AP (The Netherlands) - Boete CP&A verzuimregistratie

From GDPRhub
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 9(1) GDPR
Article 32(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 24.03.2020
Published:
Fine: 15,000 EUR
Parties: CP&A B.V.
National Case Number/Name: Boete CP&A verzuimregistratie
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Dutch DPA (in NL)
Initial Contributor: CBMPN

The Dutch Data Protection Authority fined CP&A B.V. €15,000 for unlawfully processing employee health data and failing to secure it adequately.

English Summary

Facts

CP&A B.V., a company specializing in inspection and maintenance of public infrastructure, maintained an online absence registration system containing sensitive health data of 25 employees. The system, stored in a Google Drive file, was accessible without authentication or access controls from 12 March 2019 to 2 May 2019. The data included names, addresses, phone numbers, email addresses, BSN (Dutch citizen service number), dates of birth, and detailed health information such as reasons for absence, prognoses, and medical comments. The Dutch DPA found that CP&A violated the GDPR by processing special category data (health information) without an adequate legal ground and by failing to implement appropriate security measures.

Holding

The Dutch DPA held that CP&A unlawfully processed health data, a special category of personal data, without a valid legal basis under Article 9(1) GDPR. The processing of such data is prohibited unless an exception applies, and CP&A failed to demonstrate that the processing was necessary for employee reintegration or other permissible purposes under Article 9(2)(b) GDPR and Dutch law.

Under Article 9(2)(b) GDPR, health data can be processed if it is necessary for fulfilling obligations or exercising specific rights in employment, social security, or social protection law. Article 30(1)(b) UAVG (the Dutch GDPR Implementation Act) further allows such processing if it is necessary for employee reintegration or guidance related to illness or disability. However, the Dutch DPA found that processing specific health details like illness names, complaints, or pain indications is not necessary for reintegration. Therefore, CP&A could not rely on Article 30(1)(b) UAVG to justify its processing of such data. Since no other exception under Article 30 UAVG applied, the Dutch DPA concluded that CP&A violated Article 9(1) GDPR by unlawfully processing health data.

Furthermore, the Dutch DPA found that CP&A failed to implement appropriate technical and organizational measures to ensure the security of the health data. The absence of authentication or access controls exposed the data to unauthorized access, violating the requirement to maintain a risk-appropriate level of security.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Dutch Data Protection Authority
PO Box 93374, 2509 AJ The Hague
Bezuidenhoutseweg 30, 2594 AV The Hague
T 070 8888 500 - F 070 8888 501
autoriteitpersoonsgegevens.nl
Confidential/Registered
CP&A B.V.
Attn. the management
PO Box 514
5600 AM Eindhoven
Date
March 24, 2020
Our reference
[CONFIDENTIAL]
Contact person
[CONFIDENTIAL]
Subject
Decision to impose an administrative fine
Dear management,
The Dutch Data Protection Authority (AP) has decided to impose an administrative fine of
€ 15,000 on CP&A B.V. (CP&A). The AP is of the opinion that CP&A violated the prohibition of Article 9, paragraph 1, of the General Data Protection Regulation (GDPR) from 12 March 2019 to 2 May 2019 by processing health data of its employees. In addition, CP&A did not take sufficient appropriate security measures for this processing during the same period as referred to in Article 32, paragraph 1, of the GDPR. The decision is explained in more detail below. Chapter 1 provides an introduction and Chapter 2 describes the legal framework. Chapter 3 contains the facts and in Chapter 4 the AP assesses whether there is a processing of health data, the processing responsibility and the violations. In Chapter 5 the (amount of the) administrative fine is elaborated and Chapter 6 contains the operative part and the legal remedies clause.
1.Introduction
1.1 Legal entity involved and reason for investigation
CP&A is a private limited company located at Maas 22E, 5684 PL in Best (North Brabant).
CP&A is registered in the trade register of the Chamber of Commerce under number 54592526
and, according to the extract from the trade register, employs approximately 160 employees.
According to the trade register and its website, CP&A performs, among other things, inspection and maintenance work on public
objects.
On January 11, 2019, the AP received a notification that CP&A processes health data of its
employees. From the notification, supervisors of the AP concluded that CP&A maintains an online
absence registration containing health data of sick employees. In response to this signal, the AP has initiated an (ex officio) investigation into CP&A's compliance with Articles 9 and 32 of the GDPR. The processing of special categories of personal data is prohibited under Article 9, paragraph 1, of the GDPR, unless a statutory exception applies. In the following, the AP will assess whether CP&A can successfully invoke the exception relevant to this case. In addition, the AP will assess whether CP&A has taken sufficient appropriate technical and organizational measures for the health data in its absence registration to ensure a level of security appropriate to the risk, as referred to in Article 32, paragraph 1, of the GDPR.
1.2 Process history
On May 2, 2019, the AP contacted CP&A by telephone to indicate that CP&A's absence registration is accessible to unauthorized persons and requested CP&A to end the violation as soon as possible. On 2 May 2019, the AP sent a standard-conveying letter in response to the telephone conversation and explained the legal framework regarding the reporting obligation for breaches in connection with personal data to the AP. In a letter dated 7 May 2019, CP&A confirmed receipt of the letter and indicated that the absence registration had been removed.
On 7 May 2019, CP&A submitted a data breach notification regarding the breach in connection with
personal data.
In a letter dated 29 July 2019, the AP asked CP&A questions, to which it responded in a letter dated 7 August 2019. On 21 August 2019, the AP requested further information from CP&A by email. CP&A responded to this by email dated 28 August 2019.
By letter dated 30 October 2019, the AP sent CP&A an intention to enforce and the investigation report on which it was based, giving CP&A the opportunity to submit an opinion. On 12 November 2019, CP&A submitted a written opinion. Finally, on 30 January 2020, the AP added additional documents to the file and gave CP&A the opportunity to respond to these documents. CP&A did not make use of this opportunity.
2. Legal framework
2.1 Scope of the GDPR
Pursuant to the first paragraph of Article 2 of the GDPR, this Regulation applies to the processing of personal data wholly or partly by automated means and to the processing of personal data which form part of a filing system or are intended to form part of a filing system.
Pursuant to the first paragraph of Article 3 of the GDPR, this Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not.
Pursuant to Article 4 of the GDPR, for the purposes of this Regulation, the following definitions shall apply:
1. “Personal data” means any information relating to an identified or identifiable natural person
(“data subject”); […].
2. “Processing” means any operation or set of operations which is performed on personal data or
a set of personal data, whether or not by automated means […].
7. “Controller” means a […] legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data; […].
2.2 Prohibition on processing data concerning health
Article 4(15) of the GDPR defines data concerning health as personal data
relating to the physical or mental health of a natural person, including data
relating to the provision of health care services, which reveal information about his or her state of health.
Pursuant to the first paragraph of Article 9 of the GDPR, the processing of data concerning health is prohibited.
Exceptions to the prohibition on processing special categories of personal data are set out in the second paragraph of Article 9 of the GDPR. To the extent relevant, that provision reads:
[…]
b) processing is necessary for the purposes of carrying out obligations and exercising specific rights of the controller or the data subject in the field of
labour law, social security and social protection law, insofar as this is permitted by
Union or Member State law or by a collective agreement under Member State law which
provides adequate safeguards for the fundamental rights and interests of the data subject;
[…]
Pursuant to Article 30 of the GDPR Implementation Act (UAVG), in view of
Article 9, paragraph 2, point b, of the GDPR, the prohibition on processing health data does not
apply if the processing is carried out by administrative bodies, pension funds, employers or
institutions working on their behalf, and insofar as the processing is necessary for:
[…]
b. the reintegration or support of employees or benefit recipients in connection with illness or
incapacity for work.
[…]
2.3 Security of processing
Pursuant to the first paragraph of Article 32 of the GDPR, the controller […], taking into account
the state of the art, the costs of implementation and the nature, scope, context and
purposes of processing as well as the risks of varying likelihood and severity for the rights and
freedoms of individuals, shall implement appropriate technical and organisational measures to ensure a
level of security appropriate to the risk […].
Pursuant to the second paragraph of Article 32, when assessing the appropriate level of security, account shall be taken in
particular of the risks posed by processing, in particular from accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or
otherwise processed.
2.4 Administrative fine
Pursuant to Article 58, paragraph 2, introductory phrase and under i, in conjunction with Article 83, paragraphs 4 and 5, of the
GDPR and Article 14, paragraph 3, of the UAVG, the AP is authorised to impose an
administrative fine for infringements of the GDPR.
2.4.1 GDPR
Pursuant to Article 83, paragraph 1, of the GDPR, each supervisory authority shall ensure that the
administrative fines imposed pursuant to this Article for the infringements of this Regulation referred to in paragraphs 4, 5 and 6 are in each case effective, proportionate and dissuasive.
Pursuant to the second paragraph, administrative fines shall, depending on the circumstances of the
specific case, be imposed in addition to or instead of the measures referred to in Article 58, paragraph 2, points (a) to (h) and (j).
It follows from the fourth paragraph, introductory phrase and under a, that an infringement of the obligations of the
controller and the processor as set out in Article 32 of the GDPR pursuant to paragraph 2

is subject to an administrative fine of up to €10,000,000 or, in the case of an undertaking, up to 2% of
the total worldwide annual turnover of the preceding financial year, whichever is higher.
It follows from the fifth paragraph, introductory phrase and under a, that an infringement of the basic principles of processing as set out in
Article 9 of the GDPR pursuant to paragraph 2 is subject to an administrative fine of up to
€20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding
financial year, whichever is higher.
2.4.2 UAVG
Pursuant to Article 14, paragraph 3, of the UAVG, the AP may impose an administrative fine of up to the amounts stated in
these paragraphs in the event of a violation of the provisions of Article 83, paragraphs 4, 5 or 6, of the regulation.
3. Facts
The AP has established that CP&A kept an absence registration in a Google Drive file on the internet from at least 12 March 2019 to 2 May 2019, containing the following data of 25 (sick) employees:1
- Branch;
- Name;
- Surname;
- Start date;
- End date;
- Number of calendar days;
- Reason for absence;
- Forecast (short/medium/long);
- Comments;
- (nursing) address;
- House number;
- Postcode;
- City;
- Telephone number;
- Email address;
- BSN;
- Date of birth;
- Employment (temporary/permanent);
- Date of employment;
- Contract hours;
- End of contract date.
During this period from 12 March to 2 May 2019, the AP visited the website six times via the web address known to it and established that it could view the absence registration without any form of authentication or other
access control. The AP further established that the absence registration was actively updated due to the fact that the content of the absence registration changed weekly.2
In a letter dated 7 May 2019, CP&A indicated that the relevant file with
health data had been deleted and was no longer available.3 On 13 May 2019, the AP established
that the absence registration was no longer accessible via the web address known to it.4 In addition, the AP determined on the basis of a copy of the new CP&A absence registration that CP&A no longer records the reason for absence.5

1 AP investigation report, 3 September 2019, appendices 2 to 8.
2 AP investigation report, 3 September 2019, appendices 2 to 8.
3 Letter dated 7 May 2019 from CP&A to the AP.
4 AP investigation report, 3 September 2019, appendix 8.
4. Assessment
4.1 Processing of health data
As stated in Chapter 3, the AP determined that CP&A kept an absence registration in a Google Drive file from at least 12 March 2019 to 2 May 2019, in which the following
personal data of 25 (sick) employees were listed: name, surname,
(nursing) address, house number, postcode, city, telephone number, e-mail address,
BSN, and date of birth.6 This made the CP&A employees involved directly
identifiable. The aforementioned data are therefore personal data as referred to in Article 4,
section 1, of the GDPR.
Furthermore, the AP has determined that CP&A has processed the reason for absence (regarding both physical and mental health), the prognosis and the comments on the reason for absence and prognosis for these
employees in the absence registration.7 In the opinion of the AP, these data are health data
within the meaning of Article 4, section 15, of the GDPR.
By digitally registering, storing, updating and making available these personal data of
(sick) employees and maintaining the absence registration, CP&A has (partially) automatically processed health data
within the meaning of Article 4, section 2, of the GDPR. In view of the foregoing, the AP concludes that CP&A processed health data of 25
employees in the period from 12 March 2019 to 2 May 2019.
4.2 Controller
The AP is of the opinion that CP&A has determined the purposes and means for the processing of personal data,
including health data. CP&A has stated that sickness absence and reintegration
are important points of attention within the organisation. CP&A has decided to include an
overview of its sick employees in a specially designed file in order to
maintain an overview, prevent people from disappearing from view and to be able to
fulfil the reintegration in the best possible way.8 In addition, the fact that CP&A has
removed the absence registration shows that the decision-making authority to process or not to process absence data lies with CP&A.

The AP designates CP&A as the controller as referred to in Article 4, section 7, of the GDPR.

5 Letter of 7 August 2019 from CP&A to the AP.
6 AP investigation report, 3 September 2019, appendices 2 to 8.
7 AP investigation report, 3 September 2019, appendices 2 to 8.
8 CP&A Opinion, 12 November 2019, p. 2.
4.3 Violation of the prohibition on processing health data
4.3.1 Introduction
Health data fall under the special category of personal data.
Personal data that are particularly sensitive deserve specific protection, because their processing
can entail high risks for fundamental rights and freedoms. The processing of
special categories of personal data is therefore prohibited on the basis of Article 9, paragraph 1, of the GDPR, unless a statutory exception applies.9
The AP will assess below whether CP&A can successfully invoke the exception relevant to this case as referred to in Article 9, paragraph 2, opening sentence and under b of the GDPR in conjunction with Article 30, paragraph 1,
opening sentence and under b, of the UAVG.
4.3.2 Legal framework
On the basis of Article 9, paragraph 2, opening sentence and under b of the GDPR, the controller may
process health data if this is necessary for the performance of obligations and the exercise of specific rights of the controller or the data subject in the field of employment law and social security and social protection law.
This exception does not have direct effect on the basis of the GDPR, but leaves room for the Member States
to further specify it. This has happened in the Netherlands in the UAVG.
Article 30, first paragraph, opening sentence and under b of the UAVG stipulates in this context that the processing of health data is permitted if this is necessary for the reintegration or guidance of employees
or benefit recipients in connection with illness or incapacity for work. This exception is then further specified in sector-specific legislation. With regard to reintegration, the AP notes that
employers are obliged, on the basis of article 658a, second paragraph, of Book 7 of the Civil Code (BW), to take the measures that are necessary to enable a sick employee to do his own or other suitable work as soon as possible. Although processing health data may then be
obligatory, the nature and scope of the data that may be processed is limited by the requirement of necessity as laid down in article 9, second paragraph, opening sentence and under
b, GDPR. This means that an assessment must always be made of each processing to determine whether the processing is really necessary in light of the reintegration obligation that rests on the employer.
The policy rules ‘The sick employee’ (the policy rules) of the AP, which were published in the Government Gazette on 29 April 2016, specify which medical personal data the employer may process in the context of reintegration and absence management and which can be considered necessary, and which are not necessary and therefore may not be processed.10 The legal rules regarding the processing of personal data about the health of sick employees in the context of their reintegration and absence management as laid down in the Personal Data Protection Act (Wbp) have not changed with the GDPR coming into effect on May 25, 2018.11 The policy rules, although written in the context of the Wbp, therefore still apply accordingly to processing under the GDPR.

9 See also recital 51 of the GDPR.
The data that may be processed according to these policy rules are:12
- the activities that the employee is no longer or still capable of (functional
limitations, residual capabilities and implications for the type of work that the employee can
still do);
- the expected duration of the absence;
- the extent to which the employee is incapacitated for work (based on functional
limitations, residual capabilities and implications for the type of work that the employee can
still do);
- any advice on adjustments, work facilities or interventions that the employer must take for
reintegration.
The data that may not be processed according to these policy rules include:13
- diagnoses, name of illness, specific complaints or pain indications;
- own subjective observations, both on mental and physical health status;
- data on therapies, appointments with doctors, physiotherapists, psychologists, etc.;
- other situational problems, such as relationship problems, problems from the past, relocation,
death of partner, divorce, etc.
4.3.3 Assessment
As stated in Chapter 3, the AP determined that CP&A kept an absence registration in which the
reason for absence (regarding both physical and mental health), the prognosis and comments on the
reason for absence and the prognosis for its employees were recorded.
The AP assessed this data on the basis of the aforementioned legal framework. The AP's policy rules specify which medical personal data the employer may process in the context of reintegration and absence management and which may be considered necessary. The AP concludes that the absence registration contained health data that, due to the lack of necessity, were not allowed to be processed by CP&A. This concerns the reasons for absence that were stated with regard to 25 persons involved, including names of physical and mental illnesses, specific complaints and pain indications. For some employees, additional information about their health was recorded in the comments field.

10 Policy rules for the processing of personal data about the health of sick employees, Dutch Data Protection Authority
(Stcr. 2016, 21703).
11 See the old article 21, first paragraph, opening sentence and under f, under 2, of the Personal Data Protection Act and the current article 30, first paragraph, under b, of the UAVG. And Parliamentary Papers II 2017/2018, 34851, 3, p. 109.
12 Policy rules for sick employees, paragraph 5.2.2., p. 27.
13 Policy rules for sick employees, paragraph 5.2.1., p. 25, read in conjunction with p. 27. 
Based on Article 9, paragraph 2, opening sentence and under b of the GDPR, the controller may
process health data if this is necessary for the performance of obligations and the exercise of specific rights of the controller or the
data subject in the field of employment law and social security and social protection law.
Article 30, paragraph 1, opening sentence and under b of the UAVG stipulates in this context that the processing of health data is permitted if this is necessary for the reintegration or guidance of employees or benefit recipients in connection with illness or disability. Because the processing of names of illnesses, specific complaints and pain indications is not necessary for the reintegration of employees, as also follows from the AP's policy rules, the processing thereof is prohibited. CP&A can therefore not successfully invoke Article 30, paragraph 1, opening sentence and under b of the UAVG. It has not been shown to the AP that CP&A can successfully invoke the other exceptions of Article 30 of the UAVG. The AP is therefore of the opinion that CP&A has processed the aforementioned health data in violation of the prohibition in Article 9, paragraph 1 of the GDPR. With regard to the period of this violation, the AP last determined on 2 May 2019 that
CP&A had processed the health data in its absence registration. As stated in Chapter 3,
the AP subsequently determined on 13 May 2019 that the absence registration is no longer accessible via
the web address known to it. Finally, the AP determined that in the current absence registration, the
reason for absence is no longer registered by CP&A.
4.3.4 Conclusion
The AP concludes that CP&A, as the controller, violated the prohibition in Article 9, paragraph 1, of the GDPR from at least 12 March 2019 to 2 May 2019 by processing the health data of 25 employees.
4.4 Violation of processing security
4.4.1 Introduction
In order to ensure security and to prevent the processing of personal data from violating
the GDPR, the controller must, pursuant to Article 32 of the GDPR, assess the risks inherent in the
processing and take measures to limit the risks. These measures must ensure an appropriate level of security, taking into account the state
of the art and the implementation costs in relation to the risks and the nature of the
personal data to be protected.14 The AP assesses below whether CP&A has applied an appropriate level of security
for the processing of the health data in its absence registration as it was
accessible via the web address.
4.4.2 Assessment
Pursuant to Article 32, paragraph 1, of the GDPR, the controller must take appropriate technical and organizational measures to ensure a level of security appropriate to the risk. In assessing the risks, attention must be paid, according to Article 32, paragraph 2, of the GDPR, to risks that arise from the processing of personal data, such as the unauthorized disclosure of or unauthorized access to the transmitted, stored or otherwise processed data, whether accidentally or unlawfully.

14 Recital 83 of the GDPR.
The more sensitive the data is, or the context in which it is used poses a
greater threat to the privacy of data subjects, the more stringent requirements are
imposed on the security of data. This means that high demands are placed on the technical and
organisational measures to protect this data.15 With regard to authentication when
accessing the processing of data about the health of (sick) employees and where
access is provided via the internet, one must therefore take more stringent measures to meet an
appropriate level of security, such as two-factor authentication.16
The AP has determined that the absence registration (containing health data) of CP&A was
accessible without any form of authentication. The AP is of the opinion that CP&A has not applied an
appropriate level of security to its absence registration. Given the
sensitive nature of the data, the fact that the health data was processed on the internet and
the risks to the personal privacy of the persons involved, CP&A should have taken further measures to
mitigate the risk of unauthorised access to the absence registration. However, CP&A failed to do so. This lack of security could have been avoided by, for example, implementing an appropriate
authentication technique (or another method) to prove the claimed identity of a
user of the absence registration. The AP considers such a security measure appropriate,
given the current state of the art and the implementation costs.
The AP is therefore of the opinion that CP&A has violated Article 32, paragraph 1, of the GDPR because CP&A
has applied an insufficiently appropriate level of security to the health data in its absence registration.
CP&A's point of view and AP's response
CP&A argues in its point of view that it had only one objective with the absence registration: to support its
employees as well as possible during a period of illness and reintegration. CP&A
believed that it had handled the data of the employees concerned in a correct manner, in accordance with the applicable regulations, and had also carefully secured that data in such a way that it was not freely accessible. In order to protect the privacy of the employees involved, the file was only accessible via a specific link. The link was only provided to those persons who were/are involved in the reintegration of employees and as such had to have access to absence data in order to guide the employees as well as possible during the absence and reintegration (management, two regional managers, one HRM employee, the HRM manager and the absence supervisor). No one else had access to this data. CP&A did not take into account that the link would be provided to a third party without permission. With the knowledge it has now, CP&A deeply regrets that it did not see that risk and that it was therefore possible for a third party to consult the data.

15 See also Policy rules for the processing of personal data about the health of sick employees, p. 13.
16 See also Policy rules for the processing of personal data about the health of sick employees, p. 7.
Based on CP&A's point of view, the AP does not come to a different conclusion. Providing a
specific link only to persons who are/were involved in the reintegration of employees is
admittedly an organizational measure that benefits the security of personal data.
However, given the sensitive nature of the data, the fact that the health data were processed on the
internet and the risks to the personal privacy of the persons involved, CP&A should also have taken an
appropriate technical measure, such as implementing an authentication technique for the link. With such a measure, CP&A could have largely reduced the risk that a third party could
gain unauthorized access to highly sensitive data.
4.4.3 Conclusion
The AP concludes that CP&A, as the controller, violated Article 32, paragraph 1, of the GDPR from at least 12 March 2019 to 2 May 2019 by applying an insufficiently appropriate level of security to the health data in its absence registration.
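The assessment in 4.4.2 and the AP's response to CP&A's point of view turn on one point: a file that opens for anyone holding its link is not protected by authentication, so restricting who receives the link is an organizational measure only, and health data reachable that way needs a technical control in front of it. The audit below is an added example for this page, not code from the decision, the AP or CP&A. It assumes file records shaped like the Google Drive API v3 files.list response with the permissions field requested (permission type values user, group, domain and anyone, and the allowFileDiscovery flag); the records in SAMPLE_FILES are constructed, and the name hints used to flag absence or health files are a hypothetical heuristic, not anything from the decision.

```python
"""Audit Drive-style sharing metadata for files reachable without authentication.

Added example for this page, not code from the decision, the AP or CP&A.
Assumes file records shaped like the Google Drive API v3 ``files.list``
response with the ``permissions`` field requested; every record below is
constructed sample data, not captured from a real tenant.
"""
from dataclasses import dataclass

# Hypothetical name hints for absence/health files (a heuristic, not from the decision).
SENSITIVE_HINTS = ("verzuim", "absence", "ziekte", "sick", "bsn", "health", "medical")

SEVERITY_ORDER = ("critical", "high", "medium", "info")


@dataclass(frozen=True)
class Finding:
    file_id: str
    name: str
    exposure: str   # 'public', 'anyone_with_link', 'domain' or 'restricted'
    sensitive: bool
    severity: str   # one of SEVERITY_ORDER


def classify_exposure(permissions):
    """Return the widest audience granted by a Drive permission list.

    Permission type 'anyone' is link-sharing, or fully public when
    allowFileDiscovery is true; 'domain' is everyone in a Workspace domain.
    Explicit user/group grants alone count as 'restricted', because each
    reader has to sign in to an account that was named.
    """
    widest = "restricted"
    for perm in permissions:
        ptype = perm.get("type")
        if ptype == "anyone":
            if perm.get("allowFileDiscovery", False):
                return "public"          # findable by search, no link needed
            widest = "anyone_with_link"  # the CP&A situation: the URL is the only secret
        elif ptype == "domain" and widest == "restricted":
            widest = "domain"
    return widest


def looks_sensitive(name):
    """Flag a file whose name suggests absence, health or HR content."""
    lowered = name.lower()
    return any(hint in lowered for hint in SENSITIVE_HINTS)


def rate(exposure, sensitive):
    """Map exposure and content sensitivity to a triage severity."""
    if exposure in ("public", "anyone_with_link"):
        # No authentication at all stands between the data and a link holder.
        return "critical" if sensitive else "high"
    if exposure == "domain":
        return "medium" if sensitive else "info"
    return "info"


def audit(files):
    """Classify every file record and return findings, worst first."""
    findings = []
    for record in files:
        name = record.get("name", "")
        exposure = classify_exposure(record.get("permissions", []))
        sensitive = looks_sensitive(name)
        findings.append(Finding(record["id"], name, exposure, sensitive, rate(exposure, sensitive)))
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f.severity))


# Constructed sample records (ids, names and addresses are invented).
SAMPLE_FILES = [
    {"id": "f1", "name": "Verzuimregistratie 2019.xlsx",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "hr@example.invalid"},
                     {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "Team lunch menu",
     "permissions": [{"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
    {"id": "f3", "name": "Sick leave policy draft",
     "permissions": [{"type": "domain", "role": "reader", "domain": "example.invalid"}]},
    {"id": "f4", "name": "Absence register 2020",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "hr@example.invalid"},
                     {"type": "user", "role": "writer", "emailAddress": "manager@example.invalid"}]},
]


if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(f"{finding.severity:8} {finding.exposure:16} sensitive={finding.sensitive!s:5} {finding.name}")
```

Run against the sample, the absence register shared "anyone with the link" is the single critical finding, while the same kind of register restricted to named accounts is informational. In a real tenant the records would come from a Drive API listing with the permissions field; the classifier and the triage rule are the part worth keeping.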
4.5 Final conclusion
The AP first concludes that CP&A violated the prohibition in Article 9, paragraph 1, of the GDPR from at least 12 March 2019 to 2 May 2019 by processing health data of 25 employees. In addition, the AP concludes that CP&A violated Article 32, paragraph 1, of the GDPR during the same period by not taking sufficient appropriate technical and organizational measures to ensure a risk-appropriate level of security for these health data in its absence registration.
5. Fine
5.1 Introduction
CP&A violated Article 9, paragraph 1, and Article 32, paragraph 1, of the GDPR from at least 12 March 2019 to 2 May 2019. With regard to both established violations, the AP uses its authority to impose a fine on CP&A on the basis of Article 58, paragraph 2, opening sentence and under i and Article 83, paragraphs 4 and 5, of the GDPR, read in conjunction with Article 14, paragraph 3, of the UAVG. The AP uses the Fine Policy Rules 2019 for this purpose.17
In the following, the AP will first briefly explain the fine system, followed by the motivation for the fine amount in the cases at issue.

17 Stcrt. 2019, 14586, 14 March 2019.
5.2 Fine Policy Rules Dutch Data Protection Authority 2019 (Fine Policy Rules 2019)
In the event of unlawful processing of special personal data in violation of Article 9, first paragraph, of the GDPR, the AP is authorised to impose a fine of up to €20,000,000, or up to 4% of the total worldwide annual turnover in the previous financial year, if this figure is higher. This is based on Article 58, second paragraph, opening sentence and under i and Article 83 of the GDPR read in conjunction with Article 14, third paragraph, of the UAVG. Based on the appendix to the Fine Policy Rules 2019, this violation falls into the highest category, namely category IV. For violation of Article 32, paragraph 1, of the GDPR, the AP is authorised to impose an administrative fine of up to €10,000,000 or up to 2% of the total worldwide annual turnover in the previous financial year, if this figure is higher. Based on the appendix to the Fine Policy Rules 2019, this violation falls into category II. Based on Article 2.3 of the Fine Policy Rules 2019, the AP uses the following fine ranges for the above-mentioned violations:
Category II: Fine range between €120,000 and €500,000 and a basic fine of €310,000. […].
Category IV: Fine range between €450,000 and €1,000,000 and a basic fine of €725,000. […].
Pursuant to Article 6 of the Fine Policy Rules 2019, the AP determines the amount of the fine by adjusting the amount of the basic fine upwards (up to a maximum of the bandwidth of the fine category linked to an offence) or downwards (down to a minimum of that bandwidth). The basic fine is increased or reduced depending on the extent to which the factors mentioned in Article 7 of the Fine Policy Rules 2019 give reason to do so. In accordance with Article 7, the AP shall, without prejudice to Articles 3:4 and 5:46 of the General Administrative Law Act (Awb), take into account the factors derived from Article 83, paragraph 2, of the GDPR and referred to in the 2019 Policy Rules under a to k:
a. the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing in question as well as the number of data subjects affected and the extent of the damage suffered by them;
b. the intentional or negligent nature of the infringement;
c. the measures taken by the controller […] to limit the damage suffered by data subjects;
d. the extent to which the controller […] is responsible in view of the technical and organisational measures it has implemented in accordance with Articles 25 and 32 of the GDPR;
e. previous relevant infringements by the controller […];
f. the extent of cooperation with the supervisory authority in remedying the breach and mitigating its possible adverse effects;
g. the categories of personal data concerned by the breach;
h. the manner in which the supervisory authority became aware of the breach, in particular whether, and if so to what extent, the controller […] notified the breach;
i. compliance with the measures referred to in the second paragraph of Article 58 of the GDPR, insofar as they have been taken in relation to the controller […] in question in relation to the same matter;
j. adherence to approved codes of conduct pursuant to Article 40 of the GDPR or approved certification mechanisms pursuant to Article 42 of the GDPR; and
k. any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial profits made, or losses avoided, whether or not directly resulting from the infringement.
In the present case, this concerns an assessment of the nature, seriousness and duration of the infringement in the specific case. In principle, this remains within the bandwidth of the fine category linked to that infringement. The AP may, if necessary and depending on the extent to which the aforementioned factors give rise to this, apply the fine bandwidth of the next higher or next lower category on the basis of Article 8.1 of the Fine Policy Rules 2019. In addition, when imposing an administrative fine on the basis of Article 5:46, paragraph 2, of the General Administrative Law Act, the AP assesses to what extent the violation can be attributed to the offender. Finally, the AP will assess, on the basis of its Fine Policy Rules 2019 and Articles 3:4 and 5:46 of the General Administrative Law Act, whether the application of its policy for determining the amount of the fine, given the circumstances and the capacity of CP&A in this specific case, leads to a disproportionate outcome.
5.3 Fine amount for violation of the prohibition on processing health data and security of the processing
5.3.1. Nature, seriousness and duration of the infringement
Pursuant to Article 7, opening words and under a, of the Fine Policy Rules 2019, the AP takes into account the nature, seriousness and duration of the infringement. In assessing this, the AP takes into account, among other things, the nature, extent or purpose of the processing as well as the number of affected data subjects and the extent of the damage suffered by them.
The protection of natural persons in the processing of personal data is a fundamental right. Under Article 8, paragraph 1, of the Charter of Fundamental Rights of the European Union and Article 16, paragraph 1, of the Treaty on the Functioning of the European Union (TFEU), everyone has the right to the protection of personal data concerning them. The principles and rules for the protection of natural persons with regard to the processing of their personal data must respect their fundamental rights and freedoms, in particular their right to the protection of personal data. The GDPR aims to contribute to the creation of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and convergence of the economies within the internal market and to the well-being of natural persons. The processing of personal data must serve the human being. The right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and weighed against other fundamental rights in accordance with the principle of proportionality. Any processing of personal data must be carried out fairly and lawfully. Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. Personal data must be processed in a manner that ensures appropriate security and confidentiality of that data, including to prevent unauthorized access to or unauthorized use of personal data and the equipment used for processing.
The GDPR offers a high level of protection for particularly sensitive personal data. Personal data that are particularly sensitive deserve specific protection, because processing them can entail high risks for fundamental rights and freedoms. Data subjects must therefore have a high degree of control over their health data. The starting point is therefore that processing special personal data is in principle prohibited. Only a limited number of exceptions are possible in the (U)AVG. In this case, CP&A has violated the high level of protection offered by Article 9, paragraph 1, of the GDPR by processing health data.
Based on Article 32, paragraph 1, of the GDPR, the controller must also take appropriate technical and organizational measures to ensure a level of security appropriate to the risk. When determining the risk for the data subject, the nature of the personal data and the nature of the processing are important: these factors determine the potential damage to the individual data subject in the event of, for example, loss, modification or unlawful processing of the data. The AP has concluded that CP&A has not taken appropriate security measures relating to the health data in its absence registration.
The AP has determined that CP&A processed health data of 25 employees without appropriate security from at least 12 March 2019 to 2 May 2019. This health data contained highly sensitive information such as names of physical and mental illnesses, specific complaints and pain indications of its employees. During this period, CP&A violated the prohibition on processing special personal data and the data subjects concerned therefore had no control over their health data. It is precisely this control that the GDPR wants to offer data subjects, so that they are able to protect their personal data and provide it freely. In addition, during this period CP&A's absence registration was accessible without any form of authentication. As a result, CP&A employees ran a great and unnecessary risk of unauthorized access to their personal data. The fact that this concerns the processing of particularly sensitive data makes the insufficient security of the data even more reprehensible. In the opinion of the AP, these are two serious violations in which CP&A processed the special data of data subjects under improper conditions, but the circumstances mentioned in Article 7 of the Fine Policy Rules 2019, insofar as applicable in the present case, give the AP no reason to increase or decrease the fine amount. However, the AP will still assess in paragraph 5.4 whether the amount of the fine needs to be adjusted on the grounds of proportionality.
5.3.2 Blameability
In accordance with article 5:46, paragraph 2, of the General Administrative Law Act, the AP takes into account the extent to which the fine can be blamed on the offender when imposing an administrative fine. Since this concerns violations, in accordance with established case law18, it is not required to demonstrate that intent has occurred and the AP may assume culpability if the perpetration has been established.19
Based on Article 9, paragraph 1, of the GDPR, it is in principle prohibited to process health data. The statutory rules regarding the processing of personal data about the health of sick employees in the context of their reintegration and absence management as laid down in the Personal Data Protection Act have not changed with the entry into force of the GDPR on 25 May 2018. In addition, CP&A could have inferred from the AP's policy rules 'The sick employee', which were already published in the Staatscourant on 29 April 2016, which personal data CP&A could and could not have processed. A party such as CP&A may be expected, also in view of the special nature of the personal data, to thoroughly satisfy itself of the standards that apply to it and to comply with them. CP&A has violated the high level of protection for special personal data by its actions. The AP considers this reprehensible.
Based on Article 32 of the GDPR, the policy rules ‘The sick employee’ and the nature of the processing, CP&A should also have known that it should have taken additional measures to mitigate the risk of unauthorised access to the absence registration. CP&A failed to implement an appropriate authentication technique (or another method) when accessing the absence registration via the web address in order to be able to prove the claimed identity of a user. The AP also considers this to be reprehensible.
5.3.3 CP&A’s opinion and AP’s response
CP&A states in its opinion that it has taken note of the corrective measures already taken, whereby, as the AP understands it, it refers to the AP’s request to end the violation as soon as possible, and has immediately provided full cooperation. The absence registration is now only maintained in the secure environment of the HRM system, which is only accessible to the HRM department and the direct managers. In addition, CP&A no longer processes the reason for absence and the prognosis is only registered to the extent that it can be derived from the reports of the company doctor without medical information.
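The two security points the decision makes, in 5.3.2 (access to the register via a web address was not tied to a proven user identity) and in 5.3.3 (the register is now limited to the HRM department and direct managers, and the reason for absence is no longer stored), as an added Python example that is not part of the decision and is not CP&A's system: the employees, managers, roles, records and the names `open_share_link`, `read_absence` and `AUDIT_LOG` are all constructed for illustration.

```python
"""Constructed example: an absence register exposed through a bare web address
(weak setting) next to a reader that requires an authenticated session and
limits each record to the HR role or the employee's direct manager."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AbsenceRecord:
    employee_id: str
    name: str
    first_absent_day: str
    expected_return: Optional[str]   # planning-level prognosis only
    # No reason-for-absence or medical-comment field exists on purpose: the
    # register cannot leak what it does not store (data minimisation).


@dataclass
class Session:
    user_id: Optional[str] = None                  # None: anonymous visitor
    roles: frozenset = field(default_factory=frozenset)


class AccessDenied(Exception):
    pass


# Constructed data: three employees, two managers. Not real people.
REGISTER: Dict[str, AbsenceRecord] = {
    "e001": AbsenceRecord("e001", "A. Example", "2019-03-12", "2019-03-20"),
    "e002": AbsenceRecord("e002", "B. Example", "2019-04-01", None),
    "e003": AbsenceRecord("e003", "C. Example", "2019-04-15", "2019-05-02"),
}
DIRECT_MANAGER: Dict[str, str] = {"e001": "m100", "e002": "m100", "e003": "m200"}

# Every access decision is appended here so refused attempts are visible to
# whoever monitors the register (the weak setting records nothing).
AUDIT_LOG: List[dict] = []


def open_share_link(link: str) -> List[AbsenceRecord]:
    """Weak setting: the only 'protection' is that the URL is not published.
    Whoever obtains the link (forwarded mail, browser history, a crawler)
    receives every record, and nothing identifies who read it."""
    return list(REGISTER.values())


def read_absence(session: Session, employee_id: str) -> AbsenceRecord:
    """Corrected setting: authenticate first, then authorise per record."""
    if session.user_id is None:
        _audit(None, employee_id, "denied: not authenticated")
        raise AccessDenied("authentication required")

    is_hr = "hr" in session.roles
    is_direct_manager = DIRECT_MANAGER.get(employee_id) == session.user_id
    if not (is_hr or is_direct_manager):
        # Refuse before touching the record, so an unauthorised caller cannot
        # even learn whether the employee id exists.
        _audit(session.user_id, employee_id, "denied: not authorised")
        raise AccessDenied("not HR and not the employee's direct manager")

    record = REGISTER.get(employee_id)
    if record is None:
        _audit(session.user_id, employee_id, "denied: no such record")
        raise AccessDenied("no such record")
    _audit(session.user_id, employee_id, "granted")
    return record


def _audit(user_id: Optional[str], employee_id: str, outcome: str) -> None:
    AUDIT_LOG.append({"user": user_id, "employee": employee_id, "outcome": outcome})


def denied_attempts() -> List[dict]:
    """The entries a reviewer of the log would look at first."""
    return [entry for entry in AUDIT_LOG if entry["outcome"].startswith("denied")]


if __name__ == "__main__":
    print("share link hands out", len(open_share_link("https://example.invalid/absence")), "records to anyone")
    hr = Session(user_id="h001", roles=frozenset({"hr"}))
    print("HR reads e002:", read_absence(hr, "e002").name)
    m100 = Session(user_id="m100", roles=frozenset({"manager"}))
    try:
        read_absence(m100, "e003")
    except AccessDenied as exc:
        print("manager m100 on e003:", exc)
    print("denied attempts logged:", len(denied_attempts()))
```

The order of the checks matters: identity is established before any authorisation decision, authorisation is decided before the record is looked up, and every refusal is logged, so a register exposed to the wrong audience shows up in the log rather than only in a later investigation.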
In view of the foregoing, and also expressly taking into account the fact that CP&A is a medium-sized enterprise within the meaning of Article 2a GDPR and the manner in which, for example, the Nippon Express (2017) and Stichting Abtona (2016) cases were dealt with, CP&A requests the AP to suffice with the corrective measures already taken pursuant to Article 58 of the GDPR. In addition, CP&A points out that — fortunately — no damage has been caused to the persons involved, that CP&A has not acted intentionally or negligently, that there have been no previous infringements and that CP&A has (additionally) used guidance from an external advisor in the field of privacy.

18 Cf. CBb 29 October 2014, ECLI:NL:CBB:2014:395, r.o. 3.5.4, CBb 2 September 2015, ECLI:NL:CBB:2015:312, r.o. 3.7 and CBb 7 March 2016, ECLI:NL:CBB:2016:54, r.o. 8.3, ABRvS 29 August 2018, ECLI:NL:RVS:2018:2879, r.o. 3.2 and ABRvS 5 December 2018, ECLI:NL:RVS:2018:3969, r.o. 5.1.
19 Parliamentary Papers II 2003/04, 29702, no. 3, p. 134.
The AP does not share CP&A's view. In this case, CP&A should have refrained from processing the health data of its employees. In addition, CP&A has not taken sufficient appropriate measures to guarantee the security of its absence registration. This course of action by CP&A has detracted from the protection of the personal data of its employees. Given the seriousness of the violations, the AP considers the imposition of a corrective measure other than an administrative fine insufficiently effective, proportionate and dissuasive. The AP considers the imposition of an administrative fine appropriate in this case. In determining the amount, it will take into account CP&A's position and capacity to pay. CP&A has also stated that no damage has been caused to the persons involved, but this has not been demonstrated and it cannot be ruled out that damage may occur in the future. This grievance, alone or together with the other grievances, does not give the AP reason, given the seriousness of the violations and the degree of culpability, to refrain from imposing a fine or to further reduce the fine on the grounds stated by CP&A.
The AP sets the fine amount for the violation of Article 9, paragraph 1, of the GDPR at €725,000, and for the violation of Article 32, paragraph 1, of the GDPR the AP sets the fine amount at €310,000.
5.4 Proportionality and capacity to pay
Finally, the AP assesses on the basis of Articles 3:4 and 5:46 of the General Administrative Law Act (principle of proportionality) whether the application of its policy for determining the amount of the fine leads to a disproportionate outcome, given the circumstances of the specific case. The application of the principle of proportionality can play a role in, among other things, the cumulation of sanctions and the financial capacity of the controller. CP&A has invoked limited financial capacity. Based on the financial data of CP&A currently known to the AP, the AP considers CP&A's financial capacity to be limited, which leads the AP to conclude that CP&A cannot financially bear the combined fine amount of €1,035,000 for both violations. On this basis, the AP sees reason to reduce the fine amount. The AP considers a fine of €15,000 appropriate and necessary in this case and considers CP&A sufficiently financially able to pay this amount.
5.5 Conclusion
The AP sets the total fine amount at €15,000.
6. Opinion
Fine

The AP imposes an administrative fine of €15,000 (in words: fifteen thousand euros) on CP&A for violating Article 9, paragraph 1, of the GDPR and Article 32, paragraph 1, of the GDPR.20
Yours sincerely,
Dutch Data Protection Authority,
signed
drs. C.E. Mur
Board member
Remedies clause
If you do not agree with this decision, you can file an objection with the Dutch Data Protection Authority digitally or on paper within six weeks after the date of dispatch of the decision. Filing an objection suspends the effect of this decision. To file a digital objection, see www.autoriteitpersoonsgegevens.nl, under the heading Objecting to a decision, at the bottom of the page under the heading Contacting the Dutch Data Protection Authority. The address for submitting on paper is: Dutch Data Protection Authority, PO Box 93374, 2509 AJ The Hague.
Please state ‘Awb objection’ on the envelope and put ‘objection’ in the title of your letter.
Please include at least the following in your objection:
- your name and address;
- the date of your objection;
- the reference mentioned in this letter (case number); or attach a copy of this decision;
- the reason(s) why you disagree with this decision;
- your signature.

20 The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB).