AP (The Netherlands) - 04.11.2019: Difference between revisions

From GDPRhub
Revision as of 15:54, 22 March 2022

AP (The Netherlands) - 04.11.2019
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 2018
Published: 04.11.2019
Fine: 50,000 EUR
Parties: Menzis, VGZ
National Case Number/Name:
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: AP (in NL), https://autoriteitpersoonsgegevens.nl/nl/nieuws/sancties-voor-menzis-en-vgz-voor-overtreding-van-de-privacywet
Initial Contributor: n/a

The AP fined the health insurance companies Menzis and VGZ € 50.000 for insufficient security measures under Article 32 GDPR.

English Summary

Translated summary by the AP (The Netherlands):[1]

In 2018, the Authority for Personal Data (AP) imposed a penalty payment on two health insurers, VGZ and Menzis, for failure to comply with the Privacy Act. Both health insurers were negligent in the processing of medical data. For example, the authorisation policy was not in order, there was no proper logging, and marketing staff also had incorrect access to health data of insured parties. In order to ensure that health insurers set up their systems to prevent unauthorised access to personal data, the AP imposed a penalty payment on them. Menzis did not comply with the entire order on time. The AP therefore collected a penalty payment of €50,000 at the beginning of 2019. The health insurers have since changed their working methods.

The AP has investigated how health insurers collect and process medical data. The AP carried out a survey of the four largest health insurers, which together account for almost 90% of the market. In doing so, the AP looked at, among other things, purpose limitation (health data are used for marketing purposes) and authorisation policy (which persons have access to medical data). The AP found that none of the health insurers had used the insured person's medical data for marketing purposes. The AP investigated the working methods of health insurers following an enforcement request from Vrijbit.

Burden of a penalty payment for Menzis

At Menzis, one of the health insurers, the AP found that marketing staff had access to medical data, whereas according to the policy of the health insurer this should not be possible. It has not been established that these employees actually used the insured's medical data for marketing purposes. As the technical measures at Menzis were insufficient to ensure that employees did not have access to more data than necessary for their work, the AP imposed an order for a periodic penalty payment. This order was not fully complied with in time, so that the AP claimed a penalty payment of €50,000.

No penalty payment collected from VGZ

Employees at VGZ also had access to medical data, although this was not necessary for their work. In this case, too, the AP has no indication that they have actually processed the data for marketing purposes. At VGZ, too, the technical measures were insufficient to ensure that employees do not have access to more data than is necessary for their work. The breaches found were a reason for the AP to impose a penalty payment on VGZ as well. VGZ complied with the order on time. For this reason, the AP did not collect a penalty payment from VGZ.

Remedies

The AP's investigation and enforcement decisions were part of legal proceedings. In these proceedings, the court has recently ruled and dismissed objections to the AP's investigation and the enforcement decisions as unfounded. This is why the AP now publishes on the sanctions. Vrijbit lodged an appeal against this decision with the Administrative Jurisdiction Division of the Council of State.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the press release

The press release below is a machine translation of the original. Please refer to the Dutch original for more details.

By decision of 15 February 2018 with reference z2016-12335, the Authority for the Protection of Personal Data (AP), pursuant to Section 65 of the Personal Data Protection Act (Wbp) and in conjunction with Section 5:32(1) of the General Administrative Law Act (Awb), imposed an order subject to a penalty on Coöperatie Menzis U.A. (Menzis) for violation of Section 13 of the Wbp, now Section 32 of the General Data Protection Regulation (AVG).

By letter dated 12 November 2018, the AP sent Menzis an intention to recover the penalty payment forfeited by Menzis. In this intention, the AP identified a breach of section 1 of the order subject to a periodic penalty payment. Menzis gave its opinion on this intention on 6 December 2018.

In this decision, the AP noted that Menzis had not fully complied with part 1 of the order subject to an incremental penalty imposed on 15 February 2018 and had therefore forfeited an amount of €50.000,00 by operation of law. Menzis will therefore receive a reminder from the CJIB - on behalf of the AP - to pay within two weeks after this recovery decision has been sent and after a court ruling in case z2016-12335.

