AP (The Netherlands) - Boete datalek PVV Overijssel
| AP - Boete datalek PVV Overijssel | |
|---|---|
| Authority: | AP (The Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 9(1) GDPR; Article 33(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 16.06.2020 |
| Fine: | 7,500 EUR |
| Parties: | Stichting Ondersteuning Provinciale Fractie Overijssel Partij voor de Vrijheid (PVV) |
| National Case Number/Name: | Boete datalek PVV Overijssel |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Danish |
| Original Source: | Dutch DPA (in DA) |
| Initial Contributor: | CBMPN |
PVV Overijssel sent an email to 101 recipients exposing all email addresses in the "To" field. It then failed to report this data breach to the Dutch DPA within the required 72-hour timeframe, as mandated by Article 33(1) GDPR.
English Summary
Facts
The Stichting Ondersteuning Provinciale Fractie Overijssel Partij voor de Vrijheid (PVV Overijssel), a political foundation supporting the PVV party in the province of Overijssel, sent an email on 10 January 2019 to 101 recipients inviting them to a political event to take place on 28 January 2019. The email exposed all recipients' email addresses in the "To" field, making them visible to everyone on the list.
These e-mail addresses contain combinations of a first and last name, initials and last name, first and/or last name with a number, letters and/or numbers that cannot be interpreted as a (personal) name, as well as information addresses, etc.
One recipient filed a complaint with the Dutch DPA, alleging a violation of the GDPR.
The following day, the complainant asked PVV Overijssel to remove them from the e-mail list and to confirm that this had been done. In an e-mail dated 11 January 2019, a PVV Overijssel employee responded with an apology and confirmed that the complainant's details had been removed from the list. On 15 January 2019, the complainant received another message from PVV Overijssel containing the same invitation for the event on 28 January 2019, this time without the invitees' email addresses being visible. Once again, the complainant requested that their contact details be removed.
Holding
The Dutch DPA held that (some of) the recipients of the email of 10 January 2019 could be directly identified or could be traced by a single search function. The personal data was revealed to all recipients of the email in a breach of security.
The Dutch DPA held that when a data breach involves personal data revealing political opinions, affected individuals are likely to suffer material or non-material harm, such as discrimination or reputational damage. The DPA determined that being a recipient of the 10 January 2019 email disclosed political views within the meaning of Article 9(1) GDPR. The recipients had previously contacted PVV Overijssel and expressed interest in receiving invitations, making it likely that they were politically aligned with the party. Given the subject and target audience of the email, an invitation to a grassroots meeting of a political party, the DPA found it highly probable that the recipients were interested in PVV's ideology, and such exposure could have consequences for their social or professional standing. The DPA therefore concluded that the breach posed a risk to the rights and freedoms of the affected individuals.
The DPA further noted that political organisations process special categories of personal data, which increases the risk to individuals in the event of a data breach. This heightened risk imposes a greater responsibility on such organisations to maintain a high level of data protection. Additionally, the breach affected a significant number of people.
The Dutch DPA found that PVV Overijssel violated Article 33(1) GDPR by failing to report the breach to the DPA without undue delay and within 72 hours of becoming aware of it. The organisation became aware of the breach on 11 January 2019 at the latest, when it responded to the complainant's request for email removal with an apology. Consequently, PVV Overijssel should have reported the breach by 14 January 2019. PVV Overijssel never submitted the legally required notification.
In determining the fine, the Dutch DPA considered the severity of the violation, the number of affected individuals (101), and the fact that the breach involved special category data revealing political opinions. The DPA concluded that PVV Overijssel committed a serious infringement, as it failed to take measures to mitigate potential harm to the affected individuals. A political organisation should be fully aware of the sensitivity of the personal data it processes and ensure a high level of protection. Only after the incident did PVV Overijssel indicate that someone internally would receive GDPR training.
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
The Dutch Data Protection Authority (hereinafter: AP) has decided to impose an administrative fine of €7,500 on the Stichting Ondersteuning Provinciale Fractie Overijssel Partij voor de Vrijheid (PVV) (hereinafter: PVV Overijssel). The AP is of the opinion that in the period from 14 January 2019 to the present, the PVV Overijssel has failed to report a breach in connection with personal data to the AP, without unreasonable delay and at the latest within 72 hours after the PVV Overijssel became aware of the breach on 11 January 2019. In doing so, the PVV Overijssel has violated Article 33, first paragraph, of the General Data Protection Regulation (hereinafter: GDPR). The decision is explained below. Chapter 1 contains the relevant facts and the course of the proceedings. Chapter 2 describes the legal framework. Chapter 3 contains the AP's assessment, after which the amount of the administrative fine is motivated in Chapter 4. Finally, Chapter 5 contains the dictum and the legal remedies clause. 1. Factual course of proceedings The Foundation for Support of the Provincial Faction Overijssel Party for Freedom (PVV) is statutorily established at Steenmeijerstraat 57, 7555 NV in Hengelo. 
