AP (The Netherlands) - 24.02.2022: Difference between revisions

From GDPRhub
No edit summary

Revision as of 14:26, 13 April 2022

AP (The Netherlands) - Ministry of Foreign Affairs
LogoNL.png
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 13(1)(e) GDPR
Article 24 GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 24.02.2022
Published: 06.04.2022
Fine: 565,000 EUR
Parties: Dutch Minister of Foreign Affairs
National Case Number/Name: Ministry of Foreign Affairs
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: autoriteitpersoonsgegevens.nl (in NL)
Initial Contributor: ea

The Dutch DPA issued a fine of EUR 565,000 against the Dutch Ministry of Foreign Affairs for having insufficient security measures and not providing data subjects with adequate information when processing visa applications, in violation Article 13(1)(e), 24 and 32 GDPR.

English Summary

Facts

The Dutch Ministry of Foreign Affairs handled personal data in processing visa applications. That data included fingerprints, name, address, place of residence, country of birth, purpose of visit, nationality and a photograph. The DPA carried out an investigation of the New Visa Information System that the Ministry used for visa processing operations.

Holding

The DPA held that the New Visa Information System lacks sufficient level of security, giving rise to a risk that unauthorised persons can view and change files. It also increases the risk that other errors go unnoticed. Some of the issues concerned were a lack of a security plan, insufficient physical security safeguards, lack of formal registration and deregistration procedures in relation to the access to the system, and weaknesses in the procedure for reporting security incidents. These errors and abuses would have major consequences on applicants' rights. Consequently, the Ministry violated Article 32 GDPR and Article 24 GDPR.

The DPA also found that visa applicants were insufficiently informed about how their data was shared with third parties. Consequently, the Ministry violated Article 13(1)(e) GDPR.

The Ministry of Foreign Affairs was held to be severely negligent as it had been aware of these deficiencies for years. The DPA ordered the Ministry to rectify the situation. It imposed a fine of EUR 565,000 for the past violations. It also imposed penalty payments payable for as long as the violations continue, namely EUR 50,000 per two weeks for security breaches and EUR 10,000 per week for lack of transparency.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                        AuthorityPersonal Data
                                                        PO Box93374,2509AJ The Hague

                                                        Bezuidenhoutseweg30,2594AV The Hague
                                                        T0708888500-F0708888501
                                                        authority data.nl

Confidential/Registered
Minister of Foreign Affairs
Deheermr.W.B.HoekstraMBA
Rijnstraat8
2515XPDenHaag








Date Unidentified
24 February 2022 [CONFIDENTIAL]


                           Contact
                           [CONFIDENTIAL]




Subject
Decidingtoimposeafineandannuitycompensation



Dear Hoekstra,

The Data Protection Authority (AP) has decided to ask the Minister of Foreign Affairs (hereinafter:
the Minister) to impose an administrative fine of €565,000. TheAP has come to the conclusion that the
Minister, as controller in the process of issuing so-called Schengen visas,

data subjects provide insufficient information and security of the processing of personal data
insufficiently guarantees. With regard to the security of personal data, the AP relates to
until the New Visa Information System (NVIS) briefly determined that:
    - a security plan is missing;
    - insufficient measures have been taken or have been taken to protect personal data physically;

    - incomplete procedures exist with regard to (control of) access rights to NVIS;
    - there are shortcomings in the log files and regular checks on them; and
    - the procedure for reporting security incidents was incomplete.

As a result, the Minister acts in conflict with article 13, paragraph 1, and article 32, paragraph 1, of the General

RegulationData Protection (GDPR). The AP has decided to also impose an injunction sum
to impose, who sees the reversal of these violations–that in determining this
still decides not to be terminated.


The AP explains the decision in more detail. Chapter 1 concerns an introduction chapter 2 contains the
findings.Inchapter3the(amountofthe)administrative fine is elaboratedandinchapter4
the burdensubjectivesumdescribed.Chapter5finallycontainsthedictmentandremediesclause.




                                                                                              1,Date Unidentified
24 February 2022 [CONFIDENTIAL]



Contents

1.Introduction 4

1.1Background 4
1.2Target research 5
1.3Visa ProcessforSchengen Short Stay Visa 5
1.4 Legal framework 8

1.5Process flow 8

2.Findings 9
2.1Processing of personal data 9

       2.1.1 Factual findings 9
       2.1.2Legal assessment 9
2.2 Controller and processor(s) 10
       2.2.1 Factual findings 10
       2.2.2Legal assessment 12

2.3Security planNVIS 13
       2.3.1 Legal framework 13
       2.3.2 Factual findings 14
       2.3.3Legal assessment 17

2.4PhysicalSecurityAccesstoNVIS 19
       2.4.1Legal framework 19
       2.4.2 Factual findings 19
       2.4.3Legal Review 22

2.5AccessrightstoNVISandstaffprofiles 25
       2.5.1 Legal framework 25
       2.5.2 Factual findings 26
       2.5.3Legal assessment 32
2.6 Monitoring NVIS usage: log files 36

       2.6.1 Legal framework 36
       2.6.2 Factual Findings 37
       2.6.3Legal assessment 40
2.7 Control of NVIS usage: security incidents 42

       2.7.1 Legal framework 42
       2.7.2 Factual Findings 44
       2.7.3Legal assessment 47
2.8Training staff on data protection 48

2.9 Information provision to visa applicants 48
       2.9.1 Legal framework 48
       2.9.2 Factual findings 49
       2.9.3Legal Assessment 50
2.10 Conclusions 51




                                                                                                   2/64,Date Unidentified
24 February 2022 [CONFIDENTIAL]



3Fine 53
3.1Introduction 53
3.2.Finance policy rules Data Authority2019 53
3.3Penaltyforviolatingthesecurityofprocessing 53

      3.3.1 Nature, seriousness and duration of the infringement 54
      3.3.2 Negligent nature of the infringement 54
      3.3.3Categories of data 55
3.4Amount of fines for violation of information provision to those involved 55
3.5 Blame and proportionality for both violations 56

3.6 Conclusion 56

4.Load forced sum 57

5.Directive 59


APPENDIX1 61


































                                                                                              3/64, Date Unidentified

       24 February 2022 [CONFIDENTIAL]



       1 Introduction


       1.1Background

1. The APis responsible for supervising the national part of a number of European
       information systems, including the Visa Information System (hereinafter: VIS) and the Schengen
       InformationSystem (hereinafter: SISII). Under the EU legal framework of these systems, the AP
       to independently monitor the lawfulness of the processing of personal data by the

       Member State concerned, including the transmission from and to the central European facility of VIS
       and SIS. For visa applications, access to the European VIS takes place via a national system, to
       know: N.VIS.The specific application that falls under N.VIS by the Ministry of Foreign Affairs
       (hereinafter: BZ) is used for the purposes of Schengen visas, the New Visa Information System
       (hereinafter: NVIS).

2. The NVIS contains the application data, including biometric data, of all applicants who

       Dutch Consular Post AbroadWant to obtain a Schengen visa for their stay
       in the Netherlands and/or in other Schengen countries.Schengen visa applications are made in countries
       outside the Schengen areas where there is also no question of a special visa exemption
       processing of the visa applications is also always checked whether the application appears in SIS II.SIS
       IIincludes alerts imported by Member States in, among other things, the area of European arrest warrants and
       declared undesired. The SISII check takes place automatically, in the background of a
       visa application via NVIS.


3. In 2015, the Schengen evaluation took place, in which the supervision of the national carried out by the AP
       part of the SISIIandVISwasassessed.IntheSchengenevaluationreport2015isexplicit
       included that the AP must carry out regular checks at the Dutch consular posts
       AP checks are also part of the police and justice multi-year plan that the AP follows within the framework
       of its supervision of, among others, the above-mentioned SIS II and VIS (systems).


4. As a result of this, the AP has carried out a controlling investigation at BZen a number of parties
       who have a role in the process of issuance of Schengen visas. The study included the following
       organizations:
           - the Netherlands Embassy to London, United Kingdom (hereinafter: Consular PostLondon);
           - the Netherlands Embassy in Dublin, Ireland (hereinafter: consular post Dublin);
           - the Consular Service Organization in The Hague, which functions as the back office of the
               visa granting (hereinafter: the CSO);

           - [CONFIDENTIAL](hereinafter: Processor1) of London, United Kingdom, which acts as
               external service provider (hereinafter: EDP) in the visa process of the Consular Post London;
           - [CONFIDENTIAL] (hereinafter: Processor2) in Utrecht, the executor of various IT tasks in
               relation to the national visa information system; and
           - [CONFIDENTIAL] (hereinafter: Processor3) in Amsterdam, the service provider for the benefit of the
               NVIS servers.






                                                                                                 4/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]




       1.2Target research

5. The research of the AP focused on the (selected) physical, organizational and technical

       security aspects of NVIS in the context of the Schengen visa process and includes the
       security plan, physical security, granting access rights to NVIS and logging of the
       NVIS use. In addition, compliance with legal requirements was checked with regard to the

       information provision to visa applicants and training of employees involved in the
       visa process.


       1.3Visa ProcessforSchengenShort Stay Visa

6. In this section, the AP explains the Schengen visa process in general, and specifically

       with regard to the consular posts in London and Dublin.


         Schengen short stay visa

         A short-stay visa is referred to as a 'Schengen Visa'. This visa allows persons within a
         period of 180 days, 90 days to stay in the Schengen area. ImmediatelySchengenvisumishet–short
         summarized–for a personwithoutEU nationalityallowedfreetravelwithin26

         Schengen countries. The country where one has to apply for the visa is determined by the main purpose
         of the applicant's journey or main destination.


7. The visa process at the examined consular posts consists of the following steps : 1

             1. [CONFIDENTIAL]
             2. [CONFIDENTIAL]
             3. [CONFIDENTIAL]
                                   2
             4. [CONFIDENTIAL]
             5. [CONFIDENTIAL]
             6. [CONFIDENTIAL] 3

             7. [CONFIDENTIAL]
             8. [CONFIDENTIAL]
             9. [CONFIDENTIAL]


8. After the registrations are completed and the substantive steps have been completed, a decision can be made on the
       visa application will be taken. This decision will be registered in NVIS. A positive decision

       the visa sticker is printed in the applicant's passport, if a negative decision is taken
       a refusal decision is created. In both cases, the decision is recorded in VIS. 5



       1File document3, appendix1: NVISManualVisa application processingFebruary2018,p.19.
       2During the processing of the visa application, it is always checked whether the application appears in the SISII system. SIS II includes
       alerts imported by member states in, among other things, the area of European arrest warrants, and unwanted aliens.
       takes place automatically, in the background of a visa application via NVIS.
       3File document3, appendix3: Visio-SchengenFlowchart, p.6and7.
       4File document3, appendix 3: Visio-Schengen Flowchart, p.7.
       5File 3, appendix 3: Visio-Schengen Flowchart, p.9.



                                                                                                  5/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]




       Apply for a Schengen visa at a consular postLondon
9. The Consular PostLondon cooperates with Processor 1 who fulfills a role of an EDP. The tasks of 7
       the EDV include, among other things:

       [CONFIDENTIAL]





10. Processor1 handles the intake of most visa applications that pass through the London Consular Post.

       In the context of a visa application, the applicant downloads the application form via the BZ website
       or via the website of Processor1.Then the requester makes an appointment with Processor1 via the
       appointment system of Processor1. On the day of the appointment, the applicant reports to Processor1.
                                                                8
       Processor1 successively performs the following tasks:
       [CONFIDENTIAL]








11. The Consular PostLondon carries out the following tasks, among others:

       [CONFIDENTIAL]












12. The tasks of the CSO include the following activities: 9
       [CONFIDENTIAL]













       6Recital13Visacode,article40lid3Visacode,article43Visacode.
       7Article 43, paragraph 5, Visa code.
       8File document3, attachment3:Visio Schengen visaFlowchart.
       9File document3, appendix3:Visio Schengen visa Flowchart,p.4-5.



                                                                                                         6/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]



13. Where appropriate, submitting an application to the Immigration and Naturalization Service
                                                                                     10
       (IND) necessary or necessary to consult or inform member states. In addition, it can
       are necessary to interview the applicant. During the processing of the visa applications,
       always checked whether the applicant appears in SISII. The SISII check takes place automatically, in the

       background of a visa application through NVIS. After these steps have been completed, a decision can be made on the
       visa application will be taken. This decision will be registered in NVIS. A positive decision
       the visa sticker is printed in the applicant's passport, if a negative decision is taken
                                                                                               13
       a refusal decision is created. In both cases, the decision is recorded in VIS.


       Apply for a Schengen visa at consular postDublin
14. The consular postDublin worked during the investigation of the AP without the intervention of an EDV and
       processes visa applications itself. Most of the same steps are taken here
       visa application process followed by Processor1 and the Consular PostLondon.[CONFIDENTIAL].