1. Procedure
On 15 February 2018, the AP imposed an order subject to a penalty payment on Menzis in connection with a violation of Section 13 of the Wbp.

In a letter dated 17 April 2018, Menzis informed the AP of the progress of the implementation of the various remedial measures to comply with the order subject to an incremental penalty.

On 24 April 2018, the AP confirmed receipt of the progress report by letter.

In a letter dated 3 May 2018, Menzis sent documents to the AP to demonstrate that Menzis complied with part 1 of the order subject to an incremental penalty payment.

On 25 May 2018, the AP announced in a letter that an on-site investigation (OTP) is necessary for the verification of part 1 of the order subject to periodic penalty payments.

By letter dated 29 May 2018, Menzis sent documents to the AP to demonstrate that Menzis complies with part 1 of the order subject to an incremental penalty.

On 12 June 2018, the AP confirmed by letter that the OTP will take place on 18 June 2018 at Menzis' office in Wageningen.

On 18 June 2018, the OTP took place at Menzis' office in Wageningen. During this on-site investigation, the AP requested Menzis to send information to the AP. The final report of this on-site investigation was sent to Menzis by letter dated 31 July 2018.

Menzis responded to the AP's request by e-mail dated 18 June 2018.

The AP sent a further request for information by letter and e-mail on 26 June 2018. Menzis responded to the AP's request by e-mail dated 27 June 2018.
On 28 June 2018, Menzis answered questions from the AP by telephone. During this phone call, the AP and Menzis agreed that Menzis would answer one remaining question later. The final report of this conversation was sent to Menzis by letter dated 31 July 2018.

By e-mail of 3 July 2018, Menzis answered the open question of 28 June 2018. On 5 July 2018, the AP requested further information by e-mail. Menzis responded to the AP's request by e-mail dated 10 July 2018.

On 6 August 2018, Menzis answered questions from the AP by telephone.

On 7 August 2018, the AP informed Menzis by telephone that it had come to the conclusion that Menzis was not complying with section 1 of the order subject to a penalty payment because employees of the Marketing and Sales Department still had unauthorized access to health data.

On 8 August 2018, the AP sent a letter requesting further information. Menzis responded to the AP's request by e-mail dated 20 August 2018.

On 10 September 2018, the AP sent Menzis the report with the findings of the follow-up audit.

In a letter dated 24 September 2018, Menzis gave its views on the report with findings about the follow-up audit.

On 5 October 2018, the AP sent a letter requesting further information. Menzis responded to the AP's request in a letter dated 22 October 2018.

On 12 November 2019, the AP sent a letter to Menzis and Vrijbit as interested parties with a view to recovering the penalty payment forfeited by Menzis.

By letter dated 16 November 2018, Vrijbit gave its view on the intention to collect the fine forfeited by Menzis in writing. The AP sent Vrijbit's opinion to Menzis by e-mail on 21 November 2018.

In a letter dated 6 December 2018, Menzis gave its view in writing on the intention to collect the fine forfeited by Menzis.

2. Text of the offence and charge section 1
2.1 Text of the infringement

The breach of the order subject to periodic penalty payments as imposed on Menzis by the AP by decision of 15 February 2018 reads as follows:

In its findings, the AP concludes that Menzis is in violation of Section 13 of the Wbp. In that context, the AP found the following:
1. Menzis has organised its corporate culture in such a way that only employees may have access to personal data concerning health insofar as this is necessary for the purpose for which the employees process the personal data. Among other things, Menzis has laid down that marketing staff may not process personal data relating to health.
2. However, the AP's research shows that Menzis' marketing staff do in fact have access to personal data relating to health. Pursuant to Article 1, opening words and under b, of the Wbp, being able to consult personal data can be regarded as processing personal data.
3. Consequently, Menzis does not have adequate technical means at its disposal to ensure that employees do not have access to personal data that is not necessary for the purpose for which they are being processed. In that context, the AP points out that Menzis does not, for example, keep log files on access to personal data, including special personal data.
4. The foregoing leads to the conclusion that Menzis does not have appropriate technological measures at its disposal as referred to in Section 13 of the Wbp. Incidentally, the AP did not find any evidence from the underlying documents showing how a marketing action is carried out at Menzis to support the conclusion that marketing staff actually process personal data relating to health for a marketing action. However, this does not detract from the conclusion that Section 13 of the Wbp has been violated because the technological measures taken by Menzis are not appropriate.

