AP (The Netherlands) - Decision of 18 December 2023

| AP - Decision of 18 December 2023 | |
|---|---|
| Authority: | AP (The Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 35 GDPR; Article 35(1) GDPR; Article 35(7) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 23.06.2022 |
| Decided: | 18.12.2023 |
| Published: | 15.01.2024 |
| Fine: | 150,000 EUR |
| Parties: | ICS |
| National Case Number/Name: | Decision of 18 December 2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | autoriteitpersoonsgegevens.nl (in NL) |
| Initial Contributor: | co |
The Dutch DPA imposed a fine in the amount of €150,000 on ICS, a credit card company, for failure to carry out a DPIA under Article 35(1) GDPR.
English Summary
Facts
Following a series of reports and complaints against ICS, a subsidiary of ABN AMRO, as a controller, the Dutch DPA (AP) decided to start an ex officio investigation into the processing operations carried out by the controller. The AP found that the controller never conducted a DPIA in 2018, prior to the introduction of its identification app ID&V. The controller claimed in this respect that it did not need to carry out a DPIA, since the same identification system had been used by ABN AMRO before, and ABN AMRO had previously carried out a risk assessment of its own app, Mitek. Moreover, the controller argued that when its app ID&V was introduced, there were no risks of potential misuse of personal data, and strict security measures were in place. The controller also argued that the only criterion suggesting the need to carry out a DPIA under Article 35 GDPR was that the processing was large-scale, and that no other criterion was met that would make it high-risk processing. Lastly, the controller claimed that it does not process any special categories of personal data within the meaning of Article 9 GDPR.
Holding
The AP first assessed whether the controller's processing operations present a high risk to the rights and freedoms of natural persons. The AP made this assessment in light of Article 29 Working Party Guidelines 248 rev.01 on "Data Protection Impact Assessment (DPIA) and determining whether processing is 'likely to result in a high risk' for the purposes of Regulation 2016/679", and stated that for processing operations to be considered "high risk", at least two of the criteria set out in Article 35 GDPR must be met. In the case at hand, the AP considered that the processing operations carried out by the controller meet two of these criteria, namely processing of sensitive data and large-scale processing. In fact, the controller processes several data about its customers, including ID number and photograph, and the controller has around 1.5 million customers, who have all been required to re-identify using its app. In light of this, the AP considered that the controller should have carried out a DPIA. With respect to the controller's claim that its parent company, ABN AMRO, had already assessed the risk of its authentication app and that this exempted the controller from carrying out its own DPIA, the AP again referred to the Article 29 WP Guidelines. The Guidelines provide that a DPIA needs to comply with the minimum requirements of Article 35(7) GDPR. The AP evaluated the assessment carried out by ABN AMRO and found that it mainly concerned risks related to fraud and money laundering, and that only three data protection related risks were included. Moreover, the assessment did not contain any description of the processing, nor a proportionality and necessity assessment, nor did it refer to the measures adopted to address the risks. Hence, the AP concluded that the controller's assessment of data protection risks, in conjunction with ABN AMRO's assessment, cannot be considered equivalent to a DPIA under Article 35 GDPR.
