level of security for years, the AP believes that YOU have been seriously negligent in failing to weigh up the risks to citizens, in taking appropriate security measures and check and adjust these measures. For the organizational measures that have been implemented in accordance with YOURVwelfare, UWV has not based these measures on risk assessments and how they have considered the possible consequences for those involved YOURVindicatedthatithasnotcheckedorthemeasurestakenafterthedataleak have actually been introduced and evaluated. The Wbp, the AVG and the CBP guidelines regarding the security of the processing of personal data have expressly described that organizations are risk-adjusted security level.UWVmaybecomeconsideringthesensitivegroundandlargesize the processing is expected to be aware of the standards that apply to it there acts accordingly. In addition, the AP considers it very negligent and negligent that UWV only leaks no data in December 2018has proceededtoimplementtechnicalmeasures.Namelyblockingthe ability to add, among others, Excel files, when sending group messages via the Myworkbook environment.Citizenswhobecomeobligedtoprovidepersonaldata assume that the UW will take the necessary measures to their to protect personal data. The AP considers the fact that YOURVook has not complied with its own policy rules. that the policy of UWV indicates that measures must be taken on the basis of explicit risk assessments as part of a PDCA cycle, UWV did not take sufficient account with the risks and consequences for job seekers. In addition, UWV did not have a technical measureintroducedwhileUWVon20October2016alreadydecidedonshortterma to start an investigation into the possibility of taking technical measures. It also has UWV 59 60Parliamentary PapersII2014/15.33662,no.16,p.1. ActsII2014/15,51,item9,p.11. 22/41Date Unidentified May 31, 2021 [CONFIDENTIAL] not checked whether the measures that were taken in response to the data leaks were have actually been introduced into the organization. The violation is therefore the consequence ofgrofen Significantly negligent actions by UWV. In the opinion of the AP, all of the above shows that UWV grossly, considerably careless or acted negligently, resulting in serious culpable negligence on the part of UWV. In view of the circumstances of this case and the criterion of seriously culpable negligence Under the Wbp, however, the AP sees no reason to reduce or further increase the fine. 4.3.3Proportionality Finally, the AP assesses on the basis of article 5:46 of the General Administrative Law Act codifiedproportionalityprincipleortheapplicationofitspolicytodeterminealtitude of the fine, given the circumstances of the specific case, does not lead to a disproportionate outcome. The AP believes that, given the seriousness of the violation and the extent to which it can be charged to UWV accused, (the amount of) the fine is proportional. The organizational measures that according to UWVwel are affected, according to the AP, the present infringement of article 13 of the Wb and article 32, first and the second paragraph, of the AVG, not removed. Not weighing the risks for citizens, the lack of have appropriate security measures and fail to check and evaluate these measures after all, led to an insufficiently risk-adjusted security level in addition, it took almost 3 years with the privacy of 4,500,000 persons not being sufficiently guaranteed. In view of all the circumstances of this case, the AP sees no reason for the amount of the fine based on the circumstances mentioned in proportion and at the end of the Fine Policy, as applicable in the present case, further increase or decrease. 4.4 Conclusion The AP sets the total fine at €450,000. 6For the justification, see paragraphs 4.3.1 and 4.3.2. 