2.2 Text of burden item 1
Section 1 of the periodic penalty payment order imposed on Menzis by the AP decision of 15 February 2018 reads as follows:

The AP orders Menzis to set up its system in such a way as to prevent unauthorised access to personal data.

It shall do so in any event:
1.	The authorisation matrix and accompanying documents in which it has laid down the logical access security of its systems must be adapted. These documents shall be adapted or re-created in such a way that it is clear which access rights employees have. The authorisation matrix should provide a clear overview of the authorisations and consultation roles that belong to a function or role by means of, among other things, an unambiguous use of terminology. Menzis should determine for which function or role the processing of personal data relating to health is necessary and for which purpose and adapt this document to revised company insights if necessary. In addition, the authorisations of Menzis' employees must continue to be effectively reconciled with this.

(…)

Period of grace and level of penalty payment in respect of components 1 and 3a
With regard to section 1 of this order, the AP considers that less effort is needed to implement it. The AP therefore attaches a grace period ending on 26 May 2018 to items 1 and 3a of the order.

If Menzis does not comply with the order before the end of the grace period referred to under 0, it will forfeit a penalty payment. The AP sets the amount of this periodic penalty payment at an amount of € 50,000.00 for each (entire) week, after expiry of the last day of the set term, on which Menzis fails to comply with part 1 and part 3a of the order, up to a maximum of € 250.000,00.
In view of the fact that the periodic penalty payment should serve as an incentive to comply with the order, the level of Menzis' turnover, the large number of insured persons and the seriousness of the offence, the AP considers the level of this periodic penalty payment to be appropriate.

3. Findings
3.1 Findings prior to the on-site visit of 18 June 2018

Menzis sent documents to the AP on 3 and 29 May 2018 to demonstrate that Menzis complies with part 1 of the order subject to a penalty payment. This documentation on Menzis' authorization policy concerns not only the Marketing and Sales department, but all Menzis employees.

The documentation on the authorization policy focuses on four documents:

- Overview of FAM authorizations all employees with functional units [1]: an Excel file containing all users with associated IT roles and an indication of whether there is access to personal and health-related personal data. [2] The AP first viewed this document as a definitive situation. However, it later emerged that this document was not the definitive situation after 26 May 2018, but rather an inventory that was used to arrive at a desired situation.
- Function Authorization Matrix (FAM) [3]: An overview of the company role name/authorization profile as can be assigned to an employee with the required roles (which an employee with this company role name must have), allowed roles (which an employee with this company role name can have and is assigned by means of a separate procedure) and associated assignment rule. This document provides an overview of which company roles have been issued following the changes made by Menzis.
- Data Authorization Matrix (DAM) [4]: An overview of company role name/authorization profile with an indication of whether this profile has access to the Data Ware House, personal data and health data (care & declarations and diagnoses/fraud).
- Target loyalty framework [5]: An overview of the business functions per cluster, whether there should be access to personal data and health data (care & declarations and diagnoses/fraud), where the data originated from, for what purposes they were collected and what the basis is. Roles and authorisation profiles are indicated for each business function.

The AP first analysed the documentation provided by Menzis. From this, the AP concluded that the Excel document '20180425_Overview FAM authorizations all employees with Functional Units(003)' gave a recent overview of the authorizations of all employees. This is based on the following information:
a. The name of the Excel document containing the date.
b. The columns mentioned, including: employee number, sector, department, job name, authorisation profile, access to personal data and access to health data.
c. The large number of rows gives an indication that all employees are indeed involved.
However, on the basis of the accompanying documentation, it was not clear to the AP in advance that this was a document from before the changes in the FAM and DAM. Only during the on-site investigation at Menzis did it become clear that this document was not a recent situation.