The foundation aims to provide administrative and managerial assistance to the Faction (as referred to in Article 5 of the Rules of Procedure for the Meeting and Other Activities of the Provincial Council of Overijssel or a Data Protection Authority Postbus 93374, 2509 AJ Den Haag Bezuidenhoutseweg 30, 2594 AV Den Haag T0708888500-F0708888501 autoriteitpersoonsgegevens.nl 1 Date Our reference 16 June 2020 [CONFIDENTIAL] regulation that replaces it).1 The foundation also operates under the name ‘PVV Overijssel’.2 On 11 January 2019, the AP received a complaint about a possible violation of the GDPR by the PVV Overijssel.3 The complaint states, in short, that on 10 January 2019 the PVV Overijssel sent an e-mail message with “Invitation to the Constituency Evening on 28 January 2018” as the subject to a group of 101 recipients. The list of recipients was visible to all recipients of the email message, including the complainant, in the mailing list of the email program. Following this complaint, the AP started an investigation to determine whether the rules set out in the GDPR regarding reporting a breach in connection with personal data were complied with by the PVV Overijssel. By letter dated 15 May 2019, the AP requested information from the PVV Overijssel.4 The PVV Overijssel responded to this request in writing on 24 May 2019.5 The findings of the investigation are set out in the report ‘Investigation into failure to report breaches in connection with personal data to the AP by the PVV Overijssel’, an investigation report by the First Line Investigation Department (EL), dated 18 November 2019. By letter dated 11 December 2019, the AP sent the PVV Overijssel an intention to enforce together with the aforementioned investigation report and the underlying documentation, whereby the PVV was also given the opportunity to submit its views. The PVV Overijssel submitted its views in writing by letter dated 28 January 2020. 
Based on the report with findings, the underlying documentation and the views of the PVV Overijssel, the AP establishes the following relevant facts. On Thursday 10 January 2019, a PVV Overijssel faction employee sent an e-mail message with the subject ‘‘Invitation to the Constituency Evening on 28 January 2018’’ to 101 recipients. The e-mail addresses of all recipients of the e-mail message, including the complainant, were visible in the mailing list of the e-mail program.6 The text of the e-mail reads: “Dear friends of the PVV, 1 Extract from the Chamber of Commerce 14 March 2019, no. 52322017, appendix 7 to the investigation report. 2 See, among others, the print screen of the website, appendix 6 to the investigation report. 3 Notification form, appendix 2 to the investigation report. 4 Information request from the AP dated 15 May 2019, appendix 4 to the investigation report. 5 Response from PVV Overijssel of 24 May 2019, appendix 5 to the research report. 6 E-mail correspondence in the period from 10 to 15 January 2019, appendix 3 to the research report.. 2/16 Date Our reference 16 June 2020 [CONFIDENTIAL] On Monday 28 January 2019, the PVV Overijssel is organising a supporters' evening. On this evening, the candidates for the Provincial Council elections of 20 March 2019 will be presented. PVV members of the House of Representatives will also be present on this evening. During this evening, all candidates will introduce themselves to you and there will be a number of speakers. After the formal part, we would all like to talk to you and make it a pleasant evening! The evening starts at 19:30 and the supporters' evening will take place at Hotel van der Valk in Hengelo. The address: Bornsestraat 400, 7556 BN Hengelo. Because we want to know how many people we can expect, we request that you let us know by e-mail if you are coming and with how many people. Please send it to secretariaat@pvvoverijssel.nl stating your name and the number of people. 
We look forward to your arrival! See you on the 28th! Kind regards, PVV Overijssel.” In response to this invitation, the complainant sends the PVV Overijssel the following day a request to remove him from the e-mail list and to confirm this as such. In doing so, the complainant states – in summary – that making all e-mail addresses available demonstrates serious carelessness in view of the privacy rules. In an e-mail dated 11 January 2019, the PVV-Overijssel employee responds to this with an apology and confirms that the complainant's details have been removed from the list. On 15 January 2019, the complainant received another message from the PVV Overijssel with the same invitation for the event on 28 January 2019, this time without the email addresses of the invitees being visible. Once again, the complainant requested that his contact details be removed.7 The AP has not received any notification from the PVV Overijssel to date, so that the violation is still ongoing. 2. Legal framework Pursuant to Article 2, first paragraph, of the GDPR, this regulation applies to the fully or partly automated processing, as well as to the processing of personal data contained in a file or intended to be contained in a file. Pursuant to Article 4 of the GDPR, the following definitions apply: 1. “Personal data”: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, [...]. 7 E-mail correspondence in the period from 10 to 15 January 2019, Annex 3 to the research report. 3/16 Date Our reference 16 June 2020 [CONFIDENTIAL] 2. “Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means [...]. 7. “Controller”: a [...] 
legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data; [...]. 12. “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. According to Article 33(1) of the GDPR, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of a personal data breach, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. Recitals 75 and 76 of the GDPR provide, inter alia, that the risk to the rights and freedoms of individuals may result from processing of personal data resulting in material and non-material damage. This risk is felt in particular if the processing can lead to discrimination and reputational damage, among other things. This risk can also be felt if personal data is processed that shows someone's political views. When assessing risks, both the likelihood and the severity of the risk to the rights and freedoms of data subjects must be taken into account. The risk must be determined on the basis of an objective assessment. In addition, it must be determined whether the processing involves a risk or a high risk. The above considerations, for example, imply that appropriate protective measures must be taken, which are appropriate for the processing of personal data with such a load as a political view. 3. 