23/41Date Unidentified May 31, 2021 [CONFIDENTIAL] 5.Dictum The AP submits to the Implementing Institute Employee Insurance for Violation of Article 13 of the Wbpen article 32, first stone, second paragraph, of the AV No administrative fine on the amount of €450,000 (say four hundred and fifty thousand euros). Yours sincerely, AuthorityPersonal Data, w.g. drs.C.E.Mur board member Remedies Clause If you do not agree with this decision, you can within six weeks of the date of shipment of the decide to submit an objection digitally or on paper to the Data Protection Authority. Submit it of an objection suspends the effect of this decision. To submit a digital objection, see www.autoriteitpersoonsgegevens.nl, under the heading 'Objection', at the bottom of the page under the heading ‘Contact with the Data Authority’. The address for submission on paper is: Authority Personal data, P.O. Box93374,2509AJDenHaag. Mention on the envelope 'Awb-objection' and put in the title of your letter 'objection'. Write your objection at least: Your name and address The date of your notice of objection The reference (case number) mentioned in this letter; you can also receive a copy of this decision attach The reason(s) why you do not agree with this decision Your signature For more information, see: https://autoriteitpersoonsgegevens.nl/nl/bezwaar-maken 6The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB). 24/41Date Unidentified May 31, 2021 [CONFIDENTIAL] Attachment 1 1. Policy of UWV UWV has in its policy documents “Strategic Policy Information Security and Privacy (IB&P)”, which apply for the period 2016-2020, included: “that management takes decisions based on careful consideration of the risks”. It also states the following: “Depending on the results of the analyses, risks are an adequate system of measures neutralized or explicitly accepted by a director central registration. UWV continues to ensure that continuity, quality and safety are guaranteed. means that risks are detected early and dealt with in a professional manner”. 64 VoorsthasUWFindpolicydocuments“TacticalPolicy,Information SecurityandPrivacy(IB&P)Legal Framework”, which was valid from April 2016 to at least January 2019, included the following: processing and storage of data are required technical and organizational security measures 65 a risk-driven way selected and realized, in accordance withUWVTacticalIB&PPolicySectionB‘BIRUWV’.” UWV has in its policy documents, which are valid from April 2016 until at least January 2019, the following is included: “In the processing and storage of data, the required technical and organizational security measures selected and realized in a risk-driven manner, in accordance with UWV 66 TacticalIB&PPolicySectionB'BIRUWV'. With regard to checking, evaluating and adjusting measures, YOU put in her 67 policy document, valid from December 2015 to at least January 2019: “4.2.The organizational units: primary actors IB&P risk management is primarily invested in the organizational units themselves. reported, in accordance with the own agreements. From the central monitoring of the IB&P risks, the organizational units were asked to report on the UWV-widetop IB&P risks. The organizational units have the following responsibilities: • Reporting from the executive responsibility on the progress of the victorious prioritized measures and improvement actions (using a format) and any new IB&P risks through the divisional reporting; • Periodically reassess the (BIR) improvement plans with improvement actions based on the UWV-wide identified IB&P risks; 63 See file 38 (Excel file, attachment 6 (file “UWVBZIBP Strategic Policyv190”, p.7)) and attachment 11 (file "UWVBZIBP" StrategicPolicyv202(AVG version)", p7-8).These attachmentsarepartoffile“Document”inanswertoquestion4below data breach1). 64 Ditto. 65See file document38(Excel file, attachment7(file“UWVBZIBPSectionAWelijkFrameworkv100.docx”,p.11)andappendix10(file "YOURVBZIBPSectionAuthorizedFrameworkv102(AVG version)",p.12).Theseattachmentsarepartoffile“Document”inresponseto question4onderdata leak1). 66See dossier document38(Excel file, attachment 7(file“UWVBZIBPSectionAWelijkFrameworkv100.docx”,p.11)andappendix10(file "YOURVBZIBPSectionAuthorizedFrameworkv102(AVG version)",p.12).Theseattachmentsarepartoffile“Document”inresponseto question4onderdata leak1). 67Seefiledocument38(Excel file,appendix9(file“UWVBZIBPSectieCBorgingBIRControlv200”whichispartof file“Document”foranswertoquestion4underdatalek1,p.7-8)). 25/41Date Unidentified May 31, 2021 [CONFIDENTIAL] • Implementing own risk inventory measures based on the prioritized UWV-wide IB&P risks and maintained (via the improvement plans). 