For this reason, the AP held that the controller violated Article 35(1) GDPR. The AP considered it appropriate to impose a fine on the controller in accordance with Article 83 GDPR. The AP referred to the National Fine Policy of 2019 and to EDPB Guidelines 04/22 when calculating the amount of the fine to be imposed. In its considerations, the AP gave weight to the fact that not conducting a DPIA constitutes a GDPR violation in itself, and that it also increases the likelihood of further GDPR violations, as the risks are not known. Lastly, taking into account the annual global turnover of the whole ABN AMRO group, the AP decided to impose a fine in the amount of €150,000 on the controller.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Dutch Data Protection Authority PO Box93374,2509AJ The Hague Bezuidenhoutseweg30, 2594AV The Hague T0708888500-F088-0712140 autoriteitpersoonsgegevens.nl Confidential/Registered InternationalCardServicesB.V. PO Box23225 1100DS DIEMEN Attn: the management Date Unmarked December 18, 2023 [CONFIDENTIAL] Contact [CONFIDENTIAL] Subject Decides to impose an administrative fine for violating the General Regulation Data protection Dear members of the management, The Dutch Data Protection Authority (AP) has decided to appoint InternationalCardServicesB.V. (ICS) to impose an administrative fine of €150,000 (in words: one hundred and fifty thousand euros) for violation of Article 35, first paragraph, of the General Data Protection Regulation (GDPR). This is because ICS has completed a data protection impact assessment (DataProtectionImpactAssessment; hereinafter: DPIA). This decision explains the administrative fine. This will be discussed in turn reasons, the course of the proceedings, the facts established, the violation and the amount of the fine. Finally follows the dictum. 1 Date Unmarked December 18, 2023 [CONFIDENTIAL] 1. BackgroundResearch 1. ICS is a company based in Amsterdam and active in offering financial products in in particular the issuance of so-called debit and credit cards. 1 2. The Customer Contact and Monitoring Investigation department of the AP has received signals and complaints about this consumers about ICS have started an investigation into a possible violation of the GDPR by ICS.Die complaints and signals were received by the AP after ICS started again (online) in 2019 identifying its customers with the 'identification and verification process' (ID&V). 3. The purpose of the investigation was to determine whether ICS complied with the rules laid down in Article 35 GDPR, when she did not carry out DPIA in preparation for the ID&V process. 2. Findings research reports process flow 4. The findings of the investigation have been recorded in a report. 
It follows that upon the introduction of ID&Vspeaked of a processing of data that probably entails a high risk for the rights and freedoms of natural persons. ICSC also preceded the processing had to carry out a DPIA. The report concluded that ICS failed to carry out a DPIA In doing so, she acted in violation of Article 35, first paragraph, GDPR, according to the report. 3 5. The report was signed on 23 June 2022 and sent to ICS on 7 July 2022. ICSheeftop September 14, 2022 gave an opinion on the report. On October 20, 2022, ICS gave its opinion explained verbally. 6. The AP asked ICS further written questions on 2 December 2022 and 13 February 2023, to which ICS responded on 21 December 2022 and 24 March 2023 respectively. 3. Legal framework 7. To improve the readability of this decision, the relevant legal framework is included in Appendix 1. legal framework is part of this decision. 1 Appendix 21 to the research report:. 2Research report of 23 June 2022. 3File document1. 2/20 Date Unmarked December 18, 2023 [CONFIDENTIAL] 4. ICS view 8. ICS has given the following view on the report. 9. IC has set up an extensive risk process, called ChangeRiskAssessment (CRA process). In the CRA process, risks are identified, mitigated and monitored. A Privacy Impact Assessment is part of the CRA process and, when appropriate, becomes a DPIA executed. 10. ICS is a 100% subsidiary of ABNAMRO. ABNAMRO has been using a application from MitekSystemsB.V. (Mitek app), to determine the identity of its customers. ABN AMRO also uses the CRA process to analyze and use risks Mitek app, ABNAMRO has done an extensive analysis of the use of the Mitek app. IC has the same technique was used to re-identify its customers. There was none for ICS reason to carry out another analysis, because ABNAMRO has already had an analysis executed. 11. ICS further states that it has investigated whether additional measures have been included in the CRA process should be for ID&V. 
A Privacy Officer was involved in this at an early stage the nature and purpose of ID&V are determined. It has also been determined which data are processed, who has access to these data, which retention periods apply or are not applicable transfer outside the EU and measures taken for this transfer. 12. Moreover, ICS states, when ID&V was introduced, there was no high risk of misuse of personal data. The personally identifiable data used at ID&V are not inherent sensitiveandnecessarytocomplywiththelegalrequirements.Whenprocessingthe citizen service number applies to the strictest security level, which is partly based on legislation financial sector. Furthermore, when collaborating with third parties, strict requirements are imposed on encryption using secure connections, carrying out penetration testing and meeting audit requirements controlofpersonaldata. 13. ICShe has acknowledged that the PIA triage of August 28, 2018 incorrectly concluded that there was no large-scale processing of data. The PIA form has been available since 2020 adjusted so that such an error will not occur again. 14. According to ICS, there is no inequality of power between its customers and ICS, because ICS is legal obliged to identify its customers, the customers have the option to become non-digital identifyandacreditcardisnotanessentialpaymentservice. 3/20 Date Unmarked December 18, 2023 [CONFIDENTIAL] 15. The Data Protection Officer (FG) of ICS has been directly involved via the Privacy Office data protection risks.ICS has not clearly communicated this circumstance before. 16. The Decree on the list of processing and processing of personal data for which a DPIA is mandatory provides a number of criteria and of only one criterion, namely large-scale processing, is this case according to ICS in order to be able to draw the conclusion that processing probably poses a high risk to the involved, there must be two elements that are mentioned in the Decree. 