       [CONFIDENTIAL]. In the context of a visa application, the applicant downloads the application form
       via the website of the embassy or BZ. An appointment for an intake at the consulate can be made
       be on the embassy's website via a link to a system for appointments.


15. As part of the visa process, the consulate performs the following tasks, among others:
        [CONFIDENTIAL]














16. In its role as back office, the CSO performs the same tasks as in the case of the consular post
       London. In addition, the CSO has an important task in registering the visa application details

       which the consular post takes Dublin as paper files by mail to the CSO in The Hague
       sends.

       ViewBZ

17. BZ has stated that since the investigation by the AP some changes have been made to the above visa process
       have been implemented. Processor1 today takes live photos, the intake of the visa applications
       no longer proceeds by mail(viatheconsularpostLondon).In addition,consularmailmakesDublin
                                        14
       meanwhilewelluseofanEDV.



       1File document3, appendix3:Visio Schengen visa Flowchart,p.6.
       1File document3, appendix3:Visio Schengen visa Flowchart,p.7.
       1File document3, appendix3:Visio Schengen visa Flowchart,p.7.
       1File document3, appendix3:Visio Schengen visa Flowchart,p.9.
       1WrittenViewBZvan15October2021,p3.



                                                                                                   7/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]



       1.4Legal framework


18. For the legal framework, the AP refers to APPENDIX1.

       1.5Process flow


19. In the context of this research, the AP used various research methods. The AP carried out
       desk research, requested in writing for information and has several locations in several locations
       on-site investigations (hereinafter referred to as: OTPs). During the OTPs, the inspectors of the AP

       conducted interviews and researched the information systems used in the
       visa process. Following the OTPs performed, the AP has the additional documentation
       requestedandwrittenquestions.Duringtheexamination,severalfileswererequested

       relating to the granted access rights to NVIS, NVIS logging and selection from the NVIS
       databases (in particular tables of the databases).

20. By letter dated August 13, 2021, the AP sent an intention to enforcement to the Minister.

       On 15 October 2021, the minister gave a written opinion about this intention and about it
       substantiatedreportwithfindings. On November 4, 2021 at the AP has a
       opinion session took place at which BZook explained its view orally. at10
                                                                    17
       December 2021 has sent further documents on request.




























       1WrittenOpinionBZvan15October2021.
       1LetterBZaanAPof19November2021withappendix1Conversation report.
       1EmailBZaanAPvan10December2021.




                                                                                                 8/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]





       2.Findings


       2.1Processing of personal data

       2.1.1 Factual Findings


21. The Visa Code defines what information the Member States must collect in order to be able to visa
       The VIS Regulation lays down that the following information is required for the

       handling and making decisions about visa applications for the Schengen area in the VIS
       should be stored: alphanumeric data concerning the applicant and the requested,
       visa issued, refused, annulled, revoked or extended, a photo of the applicant,
                                                                 18
       fingerprint data and links to other requests. Upon receipt of an application, the
       visa authority without delay on the application file by entering various data into the VIS,
       such as first and last name, gender, places, country of birth, nationality, type of visa that will be
                                                                                                     19
       applied for, purpose of travel, place of residence, current occupation, photo and fingerprints of the applicant.

22. Authorized personnel of the visa authorities have access to and can access the VIS
       enter, change or delete data. For example, upon the issuance of a visa, upon the cancellation of

       a visa application, in the event of a refusal of a 21 visa application, in the event of annulment/revocation of a
       visa or an extension of a visa details added to the application file. Then it is
       the data may be changed or deleted during the application process. BZ(service

       consular posts) use the NVIS in which data is required from the
       Schengen visa process are saved, modified and deleted.

       2.1.2Legal review


23. The data of visa applicants that have been processed in the NVIS qualify as personal data in the sense
       of article 4, under 1, GDPR, because it concerns information about identified natural persons. A 23

       part of this data is biometric data within the meaning of article 4, under 14, and article 9 AVG
       and thus qualify as special personal data.

24. Continue to enter, consult, save, view and change data in NVIS under the

       scope of the concept of processing of personal data within the meaning of article 4, under 2, AVG.DeAP
       establishes that data are processed through the NVIS when going through the
       visa process for short-term stay.





       1Article 5, paragraph 1, Regulation (EC) No. 767/2008 of the European Parliament and Council of 9 July 2008 on the Visa Information System
       (VIS) and the exchange between Member States of data in the field of short-stay visas (‘VIS Regulation’), PB2008, L218/60.
       1Article8, paragraph 1jo.9VIS Regulation.
       20Article 6, paragraph 1, VIS Regulation.
       2Article 10 to 14VIS Regulation.
       22Article24and25VIS Regulation.
       23Because, among other things, name and address data and also the social security number are processed, the identity of the persons is fixed and therefore
       identified persons.



                                                                                                     9/64, Date Unidentified

       24 February 2022 [CONFIDENTIAL]



       2.2 Controller and processor(s)


       2.2.1 Factual Findings


       Ministry of Foreign Affairs

25. The AP establishes that for the Netherlands the Minister of Foreign Affairs is the designated person responsible for
       processing of the data in the VIS. 24


26. The AP establishes that an important part of the tasks in the field of NVIS services
       organisationally, it is entrusted to the Directorate-General for European Cooperation. UnderthisDirectorate

       a number of directorates, two of which have a particular role in the granting of visas.
       Firstly, the board of directorsConsular Business and Visa Policy (DCV).
       providing consular services to Dutch nationals in foreign countries by directing the
                                                         26
       consular function at the departments and at the posts. Second, the Consular Service Organization
       (CSO) in The Hague. CSO is a shared service organization whose primary task is back office
       to shape processes related to the issuance of visas and travel documents. TheAPhas

       established,andBZconfirmed,thattheconsulatebackofficeLondonandtheconsulateDublin
       is located at CSO. In addition, CSO provides back office work for a number of
       other consular services and products. 27


       Processor1

27. Processor1 is an outsourcing and technology services company that serves the Netherlands in various countries
       arranges executive affairs with regard to visa and passport issuance. The head office,

       [CONFIDENTIAL] is located in Dubai, United Arab Emirates.

28. Processor1 is designated as an external service provider to facilitate visa application facilities

       company directs physical visitor centers to which data subjects can submit their applications.InLondon
       handles Processor1for BZthefrontofficeforthevisaapplicationsintheUnitedKingdom
       be submitted. With regard to this work, on March 21, 2019, a
                                                             29
       concession agreement concluded between Processor1 and BZ. Based on this assignment, Processor
       1process visa and biometric information.EmployeesofProcessor1takethese
       data received from the applicant. At the location of [CONFIDENTIAL] in London are ICT
                                                 30
       facilities made[CONFIDENTIAL]. Processor1 does not have access to NVIS, this happens at
       the CSO. At Processor1, applicants can hand in and collect their passports.






       24
        Listofthecompetentnationalauthorities to which they belongauthorizedstaffhaveaccesstotheVisaInformation
       25steem(VIS)toenter,change,deleteorconsult data(2012/C79/05).
       26rtikel7, paragraph2, subd, Organizational DecreeForeign Affairs2019.
       27rtikel7, paragraph2, subc, Organizational DecreeForeign Affairs2019.
       28rtikel7, paragraph2, subd, Organizational DecreeForeign Affairs2019.
       29rtikel40, paragraph 3, Visa code.
       30esss piece3, appendix 4a:[CONFIDENTIAL].
        File3,Appendix4d:Appendix1tothestandardcontractualclauses.



                                                                                                  10/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]



29. For the transfer of processed personal data by BZ to Processor1 there is an intermediary

       arrangement made on the basis of the European Commission, in accordance with article 46, paragraph 2, subparagraph, GDPR
       established standard contractual clauses for data protection (´StandardContractual
       Clauses'). Article1,subbenc,is put down as follows:


       (b)´thedataexporter´meansthecontrollerwhotransferthepersonaldata;
       (c)´thedataimporter´meanstheprocessorwhoagreestoreceivefromthedataexporterpersonaldataintendedfor
       processingonhisbehalfafterthetransferinaccordancewithhisinstructionsandthetermsoftheClausesandwhoisnot

       subjecttoathirdcountry´ssystemssuringadequateprotectionwithinthemeaningofChapterVofRegulation(EU)
       2016-679.


30. Article 4 of the Standard Contractual Clauses contains obligations laid down by the dates
       exporter´.UnderArticle4,subb,StandardContractualClauses,the´dataexporter´connects

       the obligation 'thatithasinstructedandthroughoutthedurationofthepersonaldataprocessingservices
       willinstructthedataimportertoprocessthepersonaldatatransferredonlyonthedataexporter'sbehalf
       andinaccordancewiththeapplicabledataprotectionlawandtheclauses'.


31. Inappendix1totheStandardContractualClausesstatesthatBZthe´dataexporter´isen
       [CONFIDENTIAL]the´dataimporter´. 32


       Processor2
32. The investigation of the AP has shown that Processor 2 plays an important role within the

       visa granting process. Processor2 is a consultancy company that focuses on providing consultancy and advice
       of information technology.


33. The services for NVIS are provided by the following organizational units of Processor2
       performed: [CONFIDENTIAL] as part of [CONFIDENTIAL] and [CONFIDENTIAL].
       [CONFIDENTIAL] (and therefore Processor2NederlandBV)uses the services of the
                                                                                                33
       [CONFIDENTIAL]inIndiathatispartofProcessor2[CONFIDENTIAL].

34. Processor2 entered into an agreement with BZ on 31 August 2010 for the delivery of
       support services for NVIS. The service includes application and technical

       management, making available (including hosting), maintaining, developing and renewing
       of the functionality for and advice for the benefit of, among others, the NVIS. Processor2 delivers in this framework
       including custom applications specifically developed for the visa issuance process
                      34 35
       support. Processor2 reports to the Director of Consular Affairs and Visa Policy of the Ministry of Foreign Affairs.

35. In Article 2.1 of the Processing Agreement (Appendix to the Agreement Making available,

       MaintainanddevelopNVISfromAugust31,2010)statesthatrelatingtoprocessing


       31File 3, appendix 4b:Standardcontractualclauses(processors).
       32File3,Appendix4d:Appendix1tothestandardcontractualclauses
       33File 23, appendix05:OrganogramProcessor2worldwideforNVIS
       34File piece14, appendix02.1: AVGChange agreementProcessor2–MinBZNVIS20180529,p.14.
       35File document14, appendix02.1: AVGChange agreementProcessor2–MinBZNVIS20180529,p.1.



                                                                                                        11/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]




       personal dataof BZbyProcessor2underthisProcessing Agreement,BZde
       controller require Processor2 to be the processor. 36


36. It follows from article 4.1 of the Processor Agreement between Processor2 and BZ that Processor2 sub-
       processors can engage for the processing of personal data when there is a question of
       prior written specific or general permission from BZ. Processor2 must be based on the

       agreement with BZ to impose the same obligations on sub-processors with regard to the
       processing of personal data as that to which Processor2 itself is bound by this
       Processing Agreement.


37. In article 5.1 of the processing agreement between BZ and Processor 2 it is established that BZ has the right
       has been audited once per contract year by a certified internal or external auditor

       perform to Processor2's compliance with its obligations under the processor agreement. The AP
       has determined that BZ evaluates the compliance of Processor2 by the desire of so-called
       assurance statements from Processor2. The AP has received two assurance reports from BZ with
                                                                              37
       related to Processor2 for the period 1 November 2017-31 October 2018.

38. The AP has established that Processor2 in the context of its services on behalf of NVIS it

       companyProcessor3deploysassubprocessor.Processor3(formerly[CONFIDENTIAL])developed
       operates worldwide data storage centers. In the Netherlands, Processor 3 has a data center in
       Amsterdam.Processor3providesservicestoProcessor2,namelymakingtheavailabilityof

       the data center, including physical facilities.

       [CONFIDENTIAL] 39










       2.2.2Legal review


       Controller
39. In accordance with the VIS Regulation (Article 41(4)), each Member State shall designate for the processing of

       personal data in the VIS to the authority that must be regarded as the responsible person who
       has central responsibility for data processing by this Member State. The responsible person
       has been notified to the European Commission and published in the Official Journal of the European
            40
       Union. Based on this, the Minister of Foreign Affairs has been noted


       3File piece14, appendix02.1:GDPRChange agreementProcessor2–MinBZNVIS20180529.
       3File 14, attachment 12.2:[CONFIDENTIAL].
       3File 20:[CONFIDENTIAL].
       3File 20:[CONFIDENTIAL].
       4ListofthecompetentnationalauthoritiesandtowhichtheauthorizedpersonnelmembershaveaccesstotheVisaInformation
       System (VIS) to enter, modify, delete or consult data, PB2012, C79/05.



                                                                                                  12/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]



       NVIS controller. This is also confirmed by the Ministry to the AP
       documents issued.1


40. The Minister (with the support of his ministry) decides on how to apply for visas
       should be treated and also make the final decision on visa applications
       the Minister determines the objectives and the means for the processing of data within NVIS.