4.3. Administrative affairs: coordinating role The substantive support and monitoring for IB&Pis centrally invested in Administrative Affairs. Governance is responsible for the coordination and the overall picture of the IB&P risks. obtaining the overall picture, the Board of Directors carries out the following activities: • Monitoring the progress in the realization of actions and measures in the field of IB&P, such as progress on the improvement plans; • Periodically conducting a substantive qualitative investigation (Quality Assurance) into the status of the IB&P improvement actions and management of the top IB&P risks at the organizational units; • Delivery of an IB&P report to the Coalition IB&P and the Board of Directors, periodically or at particularities; • Coordinating the annual exercise of the assessment of the UWV-wide risks and (BIR) improvement plans; • Providing substantive support about the improvement plans and actions to be carried out; 68 • Keeping the overview of the most important UWV-wide IB&P risks up-to-date”. 2.PracticewithinUWV 2.1 Weighing the risks in practice UWV indicates that it is: “an organization that generally and is also pragmatic in investigating and preventing data leaks. UWV opts for a pragmatic approach with concrete improvements instead of bulky reports. Documents that we, for example, as 'risk analysis' can be called 'research' by the department, which makes it understandably only 69 wrong may give the impression that we are not complete”. To the question whether before the decision in 2012 to group messages in any other way than through Outlook sending a risk analysis has been carried out, UWV reports: “There is a risk of sending group messages via the workbook no risk analysis prepared”. 70 When asked howYOURVin2012determinedthatsendinggroupmessagesviatheMyWorkbook- environment is an acceptable risk, what security measures have been considered and what the trade-off is has been created, UWV replies: “The work folder has a link with SONARenwerk.nl, and the customer must ofhis/herDigiDintlogintoopenandseemessages.In addition,–unlike-can access sending via outlook - once sent messages will be deleted if a message is sent incorrectly. the workbook as one of the secure channels to exchange data and messages with”. 71 68Seefiledocument38(Excel file,appendix9(file“UWVBZIBPSectieCBorgingBIRControlv200”which is part of file“Document”foranswertoquestion4underdatalek1,p.7-8)). 69See file document 46 (Reply by UWV, appendix 2 (file “Letter AP information request 29042019”, p.1)). 70See file document98(Reply by UWV, file"Additional questionsAP2110",p.2,appendix4(file"Explanation note meetingExecutive teamWORKcompany”) and attachment5(file“28BV06DecisiondocumentforbidusegroupmailviaOutlook”)). 71See file document98 (Reply by UWV, file "Additional questions AP2110", p. 2). 26/41Date Unidentified May 31, 2021 [CONFIDENTIAL] To the question whether the specific data leaks have led to the carrying out of a risk analysis indicates UWVaan:“YOURVeninthespecialdivisionWORKcompanyhasareasonofthefourleaksin2016a risk analysis has been carried out. This risk analysis can be found in the document: 'Proposer DMOWERKbedrijf' and its appendices, containing guidelines for employees”. Inthisoctober2016submitteristhenext included: “To face the unrest and disrupt the service as little as possible, but at the same time to conduct a thorough analysis of where we run our customer communication risks, we propose the following measures in front of(…)". 73 In response to the question whether a risk analysis was carried out after each data, UWV stated the following: “During 2016, UWV saw no need to carry out a PIA as such. The Business Security Officer (BSO) of Werkbedrijf has made an evaluation (sic) for the District Managers regarding the data leaks in August September2016.See hereforthesubmitter-aproposalfordecision-making-of the 4quarter2016 of the BSO WORKING company with which to take decisions/impact analysis/measures and conclusions and recommendations. appendixaguidelineSafeCommunicationatWERKbedrijf.Duedatein2017oneleakwassawUWVnonecessary to adjust the policy and to carry out a PIA. After the two leaks in 2018, the Board of Directors has Data protection requested to start an investigation”. 