Now this was not the case, and ICS was also not obliged to carry out a DPIA the said decision was published after the start of the introduction of ID&V. 5. Assessment 5.1 Controller and authorityAP 17. It is established and not in dispute that ICS is responsible for the processing (Article 4, opening paragraph 7, GDPR). and that the AP is the competent supervisory authority (Article 56, first paragraph, GDPR). 5.2 Obligation to implement DPIA 18. In summary, it follows from the GDPR that a DPIA must be carried out before any processing where such processing is likely to involve a high risk to the rights and freedoms of natural persons (Article 35, first paragraph, GDPR). 19. The Guidelines WP248rev.01 (hereinafter: the Guidelines) describe which criteria apply to question whether a DPIA should be carried out. The AP has taken into account the provisions in the GDPR (Article 35) and 5 in view of the aforementioned Guidelines and the Decree on the list of processing of personal data established (the Decree). That Decree stipulates, among other things, that for the processing of biometric data data aDPIA is mandatory. 20. It is not in dispute that ICS did not carry out DPIA in 2018 prior to the introduction of ID&V. obligation to carry out a DPIA flows directly from Article 35, first paragraph, GDPR read in connection with the aforementioned Guidelines. The circumstance that it decides to stop November 27, 2019, established and published by the AP, does not mean that ICs for that reason DPIA should have been implemented. The Decision contains requirements that are also included in the GDPR Guidelines mentioned and result from it. 4Guidelinesfordataprotectionimpactassessmentsanddeterminationwhetheraprocessing“islikelytohighrisk entails” within the meaning of Regulation 2016/679 (WP248rev.01). TheEDPB has endorsed these Guidelines. 
5 List of decisions on processing and personal data for which a data protection impact assessment (DPIA) is mandatory, from the Dutch Data Protection Authority of 19 November 2019, Government Gazette 2019, 64418. This decision is based on the GDPR and the Guidelines WP 248rev.01. 4/20 Date Unattribute December 18, 2023 [CONFIDENTIAL] 21. The first question that needs to be answered in this case is whether there is a type of processing that is likely to pose a high risk to the rights and freedoms of natural persons. When If this is the case, ICS is obliged to carry out a DPIA prior to implementation fromID&V. 22. From processing likely to result in a high risk to the rights and freedoms of natural persons are the rules when two (of the nine) criteria are met the Guidelines are listed. In this case there are three criteria that are the Guidelines listed. This concerns: 1) sensitive data or data of a very personal nature; 2) on a large scale processed data; and 3) data relating to vulnerable data subjects. 23. It has been found that for ID&V the first and last name, date of birth, place of birth, address details, e-mail address, telephone number, gender, BSN, number of the ID document as well as the photo in it 6 and a (liveness) photo of a data subject is processed. These data are, as follows Guidelines together qualify as sensitive data and data of a highly personal nature. 24. It has also emerged that ICS has approximately 1.5 million customers in the Netherlands who have had to register again identify and whose data ICS stores for as long as an involved customer remains with ICS. This in the opinion of the AP, this also means large-scale processing of personal data. 25. Contrary to what is described in the investigation report, the AP is conducting a further study of the facts of considers that in this case there is no question of vulnerable data subjects whose personal data are collected processed. 