41. The AP establishes that the Minister of Foreign Affairs is the controller, in the sense of
       article4, preamble to 7, AVG, for the processing of personal data in the context of NVIS.In which
       this decision is called the Ministry of Foreign Affairs, the AP makes this equivalent to the Minister of Foreign Affairs.


       Processors
42. According to Article 43 Visa Code, Member States may cooperate with an external service provider that
       controllersupportsinthevisaprocess.Memberstatesaremandatoryagreements
                                                                                          42
       create in a legal instrument where the minimum requirements are determined in the Visa Code.

43. The AP finds that BZenengages a number of parties to the data processing and in the visa process
       to support, namely Processor1 (the third-party service provider that is processing the visa applications

       takes), Processor2 (for the application and technical management of NVIS) and Processor3 which acts as a processor
       provides support for Processor2's processes. There are with these parties
       processing agreements. From the various processing agreements concluded between
       thesepartiesandBZfollowsthattheMinisterisdesignatedascontrolleristhe
       said parties as processors.


44. The AP therefore establishes that Processor2 and Processor1 are processors as referred to in article 4, under 8,
       GDPR.Processor3isaprocessorthat has been engaged byProcessor2,asreferred to in article28,
       member2andlid4,AVG(sub-processor).


       2.3Security planNVIS


       2.3.1Legal framework

45. Article 32, paragraph 2, VIS Regulation prescribes that each Member State provides the necessary technical and organizational
       establishes security measures, including a security plan. This plan is one of the
       security measures it must take to secure the data before and during transmission

       to the NVIS. Such an obligation also arises from article 32 and 24 AVG. Article 24 AVG writes
       more in general for the responsible measures in the field of compliance with the
       GDPR should take and that they should be periodically evaluated.

46. Article 32(3) VIS Regulation further states that the managing authority must take the necessary measures

       to achieve the objectives referred to in paragraph 2 with regard to the functioning of the VIS,
       including the adoption of a security plan. The strategic principles and

       41
       42iexample filepiece12,appendix44a:piaapplicationstationsignedandfilepiece12,appendix 44b:nvispiasigned.
        AppendixXVisa code.



                                                                                                13/64, Date Unidentified

       24 February 2022 [CONFIDENTIAL]



       preconditions that BZ uses for information security in relation to NVIS must be clear
       the security plan. In concrete terms, this means that BZe must have drawn up a security plan
       for the NVIS, where at least attention is paid to the points to which I mentioned in article 32, paragraph
       2,VIS Regulation are included.


47. AlsotheBaselineInformationsecurityGovernment(BIO)writesthepresenceofa
       information security plan for periodic assessment, the following standards are relevant:


        5.1.1 Information Security Policies
                     For information security, a set of policies should be
                     defined, approved by management, published and communicated to
                     employees and relevant external parties.

        5.1.1.1 There is an information security policy established by the organization. This policy is
                     determined by the management of the organizations and contain at least the following points:
                     a.The strategic principles and preconditions that the organization uses for

                     informationsecurityintheparticularembeddinginandalignmentwiththegeneral
                     security policy and the information provision policy.
                     b. The organization of the information security function, including responsibilities,
                     duties and powers.

                     c. The assignment of responsibilities for chains of information systems to
                     line managers.
                     d.Thecommonreliabilityrequirementsandstandardsthatontheorganizationof
                     apply.

                     e.The frequency with which the information security policy is evaluated.
                     f.Promoting security awareness.
        5.1.2.1 The information security policy is updated periodically and in line with the (existing)
                     governance and P&C cycles and external developments and assessments adjusted if necessary.


       2.3.2 Factual Findings

48. During the investigation, the AP asked BZ in writing about the security plan with

       relating to data in NVIS. The AP also has the existence of a security plan and
       contentchecked in practice during the on-site investigation at the consular posts in
       London and Dublin. Furthermore, the AP requested written documentation relating to the
       existing content of a security plan.


       Ministry of Foreign Affairs
49. The AP establishes that the Ministry of Foreign Affairs, at the request of the AP, established a security plan(N) during the investigation

       provide, replied with three documents, namely:
           - Vulnerability analysis and IB planDCV 44
           - PIA Request station 45


       43
       44File document3, appendix 5a: Vulnerability analysis and IB planDCV.an29May2019.
       45File 3, attachment 5b: PIA Request station.




                                                                                                   14/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]



           - QuickscanSchengen VisaFebruary2019 46


50. The “Vulnerability analysis and IB plan DCV” of January 2015 contains a risk assessment, with regard to
       to the business processes for visa granting of DCV and the posts, which the board of directors has left
       to comply with the obligations of the DecreeRegulationInformation Security
       Rijksdienst2007.Thereportcontainsareportoftherelevantthreatsand

       vulnerabilities of the information systems. The report also contains measures that the identified
       risks to an acceptable level.The reportqualifies theseproposedmeasures
       as an “information security plan” including prioritization.

51. The “PIA Request Station” concerns a PrivacyImpactAssessment of the Request Station.

       end resultofthePIAisasetofrisksandrecommendationsforthesecuritymeasuresthat
       DCV's sub-responsibility should be realised.

52. The“QuickScanSchengenVisaFebruary2019”isaQuickScanthatisperformedondemandfromDCVisto

       the security requirements imposed by the business processes on the process Schengen visa where
       special data are included. The purpose of the QuickScani is as objective as possible
       determine the security requirements for the Schengen visa
       whether these requirements fall within the baseline information security or whether they exceed it
       QuickScanfollowsthattheSchengenVisaprocessfallsoutsideofBZBaseline Information Security

       an additional risk analysis is required. This is instructed in the QuickScan.

53. Based on these three documents, the AP finds that B has a number of different documents,
       in which (intended) security measures are mentioned. A number of those measures have

       directly related to NVIS.

       Consular PostLondon
54. During the on-site investigation on 2 July 2019 in London, the AP asked for completeness

       access the security plan related to NVIS.The Consular PostLondon has a
       standard format security planprovided by BZ and locally by the consular post
       filled in. Two inspectors of the AP and FG of BZ have had a look at the most recent version
       of the security plan.[CONFIDENTIAL]:

       [CONFIDENTIAL]





       The documents mentioned relate to the security of the Consular Post in London, in particular
       [CONFIDENTIAL], and are not focused on the information security of NVIS and the visa process. The AP
       notes that she has seen documentation at the consular post in London that does not appear on the
       information security related to NVIS.47



       46
       47Order Document3,Appendix5c:QuickscanSchengenVisaFebruary2019.
        File 8:ReportofOfficial ActionsSecurity PlanOTPConsular PostLondon.



                                                                                                15/64, Date Unidentified

         24 February 2022 [CONFIDENTIAL]




         Consular PostDublin
55. The AP also checked in Dublin or in practice a security plan related to NVIS

         was available. During the on-site investigation on January 22, 2020 at the consular post in Dublinis
         declared that a security plan is present. It is a standard format security plan that
         BZisdeliveredandfilledlocallyatthepost.Anadjustmentofthesecurityplanwillbe
                                                                                    48
         Done once a year by the deputy chief of post.


56. On 23 January 2020, two inspectors from the AP and FG of the Ministry of Foreign Affairs, also during the investigation
         on site at the consular post in dublin, if requested, received access to a security plan with
                                  49
         regarding NVIS. [CONFIDENTIAL]:
         [CONFIDENTIAL]. 50













         The AP establishes that the documentation submitted at the consular post in Dublin does not appear on the
         information security related to NVIS. 51


         CSODenHaag

57. The AP has checked with CSO whether a security plan in the sense of the VIS Regulation is available
         is.The AP determines that the CSO upon the request of the AP to provide a security plan(N)VIS
                                                     53
         replied with 9 documents, namely:
              - Baseline information securityBZ2018, version1.00final; 54
                                                                                            55
              - SecuritySecurityManagementPackage,version0.2final;
              - Security PlanRisk Analysis Reporting–[CONFIDENTIAL]; 56
                                                                                  57
              - Security analysis stolensecurepostCSO;
              - Security analysis burglary building; 58
              - Security analysis intrusion measurement; 59

              - Security exampleUnauthorized[CONFIDENTIAL]; 60
              - Security preview info on unexpected visit; 61


         48File document27:ReportofOfficial ActsConsular PostDublin.
         49File document28:ReportofOfficial ActionsSecurity PlanOTPConsular PostDublin.
         50On the spot, the AP inspectors established that in the end, this document was not necessary for the investigation.
         51File document27:ReportofOfficial ActsConsular PostDublin.
         52File document13:Information requestAPfrom25july2019.
         53File piece14:ReactionBZvan8August2019onInformationAPvan25July2019.
         54
         55File document14, appendix14.1Baseline information securityBZ2018v1.00Final.pdf.
         56File 14, attachment 16.1: SecuritySecurityManagementPackage0.2final.
         57File document14, appendix 16.2: Security planRisk analysis report-[CONFIDENTIAL].
           File 14, appendix 16.3: Security analysis theft and secure post CSO.
         58File 14, appendix 16.4: Security analysis burglary building.
         59File piece14, appendix16.5:Security analysispenetratemoreser.
         60File 14, appendix 16.6:Security exampleUnauthorized[CONFIDENTIAL].
         61File document14, appendix16.7:Security example infoforunexpectedvisit.




                                                                                                                               16/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]



           - Overview accessCSO. 62


58. These documents describe aspects of information security. The AP notes that these aspects
       are not specifically aimed at or related to NVIS. There are also no concrete references to the
       visa process found.


       2.3.3Legal Review

59. The AP notes that the Ministry of Foreign Affairs has included certain security measures in various documents.
       Some of these documents have been provided to the AP in response to information requests

       to the minister.Other documents have been brought forward at or following the visit of AP
       toCSO.

60. With regard to the documents submitted, the AP establishes the following.

       The “Vulnerability analysis and IB plan DCV” contains a number of security measures, but not
       current (dating from 2015). The local security measures, which were put in place during the investigation
       For the sake of completeness, the consular post in Dublin, London, has seen the documents attached to the
       CSO are requested, are not specific to NVIS and only see on a limited number
       security measures (and not on information security) that pursuant to Article 32VIS Regulation

       are prescribed. The measures in these documents mainly focus on the broad security of
       buildings and systems, including related potential security risks. The AP notes that
       an overarching security plan with regard to NVIS, with attention to the measures, such as
       laid down in article 32, paragraph 2, under a note with k of the VIS Regulation, however, is not present.


61. In its view, BZ states that the AVG, the VIS regulations and the BIR/BIO do not impose any requirements on the form
       ofasecurityplananddoesnotrequireasecurityplanonlyonthenationalvisa
       informationsystem.BZconsideranumberofdocumentsincoherenceassecurityplan
       for NVIS :3

           - PrivacyImpactAssessmentSchengenenCaribbeanVisafrom25October2018.
           - Baseline testNVIS
           - QuickscanSchengen VisaFebruary2019andRisk Analysis‘Vulnerability AnalysisandIB plan
              DCV'.


62. BZ has indicated in its view that BZ has noted with regret that in the previous
       information request from the AP the first two documents have not been provided to the AP. BZ notes later
       that the external auditor, commissioned by the AP, has judged in the context of the VIS audit that the Ministry of Foreign Affairs
       the Baseline test, PIA and risk analysis comply with the standard that a security plan has been established.


63. The AP does not follow the opinion of the Ministry of Foreign Affairs. During the investigation, the AP has
       asked about the security plan of NVIS. BZ had several options to obtain the relevant documents

       The APis, for its own sake,investigatingtheVISauditbytheexternalparty
       performed if two separate processes that did not take place at the same time. The VIS audit was

       62
       63ossspiece14,appendix16.8:OverviewAccessCSO.
        WrittenOpinionBZvan15October2021,p.4.



                                                                                                17/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]



       broader scope and made use of a different testing framework. In addition, the external auditor
       only established that1) not he but BZ the combination of the baseline test, PIA and risk analysis together
       regarded as information security plans2) a concrete information security plan around the

       Visa process is missing.

64. The AP has assessed the newly delivered documentation from BZ. The AP determines that the 'Privacy
       ImpactAssessmentSchengenenCaribbeanVisafrom25 October 2018', as the title suggests, a
       PrivacyImpactAssessmentconcerning.Thisisaveryusefultooltoconsidertheprivacyrisksofa

       data processing, but does not form a plan that focuses on information security in
       are complete. The submitted 'Baseline test NVIS' is a kind of completed questionnaire/checklist.
       enumeration of BIO standards with resulting commands for making and taking
       security measures, in which it is not understandable to the AP how the given answers must be
       based on these documents, it is unclear to the AP which policy measures and

       BZ has specifically taken control measures for NVIS.