74 UWV indicates on the question why the leak in 2017 saw no need to carry out a risk analysis the following to:“UWVhasconsideredandofcoursegivenweighttotherightsand 75 freedoms of those involved. Now, with today's knowledge, this trade-off may be different”. UWVhas on request, no documents were supplied in which the assessment made at the time is recorded. With regard to the data leaks, five to eight UWV reports: “The risk of more leaks became low considered measures from October 2016 to work sufficiently, as explained again in the answer of the information request. At that moment, a number of other ICT measures in the systems have a high priority. 76 In hindsight, it was a misjudgment that the technical measures should have been taken sooner.” UWV has not substantiated what the estimate was based on that the risk should be considered low considered. UWV has stated in relation to the eighth data breach: “The Data Protection Officer (DPO) has As a result of this data, an investigation was conducted into export functionality within the workbook. After that (sic) performs the Data Protection Officer (DPO) on behalf of the Board of Directors is currently conducting a risk analysis on Sonar”.77 72See file document 46 (Reply by UWV, appendix 2 (file “Letter AP information request 29042019”, p.1)). 73See, among others, file document38(Excel file, attachment27(file“MicrosoftWord97-2003 document”in response to11underdataleak1 to 4, p.2)) and file 102 (Reply by UWV, appendix 2 (file “42DMO-B04.161017ESNotitieDMOWB", p.2)). 74See, among other things, file document38 (Excel file, reply to 11 under data leak1 to 4). 75 76See file document 81 (Reply by UWV, appendix 1 (file "Answering questionsAPAugust 2019", answer to question 12)). See file documents65 and 66 (Reply by UWV, p.2). 77See, among other things, file document38 (Excel file, reply to 11 under data leak7). 27/41Date Unidentified May 31, 2021 [CONFIDENTIAL] 2.2Measures, checks and adjustments in practice Temporary measures of 28 September 2016 UWV states that it was necessary the measures that were in place before the fourth data leaked evaluate and that it has decided to take measures. 78 With regard to the measures taken after the four data leaks in 2016, UWV reported: “Then are immediate 79 organizational and process measures taken to mitigate the risks and recurrence”. from the submitter from 18 October 2016 it appears that the “DTWERK company” on 28 September 2016-after the fourth data breach-until the had decided on the following temporary measures, which relate to the sending of messages with attachments via the MyWorkbook environment to multiple job seekers at the same time: 80 On 30 September 2016, these temporary measures and instructions were communicated to the managers 81 from the WORK company via the following WORK message: 78See, among other things, file document38(Excel file,answertoquestion18underdataleak1t/m4). 79See file documents65 and 66 (Reply by UWV, p.1). 80See file documents 65 and 66 (Reply by UWV, appendix, answer to question2) and file document 102 (Reply by UWV), 81jlage2(file“42DMO-B04.161017ESNotitieDMOWB",p.1). See file document 98 (Reply by UWV, appendix 2 (file "Work message 30 September 2016", p. 2 and 3)). 28/41Date Unidentified May 31, 2021 [CONFIDENTIAL] UWV states that these temporary measures and instructions were communicated to . on 4 October 2016 all (then employed) employees via a newsletter WORK In Performance with the following text: 82 UWVindicatesonthepreviouspagementionedtemporarymeasuresthattheywillbecompleted asap came into effect after 28 September 2016. UWV also states that in view of the importance of these measures andtherelevantforthetypeofrisksmainlyinvolved inthistypeofdataleaks,thesetemporarymeasures would still be in effect at this time. However, UWV has not substantiated this with documents. 82See file document98 (Reply by UWV, appendix 3 (file “WIU4October 2016”)). 8See file documents65 and 66 (answer by UWV, appendix, answer to question 2). 29/41Date Unidentified May 31, 2021 [CONFIDENTIAL] Measuresproposed in October 2016 In the submission of October 18, 2016, which has been drawn up in preparation for the District Managers' Meeting (DMO) on October 20, 2016, the following is stated about the temporary measures mentioned above: 84 Therefore, in October 2016, DMO was asked to agree to the measures below, in order to replacement of the temporary measures decided on 28 September 2016: 85 84See file document102 (Reply by UWV, appendix 2(file“42DMO-B04.161017ESNotitieDMOWB",p.2)). 85See file document102 (Reply by UWV, appendix 2(file“42DMO-B04.161017ESNotitieDMOWB",p.2)). 