Vulnerable persons involved can be children, but also employees or part of the 9 population that requires special protection, as follows from the Guidelines. It's basically because one unbalanced relationship between data subjects and controller. ICHS has that It has been rightly argued that a credit card is not an essential financial product for everyday life of a data subject. A credit card does not have the function of a bank account cannot be equated. This means that there is no question of an unbalanced relationship between ICS and her customers and therefore ICS customers cannot be regarded as vulnerable data subjects such as described in the Guidelines. Furthermore, it is not excluded that other providers of credit cards use a different method to identify their customers who are interested in a credit card over the choice of using services from other providers to make. 6Appendix3,p.5, research report. 7Guidelines mentioned above, p.11. 8Appendix3,p.4, research report. 9Guidelines mentioned above, p.12. 5/20 Date Unattribute December 18, 2023 [CONFIDENTIAL] 26. Since in any case two criteria from the Guidelines apply, there is a kind of processing that is likely to pose a high risk to the rights and freedoms of natural persons persons. This means that carrying out a DPIA by ICS was mandatory. 27. According to ICS, she did not have to carry out a DPIA because the CRA process risks abuse of personal data have been analyzed and this process according to ICS to the extent that it can be compared to a DPIA. In view of this, the next question that needs to be answered is whether to equate the ICS CRA process isonaDPIA. 28. The AP assessment follows. The Guidelines provide criteria for an acceptable DPIA (not to be confused with criteria for assessing whether a DPIA should be carried out). It is then together controller must choose a method by which the set criteria are met. The controller is obliged to meet the (main and sub) criteria. This must be done: 1. 
a systematic description of the processing is given; 2. the necessity and proportionality of the processing are assessed; 3. the risks to the rights and freedoms of data subjects are managed; 4. the interested parties (their representatives) and the data protection officer (FG) be involved. For example, the advice of the FG must be won or must be sent to the opinions of those involved are asked. 29. ICS has used ABN-AMRO's CRA process. ABN-AMRO's CRA process consists of 22 risks (threats) with associated code. The vast majority of the described risks are directly or indirectly related to combating fraud and complying with the Prevention Act of Money Laundering and Financing of Terrorism (Wwft). Only three risks (riskkeyr007, r011, r025) relate to the protection of personal data. ICS therefore complies with one of them main criteria from the Guidelines mentioned above in edge number 28, namely the third criterion: “management of risks to the rights and freedoms of those involved”. The CRA process of ABN- AMRO was not sufficiently focused on the protection of personal data on the other three criteria, so that the CRA process is not complete enough to comply with GDPR. 30. ICS, in addition to ABN-AMRO's CRA process, does not have its own CRA process in April 2020 executed. This CRA process also provides a systematic description of the processing it has not appeared that the necessity and proportionality of the processing has been assessed, in particular measures that contribute to the protection of the rights of those involved. That is not in addition it has become apparent that interested parties, their representatives and not the official data protection are involved in the processing. The FG of ICS was therefore unable to provide advice 1Guidelinesabovementionedp.28-29. 1Appendix9b,research report. 1 Appendix 9a, research report. 6/20 Date Unmarked December 18, 2023 [CONFIDENTIAL] about carrying out a DPIA. 
This means that ICS has three out of four (main) criteria for one acceptableDPIAhas not been tested. 31. From the foregoing it follows that the criteria mentioned in the Guidelines for an acceptable DPIAhave not been applied in the CRA process of ICS. The CRA process of ICS, viewed in conjunction with that of ABN-AMRO, in the opinion of the AP, therefore cannot be equated with a DPIA. The CRA- processes of ICS and ABN-AMRO were mainly aimed at preventing and combating (identity) fraud and are not (also) specifically aimed at the protection of data.3 32. Furthermore, the PrivacyImpact Assessment Triage of 18 June 2019, as part of the CRA process This did not result in a DPIA being carried out because those triages and injustices were not recognised it concerns large-scale processing. 33. The AP is of the opinion that ICS should have carried out a DPIA. By failing to do so, ICS has Article 35, first paragraph, GDPR violated. The AP sees reason to impose a fine. 6. Administrative fine 34. The AP is based on Article 58, second paragraph, at the beginning and under i, in conjunction with Article 83 GDPR read in conjunction with Article 14, third paragraph, UAVG, the authority to impose an administrative fine. 35. It has been concluded in paragraph 33 that ICS has wrongly carried out a DPIA and has therefore violated Article 35, first paragraph, GDPR. This means that there has been one conduct for which a fine will be imposed. 6.1 Systematics for determining the amount of the fine 36. When exercising the power to impose an administrative fine, the APight applies to both Policy rules of the AP regarding determining the amount of administrative fines (Stcrt.2019, 14586)(hereinafter: Fine policy rules) as theGuidelineonthecalculationofadministrativefinesundertheGDPR (hereinafter: Guidelines). 