[1] Official document name: 20180425_Overview FAM authorizations all employees with functional units(003).
[2] This document looks at the IST situation (actual situation, as configured in the Menzis systems) of 25 April 2018. An IST situation should be seen in combination with a SOLL situation (a desired situation towards which work is being done).
[3] Official document name: FAM overview report 2018-05-30.
[4] Official document name: 20180525_Data_Authorization_Matrix.
[5] Official document name: 20180522_Target binding framework (005).

The AP then decided to again focus on the Marketing and Sales department in the follow-up audit, because the earlier investigation revealed that the employees of the Marketing and Sales department had unauthorised access to personal data relating to health. Based on the Excel document '20180425_Overview FAM authorizations all employees with functional units(003)', the AP made a selection of employees from the Marketing and Sales department for the sample during the survey at Menzis in order to check some authorizations.

3.2 Findings during the on-site survey of 18 June 2018

On 18 June 2018, the AP carried out an on-site investigation at Menzis to determine whether part 1 of the order imposed on Menzis is being properly complied with. During this investigation, the AP asked questions about the documentation provided and carried out a random check.

Menzis stated during the on-site investigation that the document '20180425_Overview FAM authorizations all employees with functional units(003)' is an outdated manual list, which served as input for the redrafting of the FAM and DAM. As a result of this finding, the AP has reviewed the authorizations of the previously selected employees with the recent version of the FAM, the DAM and the target loyalty framework.

Menzis also stated that access to (special) personal data per position is laid down in the DAM.

Menzis subsequently stated that no other employees within the Marketing and Sales department may have access to health data other than the employee [CONFIDENTIAL].

The AP has determined that the employee [CONFIDENTIAL] of the Marketing and Sales Department has access to the SAS [6] environment. This gives the [CONFIDENTIAL] employee access to a large number of tables that are used for making analyses. The AP has determined that this employee has access to the table 'idacom.DMT_Salesforce_Case'. This table contains information about cases/complaints from individuals, including a column with information reported by the customer.
[6] Statistical Analysis System is a collection of software used for analysis, business intelligence and data management.

The AP has further determined that in the table columns are visible with, among other things, the sender of the complaint (in this column names of persons are visible on some lines) and the content of the complaint (column name: 'Description_Problem') in which on some lines information about health is mentioned.

Menzis has stated the following:
"The Marketing and Sales Department is, among other things, concerned with product development and, in view of this, the employees of this department must have insight into the individual feedback on Menzis' products.
Product development is a task that can be assigned to [CONFIDENTIAL] as an employee of this department. It is therefore necessary for the fulfilment of his function that a marketing employee can see what Menzis receives complaints about. Menzis' products are health insurances, therefore complaints and customer feedback may include medical information. These employees are subject to Menzis' instructions on how to handle personal data. Customer feedback is not classified as health data based on the purpose limitation framework".

The AP did not identify any other sources of health data for this sample other than the table 'idacom.DMT_Salesforce_Case'.

3.3 Findings following the on-site visit of 18 June 2018

The AP reviewed the authorisations of seven previously selected employees in the context of the current situation with the following documents:
- 20180522_ Target binding framework (005)
- 20180525_Data_Authorization_Matrix
- FAM overview report 2018-05-30

The AP found in this sample that access rights to personal data relating to health are described in a consistent manner in the documentation referred to above.

3.3.1 Findings regarding the table 'idacom.DMT_Salesforce_Case'

On 27 June 2018, Menzis provided the AP with an overview of the last 100 entries from the table 'idacom.DMT_Salesforce_Case', including the column names.

The AP once again determined that the table 'idacom.DMT_Salesforce_Case' contains personal data concerning health that are accessible to the [CONFIDENTIAL]. This means that employees, who, like the [CONFIDENTIAL], have been assigned the allowed role in the FAM that gives access to this table, also (may) have access to these data in practice. These are, for example, employees of the Marketing and Sales department with the [CONFIDENTIAL], [CONFIDENTIAL] and [CONFIDENTIAL] authorisation profiles.