30/41Date Unidentified May 31, 2021 [CONFIDENTIAL] During the DMO of October 20, 2016, it was noted that the measures proposed above 86 followingdecided: It follows from these minutes that the DMO on October 20, 2016 only with the (mentioned on page 30) measures 1 to 6 has agreed. In addition, it has been decided that measures 7 to 10 - including an investigation into concrete technical measures in the short term. UWV indicates that all measures (mentioned on page 30) have been implemented. UWV has 87 not (sufficiently) substantiated if the implementation has taken place. Of the measures 1 to 6 has YOURV only shown that the “Guideline safe communication at WORK company” is drawn up. As seen below, these undated-Guideline principles for 89 safe communication: 86 See file document 102 (Reply by UWV, appendix 1 (file “42DMO-A04. Decisions and action points overview 20Oct.2016”, p.3 and4)). 87 See file 38 (Excel file, answer to question 14 under data leak1). 88Seefiledocument38(Excel file,attachment33(file"161020AttachmentADDataLeaksWB",whichispartoffile"Microsoft Word document"in response to question15underdata leak1)). 89Seefiledocument38(Excel file,attachment33(file"161020attachmentADDataLeaksWB",whichispartoffile"Microsoft Word document"in response to question15underdata leak1)). 31/41Date Unidentified May 31, 2021 [CONFIDENTIAL] From page 30 and 31 it follows that the DMO decided on 20 October 2016 to conduct an investigation into the to postpone the possibilities of technical measures until further notice. To the question whether this investigation 90 took place, UWV answered: “No, this investigation did not take place”. UWV reports with regard to the question of how it has been checked or proposed measures after each data breach have also actually been introduced: “YOURVandWORKcompanyhavenotas suchcheckedormeasuresthat have been taken as a result of data leaks have actually been implemented. UWV has no generic policy in which it checks whether UWV central measures have been implemented by the responsible division(s). 90 See file documents65 and 66 (answer by UWV, appendix, p.1, answer to question 3). 32/41Date Unidentified May 31, 2021 [CONFIDENTIAL] WORKcompanyoperating throughoutthe country can give regional offices to a certain extent their own interpretation 91 central policy, for example awareness campaigns”. UWV also reports about this: “There is no formalform protocolled procedure within UWV, which is checked or agreed upon at a central level organizational and process measures are carried out. That would be impracticable given the size of the organization and the amount of decisions that UWV takes”. UWV mentions its response to the actual findings, however, that she would have checked whether the measures taken in practice have been brought. Your statement has not been substantiated with documentation. On the question whether and in what way the measures to which UWV in response to the first four data leaks had decided have been evaluated, what the results of that evaluation were and whether the desired effect of that measures had been achieved, UWV reports: “No, given the absolute limited number of leaks from 2017 compared to 2016, UWV saw no reason to assume that the mitigating measures did not correctly address the risks addressees”. And: “In 2017, given the relatively small number of leaks(1), UWV saw no reason to exist 95 evaluate measures”. UWVstatesthe following about the way in which it carries out evaluation:“There is no formal protocolledevaluationprocessaftereachofthesevendataleaks.ThatisnotthewayYouWVinalle casesworks.Involveddepartmentsconcludedovera long time in close consultationthatthetakenin2016 measures were sufficient. Unfortunately, this conclusion turned out to be incorrect”. UWV mentions its response to the actual 97 findings, however, that evaluations have been carried out with regard to measures taken. This one Your statement has not been substantiated. Fifth data breach UWVindicatedthatafterthefifthdataleak,itiscontinuedtoincreaseawarenesswiththe 98 sending messages via the MyWorkbook environment. InthatframeafterthedataleakheadedJuly 20,2017 The following WORK message sent to WORK company managers by UWV: 99 91See file 38 (Excel file, answer to question 16 under data leak 1 to 7). 92See file documents65 and 66 (Reply by UWV, appendix, p.2, answer to question 4). 