Assessment 3.1 Processing of personal data and material scope of the GDPR The aforementioned e-mail message of 10 January 2019 concerns an invitation to a supporters' evening on 28 January 20198 and is addressed to a group of 101 addressees, referred to therein as "friends of the PVV". The e-mail addresses are visible to all invitees in the address line of the e-mail.9 These e-mail addresses contain combinations of a first and last name, initials and last name, first and/or last name with a number, letters and/or numbers that cannot be interpreted as a (personal) name, as well as information addresses, etc. 8 The subject line of the email states ‘2018’. This is an apparent typo. 9 Email correspondence in the period from 10 to 15 January 2019, appendix 3 to the investigation report. 4/16 Date Our reference 16 June 2020 [CONFIDENTIAL] (Some of) the recipients of the aforementioned email can be directly identified or can be traced by a single search function. Since this data can be used to directly or indirectly identify a natural person, including the complainant, it can be qualified as personal data within the meaning of Article 4, opening sentence, and under 1, of the GDPR. As noted above, data on political opinions qualify under the GDPR as so-called ‘special categories of personal data’ as described in Article 9, first paragraph, of the GDPR. The AP has established that sending the email of 10 January 2019 involved the processing of personal data that reveal political views as referred to in Article 9, paragraph 1, of the GDPR. As the PVV Overijssel indicated in its letter of 24 May 2019, the recipients of the invitation to the supporters' evening had previously contacted the PVV Overijssel and indicated that they were interested in receiving invitations.10 The AP does not share the PVV Overijssel's view that the motives for interest in receiving email messages such as invitations to activities can be diverse. 
Being interested in a meeting of the PVV Overijssel does not rule out that there are also interested parties who wish to attend this meeting based on their political views. In this, the AP takes into account that this refers to the "supporters". Finally, the AP points out that the PVV Overijssel also does not rule out that there are interested parties among them who wish to attend this evening based on their political views. Based on the above, the AP concludes that personal data of individuals that demonstrate a political opinion are being processed. 3.2 Controller In the context of the question of whether Article 33, paragraph 1, of the GDPR is being complied with, it is important to determine who is to be regarded as the controller as referred to in Article 4, opening sentence, and under 7, of the GDPR. The determining factor for this is who determines the purpose of and the means for the processing of personal data. The PVV Overijssel is a foundation that aims to provide administrative and management assistance to the PVV faction in the Provincial States of Overijssel.11 The PVV Overijssel has no group relationship with another legal entity, such as the association Partij voor de Vrijheid. Only the board represents the foundation.12 10 Letter PVV Overijssel dated 24 May 2019, appendix 5 to the investigation report. 11 Extract from the Chamber of Commerce, 14 March 2019, no. 52322017, appendix 7 to the research report. 12 See the deed of incorporation of the Foundation for Support of the Provincial Faction Overijssel Party for Freedom (PVV), deed date 15 March 2011, consulted on 29 August 2019, appendix 8 to the research report. 5/16 Date Our reference 16 June 2020 [CONFIDENTIAL] Every contribution placed on the website https://www.pvvoverijssel.nl/ relates exclusively to the provincial politics of the province of Overijssel. All contributions are placed on behalf of ‘Partij voor de Vrijheid Overijssel’. 
Various video fragments, originating from YouTube, about public appearances of the PVV Overijssel are shared on the website. All these published media have been placed on YouTube by the account ‘PVV Overijssel’. The website can also be used to contact only the PVV Overijssel. From this finding, the AP concludes that the website is managed by the PVV Overijssel. The PVV Overijssel's supporters are made up of donors, volunteers and sympathisers. In order to unite and mobilise them, the PVV Overijssel recruits volunteers. In addition, the PVV Overijssel has given substance to the active eligibility of the PVV in the province of Overijssel by, among other things, recruiting candidates for the PVV electoral list for the 2018 municipal elections in three municipalities of the province. In this, the PVV Overijssel has coordinated the participation of the PVV in municipal elections in Overijssel in the municipalities of Almelo, Enschede and Twenterand.13 The PVV Overijssel has given shape to the goal of recruiting volunteers and candidates for the 2018 municipal elections by placing a web form on its website in which, among other things, name and address details, e-mail address, availability for Municipal Council and/or volunteer, and the upload of a CV are mandatory processed by the PVV Overijssel.14 In its letter of 24 May 201915 in response to the AP's request for information16, the PVV Overijssel indicated that it organises various activities and works with various mailing lists. She sent the invitation for the supporters' evening to people who had previously contacted her and indicated that they were interested in receiving invitations. Due to a human error by a party employee, the e-mail addresses were visible to everyone who had received the invitation in question. The PVV Overijssel says that it has learned from this and has taken appropriate internal measures. 