The AP also determined from the target loyalty framework, the DAM and the FAM that an employee with the company role name/authorisation profile [CONFIDENTIAL] (which is assigned to the [CONFIDENTIAL]) may have access to personal data but may not have access to health data. See figures 3 and 4. The same also applies, for example, to other employees of the Marketing and Sales department with the [CONFIDENTIAL], [CONFIDENTIAL] and [CONFIDENTIAL] authorisation profiles.


[CONFIDENTIAL]

Figure 3. Row 20, column A, C, D, E, F and G of document 20180525_Data_Authorisation_Matrix. The absence of a cross in a column does not allow access to the data from that column.

[CONFIDENTIAL]

Figure 4. Row 6, column A, B, C, D, E, F, G, I and J in the second tab of the document 20180522_ Target binding frame (005). Under the heading 'Access to personal data' only 'Personal data' is shown. Under the heading 'Functions linked to the business processes' the function [CONFIDENTIAL]. And under the heading 'Authorization profiles linked to business processes' you will find the profile [CONFIDENTIAL].

Examples of personal data related to health in the table 'idacom.DMT_Salesforce_Case' are the following:

[CONFIDENTIAL]

Figure 5. Row 39, column A and AJ from part of the table 'idacom.DMT_Salesforce_Case', as provided by Menzis to the AP on 27 June 2018.

[CONFIDENTIAL]

Figure 6. Row 42, column A and AJ from part of the table 'idacom.DMT_Salesforce_Case', as provided by Menzis to the AP on 27 June 2018.

[CONFIDENTIAL]

Figure 7. Row 81, column A and AJ from part of the table 'idacom.DMT_Salesforce_Case', as provided by Menzis to the AP on 27 June 2018.


On 10 September 2018, the AP established its findings regarding the follow-up inspection, including the conclusion that Menzis thereby breached section 1 of the order, and sent them to Menzis. In its opinion on this report, Menzis stated that Menzis had changed the classification of the data from the table 'idacom.DMT_Salesforce_Case' to health data.

On 22 October 2018, Menzis submitted evidence that, on 20 September 2018, Menzis made it impossible for employees in the Marketing and Sales department to view the table 'idacom.DMT_Salesforce_Case'.

3.3.2 Findings about applications outside the Data Ware House

On August 6, Menzis declared that authorisations to applications that do not use the Data Ware House, but do provide access to health data, can be found in the Menzis documentation as follows:
- The current FAM overview (FAM overview report 2018-05-30) shows the 'Required roles' and 'Permitted roles' for each authorisation profile. The Required roles have been assigned to each employee with that assigned authorization profile. The Permitted Roles can differ per employee depending on their specific task within the role.
- To determine which applications an employee has access to and whether this application provides access to health data, see document '20180425_Overzicht FAM authorizations all employees with functional units(003)' (the outdated IST situation/FAM) in the fourth tab 'IST - Users & IT roles'.

Together with Menzis, the AP randomly checked these authorizations for applications that do not use the Data Ware House on two employees. The AP also carried out an additional check itself. In this sample, the AP found that these access rights are described in a consistent manner in the documentation provided by Menzis.

4. Assessment
The Menzis authorisation model shows that employees of the Marketing and Sales department (with the exception of one employee) may not have access to health data. Menzis has also stated during the on-site investigation that no other employees within the Marketing and Sales department are permitted to have access to health data other than one employee.

However, as mentioned in sections 3.2 and 3.3.1, the AP determined that employees in the Marketing and Sales department have access to the table 'idacom.DMT_Salesforce_Case' containing health data. Menzis has stated that it is necessary for Marketing and Sales staff to access this data and not to classify it as health data based on the target commitment framework.

The AP classifies some data from the idacom.DMT_Salesforce_Case table as personal health data and concludes that Marketing and Sales Department employees (with the exception of one employee) have unauthorized access to health data.

What is relevant to the concept of "personal data" is whether the data contains information about a person.

The identifiability of the person is the second element that determines whether personal data is involved. The starting point is that a person is identifiable if his identity can reasonably be established without disproportionate effort. Two factors play a role here: the nature of the data and the ability of the person responsible to make the identification. A person is identifiable if it is data which, alone or in combination with other data, is so characteristic of a particular person that it can be identified from it.