65. The form of a security plan is free but the strategic principles and preconditions that BZ
       uses for information security in relation to NVIS must be clear from the security plan
       In addition, article 32, paragraph 2, VISOrdinance requires that BZe must have a security plan

       drawn up for NVIS, where at least attention is paid to the points at to and with k uitarticle
       32, paragraph 2, VISOrdinance. In the opinion of the AP, BZ has demonstrated this insufficiently. BZ has
       for example, not submitted a security plan stating what preconditions apply to the
       physical security of NVIS that ensures the appropriate protection of personal data
       is. Nor has the AP received a formal procedure from BZ that describes how and

       when BZ checks performs top logging. The general procedure BZ has at the time of the investigation
       provided for reporting security incidents by BZ employees, did not comply.Ende
       procedures about granting and checking access rights to NVIS environment are only by BZin
       January 2022. The AP refers to paragraphs 2.4, 2.5, 2.6 and 2.7 for the comprehensive review
       oftheseprocedures.TheAPconcludesthatthedocumentsthatBZpresentedas-inareentirely
       viewed-an information security plan, does not meet the preconditions set therein.


66. In view of the BIO standards, the AP further establishes that due to the lack of (essential components in)
       information security policy, not this policy at scheduled intervals (or if it becomes significant
       changes occur) assessed by BZ to ensure that it is always appropriate, adequate
       and effective. Securing information is a process where there is always a Plan-Do-Check-Act

       cycle must be completed, as laid down, among others, in BIO standard 5.1.2.1.

67. In its view, BZ has provided some documents about the PDCA cycle it has gone through. 64
       The AP notes in this regard that BZin the 'Baseline information security BZ2021' is on a high
       abstraction level has determined who is responsible for implementation and execution of BIO standards

       is responsible.The Data Protection Policy describes the PDCA cycles
       with regard to the protection of data, but does not contain the security aspects about it.
       The same applies to the document Gripopprivacy, the AVG manual, in-control statements and the
       submitted follow-up memo. BZ has developed a plan of measures with risk analysis from 2015 and 2020


       6Written ViewBZof 15 October 2021, p.4.



                                                                                                18/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]


       November 2021 show that it only occasionally has security measures related to NVIS

       evaluated and acted on it.

68. Based on the above, the AP comes to the conclusion that BZ has no security plan (and this
       also has not evaluated) that meets the requirements of article 24 and 32, paragraph 1, AVG and further elaborated in
       article32, paragraph2, preamble, FISHOrdinancesBIO standards5.1.1,5.1.1.1and5.1.2.1.


       2.4PhysicalSecurityAccesstoNVIS

       2.4.1Legal framework


69. Article 32, paragraph 2, undera, VIS Regulation prescribes before measures must be adopted to
       protect physical data, including preparing emergency plans for the physical
       infrastructure. This requirement is also laid down in general terms in article 32 AVG. being furtherin
       BIO-standardsincludedthatillustratewherethephysicalsecuritycanbecontrolled
       The BIO does not literally describe goals that need to be realized (the “what”) how
       must be arranged. The AP has checked the physical security against a checklist (see
       explanation in the next section). The following provisions from the BIO are for the assessment of this

       checklist relevant:

        11.1.1 Physical Security Zone
                    Security zones should be defined and used to areas
                    protect those sensitive or essential information and information processing facilities
                    contain.

        11.1.2 Physical Access Security
                    Secure areas should be protected by appropriate access security to
                    ensure that only authorized personnel have access.
        11.1.3 Securing offices, rooms and facilities
                    Front offices, rooms and facilities should be designed and physically secured

                    applied.
        11.1.4 Protecting against outside threats
                    Againstnatural disasters,malicious attacksoraccidentsbelongtophysicalprotection
                    to be designed and applied.
        11.1.5 Working in secure areas
                    For working in secure areas, procedures should be developed

                    applied.
        11.2.2 Utilities
                    Equipmentshouldbeprotectedagainstpowerfailureandotherdisruptionsthat
                    are caused by disruptions in utilities.


       2.4.2 Factual Findings

70. The AP examined the physical security at the consular posts in London and Dublin, the CSO in Den
       Haag,Processor2inUtrechtProcessor3inAmsterdam.Duringthechecks,theAPperlocationhas




                                                                                                   19/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]




       used two (identical) checklists. The first checklist was focused on physical security
       ofthebuildingthesecondchecklistonthephysicalsecurityoftheroomsin whichaccesstothe
       NVIS environment and/or whether the intake process for Schengen visas takes place. Below is per

       location described the situation encountered during the on-site investigation.


       Consular PostLondon
71. [CONFIDENTIAL] 66

























       Processor1London
72. [CONFIDENTIAL] 67




















       65
         [CONFIDENTIAL]
       66File 7:ReportofOfficial OperationsOTP Consular PostLondon.
       67File 9:ReportofOfficial OperationsOTP Processor1London.



                                                                                                       20/64, Date Unidentified
        24 February 2022 [CONFIDENTIAL]



        Consular PostDublin
                              68
73. [CONFIDENTIAL]


























        CSODenHaag
                             69
74. [CONFIDENTIAL]

























        68File document27:ReportofOfficial OperationsOTPConsular PostDublin.
        69File document11:ReportofOfficial ActsOTPCSO18July2019and12September2019.



                                                                                                                21/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]



       Processor2Utrecht

75. [CONFIDENTIAL]














       Processor3Amsterdam
                          70 71 72
76. [CONFIDENTIAL]
























       2.4.3Legal Review

77. The AP first establishes that measures have been taken in the area of at all sites surveyed
       physical security. The AP concludes that measures have been taken to protect the buildings and space(s)

       in which data of visa applicants are processed and physically protected, including with cameras
       and motion sensors. Furthermore, the AP concludes that the spaces in which data of
       visa applicants are processed and marked as secure areas.




       70File document19:ReportofOfficial OperationsOTP Processor38November2019.
       7File document[CONFIDENTIAL]
       72File piece21:EmailBZof13November2019withdocumentsfollowing OTP8November.



                                                                                                    22/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]



78. However, the AP notes that the Ministry of Foreign Affairs has not explicitly determined which parts of the IT infrastructure
       should be regarded as critical infrastructure of the visa process
       can comply witharticle32AVGjo.32,lid2,ondera,VISRegulationisthisonlyrequirement.BZhas
       in her opinion stated that in the spring of 2020 she went different systems as critical

       During the opinion session on 4 November 2021, BZ has an (undated) list of
       information systems handed over to the AP, on which BZ indicated which systems are considered critical
       infrastructure have been identified. NVISisoneofthosesystemsontheselistssoisbyBZby now
       classified as critical infrastructure.


79. The AP also established during an on-site investigation that the Ministry of Foreign Affairs has no emergency plans
       designed to protect the physical infrastructure of the visa process.The Consular PostLondon,
       the consular postDublin and CSO do not have an emergency power supply while section 11.2.2 of
       the BIO determines that equipment should be protected against power failure. This means that BZ,
       when it comes to drawing up emergency plans and protecting equipment against disruptions

       in utilities, in the opinion of the AP, does not meet the provisions of article 32, paragraph 1, GDPR
       further elaborated in article32, paragraph2, suba,VISOrdinancesBIO standards11.1.4and11.2.2.

80. BZ has indicated in its view that BZ has concluded from its own threat analyzes that
       flood detectors and emergency power supplies at the stations London and Dublin are not needed.
       The AP partly follows this view. Flood detectors can be dispensed with after a

       explicit risk assessment. With regard to power failure, the BIO requires equipment to be
       protected against power failures and other disturbances caused by disturbances in
       utilities. Critical infrastructure such as NVIS must be highly secured, with the
       business interruption should be avoided as much as possible. BZ has insufficient
       explained why NVIS as a critical system does not need an emergency power supply.


81. Furthermore, the AP notes that with regard to the rooms and rooms at the consulate in London, where
       is with visa stickers and the NVIS system, there were shortcomings in the field of physical
       security.[CONFIDENTIAL]. In practice, there were no security guarantees when entering
       of the zone that must be extra secured, the AP determines that the physical security of the rooms in which

       the visa process in london is not complied with article 32, paragraph 1, AVG, further elaborated
       inarticle32, paragraph2, suba,VISOrdinancesBIO standards11.1.1t/m11.1.5and11.2.2.

82. BZ has stated in its opinion (and provided supporting documents) which show that in the past
       two-year measures have been taken to secure access to the consular section. 73

       [CONFIDENTIAL].The AP notes that the shortcomings in the area of physical security in the
       ConsulateLondonthereforehavebeenremedialated.









       7Written ViewBZof 15 October 2021, p.5.



                                                                                                23/64, Date Unidentified

       24 February 2022 [CONFIDENTIAL]




83. The AP has further established that with regard to the activities of Processor2 in the context of the
       visa process, it is important that employees of Processor2 are largely independent of place and time
       are allowed to work. As soon as work is done outside Processor2's buildings, the physical

       ensuring security at Processor2's locations, of course, no help. The legal requirement that
       personal data of visa applicants may only be processed in spaces with adequate physical
       security, however, remains unaffected. For the AP, it is unclear how data within databases of
       NVIS are physically protected in case of place and time working independently by employees of

       Processor2 who are stationed in both the Netherlands and [CONFIDENTIAL]. The AP has during the
       investigation did not receive any documentation from BZ that sees to the physical protection of NVIS data at
       work independent of place and time. BZ, as the controller, must ensure
       appropriate security measures in the field of physical protection of NVIS data, and

       verify the effectiveness of these security measures.

84. BZ maintains in its view that there is sufficient security where arcs apply to employees of
       Processor2thatworksfromhome.First of all,unauthorizedandnottrue Processor2employeeslive

       and the connection to the network and the management VPN is immediately disconnected as a laptop from a
       home is stolen. Setting up the VPN connection works through multi-factor authentication and
       There is a strict employee policy. The Ministry of Foreign Affairs has issued two regulations in this context. 74


85. The AP has assessed these regulations with regard to the place-and-time-independent working state
       states that the employee must take all necessary precautions when using the
       personal device in a public place, so that the screen cannot be viewed by others.

       However, it is not clear which precautions an employee is expected to take
       the AP asked BZ the question whether and under what conditions employees of Processor2
       inpublic placeswithNVISmaywork withNVIS,howBZassessedthehomeworkpolicyof Processor2
       which written agreements between BZenProcessor2aboutthephysicalsecurityofNVISplaceand

       time-independentworkerapplies.Finally, the AP requested some audit statements.

86. BZ has stated that all employees of Processor2 involved in the NVIS services
       apply office policy for remote work, which in theory can also take place outside one's own home
             75
       find. BZ has assessed Processor2's home work policy as satisfactory on the basis of it already
       previously provided employee policy. However, the AP establishes that in the . submitted by BZo
       control statements, audit statements and the processing agreement the subject place and time
       work independentlynot treated/assessed. It is therefore unclear to the AP based on

       which considerations BZ has assessed the place-and-time-independent working as sufficient.








       7WrittenViewBZof15October2021,Appendices19and20.
       7E-mailBZof10December2021.
       7E-mailBZfrom December 10, 2021, attachment 11.1 to 13.3.




                                                                                               24/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]


87. On the basis of the above, the AP is of the opinion that BZ has not shown that there is sufficient

       guarantees apply to physical security when working in NVIS in public places. As stated
       in section 2.1.2 BZ processes very much-also-special data in NVIS. This makes that the
       nature of processing is sensitive and negative consequences for data subjects in the case of unlawful
       processing and can be drastic. In addition, BZ has the NVIS system as a critical infrastructure
       while at the consular posts and CSO there is a pass access system and camera surveillance
       is applied, such guarantees are not present in public areas.


88. NuBZhasnotshownthatsufficientguaranteesapplyforphysicalsecurityinthe
       workinginNVISinpublicplacesandBsevenhastheeffectivenessofthepolicyonthis
       checked, the AP concludes that there is an infringement of article 32, paragraph 1, GDPR

       further elaborated in article 32, paragraph 2, subaenk, VIS Regulation.

       2.5AccessrightstoNVISandstaffprofiles

       2.5.1Legal framework


89. Article 6, paragraph 1, VIS Regulation provides that only duly authorized personnel of the
       visa authorities have access to the VIS to enter, modify or delete
       visa data.Article 32, paragraph 2, subparagraph, VIS Regulation prescribes before the necessary measures are taken
       determined to ensure that those authorized to consult the VI, access only
       have access to the data to which their authorization of access relates and only with
       personal and unique user identities (control of access to data).


90. Article 32, paragraph 2, sub, VIS Regulation prescribes before the necessary measures are adopted to
       ensure that all authorities with access rights to the VIS draw up profiles in which the tasks and
       responsibilities are described of the persons authorized to access data, on
       take, update, delete and search these profiles and if requested and without delay
       to make available to the national supervisory authorities, as referred to in Article 41

       (staff profiles). This is also described in article 28, paragraph 4, subc, VIS Regulation which states
       that “each Member State is responsible for managing the arrangements under which they belong”
       authorizedstaffmembersofthecompetentnationalauthorityinaccordancewiththisregulation
       access the VIS, the setups regularly update a list of such
       staff members and their profile”.