This is in accordance with what is stated in the explanation Fine policy rules on establishing joint principles regarding the calculation of fines and temporary nature of the AP's policy on this. 1Appendix3,p.12, research report. 1There is currently no Dutch translation of the Guidelines available. The Guidelines can be consulted at< https://edpb.europa.eu/our-work-tools/general-guidance/guidelines-recommendations-best-practices_en>. 7/20 Date Unattribute December 18, 2023 [CONFIDENTIAL] 37. The amount of the fine will be determined as follows: 1. Determining the starting amount of the fine based on the Fine Policy Rules 2019; 2. Consideration of the circumstances based on the Penalty Policy Rules; 3. Consideration of the circumstances based on the Guidelines; 4. Determining the amount of the fine and assessing effectiveness, proportionality and deterrence. 38. These parts are discussed in turn below. 6.2 Determine the starting amount based on Fine Policy Rules 2019 39. As mentioned above, in this case the starting point is the applicable bandwidth of the Fine policy rules. The AP is responsible for determining the amount of the fine, without prejudice to Articles 3:4 and 5:46 of the General Administrative Law Act, take into account the factors mentioned in Article 7 of the Fine policy rules. These factors are also described in Article 83, second paragraph, GDPR in the Guidelines appointed. 40. For a violation of Article 35, first paragraph, GDPR, the AP may impose an administrative fine up to amount of €10,000,000. In the case of a company, a fine of up to 2% of the total worldwide annual turnover in the previous financial year, if this figure is higher. The AP notes that the total worldwide annual turnover of the parent company of ICS will amount to €7.841 billion in 2022, and that the maximum legal fine therefore amounts to €156.8 million. 41. 
Under the Fine Policy Rules, an infringement is classified into a category according to the violation of the provision, ranging from category I to IV. The following applies: how important the provision is for the protection of personal data, the higher the category of infringement Fine policy rules state that violations of Article 35, first paragraph, GDPR fall into category II. The bandwidth of this category runs from €120,000 to €500,000, with a basic fine of € 310,000. This amount will be taken as a starting point for the further calculation of the final fine, after considering the relevant factors. 6.3 Consideration of the circumstances based on the Penalty Policy Rules 42. When determining the amount of the fine, the relevant circumstances will be discussed in this case assessed on the basis of the factors mentioned in Article 7 of the Fine Policy Rules. 15 A calculation based on the worldwide turnover of €7.841 billion of ABN-AMRO, as parent company of ICS. See 16ijkenshetIntegratedAnnual ReportABN-AMRO2022, p.237. See Fine policy rules 2019, appendix 1. 8/20 Date Unattribute December 18, 2023 [CONFIDENTIAL] 43. One of these factors is the severity of the violation. In determining this, each case is taken into account taken into account the nature, severity and duration of the infringement. Other circumstances that in any case is taken into account, are the categories of data concerned and whether there is a infringement which is inherently intentional or negligent. 44. The following is relevant for this purpose. The obligation to carry out a DPIA is intended for the process to describe the processing of data, so that not only the necessity and proportionality of the processing are mapped, but also the risks for the rights and freedoms of those involved in the processing of personal data. 
Failure to carry out a DPIA is an end to this itself (therefore) a violation of the GDPR, while it also increases the chance of violation again violations of the GDPR because risks of possible (other) violations of the GDPR are not identified in time recognized. 45. It is further relevant to determine the seriousness of the violation that ICS personal data of a large number of parties involved, namely 1.5 million customers. This fact contributes to the seriousness of the violation.The AP has marked the data that ICS has processed as sensitive data and data of a very personal nature. At the same time, the AP takes into account the circumstance that ICS has started the process of re-identifying its customers based on a obligations arising from the Wwft. When complying with them, the AP did not find that ICS the DPIA referred to has not been carried out on purpose. In the opinion of the AP, there is a case of negligence. The failure to carry out a DPIA was due to an incorrect assessment by ICS combating fraud and complying with the Wwft as guiding principles, but in that context ICs also had to independently assess GDPR compliance. The AP weighs the element negligence in this case as “neutral”, because it cannot be said that ICS by not executing a DPIA has not been compliant at all, in which context the AP ascribes significance to the circumstance that ICS does meet one of the main criteria in the application of the CRA process aforementioned Guidelines for an acceptable DPIA, namely the management of risks for the rights and freedoms of those involved. To this extent, ICS has paid (some) attention to the aforementioned risks that may arise when processing data. 46. It has been established that ICS has wrongly carried out a DPIA. To determine the severity of the violation, the AP does take into account the circumstance that ICs the aforementioned CRA process carried out at the start of re-identifying its customers. 