The AP concludes from the above that the PVV Overijssel independently determines which resources it deems necessary to reach and activate its supporters in Overijssel. One of these resources is sending e-mail. The PVV Overijssel has control over the manner in which the personal data are processed and determines the purpose and resources of the data processing in the context of this activity. Based on the above, the AP designates the PVV Overijssel as the controller as referred to in article 4, opening sentence, and under 7, of the GDPR. 13 Print screen, appendix 6 to the investigation report. 14 Print screen, appendix 6 to the investigation report. 15 Letter PVV Overijssel dated 24 May 2019, appendix 5 to the investigation report. 16 Information request from AP dated 15 May 2019, appendix 4 to the investigation report. 6/16 Date Our reference 16 June 2020 [CONFIDENTIAL] 3.3 Duty to report personal data breaches to the AP 3.3.1 Personal data breach Pursuant to Article 33, paragraph 1, of the GDPR, the controller shall report the personal data breach to the supervisory authority competent in accordance with Article 55 without undue delay and, where possible, no later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. In order to determine whether there has been a breach of the notification obligation within the meaning of Article 33, paragraph 1, of the GDPR, it is first important to determine whether the sending of the email of 10 January 2019 constituted a so-called security breach within the meaning of Article 4, introductory phrase and under 12, of the GDPR. What should be clear is that a breach is a type of security incident. However, as indicated, Article 4, introductory phrase and under 12, of the GDPR only applies if there is a personal data breach. 
The consequence of such a breach is that the controller will not be able to ensure that the principles relating to the processing of personal data as set out in Article 5 of the GDPR are complied with. This emphasises the difference between a security incident and a personal data breach – essentially, all personal data breaches are security incidents, but not all security incidents are necessarily personal data breaches. It should be noted that a security incident is not limited to threat models in which an organization is attacked from outside, but also includes incidents resulting from internal processing.17 On January 10, 2019, a PVV Overijssel faction employee sent an email message with an invitation to a supporters' evening to a group of 101 addressees. The email address of the addressees was visible to all recipients of the email message, including the complainant, in the mailing list of the email program. In its response of May 24, 2019, the PVV Overijssel acknowledged to the AP that this was highly undesirable and should never have happened. In view of the above, the sending of the email with the subject “Invitation to the Supporters’ Evening on 28 January 2018” to a group of 101 recipients on 10 January 2019 by the PVV Overijssel can be regarded as a breach of security, which accidentally led to the unauthorised provision of personal data to all recipients of the email. In the opinion of the AP, this constitutes a breach of personal data as referred to in Article 4, section 12, of the GDPR.18 17 Guidelines for the notification of personal data breaches under Regulation 2016/679, p. 8. 18 Cf. example direct marketing email, Guidelines for the notification of personal data breaches under Regulation 2016/679, p. 39. 
7/16 Date Our reference June 16, 2020 [CONFIDENTIAL] 3.3.2 Notification obligation to the AP The notification obligation as laid down in Article 33, paragraph 1, of the GDPR is primarily aimed at encouraging controllers to take immediate action in the event of a breach, to limit the breach, to restore the compromised personal data if possible and to ask the supervisory authority for advice. By reporting the breach to the supervisory authority within the first 72 hours, the controller can ensure that decisions on whether or not to notify individuals are correct.19 3.3.2.1 The moment at which the PVV Overijssel became aware of the breach Following the sending of the email from the PVV Overijssel on 10 January 2019, the complainant responded on 11 January 2019 and requested the PVV Overijssel to remove his email address from its address file. The complainant also informed the PVV Overijssel that making all email addresses and traceable personal data available demonstrates serious carelessness. The PVV Overijssel responded to this with an email on 11 January 2019 with apologies. Therefore, the PVV Overijssel became aware of the breach on 11 January 2019 at the latest.20 3.3.2.2 Risk assessment of breach in connection with personal data The GDPR imposes a reporting obligation on all controllers, unless it is unlikely that a breach poses a risk to the rights and freedoms of natural persons. 
This must be assessed on a case-by-case basis.21 According to the PVV Overijssel, in section 3.4.222 of its investigation report, the AP, referring to the ‘Guidelines for the notification of personal data breaches under Regulation 2016/679’, wrongly assumes the concept of ‘that the personal data breach poses a risk to the rights and freedoms of natural persons.’ However, the Guidelines (page 26) use the concept of ‘that the breach poses a high risk to the rights and freedoms of natural persons.’ According to the Guidelines, a normal risk is therefore not sufficient; it must be a high risk, according to the PVV Overijssel. The AP believes that the PVV Overijssel is assuming an incorrect interpretation of the Guidelines. They make a distinction between reporting to the AP and reporting to the data subject(s): “IV. Assessment of risk and high risk A. Risk as a reason for reporting/communications 19 Guidelines for reporting personal data breaches under Regulation 2016/679, p. 18. 20 See e-mail correspondence in the period from 10 to 15 January 2019, appendix 3 to the investigation report. 21 Guidelines for reporting personal data breaches under Regulation 2016/679, p. 9. 22 This refers to 3.5.2 Risk assessment. 8/16 Date Our reference June 16, 2020 [CONFIDENTIAL] Although the GDPR introduces the obligation to report a breach, this is not mandatory in all circumstances: A breach must be reported to the competent supervisory authority, unless it is unlikely to pose a risk to the rights and freedoms of natural persons. A breach is only communicated to the person if it is likely to pose a high risk to the rights and freedoms.”23 In the investigation report, the AP found that the PVV Overijssel was obliged to report the breach to the AP. In that context, it must therefore be assessed whether it is unlikely that the breach poses a risk to the rights and freedoms of natural persons. In its opinion, the PVV Overijssel also disputed that there is such a risk. 
