
AP (The Netherlands) - AP: Boete orthodontiepraktijk vanwege onbeveiligde patiëntenwebsite

From GDPRhub
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 32(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 04.02.2021
Published:
Fine: 12,000 EUR
Parties: n/a
National Case Number/Name: AP: Boete orthodontiepraktijk vanwege onbeveiligde patiëntenwebsite
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Autoriteit Persoonsgegevens (AP) (in NL)
Initial Contributor: CBMPN

A Dutch orthodontic practice was fined €12,000 for transmitting sensitive patient data over an unencrypted connection, contrary to healthcare security standards. The Dutch DPA also highlighted the issue of processing data of minors.

English Summary

Facts

An orthodontic practice in the Netherlands operated a website with an online registration form for new patients. The form collected sensitive personal data, including the Dutch citizen service number (BSN), names, contact details, and health-related information. The form submitted this data over an unencrypted HTTP connection, exposing it to interception in transit and posing a significant risk to the data subjects, particularly minors.

The Dutch DPA received a complaint about this issue in November 2018 and investigated. The practice acknowledged the lack of encryption but claimed they were unaware of the requirement and had taken corrective action by replacing the website with a secure version in May 2019.

Holding

The Dutch DPA held that the practice violated Article 32(1) GDPR by failing to implement appropriate technical and organizational measures to ensure the security of personal data. Specifically, the lack of encryption for transmitting sensitive data (including BSNs and health-related information) over an unsecured connection (HTTP instead of HTTPS) did not meet the required security standards, particularly under the NEN 7510 healthcare security norm. The Dutch DPA emphasized that healthcare providers must ensure a high level of data protection, especially when processing sensitive data of minors.

Fine Calculation

The Dutch DPA initially categorized the violation under Category II (fines between €120,000 and €500,000) but decided to apply Category I (fines up to €200,000) due to the specific circumstances of the case.

Mitigating Factors:

a) the violation was limited to the online registration form and did not affect the entire patient administration system;
b) the practice is a small-to-medium-sized enterprise (SME);
c) the costs of implementing encryption were minimal.
The fine was set at €12,000, considering the proportionality and the respondent's financial capacity.


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Date
4 February 2021
Subject
Our reference
[confidential]
Contact person
[confidential]
Decision to impose an administrative fine
Dear [data subject],
The Dutch Data Protection Authority (hereinafter: AP) has decided to impose an administrative fine of € 12,000.00 on you. The AP is of the opinion that you have not complied with your obligation to take appropriate technical and organizational measures when processing personal data in the period from 1 July 2018 to 29 May 2019 (Article 32, paragraph 1, of the General Data Protection Regulation; hereinafter: GDPR).
The decision is explained below. Section 1 contains an introduction. Section 2 discusses the processing, processing responsibility and the violation found. Section 3 discusses the authority of the AP to impose a fine and the amount of the fine. Finally, paragraph 4 contains the decision (the dictum) and the legal remedies clause.
1. Introduction
1.1. About the offender
The company “[company]” is run by [person concerned]. The website of the orthodontic practice states that the practice has eleven employees, in addition to [person concerned] as an orthodontist. The practice is located at [address] and the company is registered in the trade register of the Chamber of Commerce under number [Chamber of Commerce number].
Dutch Data Protection Authority
Postbus 93374, 2509 AJ Den Haag Bezuidenhoutseweg 30, 2594 AV Den Haag T0708888500-F0708888501 autoriteitpersoonsgegevens.nl
1.2. Reason for the investigation and course of proceedings
On 27 November 2018, the AP received a complaint as referred to in Article 77 of the GDPR. According to the complaint, sensitive data, such as the citizen service number (hereinafter: BSN), are requested via the registration form on the website of the orthodontic practice, but the data are then sent unencrypted.
On 26 February 2019, the AP visited the website of the orthodontic practice and took screenshots of it.
By letter dated 29 May 2019, the AP requested information from [data subject]. [Data subject] responded by letter dated 4 June 2019.
On 4 July 2019, the AP visited the website of the orthodontic practice again and took screenshots of it.
By letter dated 12 August 2019, the AP requested further information from [data subject]. [Data subject] responded by letter dated 19 August 2019. The findings and conclusions of the investigation are recorded in a report dated 27 August 2019.
By letter dated 12 September 2019, the AP sent the investigation report to [person concerned]. In doing so, the AP expressed its intention to impose an administrative fine and gave [person concerned] the opportunity to provide an opinion on the matter.
By letter dated 7 October 2019, supplemented by those of 9 and 12 December 2019, [person concerned] submitted an opinion.
2. Facts and assessment
The relevant laws and regulations are stated in the appendix to this decision.
2.1. Processing of personal data
At the time of the complaint, the orthodontic practice's website contained a form for registering new patients. This form contained fields for, among other things, name and address details, date of birth, citizen service number (BSN), telephone numbers of the patient and parents, information about the school, general practitioner, dentist and insurance company. This data concerns information about an identified or identifiable natural person, and is therefore personal data as referred to in Article 4, opening paragraph and under 1, of the GDPR.
It follows from the letter from [data subject] dated 19 August 2019 that after sending the form, the completed data was stored online. The orthodontic practice received a notification of the new registration by e-mail. An employee of the practice logged in to the website, opened the registration data and created a new patient in its own patient file. The data stored online was then deleted, according to [data subject]. This set of processing operations, but also every part thereof, including the recording, storage and destruction of data, is a processing of personal data as referred to in Article 4, opening paragraph and under 2, of the GDPR.
2.2. Controller
[Data subject] determines the purpose and means of the processing of personal data. The registration form is intended to obtain data from new patients of the orthodontic practice run by her as a sole proprietorship, required for the treatment and the financial settlement thereof. [Data subject] is thus the controller, as referred to in Article 4, opening words and under 7, of the GDPR.
2.3. Violation with regard to the security of the processing
2.3.1. Introduction
The controller is obliged, pursuant to Article 32, first paragraph, of the GDPR, to take appropriate technical and organisational measures to protect the processing of personal data against, among other things, loss or unlawful processing of the data. These measures must guarantee an appropriate level of security, taking into account the state of the art and the implementation costs, the risks of the processing and the nature of the data to be protected.
The question of whether the controller has taken the measures referred to in Article 32, first paragraph, of the GDPR is assessed as follows in cases such as the present one. The processing of a patient's BSN by a healthcare provider must comply with NEN 7510. This is an information security standard for healthcare. The obligation to comply with this standard follows from Article 2 of the Regulation on the use of citizen service numbers in healthcare, read in conjunction with Article 8 of the Act on additional provisions for the processing of personal data in healthcare.1 Even outside this statutory obligation with regard to the BSN, NEN 7510 contains the generally accepted security standards for healthcare.2 NEN 7510 is further elaborated in NEN 7510-1 and NEN 7510-2.
Chapter 10 of NEN 7510-2 discusses control measures with regard to cryptography. These measures are intended to ensure the correct and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. Paragraph 10.1.1 states that a policy for the use of cryptographic management measures should be developed and implemented to protect information. These can be used, among other things, to ensure confidentiality by using the coding of information to protect sensitive or essential information during storage or transmission.
1 Article 8, first paragraph, of this Act relates to the provision of healthcare. It follows from Article 1, opening words and under b, of this Act that the financial and administrative settlement also falls under this. This settlement starts with the provision of the required data, such as the BSN. Compare the history of the creation of this provision (Parliamentary Papers II 2005/06, 30 380, no. 3, p. 20).
2 Compare the CBP Guidelines for the Security of Personal Data (Stcrt. 2013 no. 5174, p. 11).
Chapter 13 of NEN 7510-2 discusses management measures relating to communication security. Section 13.2 contains management measures with regard to information transport. The purpose of these management measures is to maintain the security of information that is exchanged within an organization and with an external entity. Section 13.2.1 states that when using communication facilities for information transport, consideration should be given to using cryptographic techniques, for example to protect the confidentiality, integrity and authenticity of information.
With regard to the state of the art of cryptographic techniques, it is also relevant that the National Cyber Security Center (hereinafter: NCSC) points out on its website the importance of protecting communication when sensitive information is sent via a connection.3 According to the NCSC, TLS (Transport Layer Security) is the most widely used protocol for securing connections on the internet. TLS is applied to web traffic via the HTTPS protocol using a TLS certificate.
A TLS certificate can be obtained free of charge,4 although costs must usually be incurred to have the certificate installed on the server by an IT specialist or renewed because the validity period has expired. These are short-term actions that only involve wage costs.
2.3.2. Facts
[Data Subject] stated that the website of the orthodontic practice went online on 4 June 2010.5 Because a new website was already being worked on at the time of the AP's first request for information, it referred to the then existing website as the 'old website'.
The AP visited the website - which has since been replaced by another - on 26 February 2019. It was noted that the website, as stated, contained a form for registering new patients. This form contained fields for, among other things, the contact details of the patient and their parents and the patient's BSN. The AP also noted that the website did not use an encrypted connection at all at the time of the visit. This is evident from the screenshots in appendix 9 of the investigation report, an excerpt of which is included below:
3 https://www.ncsc.nl/onderwerpen/verbindingsbeveiliging.
4 For example, at the non-profit certificate authority Let’s Encrypt, < https://letsencrypt.org/>. There are certificate authorities that offer expensive certificates (Extended Validation, or EV). Such certificates provide more information about the party to whom the certificate is issued, but do not lead to a different or better encryption of exchanged information.
5 Letter of 19 August 2019, appendix 8 to the investigation report.
Figure 1: Excerpt of the page information of the website [url].
In the window shown, a message “Unencrypted connection” is included under the heading “Technical details”. This message reads: “The website [url] does not support encryption for the page you are viewing. Data sent over the internet without encryption can be viewed by others along the way.”
[Data subject] has acknowledged that the old website did not use an encrypted connection.6 The developer of the old website never pointed out that possibility to her. Otherwise she would certainly have made use of it, according to [data subject].
It follows from the letter from [data subject] of 19 August 2019 that when a form was sent, the data was stored on the web server on which the old website was running. The orthodontic practice received a notification of this. After logging in to the website, the stored data was viewed, transferred to the practice's administration and finally removed from the web server. Between July 2018 and June 2019, the practice received a maximum of ten online registrations, according to [person concerned].
6 Opinion of 7 October 2019 on the intention to impose an administrative fine.
[Person concerned] had the old website taken offline on 29 May 2019.7
On 4 July 2019, the AP visited the orthodontic practice's website again and found that the website, which had now been renewed, did use an encrypted connection, but no longer included an online registration form. Instead, a registration form is now offered in the form of a PDF file, which can be downloaded, printed, completed and delivered to the practice.
2.3.3. Assessment
The question of whether [data subject] has taken the appropriate technical and organizational measures referred to in Article 32, paragraph 1, of the GDPR must – as stated under 2.3.1 – be answered on the basis of NEN 7510. This NEN standard is mandatory for the use of the BSN and for healthcare this standard also contains the accepted security standards.
The AP determines that the old website of the orthodontic practice did not have a TLS certificate and therefore did not use the HTTPS protocol. Communication with the website, including sending a completed registration form, therefore took place over an unencrypted and therefore unsecured connection. As a result, the mere availability of the registration form created an increased risk of a “man-in-the-middle attack”, in which sent information is intercepted and read and/or changed, without the sending and receiving party being aware of it. It has therefore been established that [data subject] has not taken any management measures with regard to communication security. This is not in accordance with the provisions of NEN 7510 (including paragraphs 10.1 and 13.2).
It should be noted that the patients of an orthodontic practice are usually minor children. This follows from the nature of the treatment, the fields of the registration form (in which the parents' details are requested) and the images on the website of the orthodontic practice. It is therefore the data of these minor children that were sent over the unencrypted, unsecured connection. In addition, it concerns not only the BSN, but also data that is closely related to the health of the patient in question.
Given, on the one hand, the sensitive nature of the data that could be sent via the registration form, and, on the other hand, the state of the art and the associated very low implementation costs of an encrypted connection, the conclusion is that [data subject] has not taken appropriate technical and organizational measures to protect the processing of personal data against loss or unlawful processing. In doing so, she violated Article 32, paragraph 1, of the GDPR.
7 Letter dated 19 August 2019, appendix 8 to the investigation report.
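As an added, defender-side illustration of the condition established in the assessment above (example code, not part of the AP's decision or of the practice's website): a small audit that parses a page's forms, resolves where each form submits, and flags forms that would carry fields such as the BSN or health-related details over cleartext HTTP. The page URL, HTML and field names below are constructed.

```python
"""Flag HTML forms that would submit sensitive registration data over cleartext HTTP.

Added example (not from the AP decision). The sample page, URL and field names are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed list of field-name fragments that mark the kind of data the decision
# describes: BSN, date of birth, parents' contact details, GP/dentist/insurer, school.
SENSITIVE_HINTS = (
    "bsn", "burgerservicenummer", "geboortedatum", "birth",
    "ouder", "huisarts", "tandarts", "verzeker", "school", "medic",
)


class FormCollector(HTMLParser):
    """Collect each <form> with its action, method and the names of its data fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {
                "action": a.get("action", ""),
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            # Buttons and hidden fields carry no user-entered data.
            if a.get("name") and a.get("type", "").lower() not in ("submit", "button", "hidden"):
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify(scheme, method, sensitive_fields):
    """Rate a form: cleartext HTTP carrying sensitive fields is the situation fined in the decision."""
    if scheme == "http" and sensitive_fields:
        return "high"
    if scheme == "http":
        return "medium"
    if method == "get" and sensitive_fields:
        # Even over HTTPS, GET puts field values in the URL (server logs, history, Referer).
        return "medium"
    return "ok"


def audit_forms(page_url, html):
    """Return one finding per form on the page.

    The submission target is resolved against the page URL because an empty or
    relative action inherits the page's scheme: a form on an http:// page posts
    over http:// unless its action explicitly names https://.
    """
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        scheme = urlsplit(target).scheme.lower()
        sensitive = [f for f in form["fields"]
                     if any(h in f.lower() for h in SENSITIVE_HINTS)]
        findings.append({
            "target": target,
            "method": form["method"],
            "cleartext": scheme == "http",
            "sensitive_fields": sensitive,
            "severity": classify(scheme, form["method"], sensitive),
        })
    return findings


# Constructed sample: a registration form on a plain-HTTP page, modelled on the
# fields the decision lists, plus a harmless search form submitting elsewhere.
SAMPLE_PAGE_URL = "http://praktijk.example/inschrijven"
SAMPLE_HTML = """
<html><body>
<form action="/verwerk_inschrijving.php" method="post">
  <input name="naam"> <input name="geboortedatum"> <input name="bsn">
  <input name="telefoon_ouders"> <input name="huisarts"> <input name="tandarts">
  <select name="verzekeraar"><option>-</option></select>
  <input type="submit" value="Verzenden">
</form>
<form action="https://zoek.example/zoek" method="get">
  <input name="q"> <input type="submit" value="Zoek">
</form>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{f['severity']:>6}  {f['method'].upper()} {f['target']}  "
              f"cleartext={f['cleartext']}  sensitive={f['sensitive_fields']}")
```

The same check run against the page served over HTTPS shows the relative action inheriting the secure scheme, which is the remedy the decision describes (a TLS certificate on the web server).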
2.3.4. AP's opinion and response
[Data subject] put forward the following in her opinion on the intention to impose an administrative fine.
The developer of the old website never informed [data subject] of the possibility of an encrypted connection. If she had known about it, she would certainly have used it. Furthermore, she actively tried to comply with the GDPR by having an audit carried out every two years by a certification agency appointed by the Dutch Association of Orthodontists. Privacy is part of the audit. The latest report, from June 2017, shows that the website was viewed and that no comments were made about it. The same certification agency provided a step-by-step plan to comply with the GDPR in March 2018. [Data subject] completed this plan point by point, and although attention was paid to privacy and information security, it did not mention that the website must use an encrypted connection. Furthermore, [data subject] is inspected every five years by fellow orthodontists. The last inspection report also did not point out the lack of an encrypted connection of the website. No one complained to [data subject] about the security and, as far as she is aware, no damage was suffered. Finally, [data subject] immediately took the old website offline and gave instructions to better secure the new website.
The opinion does not change the AP's position on the violation found. An audit by a certification agency, a step-by-step plan in preparation for the application of the GDPR and a peer review do not release [data subject], as the controller, from the obligation laid down in Article 32, paragraph 1, of the GDPR to take the technical and organisational measures referred to in that provision. The fact that others did not point this out to her, while she assumed that this would be done where necessary, does not release her from her own responsibility to actively ensure the technically secure processing of personal data. An organisation that processes personal data of a sensitive nature via the internet, often of children, has a major responsibility to ensure that such personal data are also sent securely over the internet. Moreover, the content of the audit report and the report of the peer review do not show that attention was paid to the protection of personal data in the context of the audit and review. The fact that no one has complained to [data subject] and that she is not aware of any damage does not alter the fact that she has not taken sufficient technical and organisational security measures.
2.3.5. Conclusion
In view of the foregoing, the AP is of the opinion that [data subject] violated Article 32, paragraph 1, of the GDPR from 25 May 2018 (the moment the GDPR became applicable) to 29 May 2019, because she offered a registration form on the website of the orthodontic practice that did not use an encrypted connection, while that form was intended to exchange sensitive personal data.
3. Administrative fine
3.1. Authority of the AP to impose an administrative fine
The AP is authorised to impose an administrative fine on the basis of Article 58, paragraph 2, opening sentence and under i, read in conjunction with Article 83 of the GDPR. According to Article 83, paragraph 1, an imposed fine must be effective, proportionate and dissuasive. The fourth paragraph of that provision states that infringements of the obligations of the controller (including those referred to in Article 32 of the GDPR) are subject to fines of up to €10,000,000.00 or, for an enterprise, up to 2% of the total worldwide annual turnover in the preceding financial year, whichever is higher.
On the basis of Article 14, third paragraph, of the Implementation Act General Data Protection Regulation (hereinafter: UAVG), the AP may impose an administrative fine of up to the amounts mentioned in these paragraphs in the event of infringement of the provisions of Article 83, fourth, fifth or sixth paragraph, of the GDPR.
When exercising the power to impose an administrative fine, the AP applies the Fine Policy Rules of the Dutch Data Protection Authority 2019 (hereinafter: Fine Policy Rules 2019).8
3.2. Fine Policy Rules Dutch Data Protection Authority 2019
The relevant provisions of the Fine Policy Rules 2019 are listed in the appendix to this decision. The system of the Fine Policy Rules 2019 is as follows.
The violations for which the AP can impose a fine up to the amount stated above are divided into three fine categories in the Fine Policy Rules 2019. These categories are ranked according to the severity of the violation of the aforementioned articles, with category I containing the least serious violations and category III the most serious violations. The categories are subject to increasing fines. This follows from Article 2, under 2.1 and 2.3 of the Fine Policy Rules 2019.
Category I: fine range between €0 and €200,000; basic fine €100,000
Category II: fine range between €120,000 and €500,000; basic fine €310,000
Category III: fine range between €300,000 and €750,000; basic fine €525,000
According to Article 6 of the Fine Policy Rules 2019, the AP determines the amount of the fine by adjusting the basic fine upwards or downwards, depending on the extent to which the factors mentioned in Article 7 give reason to do so. Under Article 8, it is possible to apply the next higher or lower category if the fine category determined for the offence does not allow for appropriate punishment in the specific case.
8 Published in Stcrt. 2019, 14586, 14 March 2019.
3.3. Fine amount
The AP considers a fine of € 12,000.00 appropriate and necessary for the violation noted above. This is substantiated as follows in the following paragraphs. First of all, the AP sees reason to apply the lower fine category I. There are no mitigating or increasing factors applicable that require an adjustment of the basic fine of € 100,000.00 applicable to that fine category. The culpability of the conduct also gives no reason to do so. The AP does see reason to reduce the fine to the aforementioned amount on the basis of the principle of proportionality.
3.3.1. Fine category and basic fine
The violation of Article 32 of the GDPR (security of processing) is, according to Appendix I to the Fine Policy Rules 2019, classified in category II. As follows from the table above, a fine range between €120,000.00 and €500,000.00 and a basic fine of €310,000.00 apply to this category. This fine range and basic fine cannot lead to an appropriate punishment for the violation found in this case. In doing so, the AP takes into account that the investigation and the violation relate to the registration form on the practice's website, and not to the patient administration as such. The registration form technically forms a system that is separate from that administration. The AP will therefore apply category I (for which a fine range of €0.00 to €200,000.00 and a basic fine of €100,000.00 apply) on the basis of Article 8 of the Fine Policy Rules 2019, and will also moderate the fine amount within that category on the basis of what has been considered in this and the following paragraphs.
The basic fine serves as a neutral starting point, and must be increased or reduced to the extent that the factors mentioned in Article 7 of the Fine Policy Rules 2019 give reason to do so. The final amount of the fine must be proportionate and tailored to the seriousness of the violation and the extent to which it can be attributed to the offender (compare Articles 3:4 and 5:46 of the General Administrative Law Act; hereinafter: Awb). The factors mentioned in Article 7 give rise to comments on the following points. The factors not discussed do not apply in this case.
a. Nature, seriousness and duration of the infringement
According to [data subject], the website with the registration form went online on 27 October 2010 and was taken offline on 29 May 2019. Although the form was available for use for eight years and seven months, the AP's investigation focused on the period from 25 May 2018 to 29 May 2019. The AP thus aligns itself with the date on which the GDPR became applicable. This means that the infringement, to the extent that it is taken into account, lasted approximately one year.9 The AP considers it serious that the infringement was structural and of long duration, especially since [data subject] was already obliged under the Personal Data Protection Act to ensure an appropriate level of security before the GDPR became applicable. This obligation therefore did not first arise when the GDPR became applicable.
9 Article 13 of the Personal Data Protection Act (hereinafter: Wbp) is materially comparable to Article 32, paragraph 1, of the GDPR: both provisions require technical and organisational measures to be taken to ensure an appropriate level of security. The interpretation of Article 13 of the Wbp is no different from that of Article 32 of the GDPR, described in paragraphs 2.3.2 and 2.3.3. [Data Subject] was also in violation during the period in which the Wbp was in force.
The AP holds it against [data subject] that, as a professional healthcare provider, she did not take care of the appropriate technical and organizational measures referred to in Article 32, first paragraph, of the GDPR during and in the run-up to the period under investigation, by means of a correct implementation of NEN 7510. For the BSN, it is obliged to do so under the Regulation on the use of citizen service numbers in healthcare. For the other data sent via the form, NEN 7510 contains the security standards generally accepted in healthcare. [Data subject] should have been aware of this in her capacity as a healthcare provider.
[Data subject] did not merely create the theoretical possibility that the form would be used to send sensitive data over an unsecured connection. After all, it has been shown that the form was actually used. For each submission, the interest that the violated standard aims to protect was compromised. Although the exact number of submissions of the form can no longer be determined, the AP does not consider it unlikely that the form was also used when the Wbp applied, under which an appropriate level of security was also required.
The AP holds it against [data subject] that the violation lasted a long time and was in conflict with the standards that specifically apply to her professional group (healthcare). The AP considers it particularly reprehensible that the violation actually led to the repeated sending of sensitive data over an unsecured connection.
g. The categories of personal data to which the infringement relates
The registration form first requested the BSN. This is a sensitive piece of data in itself, but this is even more so when the data is viewed in conjunction with the other requested data. The sensitivity is also evident from the legal obligation to comply with NEN 7510 when processing the BSN. Viewed in conjunction, the data provide so much information about the patient to be registered that there is a risk of identity fraud if the data were to be intercepted. The AP also takes into account that this often involved data from minors, as stated in paragraph 2.3.3.
Furthermore, the other requested data are equally sensitive in nature, because they are closely related to the health of the patient to be registered. This also applies to the registration with an orthodontist as such. The AP has not investigated whether this qualifies as special personal data as referred to in Article 9 of the GDPR, partly because the processing no longer takes place, but suffices with the observation that the form was used to send sensitive personal data.
The AP holds it against [data subject] that the violation relates to sensitive data of minors.
Increase or decrease of basic fine
In view of the foregoing, the AP sees no reason to reduce the basic fine in the factors stated in the Fine Policy Rules 2019, insofar as applicable in the present case. Nor is there any reason to increase the fine amount.
3.3.2. Culpability of the conduct
On the basis of article 5:46, paragraph 2, of the General Administrative Law Act, the AP takes into account the extent to which it can be attributed to the offender when imposing an administrative fine. Because this case concerns an infringement, it is not required to demonstrate intent in order to impose an administrative fine in accordance with established case law, and the AP may assume culpability if the perpetrator has been established.10
[Data subject], as stated in paragraph 2.3.4, referred in her opinion to an audit report, a step-by-step plan for preparing for the GDPR and a report of a peer review. According to [data subject], none of these documents pointed out the shortcoming with regard to the online registration form. To the extent that [data subject] means that this means there is reduced culpability, the AP does not follow her. As a healthcare provider, she should have been professionally familiar with the security standards applicable to that care. The fact that others did not point out the shortcoming to her does not detract from her own obligations as controller.
Since the infringement can be fully blamed on [data subject], the culpability of the infringement does not give rise to a reduction of the fine.
3.3.3. Proportionality
Finally, the AP will assess on the basis of Articles 3:4 and 5:46 of the General Administrative Law Act (principle of proportionality) whether the application of its policy for determining the amount of the fine, given the circumstances of the specific case, does not lead to a disproportionate outcome.
In light of the proportionality of the fine to be imposed, the AP considers it important that the violation, as stated in paragraph 3.3.1, relates to the unsecured use of a registration form on the practice's website, and not to the entire patient administration. The AP has received one complaint about the use of the unsecured connection. The AP has not received any signals about the patient administration itself and has therefore not investigated this. Furthermore, the use of the registration form remained limited during the period in question.
10 Compare the judgments of the CBb of 29 October 2014 (ECLI:NL:CBB:2014:395, ow. 3.5.4), 2 September 2015 (ECLI:NL:CBB:2015:312, ow. 3.7) and 7 March 2016 (ECLI:NL:CBB:2016:54, ow. 8.3). Also compare the judgments of the Administrative Jurisdiction Division of 29 August 2018 (ECLI:NL:RVS:2018:2879, ow. 3.2) and 5 December 2018 (ECLI:NL:RVS:2018:3969, ow. 5.1). Finally, see Parliamentary Papers II 2003/04, 29 702, no. 3, p. 134.
In addition, it is important that [data subject]'s company must be considered a small and medium-sized enterprise (SME). Also, given the low costs associated with securely sending a form (compare paragraph 2.3.1), it is not plausible that financial profits were made or losses were avoided as a result of the violation.
The AP sees reason to moderate the basic amount of € 100,000.00 in the context of all the circumstances mentioned. The AP considers, also in view of the seriousness of the violation, the substantial financial capacity of the company and the target group whose personal data are processed, a fine of € 12,000.00 to be appropriate and necessary.
Finally, the AP must consider whether what [data subject] has put forward in her opinion on the intention to take enforcement action gives reason to assume that this fine would lead to a disproportionate outcome.
[Data subject] stated in her opinion that she would never be able to pay a fine of the basic amount of fine category II (€ 310,000.00). In support of this statement, she submitted a provisional income tax assessment for 2018. However, paragraph 3.3.1 explains that fine category I, rather than fine category II, is applied. The associated basic amount has also been reduced to €12,000.00 for this purpose. The documents submitted by [the person concerned] do not show that this fine would have disproportionate consequences, for example because the orthodontic practice would be threatened in its continued existence. The AP therefore sees no reason in [the person concerned]'s ability to pay to reduce the fine further.
3.4. Conclusion
In view of the foregoing, the AP sets the fine amount for the violation of Article 32, first paragraph, of the GDPR at €12,000.00.
4. Dictum
Fine
The AP imposes an administrative fine of € 12,000.00 (in words: twelve thousand euros) on [data subject], trading under the name [company], for violation of Article 32, first paragraph, of the GDPR.11
Yours sincerely,
Dutch Data Protection Authority,
drs. C.E. Mur, Board Member
Remedies clause
If you do not agree with this decision, you can file an objection with the Dutch Data Protection Authority digitally or on paper within six weeks after the date of dispatch of the decision. In accordance with Article 38 of the GDPR Implementation Act, filing an objection suspends the effect of the decision to impose the administrative fine. In your objection, state at least:
- your name and address;
- the date of your objection;
- the reference number mentioned in this letter (case number), or attach a copy of this decision;
- the reason(s) why you disagree with this decision;
- your signature.
You can submit the notice of objection digitally via the website. Go to www.autoriteitpersoonsgegevens.nl, and click on the link “Objection to a decision” at the bottom of the page, under the heading “Contact with the Dutch Data Protection Authority”. From there, use the “Objection form”.
Would you rather send the notice of objection by post? You can do so to the following address:
Dutch Data Protection Authority
Legal Affairs & Legislative Advice Department, Objection Department
PO Box 93374
2509 AJ THE HAGUE