Part of that process is, as ICS has put forward in its views, a Privacy Impact Assessment, in which Privacy Officer is involved. During data assessment it is determined which data are processed, who has access to these data, what retention periods apply and whether they apply of transfers outside the EU and measures taken for this transfer. IC, like the AP has also considered this and has taken into account the risks to the rights and freedoms those involved in the processing of personal data, but have not sufficiently recognized that this should have led to the execution of a DPIA. 9/20 Date Unmarked December 18, 2023 [CONFIDENTIAL] 47. The AP has the other circumstances as mentioned in Article 7, underk, Fine Policy Rules taken into consideration. The AP has taken into account other circumstances during the long period of time in between publishing the investigation reports and issuing an enforcement decision. This section has been designated as a mitigating factor with regard to the amount of the fine. 48. Furthermore, no other circumstances mentioned in Article 7 of the Fine Policy Rules have emerged and views on the infringement by ICS, have occurred. 49. Taking the foregoing circumstances into account, the AP is of the opinion that this case is serious this infringement must be qualified at a low level. 6.4 Consideration of the circumstances based on the Guidelines 50. The European Data Protection Committee adopted the final text of the Guidelines. As mentioned above, the EDPB has established common principles regarding the calculation of fines for violations of the GDPR. 51. The Guidelines describe a methodology in which the following is considered: 1. What and how many acts and infringements are under assessment; 2. Which starting amount is the starting point for calculating the fine for this; 3. Whether mitigating or aggravating circumstances arise, it is open to adjustment amountexit2; 4. 
What maximum amounts apply to the violations and any increases from the previous ones stepnotexceedthisamount; 5. Whether the final amount of the calculated fine meets the requirements of effectiveness, deterrence and proportionality, and if necessary, adjusted accordingly. 52. The number of actions that resulted in infringements of the GDPR and the starting amount for penalty calculation are already qualified under paragraph 6.2. 53. As well as the Fine Policy Rules, write the Guidelines before the AP considers whether to soften or are aggravating circumstances that may lead to an adjustment in the classification of the infringement. This must be done on the basis of the circumstances stated in Article 83, second paragraph, salutationsunderatotenwithk,AVG. 10/20 Date Unmarked December 18, 2023 [CONFIDENTIAL] 54. First of all, attention should be paid to the gravity of the infringement. Here is an account taken into account the nature, severity and duration of the infringement, as well as the intentional or negligent nature of the infringement infringements and categories of the processed personal data. These are in marginal numbers 43 to 46 factors have already been discussed. This has led to the fact that in edge number 49, the severity of the infringement is not low gets qualified. 55. The Guidelines are written before taking into account the size of the company from the point of view of fairness must be taken into account when calculating the amount of the fine. The size of the company is determined based on turnover. According to the case law of the Court of Justice of the European Union, the turnover of the entire group is used to determine the upper limit of the fine. ICSis a wholly owned subsidiary of ABN-AMRO. Therefore, the size of the company will become determined on the basis of ABN-AMRO's worldwide turnover. ABN-AMRO has a turnover in 2022 achieved €7.841 billion. 
Since ABN-AMRO's turnover is higher than €156.8 million20, he writes AVNo maximum fine of 2% of the total worldwide annual turnover for. 56. Then write the Guidelines for the other circumstances from Article 83 GDPR are taken.As already mentioned, the partsctoandwithfthepartshtoandwithj Article 7 of the Fine Policy Rules was not found to be relevant in the case of ICS. These parts correspond to the prescribed components that must be observed under the Guidelines and are therefore not relevant in the case of ICS. 57. The AP has the other circumstances as mentioned in Article 7, underk, Fine Policy Rules taken into consideration. This provision corresponds to Article 83, second paragraph, subsection, GDPR As other circumstances, AP has taken into account the long period of time between publishing it investigation reports and the issuance of an enforcement decision. This section is under paragraph 6.2 classified as mitigating with regard to the amount of the fine. 6.5 Determining the amount of the fine and assessing effectiveness, proportionality and deterrence 58. In this case, the amount of the fine will, however, be determined by applying the basic fine from the concerningcategoryoftheFinepolicyrules.Otherwiseandasoutlinedabove,thiswill specific case, the amount of the fine on the basis of both the Fine Policy Rules and the Guidelines, up to lead to the same outcome. 59. In this case it concerns an infringement for which category II of the Fine Policy Rules applies. The fine bandwidth for category II is between €120,000 and €500,000. 1Guidelines,p.17. 1GroupeGascogneSA v European Commission (Case C-58/12P, judgment of 26 November 2013), ECLI:EU:C:2013:770, §52-57. 1A calculation based on the worldwide turnover of €7.841 billion of ABN-AMRO, as parent company of ICS. See according to the Integrated Annual Report ABN-AMRO 2022, p.237. 2See Article 83(5) of the GDPR. 11/20 Date Unmarked December 18, 2023 [CONFIDENTIAL] 60. 