To this end, it argues, among other things, that the processing only concerns the processing of ordinary, non-special personal data. The PVV Overijssel states that it is therefore unlikely that physical, material or immaterial damage will occur and that it rightly determined with regard to the infringement that it is unlikely that the infringement poses a risk to the rights and freedoms of natural persons. According to the PVV Overijssel, it was not obliged to report the infringement to the AP. The AP considers the following in this regard. The Guidelines, with reference to recitals 75 and 76 of the GDPR, mention factors that are important in assessing risks, namely: nature of the infringement; nature, sensitivity and scope of the personal data; ease with which persons can be identified; seriousness of the consequences for persons; special characteristics of the person; special characteristics of the controller; the number of persons affected; and general points. The nature and sensitivity of the personal data that have been compromised by the infringement are an important factor in this. The more sensitive the data, the greater the risk of harm to the data subjects.24 Where the breach concerns personal data revealing a political opinion, material or non-material harm (such as discrimination and reputational damage) to the persons whose data are the subject of the breach must be considered likely.25 The email sent on 10 January 2019 to 101 addressees contains email addresses with personal data of the data subjects. For this purpose, the AP considered that personal data revealing political opinions were being processed. Given the subject and target group of the email, an invitation to a grassroots meeting of a political party, as well as the content of that meeting, it is most likely that the addressees include persons interested in the ideology of the PVV. Such information could have consequences for an existing or future social position. 
Furthermore, the Guidelines on the 23 Guidelines on the notification of personal data breaches under Regulation 2016/679, p. 26. 24 Guidelines on notification of personal data breaches under Regulation 2016/679, p. 28 et seq. 25 Guidelines on notification of personal data breaches under Regulation 2016/679, p. 26 and 27. 9/16 Date Our reference 16 June 2020 [CONFIDENTIAL] factor ‘special characteristics of the controller’ indicates that the nature and role of the controller and its activities may influence the risk that a breach poses to individuals. For example, a political organisation processes special categories of personal data, which means that there is a greater threat to individuals if their personal data is breached. This implies a greater responsibility of the political organisation to maintain a high level of protection. Finally, it should be noted in this context that the breach affects a relatively large number of people, namely (some of) the data subjects behind the mailing list of people interested in invitations to activities of the PVV Overijssel. Given these circumstances, it is not likely that the breach poses a risk to the rights and freedoms of the data subjects. The PVV Overijssel was therefore obliged to report the breach to the AP. 3.3.2.3 Latest date on which PVV Overijssel should have reported the breach to the AP Since the PVV Overijssel became aware of the breach in connection with the personal data on 11 January 2019 at the latest, it should have reported it to the AP as the competent supervisory authority without unreasonable delay and within 72 hours at the latest. The PVV Overijssel should therefore have reported it to the AP by 14 January 2019 at the latest, but has failed to do so to date. 
In view of the foregoing, the AP is of the opinion that PVV Overijssel has violated Article 33, paragraph 1, of the GDPR by failing to report the personal data breach to the AP without unreasonable delay and at the latest within 72 hours after PVV Overijssel became aware of the breach on 11 January 2019. 4. Fine 4.1 Introduction If a controller fails to notify the supervisory authority of a personal data breach, despite the fact that the requirements of Article 33 of the GDPR have been met, the supervisory authority is offered a choice in which all corrective measures at its disposal must be considered, as well as the imposition of a fine. In its opinion, PVV Overijssel has explained and substantiated why it believes that it was not obliged to report to the AP. It is therefore of the opinion that there are no grounds for imposing a measure or administrative fine. To the extent that the AP does not follow the positions of the PVV Overijssel, it makes an explicit and motivated appeal to Article 7 ‘Relevant factors’ of the Fine Policy Rules.26 26 Policy Rules of the Dutch Data Protection Authority of 19 February 2019 regarding the determination of the amount of administrative fines (Fine Policy Rules Dutch Data Protection Authority 2019), Government Gazette No. 14586, 14 March 2019. 10/16 Date Our reference 16 June 2020 [CONFIDENTIAL] The AP notes the following in this regard. By sending an invitation to a supporters' evening in which all recipients of the e-mail message can see the list of addressees in the mailing list of the e-mail program, the PVV Overijssel has provided unauthorized insight into all e-mail addresses and all names of the recipients, being persons with an interest in the ideology of the PVV. 
By sending the e-mail, personal data revealing political views have therefore been shared with all recipients of the e-mail, and the right to respect for private life and the right to protection of personal data of a large number of data subjects, who have lost control over their personal data as a result, have been violated. In the opinion of the AP, the failure to report this personal data breach to the AP in a timely manner is a serious violation. The fact that the PVV Overijssel did not report it because it concerned people who had indicated that they wanted to receive periodic mail[27] does not change this.