93See file documents109 and 116 (UW's response to factual findings, p.3). 94See, among other things, file document38 (Excel file, answer to question 18 under data leak6). 95 See, among other things, file document38 (Excel file, answer to question 18 under data leak1 to 4). 96See file documents65 and 66 (Reply by UWV, appendix, p.2, answer to question 5). 97See file documents109 and 116 (UW's response to factual findings, p.3). 98See, among other things, file document38 (Excel file, answer to question 13 under data leak5). 99See file 38(Excel file, attachment31(file"MicrosoftWord document"inanswertoquestion14underdataleak5)). 33/41Date Unidentified May 31, 2021 [CONFIDENTIAL] UWV also states with regard to this data leak: "UWV/WERKbedrijf has as a result of this leak the Directive 'Safe communicating'”and UWV has adopted the “Guideline for safe communication at WORK company” with the answering questions about the fifth data breach. 10Based on what it says on page 31, it seems following, however, that this guideline had already been drafted after the fourth data breach. And as already mentioned, UWV has not provided any proof that the measure has actually been introduced or checked. UWV further states with regard to the fifth data leak in 2017: “Important for the decision on less time, after this leak, no additional technical measures to take was only for a full release agenda, in combination with a far-reaching change assignment for WERKbedrijf”. UWV has not supplied any documents in which this decision is contained. UWV has with regard to the question of how it has been checked that the measures mentioned are also have actually performedansweredthatYOURVandWORKcompanyhavenotassuch checked whether measures taken in response to data leaks are real 102 implemented. 10See, among other things, file document38 (Excel file, answer to question 18 under data leak5). 10See file document 81 (Reply by UWV, appendix 1 (file "Answering questionsAPAugust 2019"), answer to question 12). 10See file 38 (Excel file, answer to question 16 under data leak 1 to 7). 34/41Date Unidentified May 31, 2021 [CONFIDENTIAL] To the question whether and in what way the measures that UW had decided upon after the fifth data leak evaluated, what the results of that evaluation were and whether the desired effect of those measures was reached, UWV reports: "No evaluation has taken place after this because it was considered an incident for which mitigating measures seemed effective at the time". 103 With regard to the way in which it carries out evaluations of measures, UWV states the following: “There is no formally protocolled through the evaluation process after each of the seven data leaks. That is not the way UWV works in all cases.Involveddepartmentsconcludedovera long time in close consultationthatthetakenin2016 measures were sufficient. Unfortunately, this conclusion turned out to be incorrect”.10UWV states its reaction to the actual 105 findings, however, that evaluations have been carried out with regard to measures taken. This one statement that there would have been evaluated is not substantiated with documentation from which the evaluation actually turns out. Sixthtotenwithninthdata breach(2018) UWV has indicated that there are no measures due to the sixth data leak on March 26, 2018 affected.106According toUWVisaftertheseventhdateheadedMarch 28th,2018andtheeighthdataheadedAugust 3rd 107 2018,decided onthefollowingmeasures: "-WorkshopPreventionData Leaks This concerns a workshop aimed at raising awareness about working with personal data and performing risk assessments together. The workshop has been transferred to representatives from all through the ‘train the trainer’ labor market regions, which subsequently rolled out the training across the branches. -Frequently used toolkit page on DWU Due to the introduction of AVG, the toolkit page of the IB&P is further expanded and there is a lot of material offered. This part supports the above workshop. -Step-by-step plan Safe Personal data sharing In light of the entry into force of the GDPR, the old directive 'Safer Digital Communication' has been replaced by the guideline 'Step-by-step plan for Safe Sharing of personal data' -Attentiononmanagement An annual consultation meeting Information Security & Privacy and Security takes place with the regional management. currently running a UWVwide IB&Ptrainingformanagerswithin itabreakoutsession‘data leaksandrole management therein' -RolloutSLIM In the roll-out of SMARTWork, there is much more focus on working safely and preventing data leaks. MT sessions, as well as during branch wide kick-offs. Technical measure: 10See, among other things, file document38 (Excel file, answer to question 18 under data leak5). 