Finally, it must be assessed whether the fine is effective, proportionate and deterrent. Based on Article 49 of the Charter of Fundamental Rights of the EU may impose an administrative fine, given that circumstances of the concrete case do not lead to a disproportionate outcome. This has also been stated in Articles 3:4 and 5:46, second paragraph, General Administrative Law Act. 61. Pursuant to Article 83, fifth paragraph, opening words under b, GDPR, the AP can apply for the above violations to impose an administrative fine. The purpose of imposing an administrative fine can be are located on the one hand in punishing unlawful behavior and on the other hand in promoting it compliance with applicable regulations. 62. Considering the nature, severity and duration of the infringement, as well as other factors from Article 83, second paragraph, GDPR, as assessed in this chapter, includes the imposition of an administrative fine under this circumstances have an effective and deterrent effect. Furthermore, it has not been established that the violation ICS cannot be blamed. 63. In view of all the above circumstances, the AP concludes that a fine of €150,000 for a violation of failure to execute a DPIA (Article 35, first, GDPR), in which case appropriate andcommandment. 7. Dictum 64. DeAPlies to InternationalCardServicesB.V. due to violation of Article 35, first paragraph, GDPRNo administrative fine in an amount of €150,000 (in words: one hundred and fifty thousand euros). 21 Yours faithfully, Dutch Data Protection Authority, w.g. mr.A.Wolfsen Chair 2The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB). 12/20Date Unmarked December 18, 2023 [CONFIDENTIAL] Remedies clause If you do not agree with this decision, you can do so within six weeks after the date of dispatch of the letter decides to submit an objection digitally or on paper to the Dutch Data Protection Authority. 
Pursuant to Article 38 of the GDPR Implementation Act, the submission of an objection suspends the effect of the decision imposing the administrative fine. The AP will only proceed to collection after the decision has become irrevocable. To submit an objection digitally, see www.autoriteitpersoonsgegevens.nl, under the heading 'Objection against a decision', at the bottom of the page under the heading 'Contact the Dutch Data Protection Authority'. The address for submitting an objection on paper is: Dutch Data Protection Authority, PO Box 93374, 2509 AJ The Hague. Please state 'Awb objection' on the envelope and put 'objection notice' in the title of your letter. State in your objection letter at least:
- your name and address;
- the date of your objection;
- the reference (case number) mentioned in this letter, or attach a copy of this decision;
- the reason(s) why you do not agree with this decision;
- your signature.

Attachment 1

General Data Protection Regulation

Article 4 Definitions
For the purposes of this Regulation the following definitions apply:
1) 'personal data' means any information relating to an identified or identifiable natural person ('the data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more elements characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person; […]

Article 9 Processing of special categories of personal data
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a person's sexual behaviour or sexual orientation are prohibited.
2. Paragraph 1 shall not apply where any of the following conditions is met:
a) the data subject has given explicit consent to the processing of those personal data for one or more specific purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 cannot be lifted by the data subject;
b) the processing is necessary for the performance of obligations and the exercise of specific rights of the controller or of the data subject in the field of employment law, social security law and social protection law, insofar as this is permitted by Union or Member State law or a collective agreement based on Member State law that provides appropriate safeguards for the fundamental rights and interests of the data subject;
c) the processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
d) the processing is carried out, in the course of its legitimate activities and with appropriate safeguards, by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, provided that the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside that body without the consent of the data subjects;
e) the processing relates to personal data which are manifestly made public by the data subject;
f) the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
g) the processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for appropriate and specific
measures to safeguard the fundamental rights and interests of the data subject;
h) the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the employee's fitness for work, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of Union or Member State law or pursuant to a contract with a health professional, and subject to the conditions and safeguards referred to in paragraph 3;
i) the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for appropriate and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
j) the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), on the basis of Union or Member State law, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject.