91. Article 32, paragraph 2, subparagraph, VISRegulation prescribes before the necessary measures are adopted to
       verify the effectiveness of the security measures referred to in this paragraph and with regard to
       the internal control to take the necessary organizational measures to ensure that these
       regulationiscomplied(internalcontrol).Thisisjoiningthegenerallydeterminedin
       article32 of the AVG.


       Internally allocate theBIObligation management and implementation measures
       information security policy should show which roles within an organization are responsible for





                                                                                                25/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]


       themeasures to be taken. It is important that security procedures are carried out by the relevant

       person responsible are determined. Concretely, the following provisions are relevant to the BIO:

        9.2.1 User registration and logout
                    A formal registration and unsubscribe procedure should be implemented by
                    to enable allocation of access rights.
        9.2.2 Granting user access

                    A formal user access procedure should be implemented
                    to allow access rights for all types of users and for all systems and services
                    pointing or withdrawing.
        9.2.5 Assessment of user access rights
                    Asset owners belongaccess rightsofusersregularly
                    judge.

        9.2.6 Revoke or modify access rights
                    The access rights of all employees and external users for information and
                    information processing facilities associated with the termination of their employment,
                    contractoragreementtoberemoved,andtobeclosedwithchanges
                    adjusted.


       2.5.2 Factual findings

92. During the investigations, the AP asked BZ questions about the setting up of access rights to
       NVIS has the internal control on this. For this, the AP has the current authorization lists,
       personnel profiles, authorization procedures and other relevant documentation requested regarding

       to granting access rights to the NVIS environment. The AP's research focused on the
       following questions regarding access rights:
           -Has BAsestablishedprocedures for granting and checking access rights
               toNVIS?
           - Has BZ drawn up personnel profiles with regard to NVIS in which the tasks and
               responsibilities are described of the persons authorized to transfer data in the
               view, record, update, delete, and search the system?

               personnel profiles updated regularly?
           - Are the assigned access rights (authorization lists) regularly assessed?

93. The AP has only examined this component with the parties that have access to the NVIS environment.















                                                                                                 26/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]




       2.5.2.1ProceduresongrantingandcheckingaccessrightstoNVIS

       Consular PostLondon

94. BZ has provided the AP with three documents relating to authorization procedures in connection with
       withNVIS:(1)‘Data Management ManualNVIS’ ,(2)a document titled ‘Authorization Procedure
       NVISEmbassyLondon' and (3)'Work instruction/procedure: logging authorization applications'. 79


95. The first document is in the form of a practical user manual, where it is not clear
       which person responsible within BZ has determined this manual. In chapter 3 of the document

       there is a short line about granting access rights to NVIS, stating all
       practical steps in the system related to the assignment and removal of NVIS roles and
       the change of the authorization period. It is further stated that the management of tasks at the NVIS

       rolesinthedepartmentbymanagementConsularBusinessandVisapolicy,cluster
       Information Management and Management (hereinafter: DCM/MB-IB) is performed. The document shows
       not who is responsible for allocating, changing and checking

       authorizations.

96. The second document is one page, undated and not (at a management level)

       it has not become clear to the AP whether this piece has been prepared in response to its request
       for information, whether it existed before. The document describes how
       employeesoftheconsularpostLondonobtainaccesstoNVIS. Please state it

       document:“in addition to theannualcheckbyfunctionalmanagementfindad-hocchecks(ofthe
       authorisations) at the postal location.”.


97.Thethirddocumentconsistsoftwopagesandseethecheckofauthorizations.Itcontainsthe
       next stated: “For the purpose of the control log requests authorizations DCV/MB-IBdeposts
       RSOs once a year (after the annual transfer round) to carry out a check on which

       collaborators which should have roles in certain applications...”.The document further contains
       flowcharts that schematically depict a 'checkup logging authorization applications'
       documentisgenericandnotspecificallyfocusedonthecontrolofaccessrightstoNVIS.Thedocumentis

       undated has not been established (at a management level).

98. The AP finds on the basis of the check at the consular post in London that the Ministry of Foreign Affairs is not over-formal

       establishedproceduresavailableforassigning, changing and terminating accessrightsto



       77File 3, appendix 1: ManualData managementNVISFebruary2018.
       78File document12, appendix04: Authorization procedureNVISConsular PostLondon.
       79File 3, appendix 6b: Work instruction logging and authorization applications.
       80File piece3, appendix1: ManualData managementNVISFebruary2018,p.<16: “..NVISautomatically transfersnumbersofemployees
       from [CONFIDENTIAL]. ICT manages this technical functionality. So no employees can be added manually in NVIS.
       An employee can only access NVIS if they are authorized for a particular role. Roles determine what an employee can and cannot do
       dowithinNVIS.Aroleconsistsofseveraltasks.EachtaskgivesaccesstoaspecificNVIScomponent.Managethetasksatthe
       rolling is performed at the department by [CONFIDENTIAL].”.
       8File3,Appendix1:ManualData ManagementNVISFebruary2018:“AccesstoNVISislinkedtotheBZaccountofthe
       employeeandpostvaluetheemployeeisworking.Whentheemployeeleavethestation,accesstoNVISisautomatic
       terminated due to the employee's BZ account being closed at the post or transferred to another post. [CONFIDENTIAL]




                                                                                                    27/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]




       NVIS. Nor does BZo have established procedures to change the access rights granted to NVIS
       to check.


       Consular PostDublin
99. Prior to the investigation in Dublin, the APBZ in writing requested 83
       authorization proceduresNVISandotherrelevantdocumentationrelatingtothedeviceof

       accessrightstoNVIS.BZhasadocumenttitled‘Authorisation procedureNVISEmbassy
       Dublin' to the AP provided.


100. The document consists of half a page of text, undated and not at (management level)
       it has not become clear to the AP whether this piece has been prepared in response to its request
       for information, whether it existed before. The document submitted describes that the

       supervisor will be granted an application to [CONFIDENTIAL].Access to NVISis
       linked to [CONFIDENTIAL].The [CONFIDENTIAL] controls transactions of the NVIS accounts
       roles. Furthermore, the annual check of the assigned authorizations is carried out by [CONFIDENTIAL]

       executed.

101. As a result of its investigation at the consular postDublin, the AP establishes that BZ does not

       procedures available for granting, changing and terminating access rights to NVIS and for
       checking the authorizations granted to NVIS.


       CSODenHaag
102. During the investigation of the AP, the interviewed CSO employees gave an explanation
                                                                                      85
       about the procedure that the CSO follows in obtaining access rights to NVIS.
       [CONFIDENTIAL]










103. When granting access rights to NVIS, the CSO uses the 'Manual'
       Data managementNVIS' (the description of this document can be found in section 2.5.2). Also
       does the CSO have a work instruction [CONFIDENTIAL]. The (undated) work instruction exists

       from 13 unnumbered pages. It is unknown whether the document has been established at management level.
       It is not clear from the document who is formally responsible for the granting of authorizations, the
       making changes to accounts, assigning NVIS roles and checking on them. The AP

       concludes as a result of its investigation at the CSO that it has not been shown that BZ has


       8File document27:ReportofOfficial OperationsOTPConsular PostDublin.
       8File document25: AnnouncementOTP ConsulateDublinenInformation requestAPvan19December2019.
       8File piece26, appendix4.1:Employee-Roles–Dublin.
       8File document11:ReportofOfficial OperationsOTPCSO18July2019and12September2019.
       8File piece3, appendix1:ManualData managementNVISFebruary2018.
       8File piece14, appendix 23.1:Assign work instructionrolesNVISatCSO.



                                                                                                  28/64, Date Unidentified
        24 February 2022 [CONFIDENTIAL]



        formal procedures related to granting, changing and terminating access rights and

        control of the granted access rights to NVIS.

        Processor2
                                           88
104. As a result of the investigation that the AP has carried out at Processor2, the following are
        documents related to authorizations issued: (1) a procedure for the internal access
                              89
        management system, (2-4) authorization procedure of CloudInfrastructureManagement,consisting of
        three documents , and an authorization list with names of employees of Processor2 who
        have access authority to the NVIS platform and databases.


105. The submitted authorization procedures (1 to 4) describing the method used by Processor2
        applied when creating, modifying and/or deleting employee accounts

        the procedures, schematic representations of the (practical) steps that are relevant for the application,
        change and remove access rights to the systems that Processor2 works with. In addition

        ingoing authorization procedures in the types of accounts that employees may have at their disposal. By
        a further explanation by BZ during the opinion phase it has become sufficiently clear for the AP
        what the relationship is between these types of accounts and responsibilities on the one hand and the NVIS environment
                   92
        on the other hand.


        2.5.2.2Staff profiles

        Consular PostLondon Consular PostDublinenCSO
                                                                           93
106. BZ has provided a generic document entitled 'NVIS profiles'. It is a table in which the
        know NVIS roles are related to tasks that fall under the assigned NVIS role. The tasks are

        summarily indicated, it is unclear with which concrete actions (e.g. view data,
        record, update, delete, and search) in the NVIS context are associated.
        between the function of the staff members and the assigned NVIS roles and tasks not defined.


107. The AP has requested BZ to provide personnel profiles relating to the
        employeesoftheCSO.BZsubmittedatemplatetextwithresultareasand

        competences, which may be used for the purpose of the description of vacancies at the CSO. The
        descriptionincludedinthisdocumentdoesnotseethetasksandresponsibilitiesinrelationto

        actionsinNVIS.

108. During the investigation, the AP established that BZ has not drawn up any personnel profiles in which the

        tasksand responsibilities are described of the staff at the consular postLondon,



        88
        89 dossier 17:ReportofOfficial ActsOTP Processor21November2019.
        90ossspiece17, appendix8:[CONFIDENTIAL].
         File 18, attachment3:[CONFIDENTIAL];File 63:[CONFIDENTIAL];andFile 18, attachment1:
        91CONFIDENTIAL].
        92ossspiece21,appendix4:Authorization listNVIS.
        93ienswijsBZ14October2021,p.8andletterBZaanAPvan19November2021,appendix1Conversation report,p.33and34.
        94ossspiece5,appendix1:NVISprofiles.
        95 file4:Information requestAPfrom13June2019.
         File16, appendix 2.1: Function profilesCSOvisa, version 15October2019.



                                                                                                            29/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]



       consular postDublin and CSO who are authorized to view, update, delete and delete data in NVIS
       to search.


       2.5.2.3CheckingaccessrightstoNVIS


       Consular PostLondon 96
109. BZ has an up-to-date authorization list of all employees of the Consular Post in London at the AP
       submitted.


110. At the time of the survey, 17 staff were working with the at the Consular Post in London
       access rights to NVIS. These employees are assigned the following (several) NVIS roles:
       [CONFIDENTIAL].



       Most employees had more than two NVIS roles, with a maximum of six NVIS roles
       which one employee had.


111. The AP has checked the role [CONFIDENTIAL] more closely. On the authorization list that BZ has the AP
       providedwasoneemployee(hereafter:employeeX)listedwiththisNVIS role.[CONFIDENTIAL].

       Employee X hadn't worked in the Consular department for a long time, but did as
       [CONFIDENTIAL]withanotherdepartmentoftheembassy.Forcurrentactivities,
       employeeXnoaccesstoNVISnecessary.During the AP check it was found that logging into the
       system underroleof[CONFIDENTIAL]wasstillpossible.Afterlogin,employeeX

       view and update current NVIS data.

112. The authorization list provided also shows that some employees of the London Consular Post
                                                                         97
       possessed authorization with mutually incompatible NVIS roles, such as those of
       [CONFIDENTIAL].NVIS did not include a justification in the award of this
       conflicting roles had been explained.


113. At the time of the inquiry at the Consular Post in London, the BZ also stated that the NVIS
       Authorizations granted are checked once a year by [CONFIDENTIAL]. At the consular
       postLondon[CONFIDENTIAL]responsible for transmitting all mutations in the NVIS
                      98
       access rights. The operational manager was not present during the investigation and it was unknown
       how often the changes related to NVIS access rights to [CONFIDENTIAL] become
       passed on. BZ has not provided any documents proving when the last check of the
       authorizationsand NVIS roles at the Consular PostLondonhas taken place.


114. The AP determines that at the time of its check at the consular post in London an employee was wrongly
       had access rights to NVIS. This employee was at the time of the AP investigation

       appointed to another position at the embassy, which did not require the use of NVIS. Further

       9File document3, appendix7:OverviewNVIS authorizationsZMAlonden.
       9 The mutually incompatible NVIS roles are listed in File Document 12, Appendix 06a: Tasks-roles-incompatible-NVIS.
       9File 7:Report of the official acts and consular postLondon.
       9File document10:Information requestAPvan12july2019.




                                                                                                30/64, Date Unidentified

       24 February 2022 [CONFIDENTIAL]



       several employees of the Consular Post in London had NVIS roles that mutually
       are incompatible. During the investigation, the AP has no justification for the incompatible roles in

       NVISaffectedandreceiveddocumentationprovingwhenthelastcheckofthe
       authorizations and NVIS roles has occurred.