10See file documents65 and 66 (Reply by UWV, appendix, p.2, answer to question 5). 10See file documents109 and 116 (UWV's response to factual findings, p.3). 10See file document 81 (Reply by UWV, appendix 3 (file "Question 7 appendix 2")). 10See, among other things, file document38 (Excel file, answer to question 13 under data leak 6 and 7). 35/41Date Unidentified May 31, 2021 [CONFIDENTIAL] Attachments block WERKbedrijf made it impossible through an early release on the weekend of 15/16 December 2019(sic) made to attach noglangero.a.Excel files in the Workbook to messages.” With the exception of the measures regarding the “Step-by-step plan Safe Sharing of Personal Information” and the technical measure has not supplied any documents or further substantiation on the basis of of which it can be established how the above measures are secured in documentation. Furthermore, it has not become clear when the above measures have been implemented. UWV has supplied a version of the “Step-by-step plan for Safe Sharing of Personal Information”. That step-by-step plan is dated 26 April 2018 and thus drafted after the seventh date. UWV declares about this: “In hetlicht of the entry into force of the GDPR, the old directive 'Safer Digital Communication' has been replaced by the directive "Step-by-step plan for Safe Sharing of personal data". This step-by-step plan looks like this: 108 See file 38 (Excel file, answer to question 13 under data leak 6 and 7). 36/41Date Unidentified May 31, 2021 [CONFIDENTIAL] 37/41Date Unidentified May 31, 2021 [CONFIDENTIAL] The step-by-step plan is on May 1, 2018 via the newsletter to employees of the WERKbedrijf communicated: 109 To the question whether there are technical measures between the first stone and the eighth date on August 3, 2018 implemented, UWV replied: “UWV did not implement any technical measure during that period, but several organizational and process-related measures have been implemented.However, we are of the opinion that this fact must be viewed in the light of the risk assessment that UWV made at the time and the earlier outlined the area of IB&P measures as a result of targets, which is described in the letter”. 110 After the eighth data leak, UWVanalyzed on August 20, 2018 how the data leak could have been take place and how specific data leak direction involved is handled. This analysis is described 111 in a document containing the following recommendations: 109 See file documents 109 and 116 (UWV response to factual findings, appendix “WORK in progress”, item 07). 11See file documents65 and 66 (Reply by UWV, appendix, p.1, answer to question 1). 11See file document38(Excel file, attachment42(file“MicrosoftWord document”in response to question18underdataleak7),p.3). 38/41Date Unidentified May 31, 2021 [CONFIDENTIAL] Furthermore, about the above-mentioned analysis, UWV stated: “First of all, WERKbedrijf in September 2018based onananalysisofwaterfailurewentinAlkmaar(…)-notfollowingtheorganizationaland process-basedsecurityrules-onnewinstructionsent toemployeesforhandlingbulkmessagesvia the Briefcase to prevent this type from leaking. More research in the sense of a comprehensive report is not here basisbecausethecausewasclear.(…)BasedonthisanalysisUWVookdecidedtotaketechnicalmeasures take-whereasbeforedeterminedthatorganizationalandprocess-relatedsecuritymeasuresweresufficient-i.e.a block in the work folder that prevents ero.a. no longer sending excel files, which means mid 112 December has happened”. On September 3, 2018, so one month after the eighth dates, it seemed two days before the ninth data breach,the QRCgroupmessagesextendedwithaframethepassagewithinstructionstodataleak prevent: 113 11See file document 46 (Reply by UWV, appendix 2 (file “Letter AP information request 29042019”), p.1). 11See file document91 (Reply by UWV, appendix 4(file "QRCSonarSend group message to the Werkmap22072013", p.1)). 