The concept of personal data relating to a person's health is understood in a broad sense; it includes not only the data processed in the context of a medical examination or treatment by a doctor, but all data relating to a person's mental or physical health. In addition, the mere fact that a person is ill is also a data relating to his or her health, although that data does not in itself say anything about the nature of the condition.

Data shown in figures 5, 6 and 7, such as chronic back pain, pregnancy and a broken ankle, are clearly data concerning a person's physical health. These data can also be traced back to a natural person by the insurance number and sometimes the name in the description for Menzis as processing manager and the employees of the Marketing and Sales department. Employees of the Marketing and Sales department thus have access to personal data relating to health.

Now that the documents provided by Menzis show that employees of the Marketing and Sales department are not allowed to have access to health data, but the on-site investigation showed that in practice these employees do have access to personal data concerning health, this is an unauthorized access to personal data. Thus, Menzis has not set up its system in such a way as to prevent unauthorized access to personal data.

The AP is then faced with the question of whether Menzis has complied with part 1 of the imposed order subject to a penalty payment. The AP takes into account the evidence provided by Menzis on 22 October 2018 that, in its opinion, the violation has been terminated.

The AP established that Menzis had complied with section 1 of the order subject to a periodic penalty as of 20 September 2018, because written documents and video material provided sufficient evidence that the table 'idacom.DMT_Salesforce_Case' containing personal data relating to health was no longer accessible to the employees of the Marketing and Sales Department.

Menzis on report with findings and reaction AP
Menzis, in its opinion on the findings report, recognised that the personal data in the table above should have been classified as health data. Menzis also stated that the finding established by the AP does not mean that it did not comply with the order correctly. Menzis is of the opinion that this finding is not included in the authorisation matrix, the accompanying documents or the actual authorisations based thereon and therefore falls outside the scope of the order. Menzis has not argued or substantiated this further. The AP did not see any reason to deviate from its earlier findings on the basis of this statement.

Menzis' approach to the intention to collect a penalty payment
Menzis takes the view that it has timely and fully complied with part 1 of the order subject to a penalty payment. Menzis puts forward three arguments to this end.

First, Menzis argues that there was no unauthorized access to personal data because the employees in question (at that time) were authorized to have access to the relevant table. The fact that Menzis did not qualify the personal data in the table as personal data concerning health, does not mean that there was unauthorized access. In addition, the AP only established that access was theoretically possible.

Secondly, Menzis concludes that the AP is of the opinion that the charge was violated under a penalty payment because Article 32 of the AVG was breached. According to Menzis, the conclusion from the AP's report of 10 September 2018 also seems to indicate such a view. Menzis disputes this view because the charge does not relate to every violation of section 32 of the AVG and because there is no violation of this section of the law.

Thirdly, Menzis takes the position that there is a special circumstance that means that recovery must be waived. Menzis has only partially failed to carry out one of the three parts of the charge. In view of the large number of employees and the large number of files, the incorrect qualification of one table is a shortcoming that can be regarded as marginal. In addition, part 1 of the charge has now been fully complied with.

AP response
The AP does not follow Menzis in its view that there is no unauthorized access to personal data. The AP did not check whether the employees of the Marketing and Sales department had authorized access to the table 'idacom.DMT_Salesforce_Case', but whether these employees were authorized to have access to personal data relating to health. As previously
The Menzis authorisation model shows that employees of the Marketing and Sales department should not have access to health data. The AP found that Marketing and Sales department employees nevertheless had access to health data in the table 'idacom.DMT_Salesforce_Case'. In view of this, Menzis had not set up its system in such a way as to prevent unauthorised access to personal data about health. The fact that Menzis acknowledged that it had not qualified the personal data in the table as health data does not alter this conclusion. In addition, during its visit to Menzis, the AP was able to establish in the systems that employees of the Marketing and Sales department actually had access to health data for product development purposes in practice, and not only in theory.