       Consular PostDublin
115. BZ has submitted an overview of the authorizations granted to the consular post in Dublin to the AP. 100
       At the consular post, at the time of the investigation, there were six employees working on

       had access rights to NVIS, in the following assigned NVIS roles:
       [CONFIDENTIAL].
       Two employees had NVIS [CONFIDENTIAL] roles that are mutually incompatible.

       The assignment of these conflicting roles in NVISist times of the investigation by or on behalf of BZ
       unmotivated.


116. During the investigation of the AP, employees of the consular postDublin stated that one
       The list of all authorized authorizations is checked at the consular post every year.
                                                                                              101
       The Functional Management department in The Hague carries out checks on the assigned authorizations.

       CSO

117. The CSO stated during the investigation that the assigned NVIS roles are focused on the
       segregation of duties.The roles of registration and decision making are mutually incompatible according to the
       functional design of the NVIS application. 102
                          103
       [CONFIDENTIAL]




       The AP found no justification in NVIS with regard to [CONFIDENTIAL].

                                                                      104
118. The overview provided to the AP 'NVIS role distribution per function' shows that at the CSO79
       employees have access to NVIS. The following positions are listed:

       [CONFIDENTIAL].



       Three or more NVIS roles have been assigned to these roles.
       it appears from the research of the AP that these rollers have not been in use for several years. 105


119. The above overview also shows that some NVIS roles, over which some employees
       of the CSO, are marked as mutually incompatible. 10This is about the next one
       NVIS Roles:[CONFIDENTIAL].


       10File 26, Appendix 4.1:Employee-Roles–Dublin.
       10File document27:ReportofOfficial OperationsOTPConsular PostDublin.
       10File document11:ReportofOfficial OperationsOTPCSO18July2019and12September2019.
       10File document16, attachment3.1:ProcessDescriptionDepartmentRegistration,version1August2019.
       10File 14, appendix 23.2: NVISrole division by function.
       10File piece5, appendix2and3andfilepiece11.
       10File 14, appendix 23.2: NVISrole division by function.



                                                                                                   31/64, Date Unidentified

       24 February 2022 [CONFIDENTIAL]




       The CSO did not submit any documents to the AP during the investigation that provided the substantive motivation
       contain about the conflicting NVIS roles.


120. During the investigation on July 18, 2019, the CS clarified that the control of the granting of
       authorizations according to an internal control plan
       year-by-year[CONFIDENTIAL].In addition, an audit is performed once a year by
       [CONFIDENTIAL].
                         107
       [CONFIDENTIAL]


       The CSO also submitted the management report to the AP on 8 August 2019.

       evidencing that the assigned authorizations to NVIS, including the NVIS roles, have been verified
       last check took place in 2018.

121. The AP establishes that the granted authorizations for access to NVIS are checked at the CSO.

       Furthermore, the AP notes that several employees at the CSO are under the award of
       mutually incompatible NVIS roles, and that [CONFIDENTIAL] employees default over
       have access rights with [CONFIDENTIAL] in NVIS
       there is no incompatible roles in NVIS. Finally, some CSO employees did not have a role

       was more in use.

       Processor2

122. At the time of the investigation, the AP concluded that BZ did not provide any documentation
       which shows (sufficiently) which agreements have been made with Processor2 about the procedures and respect
       of access rights between the controller and a processor.


123. In its view, BZ states that the agreements between it and Processor2 about the access rights to NVIS
       followfromagreementsbetweenBZenProcessor2.BZalsohasaquarterlyreportinthat context
                                                                      109
       submitted about the control of these access rights of Processor2. The AP has these documents
       assessed and comes to the conclusion that on this point no violation of article 32, paragraph 2 can be established
       subk,VISOrdinanceswillnotcoverthiswithinthelegal review below.


       2.5.3Legal review


       Consular postsLondonDublinenCSO
124. As a result of its investigation, the AP notes that the consular posts in London and Dublin
       CSO have access to NVIS.
       [CONFIDENTIAL]



       107
         File14:BZ response of August 8, 2019 to the AP information request of July 25, 2019. Written answer to the AP's question: 'Wieis
       10File piece14, appendix24.1:Management reportingvisapril2018,version30may2018.andseBusinessandspecificattheCSO?'
       10Written ViewBZof15October2021,p.8.




                                                                                                32/64, Date Unidentified

       24 February 2022 [CONFIDENTIAL]



       Procedures about granting and checking access rights to NVIS environment
125. When allocating access rights, including NVIS roles, the Ministry of Foreign Affairs uses the method

       the practice is almost identical for the staff of the investigated consular posts and the CSO in
       The Hague.The AP notes that the Ministry of Foreign Affairs did not have formal registration and deregistration procedures

       regarding the assignment of access rights to NVIS employees
       although a manual is used to the system, which contains all kinds of practical
       steps have been explained, but that this is an unformally established user access grant procedure
                                                                                              111
       includes with regard to registering and unsubscribing from authorizations
       authorization procedures have been provided by BZ, concerning an undated, summary description of the
       working method that BZ uses when authorizing employees of the consular posts and are no

       formally established registration and deregistration procedures. The AP determines that BZ conflicts with this point
       acts with article 32, paragraph 1, AVG and further elaborated in BIO standards 9.2.1 and 9.2.2.


126. In its view, BZ has indicated that the existing work instructions will be formally
       be determined. The AP has received that document on January 9, 2022, and is of the opinion that it

       the procedure for applying for, changing and canceling access rights in NVIS is sufficient
       described.113


       Personnel profiles
127. During the investigation, the AP established that the Ministry of Foreign Affairs has not drawn up any personnel profiles in which the
       tasksand responsibilities are described of the staff of the consular posts

       LondonandDublindareauthorizedtosee,record,update,delete in NVIS data
       and search. With regard to the provided personnel profiles of the employees at the CSO,
       the AP considers that these profiles do not provide sufficient insight into the tasks and responsibilities of

       the CSO staff who are authorized to process data in NVIS.


128. In its view, BZ states that the access rights assigned to the functions are determined on the basis of
       of tasks and responsibilities. As a result of this, the AP again has documentation
       requested what this should be shown. BZ has issued an authorization matrix dated 7 January 2014. 116

       On the basis of this, the AP concludes that BZ still has personnel profiles that are sufficient
       provide insight into the tasks and responsibilities of authorized employees. It follows that
       In the opinion of the AP, BZ has acted on this point in accordance with article 32, paragraph 2, under

       g,VIS Regulation. This provision also prescribes that personnel profiles must be available and
       must be provided at the request of the AP. The AP must conclude that BZ at the time of
       the investigation by AP has not provided the complete personnel profiles, at the moment that the AP

       so requested. It follows that B Zo has acted contrary to article 32, paragraph 2, sub,
       FISH Regulation.



       111 case piece3, appendix1 and file piece26, appendix1.1:ManualData ManagementNVISFebruary2018.
         File document12, appendix 4: Authorization procedure NVIS consular postLondon; and File document 26, annex 3.1: Authorization procedure NVIS
       112sulairepostDublin.
       113Christian ViewBZof October 15, 2021, p.6.
       114-mailBZaandeAPvan9jan2022,BZprocessNVISauthorization.
       115ossspiece16,appendix2.1:Function profilesCSOvisa.
       116ScripturalViewBZof15October2021,p.7.
       117-mailBZfrom December 10, 2021, attachment 14.
         In view of Article 41, paragraph 1, VIS Regulation, the AP is the competent supervisor



                                                                                                   33/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]





       ControlaccessrightstoNVIS
129. First of all, the AP established that the Ministry of Foreign Affairs did not have formal procedures with regard to

       periodic check of 118 assigned access rights to NVIS and NVIS roles
       documentation provided shows that the granted authorizations are issued once a year by [CONFIDENTIAL]
       are checked. In addition, it has been stated that internal checks are carried out at the consular
       posting in London and Dublin at the CSO. 119


130. The AP considers that during the investigation it did not receive any documents showing the frequency
       appears from the checks by [CONFIDENTIAL]. Nor has BZ shown when the most recent

       control has been performed. With regard to the internal controls, the AP considers that in the case of the
       consular postLondonnodocumentswereprovidedthatseetheinternalcontrolsof the assigned
       authorizations. With regard to the CSO and the consular post Dublin, the AP concludes from the
                          120
       information provided that some internal controls related to authorizations in the past
       have taken place. The late stein internal audit at the CSO took place in April 2018. Deconsular
       postDubl carries out a check at least once a year; the last check was done in 2019. 121


131. Furthermore, the AP has established that several employees of CSO and one employee of the consular

       postLondon had NVIS role(s) that were not needed and some of the roles turned out to be
       hadn't been in use for some time. This indicates that the assigned access rights to
       NVIS and NVIS roles have been insufficiently checked.


132. During the hearing, BZ stated that [CONFIDENTIAL] at consular posts
       are responsible for the control of access rights to NVIS. The one-time annual control of

       [CONFIDENTIAL] acts as a safety net. 12BZfurtherindicatedtheprocedureforchecking
       will formally determine access rights.


133. In response to this, the AP requested documentation from BZ of the checks that [CONFIDENTIAL]
       oftheconsularpostLondonandDublinhaveperformedonaccessrightstoNVISfrom2018toten

       with 2021. BZ has provided the following in response: authorization lists (from 2019, 2020 and 2021),
       the withdrawal of access rights of one employee in 2019 and two evaluation reports that no longer

       to give a general picture of the screening of consular posts (from 2018 and 2019).
       documents submitted do not lead the AP to any other judgment. The AP establishes that BZ has not
       demonstratedthattheoperationalmanagersoftheconsularpostLondonandDublinregularchecks

       have performed on the access rights to NVIS.




       11File document3, appendix1: ManualData managementNVISFebruary2018;File document12,appendix4: Authorization procedureNVISConsular post
       London; and File 26, Annex 3.1: Authorization procedure NVIS Consular Post Dublin.
       11File document7:ReportofOfficial OperationsConsular PostLondon;File Document27:ReportofOfficial OperationsConsular PostDublin;
       enDossierstuk11:Report ofCSOCSO18July2019and12September2019.
       12File piece14, appendices24.1and24.2:Managementreportingvisaapr2018enManagementreportagevisasep2018;enFile piece27,appendix
       6:6.CorrespondenceaboutcustomizingrolesNVIS.
       12File document27:ReportofOfficial OperationsOTP ConsulateDublin.
       12BZ to AP of 19 November 2021, appendix 1 Interview report, p.30.



                                                                                                 34/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]



134. With regard to the procedure provided by BZ regarding the control of access rights, the AP notes
       that the process surrounding the one-time annual audit of [CONFIDENTIAL] is described herein. 12The

       AP notes that no clarity is provided in this procedure as to how BZ takes care of it
       that access rights are checked regularly. The one-off annual check functions, like BZ
       sets,as a safety net.Considering the type of data processing in NVIS considers the APan annual audit

       insufficient to ensure that only authorized personnel have access to this system
       working methodmitigatestheriskinsufficientlydateachangeoffunctionandemployeeformonths
       incorrectly accesses NVIS,[CONFIDENTIAL].


135. The AP further determined that an employee at the consular post in London was wrongly
       accessrightstoNVIShastheroleof[CONFIDENTIAL],andthiscouldbeinNVISdata

       view and change. This employee was appointed to another position at the embassy, for which it was
       use of NVIS was not necessary. BZ stated in its view that the [CONFIDENTIAL]-
       application showed flaws at the time of the investigation, so that the role [CONFIDENTIAL] still

       should be kept in case the [CONFIDENTIAL] application should not function. This
       argument fails. An employee who has not worked in the consular department for some time,
       should not have access to NVIS. With regard to the role [CONFIDENTIAL], the AP follows

       opinion of BZ that the finding about this had an incorrect source
       finding related to employees of CSO and does the AP above match the correct

       source corrected.

136. Finally, during the investigation, the AP has established that a statement of reasons for incompatible

       roles within NVIS is missing. BZ states in its view that in appropriate cases does not occur
       may be that conflicting roles are assigned to a person. For example, this may concern
       smaller posts where an employee suddenly drops out. According to BZ, the motivation of conflicting

       roleswelldocumented.As a result of this, the AP has requested documentation about the
       responsibility and justification for assigning incompatible roles. Based on this
       the AP notes that BZ has shown several examples showing that BZincompatible roles in
                                   124
       the past has motivated. On this point, the AP follows the opinion of the Ministry of Foreign Affairs. The AP has
       however, unable to see a policy that shows how BZo deals with incompatible roles and how BZ
       defines incompatible roles. The NVIS Data Management Guide only states that the incompatible
                                               125
       roles in NVIS are not currently set. Job segregation policy is ideally suited to
       include in the security policy as referred to in section 2.3.