[27] Letter from PVV Overijssel dated 24 May 2019, appendix 5 to the investigation report.

The AP sees reason to use its authority to impose a fine on the PVV Overijssel on the basis of Article 58, paragraph 2, opening sentence and under i, and Article 83, paragraph 4, of the GDPR, read in conjunction with Article 14, paragraph 3, of the UAVG. Pursuant to Article 83, paragraph 4, under a, of the GDPR, infringements of Article 33 of the GDPR are, in accordance with paragraph 2, subject to administrative fines of up to €10,000,000 or, for a company, up to 2% of the total worldwide annual turnover in the preceding financial year, whichever is higher.

4.2 Fine Policy Rules of the Dutch Data Protection Authority 2019 (Fine Policy Rules 2019)

The AP has established the Fine Policy Rules 2019 regarding the exercise of the aforementioned authority to impose an administrative fine, including the determination of its amount. Pursuant to Article 2, under 2.1, of the Fine Policy Rules 2019, the provisions whose violation the AP can sanction with an administrative fine of up to €10,000,000 [...] are classified in Annex 1 as category I, category II or category III. In Annex 1, the violation of Article 33, paragraph 1, of the GDPR is classified in category III.

Pursuant to Article 2.3 of the Fine Policy Rules 2019, the AP determines the basic fine for violations for which a statutory maximum fine of €10,000,000 [...] applies within the fine ranges specified in that article. For violations in category III of Annex 1 of the Fine Policy Rules 2019, a fine range between €300,000 and €750,000 and a basic fine of €525,000 apply.

In accordance with Article 6 of the Fine Policy Rules 2019, the AP determines the amount of the fine by increasing the basic fine (up to the maximum of the bandwidth of the fine category linked to an offence) or decreasing it (down to the minimum of that bandwidth). The basic fine is increased or decreased depending on the extent to which the factors mentioned in Article 7 of the Fine Policy Rules 2019 give reason to do so.