Nor does the AP follow Menzis in its opinion on Article 32 of the AVG (GDPR). An imposed penalty payment is forfeited by operation of law as soon as it becomes apparent that the imposed order has not been complied with. Contrary to Menzis' opinion, the AP's follow-up inspection is limited to determining whether the content of the imposed order, as it was imposed at the time, has been complied with.

Finally, the AP does not follow Menzis' view that there is a special circumstance that requires recovery to be waived altogether. Partial, but not full, compliance with an order subject to a penalty payment is not a circumstance that may lead an administrative body to waive recovery. Nor is retrospective compliance with a part of an order, in principle, a ground for waiving recovery. In addition, the AP has yet to assess part 2 of the order, which has a different grace period and penalty payment. The AP also noted that it identified the violation on 10 September 2018 and did not classify it as a continuing violation. If in this case the AP had found the violation to be a continuing violation, Menzis would have forfeited a penalty payment of €250,000.00.

Opinion of Vrijbit on the intention to collect the penalty payment and the AP's response
Vrijbit states that Menzis processes medical personal data without there being a legal basis for doing so, circumventing the Code of Conduct that the Dutch Data Protection Authority was obliged to approve at the time. For Vrijbit, it is important that the AP collects the imposed periodic penalty payment immediately.

The AP has taken note of Vrijbit's opinion. The assertion that Menzis processes medical personal data without there being a legal basis for doing so, circumventing the Code of Conduct that the Dutch Data Protection Authority was obliged to approve at the time, plays no role in this decision. With this decision, however, the AP does proceed to collect the penalty payment.

5.	Conclusion
The authorisation model and accompanying documents provided by Menzis show that employees of the Marketing and Sales department should not have access to health data. However, the AP established during the follow-up audit that in practice these employees did have access to health data. Thus, Menzis had not set up its system in such a way as to prevent unauthorised access to personal health data.
In view of this, the AP established that Menzis had not fully complied with the first sentence of the order under penalty payment in combination with order part 1 of the decision of 15 February 2018.

On 10 September 2018, the AP established its findings regarding the follow-up audit, including the conclusion that Menzis had thereby breached part 1 of the order, and sent them to Menzis.

With the evidence of 22 October 2018, which was provided subsequently, Menzis made it plausible that, as of 20 September 2018, it had after all complied with the first sentence of the order subject to a penalty payment in combination with part 1 of the order.

In view of the foregoing, Menzis has forfeited a penalty payment by operation of law for the period from 10 September 2018 to 20 September 2018. This means that one full week elapsed before the imposed order was met. The forfeited penalty payment therefore amounts to 1 × €50,000.00 = €50,000.00.

Pursuant to Article 5:33 of the General Administrative Law Act (Awb), a penalty payment must be paid within six weeks after it has been forfeited by operation of law. The AP had not yet received payment on the date of this decision.

6.	Decision
In view of the above and Article 5:37 of the General Administrative Law Act (Awb), the Autoriteit Persoonsgegevens decides that:

I. Menzis has not fully complied with the first sentence of the order subject to a penalty payment in combination with part 1 of the order of 15 February 2018. In doing so, Menzis has forfeited a penalty payment of €50,000.00.
II. The AP will proceed to collect the penalty payment of €50,000.00 forfeited by Menzis.

The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB). In the absence of timely payment, the outstanding amount will be increased by reminder costs and any collection costs.

7.	In conclusion
In connection with Section 5:37 of the Awb, Vrijbit will receive a copy of this decision as an interested party. This does not include data that makes it possible to identify employees or customers of Menzis.

If you have any questions about this letter, please contact the above-mentioned contact person.
A copy of this letter has also been e-mailed to Toezicht@menzis.nl.

Yours sincerely,
Autoriteit Persoonsgegevens (Dutch Data Protection Authority),
Mr A. Wolfsen, Chairman

If you do not agree with this decision, you may lodge an appeal under the General Administrative Law Act with the District Court of Central Netherlands, where these proceedings are already pending, within six weeks of the date of dispatch of the decision. You must enclose a copy of this decision. Lodging an appeal does not suspend the effect of this decision.