39/41Date Unidentified May 31, 2021 [CONFIDENTIAL] At the first point in the above-mentioned passage from QRC group messages of September 3, 2018 states that the export lists for the sending of group messages must first be carried out by the employees be cleaned by removing data from the file, leaving only the row ID about.Furthermore, this version of the QRC group messages states that the 4-eyes principle must be used In earlier versions of the QRC group messages provided, these instructions about the clean and the row ID and the 4-eye principle are not included. On September 4, 2018, the AP had a telephone consultation with the FG of UWV. others considered whether technical measures had meanwhile been introduced. In that conversation the FG has indicated that, to his knowledge, no technical measures had been introduced. He further indicated that the four-eyes principle had been introduced. He thought thatthemethodinherentisnotsecurewhendataisextractedfromasystemandina office application continue to be processed. He was of the opinion that employees of UWV immediately system must work that does not have sufficient guarantees. 114 In response to the eighth data, the FG of UWV has been requested by the Board of Directors of UWVinvestigatedanddescribedthisinthe“FGreportoffindings:DatalekAlkmaar”of30 115 November2018. The results of that investigation presented to the Council of on 22 January 2019 Board of Directors Work company presented. Indie presentation includes: 11See file document22 (Telephone note FGUWV). 11See file document81, appendix5 (file "Question16_ConceptFG report") and file documents109and116(ReactionUWVtofactual findings, p.3). 11See file document38(Excel file,answertoquestion11underdataleak7)andfilepiece51(file“ResultsFG investigation Werkbedrijfv010”, p.7en9). 40/41Date Unidentified May 31, 2021 [CONFIDENTIAL] “Measure to disable the upload of Excel files to the workbook is working for this specific leak. (…) “Plasters Paste: Process agreements are not ‘hard’ enforced”(…) “Policy Doesn't Come to the Workplace: Understanding process agreements Awereness does not reach all employees” Finally, in mid-December 2018, UWV introduced a technical measure, namely blocking of the ability to add, among other things, Excel files, when sending group messaging through the Myworkbook environment. 117 UWV has with regard to the question of how it has been checked whether measures are actually enteredansweredthatYOUVandWERKcompanyhavenotcheckedassuchormeasuresthat 118 have been taken as a result of data leaks have actually been introduced. When asked whether UW had external parties investigated the data breaches, yourWV replies with regard to the first eight data breaches:“YourV did not see any added data at the time value in having an external investigation carried out because given the measures taken, the risk is mitigated 119 seemed”. UWVhasconsideredtheeighthdataleak:“UWVInternal InvestigationbyAdministrative Affairs commissioned by FG where external expertise was gained from a consultant”. 120 UWVstatesthe following about the way in which it carries out evaluation:“There is no formal protocolledevaluationprocessaftereachofthesevendataleaks.ThatisnotthewayYouWVinalle casesworks.Involveddepartmentsconcludedovera long time in close consultationthatthetakenin2016 measures were sufficient. Unfortunately, this conclusion turned out to be incorrect”. UWV mentions its response to the actual 122 findings, however, that evaluations have been carried out with regard to measures taken. This one statement that there would have been evaluated is not substantiated with documentation from which the evaluation actually turns out. 11See file document38 (Reply by UWV, letter), file document38 (Excel file, answer to question 13 under data leak6 and7), file documents 65 and 66 (Reply by UWV, p.2 and appendix, p. 1, answer to question2) and file document 81 (Reply by UWV, appendix 1 (file "Answering questionsAPAugust2019", answer to question 17)). 11See, among other things, file document38 (Excel file, answer to question 17 under data leak1 to 7). 11See file document38(Excel file,answertoquestion12underdataleak1t/m6). 120 121iefilepiece38(Excel file,answertoquestion12underdataleak7). See file documents65 and 66 (answer by UWV, appendix, p.2, answer to question 5). 12See file documents109 and 116 (UWV's response to factual findings, p.3). 41/41