In accordance with Article 7 of the Fine Policy Rules 2019, the AP takes into account, without prejudice to Articles 3:4 and 5:46 of the General Administrative Law Act (Awb), the following factors derived from Article 83, paragraph 2, of the GDPR, listed in the Policy Rules under a to k:

a. the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing in question as well as the number of affected data subjects and the extent of the damage suffered by them;
b. the intentional or negligent nature of the infringement;
c. the measures taken by the controller [...] to mitigate the damage suffered by data subjects;
d. the extent to which the controller [...] is responsible in view of the technical and organisational measures implemented in accordance with Articles 25 and 32 of the GDPR;
e. previous relevant breaches by the controller [...];
f. the extent of cooperation with the supervisory authority in remedying the breach and mitigating its possible adverse effects;
g. the categories of personal data to which the breach relates;
h. the manner in which the supervisory authority became aware of the breach, in particular whether, and if so to what extent, the controller [...] notified the breach;
i. compliance with the measures referred to in the second paragraph of Article 58 of the GDPR, insofar as they have previously been taken in relation to the controller [...] in question with regard to the same matter;
j. adherence to approved codes of conduct pursuant to Article 40 of the GDPR or approved certification mechanisms pursuant to Article 42 of the GDPR; and
k. any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains made or losses avoided, whether or not directly resulting from the infringement.

Pursuant to Article 8.1 of the Fine Policy Rules 2019, if the fine category determined for the infringement does not allow for an appropriate penalty in the specific case, the AP may, when determining the amount of the fine, apply the fine range of the next higher category or the fine range of the next lower category, respectively.

Pursuant to Article 9 of the Fine Policy Rules 2019, the AP shall, when determining the fine, take into account the financial circumstances of the offender where necessary. In the event of reduced or insufficient financial capacity of the offender, the AP may further reduce the fine to be imposed if, after application of Article 8.1 of the Policy Rules, setting a fine within the fine range of the next lower category would, in its opinion, still lead to a disproportionately high fine.

4.3 Amount of the fine

According to the AP, the following factors mentioned in Article 7 are particularly relevant in this case for determining the amount of the fine:

a. the nature, seriousness and duration of the infringement;
b. the intentional or negligent nature of the infringement (culpability);
c. the measures taken by the controller or processor to limit the damage suffered by data subjects.

4.3.1 Nature, seriousness and duration of the infringement

Pursuant to Article 7, opening paragraph and under a, of the Fine Policy Rules 2019, the AP takes into account the nature, seriousness and duration of the infringement.

The protection of natural persons in the processing of personal data is a fundamental right. Under Article 8, paragraph 1, of the Charter of Fundamental Rights of the European Union and Article 16, paragraph 1, of the Treaty on the Functioning of the European Union (TFEU), everyone has the right to the protection of personal data. The principles and rules relating to the protection of natural persons with regard to the processing of their personal data must respect their fundamental rights and freedoms, in particular their right to the protection of personal data. The GDPR aims to contribute to the creation of an area of freedom, security and justice and of an economic union, as well as to economic and social progress, the strengthening and convergence of the economies within the internal market and the well-being of natural persons. The processing of personal data must serve the human being. The right to protection of personal data is not an absolute right, but must be considered in relation to its function in society and must be weighed against other fundamental rights in accordance with the principle of proportionality.

Any processing of personal data must be fair and lawful. Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. Personal data must be processed in a manner that ensures appropriate security and confidentiality of the data, including to prevent unauthorised access to or use of personal data and the equipment used for processing. The GDPR aims to ensure effective protection of personal data.
Breach notification must be seen as a means of improving compliance with the rules on the protection of personal data. If a personal data breach occurs or has occurred, this may result in physical, material or non-material damage to natural persons or in any other economic or social disadvantage for the person concerned. Therefore, as soon as the controller becomes aware of a personal data breach, it must notify the supervisory authority of the breach without delay and, where possible, within 72 hours. This enables the supervisory authority to properly perform its tasks and exercise its powers as laid down in the GDPR.

The PVV Overijssel believes that the nature and scope of the breach are limited, as it concerns a single e-mail message with a general indication, without any information about the data subject being processed other than the e-mail address. The AP does not follow the PVV Overijssel in this. It should be noted that the PVV Overijssel has not submitted the legally required notification of this breach to the AP from 14 January 2019 to the present. In its assessment, the AP takes into account that the infringement concerns 101 persons and that a special category of personal data is involved, namely data revealing political views. In view thereof, the AP considers the infringement serious, but sees no reason to increase or decrease the basic fine amount.