137. In view of the above, the AP is of the opinion that BZ, with regard to procedures regarding access rights
       until the NVIS environment and its control violates article 32, paragraph 1 AVGGennader
       elaboratedin32, paragraph2, subch,VISOrdinancesBIO standards9.2.1,9.2.2,9.2.5and9.2.6.(en
       relevant standards from the BIO about the Plan-Do-Check-Actcycle). 126


       123
       124-mailBZaandeAPofJanuary9,2022,BZprocessNVISauthorization.
       12File piece3, appendix 1: ManualData managementNVISFebruary2018,p.16.Zvan15October2021,appendix22.
       12This means that there should be regular checks on whether the security policy is still being adhered to in the practices or the measures
       should any imperfections come to light, the principle Plan-Do–Check-ActfromtheBIO–in short-that errors




                                                                                                35/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]



       2.6 MonitoringNVIS usage:log files


       2.6.1Legal framework

138. The obligation to maintain and regularly check log files is an essential
       part of the regulations for information security. In this way an organization can see
       keep which employee when, for what purpose, consults or changes certain information

       in addition, it is necessary that periodic monitoring of the recorded log files takes placetom
       detect unusual patterns and, for example, check whether unauthorized
       access takes place to the data.

139. Article 32, paragraph 2, including the VIS Regulation stipulates that the Ministry of Foreign Affairs must be able to verify and determine
       which data when, by whom and for what purpose have been processed in NVIS. BZ must also

       check the effectiveness of these security measures and with regard to the internal control
       take necessary organizational measures. Article 32, paragraph 2, sub, VIS Regulation prescribes before
       those who are authorized to consult the VI, have access only to the data on which
       their access authorization relates, and only to personal and unique
       user identities and secret access procedures (control of access to data).


140. Write the BIO standards before BZlog files with the registration of activities of NVIS
       users should keep and review these logs regularly. The BIO standards
       specify which information about NVIS usage should be kept in a log file as a minimum
       registered. BZshould also have an overview of all log files that are placed in the context of NVIS

       generated. In the BIO, the following rules are particularly relevant:

        12.4.1 Log events
                    Logs of events that user activities, exceptions
                    and record information security events, belonging

                    be made, kept and regularly reviewed.
        12.4.1.1 A log line contains at least:
                    a. the event;
                    b.thenecessaryinformationnecessarytoconfirm theincident with a high degree of certainty
                    trace back to a natural person;

                    c.the device used;
                    d. the result of the action;
                    e. a date and time of the event.
        12.4.2.1 There is an overview of log files that are generated.






       be corrected and that the policy is adjusted in such a way that the related problems will not recur next time.
       abovedescribedresultsofthespotcheckbyinspectorsoftheAPshowthatthishasnothappenedconsistingof
       authorizationsandrolemanagement.This means that an appropriate internal control in the field of access security is missing.
       the risk of access to NVIS for unauthorized persons, as referred to in article 32 paragraph 2 under b VIS Regulation.



                                                                                                 36/64, Date Unidentified
        24 February 2022 [CONFIDENTIAL]




        2.6.2 Factual Findings

141. To check compliance with legal requirements regarding log files, the

        APrequested a sampleofthelogsatBZ.Theselogscontainlogsofthe
        consular posts, of CSO and of Processor 2. Also, during the investigation, the AP has 127
        questions about the setup of the logging and internal control of this by the Ministry of Foreign Affairs. Furthermore, the AP

        checked the requested log files and compared them with the corresponding
        authorization lists that relate to the same period.


        Logging of NVIS usage at consular posts London and Dublin
142. [CONFIDENTIAL]








143. [CONFIDENTIAL] 128







        Analyzesoflogfiles

144. The AP requested two log files related to the NVIS usage by the employees
        fromtheconsularpostLondon.Thefirstfile(hereaftername:Log1)concernsthelogfileof4
        July2019,between9.00am and 12.00pm.ThistimeslotcoincideswiththeresearchoftheAPtersite.It
        second file (hereafter: Log2) sees the period from April 1 to July 4, 2019.


145. [CONFIDENTIAL] 129











146. [CONFIDENTIAL] 130



        12In-placeInvestigationsat the Consular PostLondon(2and4July2019),theCSODenHaag(18July and12September2019), Processor2(1
        November 2019) and the Consular Post Dublin (22 and 23 January 2020).
        12WrittenOpinionBZof15October2021,appendix2undernumber6.3.
        12File document12, appendices40a and 40b: Logging useNVIS, version 25 July 2019 and Explanation.
        13File piece16, appendix8.1:LON_01April2019_04July2019_Overview.



                                                                                                           37/64, Date Unidentified
        24 February 2022 [CONFIDENTIAL]
























        Logging of NVIS usage at CSO The Hague
147. During the on-site survey at the CSO, the AP conducted interviews with the employees of

        B As far as the various aspects of security in relation to NVIS, where the subject
        ‘logging of NVIS’ has been investigated. The AP also has additional documentation on this subject at BZ
        queried and analyzed. In addition, the AP has performed log file analysis.


        Processofloggingandcheckinglogfiles
                             133
148. [CONFIDENTIAL]











149. [CONFIDENTIAL] 134 135















        13File document11:ReportofOfficial OperationsOTPCSO18July2019and12September2019.
        13File document13:Information requestAP of 25 July 2019; and File document17:Information requestAP of 1 October 2019.
        13File document11:ReportofOfficial OperationsOTPCSO18July2019and12September2019.
        13File document13:Information requestAPfrom25july2019.
        13File document14, appendix18.1:Responsibility controlNVIS usage.




                                                                                                             38/64, Date Unidentified

        24 February 2022 [CONFIDENTIAL]



150. The AP has requested (extensive) documentation in the field of security from BZ

        analyzedforrelevantinformationaboutlogging.HeretheAPhasfocusedoninformationabout
        the logging of the actions within the NVIS platform, in particular how the logging process and control on this

        are configured, which log files are generated, and how log files are checked
        concerns the following documents: [CONFIDENTIAL]; 136[CONFIDENTIAL]; 13[CONFIDENTIAL]; 138
                              139 140 141
        [CONFIDENTIAL]; [CONFIDENTIAL]; [CONFIDENTIAL].


151. [CONFIDENTIAL]






        Analyzesoflogfiles

152. Furthermore, the AP requested NVIS from BZlog files in which the NVIS actions of the
        employees of the CSO have been recorded. BZ has submitted the following log files to the AP that
        relate to the following periods:
                                                                             142
        (1) September 1, 2018 to November 30, 2018; (hereinafter: Log3);
        (2) April 1 to July 18, 2019, (hereinafter: Log4); 143
                                                   144
        (3) on September 12, 2019 (hereinafter: Log5).


153. [CONFIDENTIAL]










154. [CONFIDENTIAL] 145













        13File 14, attachment[CONFIDENTIAL]
        13File document12, attachment[CONFIDENTIAL]
        13File 14, attachment[CONFIDENTIAL]
        13File 14, attachment[CONFIDENTIAL]
        140
          File 14, attachment[CONFIDENTIAL]
        14File 14, attachment[CONFIDENTIAL]
        14File piece16, appendix9.1:CSO_01Sept2018_30Nov2018_Overview.
        14File piece16, appendix9.2:CSO_01April2019_18Juli2019_Overview.
        14File document16, appendix9.3:CSO_12Sept2019_Overview.
        14WritingViewBZof15October2021,p.10and11.




                                                                                                                39/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]










       Processor2

155. [CONFIDENTIAL]








156. [CONFIDENTIAL] 146






157. [CONFIDENTIAL] 147






158. The AP has analyzed down to some of Processor2's logs. The AP determines that, by
       lack of sufficient evidence about the actual situation in combination with the explanation of the Ministry of Foreign Affairs, for what

       regardingthecontentoftheselogfilescannotidentifyviolenceandsowillnotcontinue
       deal with the legal assessment below. 148


       2.6.3Legal review


159. The AP has assessed how far BZ has taken appropriate measures in the field of logging
       of the NVIS environment.


160. The AP notices that log files are kept related to NVIS. In the log files
       standing names of employees registered only a very limited amount of other data with
       relating to actions in NVIS, such as an indication of some steps in the context of the
       visa process(eg [CONFIDENTIAL]).





       14File document13:Information requestAPof 25 July 2019;andFile document15:Information requestAPof1October2019andannouncementOTP
       Processor2on1November2019.
       14File document17:ReportofOfficial OperationsOTP Processor21November2019,p.7and8.
       14WritingViewBZof15October2021,p.11.



                                                                                                        40/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]



161. Log1 does not show which actions in NVIS by the staff of the Consular Post in London are
       performed at whatever time that happened. With regard to Log2, AP determines that it is not going

       which data of visa applicants the consular post staff have processed, with which
       target, when this happened and what device was used here. The AP sets
       in addition, there are discrepancies between the two log files. Since Log1 is about July 4, 2019 and
       Log2 over the period 1 July 2019 up to 3 July 2019, Log 2 and Log 1 close chronologically.
                                                   149
       However, both files differ in their structure.

162. InLog3,Log4andLog5 is next to the employee's name also the visa application number and a

       global designation of the part of the visa process that has been performed and the time at which
       part has been completed. However, these log files do not show which data of
       visa applicants have processed the employees of the CSO, for what purposes at what time this
       occurred.


163. In view of the above findings, the AP notes that the Ministry of Foreign Affairs does not have an adequate overview of the
       logfilesgeneratedintheNVISenvironment.TheNVISuseistrueloged,

       butshowthesubmittedlogfilesin terms of buildupandtypedatathatisincluded
       inconsistencies. The log files that the AP has received and assessed also show that
       not all mandatory actions are logged.[CONFIDENTIAL] 151






164. In its opinion (to the extent that it is relevant to the violation) BZ sets out in its opinion on the log files
       next.As to log file1, according to BZ, it was located on the road from the AP to
       point out that not only the access log data was requested, but also what actions in NVIS
       performed and at what time. This argument fails. In its request for information, the AP has a log file
                                                           152
       asked about the use of NVIS at the embassy in London. It needs the AP's judgment
       little argues that when using NVIS, in which-undisputedly personal data is processed, the
       AP is not only interested in information about logging in to this system.


165. With regard to log file2, BZ states that article 32 paragraph 2 under the VIS Regulation, to which AP
       logging tests,requiresthatwhichdataisprocessedberecorded.Butthisarticledoesnotrequire

       that any data being processed is logged. An indication of which data is being processed
       can therefore, according to BZ, suffice without an exact representation of that data.
       article32AVG.The purpose of the logging is to verify the legitimate use of access rights. Because

       BZ determines which application data is processed, therefore it is sufficiently precise which
       data have been processed. According to BZ, the visa application number is also known from which person concerned

       personal data have been processed
       For example, NVIS employee has processed only the name or only the date of birth or both.

       14The differences concern the number of the logged variables and their names in the log files.
       15 For example, compare the type of actions that are recorded in Log1 with the type of actions that are recorded in Log 2.
       1InformationprovidedbyBZduringOTPsCSOon16July2019and12September2019(see file document11:Report of Official ActsOTP
       CSO16July2019and12September2019).
       15File piece10, appendix1under point40.




                                                                                                41/64, Date Unidentified

       24 February 2022 [CONFIDENTIAL]



166. The AP does not follow the BZ's view. Article 32 paragraph 2 under the VIS Regulation requires that it
       it should be possible to check and determine which data when, by whom and for what purpose
       the VIS have been processed. Logging a visa application number does not provide sufficient indication which
       data is being processed. This makes it impossible to see afterwards which data has been processed when.

       The more sensitive the personal data that is being processed, the higher the requirements for logging in this regard
       In this context, in which a great deal–also–special data are processed, it is
       It is very important that changes in data are traceable. BZshould be able to check which data
       who have changed, not only after an incident. This information may also be from a combination of

       (log) files are derived. The purpose of logging is therefore not limited, as BZ states, only to the
       checklegitimateuseofaccessrights.

167. BZ further states in its written opinion that the conclusion of the AP, that checks on the NVIS

       usethatBZperformstargetthegrantedauthorizationsandnotlogfilesandactions
       carried out in NVIS by staff members is incorrect and premature. BZ believes that it
       information request about this was formulated in general by the AP.According to BZ, there are many
       opportunities to report on the actual use of NVIS. Finally, BZ states that the

       question from the AP was unclear about logging and how control of this was in the security policy
       tuned.

168. Although the AP is of the opinion that it is on the road to the Ministry of Foreign Affairs in due time–and not only in an opinion–

       to make known that an information request raises questions, the DPS again has the opportunity
       askedtoconsultproceduresthatdescribehowBZregardingNVISlogs
       carries out checks on this.3BZreactedtothiswithanundateddocumentwithseveralparagraphs
                                                                                    154
       provided with where 155 actual description water is logged when using NVIS.
       [CONFIDENTIAL]






169. Given the shortcomings in log files in combination with the fact that BZ the log files do not

       regularly assesses and there is no procedure in this regard, the AP concludes that BZin
       acts contrary to article 32, paragraph 1, AVG and further elaborated in article 32, paragraph 2, sub f, each of the VIS
       RegulationsandBIOstandardsconcerninglogfiles(namestandard12.4.1).