3. The data referred to in paragraph 1 may be processed for the purposes referred to in paragraph 2(h) when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or under rules established by national competent bodies, or by another person who is also subject to an obligation of secrecy under Union or Member State law or under rules established by national competent bodies.
4.
Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

Article 35 Data Protection Impact Assessment
1. Where a type of processing, in particular one using new technologies, is likely, given its nature, scope, context and purposes, to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
2. Where a data protection officer has been designated, the controller shall seek his or her advice when carrying out a data protection impact assessment.
3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the following cases:
a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
b) large-scale processing of special categories of personal data as referred to in Article 9(1), or of personal data relating to criminal convictions and offences as referred to in Article 10; or
c) systematic and large-scale monitoring of publicly accessible areas. […]

Article 58 Powers
[…]
2. Each supervisory authority shall have all of the following corrective powers:
[…]
i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case;
[…]

Article 83 General conditions for imposing administrative fines
1.
Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of the infringements of this Regulation referred to in paragraphs 4, 5 and 6 is in each individual case effective, proportionate and dissuasive.
2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in Article 58(2)(a) to (h) and (j). When deciding whether to impose an administrative fine and on its amount, due regard shall be given in each individual case to the following:
a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentional or negligent character of the infringement;
c) the measures taken by the controller or processor to mitigate the damage suffered by data subjects;
d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;
e) any relevant previous infringements by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;
g) the categories of personal data affected by the infringement;
h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;
j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
k) any other aggravating
or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 10 000 000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43;
b) the obligations of the certification body pursuant to Articles 42 and 43;
c) the obligations of the monitoring body pursuant to Article 41(4).
5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the basic principles for processing, including the conditions for consent, pursuant to Articles 5, 6, 7 and 9;
b) the rights of the data subject pursuant to Articles 12 to 22;
c) the transfer of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
d) any obligations pursuant to Member State law adopted under Chapter IX;
e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2), or failure to provide access in violation of Article 58(1).
6.
Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
7. Without prejudice to the corrective powers of the supervisory authority pursuant to Article 58(2), each Member State may lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
8. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including an effective judicial remedy and due process.
9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by the competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify the Commission of the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 at the latest and, without delay, of any subsequent amendment law or amendment affecting them.

Implementation Act of the General Data Protection Regulation

Article 14 Duties and powers of the AP
[…]
3. In the event of a violation of the provisions referred to in Article 83, fourth, fifth or sixth paragraph, of the Regulation, the Data Protection Authority may impose an administrative fine of at most the amounts mentioned in those paragraphs.
General Administrative Law Act

Article 3:2
When preparing a decision, the administrative body gathers the necessary knowledge about the relevant facts and the interests to be weighed.

Article 3:4
1. The administrative body weighs the interests directly involved in the decision, insofar as no limitation arises from a statutory provision or from the nature of the power to be exercised.
2. The adverse consequences of a decision for one or more interested parties may not be disproportionate to the goals to be served by the decision.

Article 4:8
1. Before an administrative body issues a decision which an interested party who has not requested the decision is expected to have objections to, it gives the interested party the opportunity to submit his views if:
a) the decision would be based on data about facts and interests concerning the interested party, and
b) those data have not been provided by the interested party itself.
2. The first paragraph does not apply if the interested party has not fulfilled a statutory obligation to provide data.

Article 5:46
1. The law determines the maximum administrative fine that can be imposed for a specific violation.
2. Unless the amount of the administrative fine has been determined by statutory regulation, the administrative body sets the administrative fine depending on the seriousness of the violation and the extent to which the offender can be blamed. In doing so, the administrative body takes into account, where necessary, the circumstances under which the violation was committed.
3. If the amount of the administrative fine has been determined by statutory regulation, the administrative body shall nevertheless impose a lower administrative fine if the offender can demonstrate that the prescribed administrative fine is too high due to special circumstances.
4.
Article 1, second paragraph, of the Criminal Code applies accordingly.