4.3.2 Intentional or negligent nature of the infringement (culpability)

In accordance with Article 5:46, paragraph 2, of the General Administrative Law Act, the AP takes into account the extent to which the infringement can be attributed to the offender when imposing an administrative fine.
Since this concerns an infringement, it is not required to demonstrate intent in order to impose an administrative fine in accordance with established case law,[28] and the AP may assume culpability once the offender has been established.[29]

The PVV Overijssel believes that the infringement is neither intentional nor negligent. Upon discovery, it immediately made the assessment that it should make in accordance with Article 33 of the GDPR and legitimately judged that there was no obligation to report the infringement to the AP.

The AP notes that, to the extent that such an assessment had already taken place, the PVV Overijssel did not carry it out correctly. As grounds for not reporting the infringement to the AP, it stated: “it concerns an invitation that was sent to people who previously contacted us and indicated that they were interested in receiving our invitations.” And: “we did not report this because it concerned people who indicated that they wanted to receive mail from us periodically.” Furthermore, the PVV Overijssel stated in that context that it “does not concern an involuntary group of people”.[30] However, this is not a criterion on the basis of which it could be concluded that this infringement is not reportable. At the time that PVV Overijssel became aware of the incident, it should have made a risk assessment based on the nature of the personal data that had been wrongly disclosed and then reported the infringement to the AP. PVV Overijssel nevertheless failed to report this to the AP.

[28] Cf. CBb 29 October 2014, ECLI:NL:CBB:2014:395, r.o. 3.5.4; CBb 2 September 2015, ECLI:NL:CBB:2015:312, r.o. 3.7; CBb 7 March 2016, ECLI:NL:CBB:2016:54, r.o. 8.3; ABRvS 29 August 2018, ECLI:NL:RVS:2018:2879, r.o. 3.2; and ABRvS 5 December 2018, ECLI:NL:RVS:2018:3969, r.o. 5.1.
[29] Parliamentary Papers II 2003/04, 29702, no. 3, p. 134.
[30] Letter from PVV Overijssel dated 24 May 2019, appendix 5 to the investigation report.
In view of the foregoing, the AP considers it reprehensible that the PVV Overijssel did not report to the AP, but on the basis of this established culpability sees no reason to increase or decrease the basic fine amount.

4.3.3 Measures taken to limit the damage suffered by those involved

The PVV Overijssel has indicated that it adjusted its working methods and processes immediately after discovery to prevent such an error from being made again, and that these measures have proven to be effective.

The AP considers that no measures have been taken to limit the damage (possibly) suffered by the parties involved. A political organisation such as the PVV Overijssel may be expected to be fully aware of the sensitivity of the personal data it processes and to ensure an appropriate level of protection. It was only after the incident that it indicated that someone internally would become proficient in the GDPR. The AP therefore sees no reason in the circumstances put forward to reduce the basic amount of the fine on the basis of Article 7, under c, of the Fine Policy Rules 2019.

4.3.4 Proportionality

Finally, the AP assesses on the basis of Articles 3:4 and 5:46 of the General Administrative Law Act (principle of proportionality) whether the application of its policy for determining the amount of the fine leads to a disproportionate outcome given the circumstances of the specific case. Applying the principle of proportionality means, according to the Fine Policy Rules 2019, that the AP, when determining the fine, takes into account the financial circumstances of the offender where necessary.

The PVV Overijssel has indicated that, as a non-profit political foundation, it has very limited financial resources. The AP considers the following in this regard.
Based on Article 3 of the articles of association of the Foundation Support Provincial Faction Overijssel Party for Freedom, the assets intended to achieve the foundation's objective are formed by the financial contribution from the province of Overijssel and by whatever is obtained in other ways. According to the Regulation on official assistance and faction support of the province of Overijssel, the factions receive an annual financial contribution as compensation for the costs of the functioning of the faction. This compensation amounts to a maximum of €3,570 for each member of the Provincial States belonging to that faction, plus €26,460 per faction (as of 1 January 2019).[31]

[31] Regulation on official assistance and faction support for the province of Overijssel 2016, Provincial Gazette no. 33, 2 January 2017 and no. 2734, 11 April 2019.

In view of this, the AP considers the financial capacity of the PVV Overijssel to be limited and concludes that the PVV Overijssel cannot financially bear the fine of €525,000. On this basis, the AP sees reason to reduce the fine. In this case, the AP considers a fine of €7,500 appropriate and necessary. In this context, the AP considers that it has not been demonstrated that the PVV Overijssel would be unable to bear this fine.

4.3.5 Conclusion

The AP sets the total fine at €7,500.

5. Judgment

Fine

The AP imposes an administrative fine of €7,500 (in words: seven thousand five hundred euros) on the PVV Overijssel for violating Article 33, first paragraph, of the GDPR in the period from 14 January 2019 to the present.[32]

Yours sincerely,

Dutch Data Protection Authority,

mr. A. Wolfsen
Chairman