       2.7 Control of NVIS usage: security incidents

       2.7.1Legal framework


170. Article 32, paragraph 2, subcend, of the VIS Regulation provides, respectively, that BZ has appropriate
       take measures to prevent data carriers from being illegally read, copied,


       153
       15EmailBZaanAPvan10December2021, attachment16.
       15See paragraph 2.6.2 and letter from the Ministry of Foreign Affairs to AP of 19 November 2021, appendix 1 Interview report, p.36.




                                                                                               42/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]



       changed or deleted, and that data is illegally viewed, changed or deleted. If
       there is unauthorized (external or internal) access to data carriers and/or personal data
       stored in the NVIS environment, then there is talk of a security incident. Under the requirements of
       article32, subsection2, subsection, VISRegulation applies that the necessary organizational measures have been taken
       should be used for the follow-up of such security incidents
       before placing internal controls on NVIS data carriers and storage of NVIS data

       and that the effectiveness of the security measures should be checked.

       Chapter 16.1 of the BIO describes the mandatory standards for the management of the
       security incidents and improvements. These include the following BIO standards from
       application:


        16.1.11 Responsibilities and procedures:
                    Management responsibilities and procedures should be established with a
                    rapid, effective and orderly response to information security incidents
                    accomplish.

        16.1.2 Reporting information security events:
                    Information security events should be sent as soon as possible via the correct
                    managerial levels are reported.
        16.1.2.1 There is a reporting desk where security incidents can be reported.
        16.1.2.2 There is a reporting procedure that includes tasks and responsibilities of the reporting desk
                    described.

        16.1.2.3 All employees and contractors have demonstrably taken note
                    of the incident reporting procedure.
        16.1.2.5 The process owner is responsible for resolving security incidents.
        16.1.2.6 Follow-up of incidents is reported monthly to the responsible person.

        16.1.3 Reporting of information security vulnerabilities:
                    From employees and contractors who use the information systems and -
                    servicesoftheorganizationshouldberequiredthatsideinsystemsorservices
                    observed or alleged vulnerabilities in information security record and
                    report.
        16.1.6 Lessons learned from information security incidents:

                    Knowledge acquired by analyzing information security incidents
                    andsolveshouldbeusedtotheprobabilityor
                    reduce the impact of future incidents.
        16.1.6.1 Security incidents are analyzed with target learning and
                    prevent future security incidents.


171. The above BIO standards indicate that a consistent approach should be an effective approach
       be effected of the management of information security incidents, including
       communication about security events and security vulnerabilities
       responsibilities and procedures are established, a reporting desk is set up, in which
       security incidents are reported, including the reporting procedure. Information security incidents and

       the follow-up of this is reported to the responsible person on a monthly basis




                                                                                                  43/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]



       security incidents analysed, among others, metals targeting and future

       prevent security incidents.

       2.7.2 Factual Findings


172. As part of its investigation, the AP has checked whether BZo has a procedure for the
       reporting and following up on security incidents/data breaches in relation to NVIS and the visa process

       In connection, the APBZ has requested an extract from the notification register for 2018 and 2019, in which all
       NVIS-related security incidents are recorded. During the investigation, the AP
       inspectors asked about this relevant documentation about security incidents

       requested.

       Consular posts:LondonDublin andCSODenThe Hague


       Procedural security incidents
173. The Consular PostsLondon andDublinandCSOnextsame BZ-wide method with regard to

       until reporting security incidents/data breaches: a security incident is reported directly to
       [CONFIDENTIAL] reported, and if there is a data breach, a [CONFIDENTIAL]
       created and sent digitally to [CONFIDENTIAL]. This procedure is set to [CONFIDENTIAL],
       consultation by employees of the Ministry of Foreign Affairs [CONFIDENTIAL].


174. On site at the consular posts, employees also make use of 'Factsheets data leaks' which are
       Dutch and English have been prepared. These fact sheets are a schematic representation of the procedure

       a listing of all steps that employees must follow in the event of a data breach.
       During the investigations, the aforementioned fact sheets data leaks were shown to the AP inspectors
       [CONFIDENTIAL].

                                                                        156
175. As a result of the investigation in London, the DPS asked for the procedure report
       provide data leaks. BZ has submitted the following documents:
                                              157
           - Factsheets dated August2018, in both Dutch and English.See these factsheets
               on the schematic representation of the method in case of data leaks, as described above and
               shown at the consular posts.
           - Instructional videos about data leaks : these short films provide information about

               data leaks.
           - Printout of the information material about data leaks on [CONFIDENTIAL], with examples
               of data leaks 15 and description of the working method for BZ employees in case of
                         160
               data breaches .This last document contains a description of the steps that employees of



       15File document10:Information requestAPvan12july2019.
       15Dossier12,appendix11a:FactsheetdatalekNLaug2018;Dossier12,appendix11b:FactsheetdatalekENAug2018;en
       Dossier 12, attachment 11d: Sharepoint data breach.
       15File Document12,Appendix11c: Instructional video-Help,adata breach;andFilepiece12,Appendix11f:Databreachmovie.Thesefilepiecesare
       video files.
       15File document12, attachment11e:Data leaksexamplesandsharepoint.
       16File document12, appendix 12c: Data leak information for BZ employees.



                                                                                                   44/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]



               BZshould take submitters of data leaks, in accordance with the procedure used during the

               InvestigationsinLondonandDublinisexplained.

176. The AP notes that the staff of the consular posts in London and Dublin and the CSO, with
       regarding the reporting of security incidents/data breaches, follow the procedure for all

       employeesofBZapplies.Thisprocedureisapracticalmanualonthestepsthat
       employees must act in the event of security incidents: they must report as soon as possible
       [CONFIDENTIAL] be reported in the event of data leaks, a report will be made to

       [CONFIDENTIAL]. The procedure mentioned is not established at a management level, and gives
       furthermore no insight into the steps that are followed after a report about a security incident/
       data breach has occurred. The procedure also does not describe the tasks and responsibilities of the

       hotline chainwhoseprocessownerisresponsibleforresolvingsecurityincidentsand
       the reporting on this.

       Security Incidents

177. [CONFIDENTIAL]





178. The AP has requested a security incident register from BZe in which all security incidents in

       relationship to NVIS and the visa process are stated, with respect to the following periods: (1) October 1
       2018 to December 31, 2018, and(2) April 1, 2019 to July 1, 2019. The AP has nine notifications
       of incidents 16 received at the Consular Post in London.[CONFIDENTIAL].Due to the lack of

       a further explanation on these reports was the AP during the investigation assuming that BZ
       did not provide a copy of the Security Incidents Register.

179. [CONFIDENTIAL] 163






180. [CONFIDENTIAL] 164












       16File document10:Information requestAPfrom12july2019.
       16[CONFIDENTIAL]
       16[CONFIDENTIAL]
       16File piece11:ReportofOfficial OperationsOTPCSO18July2019and12September.



                                                                                                  45/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]










181. An employee of [CONFIDENTIAL] stated during the investigation that BZVereen
       incident register has in which security incidents are registered. The AP has requested
       to provide a security incidents register with regard to NVIS and concerning the year 2018
                                                   165
       and the first half of 2019. [CONFIDENTIAL]. BZ did not supply any (blank) incident register.
       In addition, the AP also requested six-monthly reporting on security incidents. This
       documentisprovided.166Itdescribesdataleaksrelatedtotraveldocuments.


182. During the opinion phase, BZ gave, among other things, the following explanation about the process of
       security incidents. Notifications are handled by [CONFIDENTIAL] in [CONFIDENTIAL].
       All actions necessary for handling a report are recorded here

       saved. These reported incidents/violations, regardless of whether they had reported to the AP
       must be, after complete completion, are closed, logged, and stored in a
       protected, only accessible to [CONFIDENTIAL] environment behind the [CONFIDENTIAL]

       (the data leak register). All executed (continued) steps are recorded in the individual
       report files in the central register of incident reports that is filled by
       [CONFIDENTIAL].Finally, the Ministry of Foreign Affairs has stated that all incidents are now in one central place

       are tracked and preserved.

183. As a result of the foregoing, BZ has answered further questions from the AP about the design

       of the central register of security incidents. Based on this and on the basis of the above
       explanation, the AP considers it plausible enough that BZwel has a
       security incident registerin which security incidents in relation to NVIS are registered.


       Processor2
184. On November 1, 2019, the AP carried out an investigation at Processor 2. In doing so, the AP
                                                                                  167
       procedure that Processor2 uses in case of security incidents. In this
       escalation procedure describes which steps need to be taken within the organization
       when a security incident occurs, which roles/functions should be assigned to Processor2
       informed and what roles/functions should be escalated to. Processor 2 also has a policy
                                                168 169
       submitted that covers security incidents and data breaches .

185. With regard to security incidents, Processor2 stated during the investigation dated in 2018

       en2019 have been no incidents in relation to the NVIS environment. This saw specific on incidents
       [CONFIDENTIAL]



       16File 14, appendix 20.1: Explanation.
       16File 14, attachment 21.1:[CONFIDENTIAL].
       16File document17, attachment3:IncidentEscalationProcedure.
       16File 17, attachment 4: [CONFIDENTIAL].
       16File document17, attachment5:ProcedureDataBreachController.



                                                                                                  46/64, Date Unidentified

       24 February 2022 [CONFIDENTIAL]






186. When asked if Processor2 keeps a log or registry of security incidents, Processor2 has

       stated that they use different registers depending on the incident. Processor2 explained that
       two incident registers are used.
       [CONFIDENTIAL] 170 171








187. [CONFIDENTIAL]. Processor2 has indicated that there are no security incidents at Processor2
       have been related to NVIS in the study period. There were no internal reports because of this
                                            172
       dieProcessor2 to AP.

188. On the basis of the above and the explanation of BZ during the opinion phase, the AP considers the

       division of tasks between BZenProcessor2 with regard to security incidentssufficiently clear.

       2.7.3Legal assessment


189. The AP concludes that the general procedure provided by the Ministry of Foreign Affairs at the time of the investigation
       does not meet the requirements for reporting security incidents by BZ employees. This procedure is a
       no more than a manual on the steps that employees should take when

       security incidents: they must be reported to [CONFIDENTIAL] as soon as possible in case
       data leaks are reported to [CONFIDENTIAL]. The procedure mentioned is not on
       management level established and provides no further insight into the specific steps that are followed
       after a report about a security incident/data breach has occurred. The procedure describes

       alsonotthetasksandresponsibilitiesofthereportingdeskchainwheelprocessownerresponsible
       is for resolving security incidents and reporting about them.

190. During the opinion phase, BZ reacted to this with an AVG manual (approved on 13 October

       2021)andaProcessdescriptionIncidentmanagementsecurityincidentsanddata breaches(July2020)
       provided to the AP. The AP has assessed this documentation and comes to the conclusion that BZ from 13
       October 2021 does provide full insight into the steps to be followed after a notification about
       a security incident/data breach has occurred. Also, the duties and responsibilities of

       mentioning the reporting desk has established who the process owner is responsible for
       resolving security incidents and reporting about them.




       170
       17File piece23, appendix06.1:-AP-z2019-12207-06-Incidentenregisterextract.enmet1November2019.
       17WritingViewBZof15October2021,p.13.




                                                                                                  47/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]


191. On the basis of the above, the AP comes to the conclusion that BZ, with regard to the defects in the

       procedure for reporting security incidents, until 13 October 2021 insufficiently appropriate
       has taken organizational measures to prevent unlawful data processing
       in NVIS. As a result, BZ has breached the requirements laid down in article 32, paragraph 1, AVG
       elaborated in article 32, paragraph 2, subcend, VIS Regulations and BIO standards 16.1.1 and 16.1.2.2.

       As of 13 October 2021, the aforementioned defects have been repaired by BZ, the infringement is thus
       point ended.

       2.8Training staff on data protection


192. Article 28(5) VIS Regulation prescribes that the personnel of the authorities with access rights to
       the VIshouldbecompletedequaltrainingondatasecurityandprotectionrules.
       Staff are also informed of the relevant criminal offenses and sanctions. The AP
       however, has not tested the content of these courses nor the manner in which they are offered
       during the investigation. Article 38, paragraph 3, Visa Code continues to write before the 'central authorities of'

       Member States should train and train both the posted and the local staff in a careful manner
       provide them with complete, accurate and up-to-date information on the relevant legislation.”

193. The AP establishes on the basis of the statements of employees and documents provided by BZ
       with regard to the training of employees who have access to data in the NVIS dater

       of training in data protection and security. In addition, the training
       offered for both employees who are recently employed and employees who have been with BZ for a long time
       work. The training courses include, among other things, the systems to be used (including NVIS), relevant laws and
       regulations and security. The AP also notes that training of both broadcast and
       localemployees.


194. This is, with regard to the question of whether attention is paid in training to
       information securityandregulationsontheprocessingofpersonaldata,meettherequirements
       they are deposited in BIO objective 7.2.2 and article 38, paragraph 3, Visa code.

       2.9 Information provision to visa applicants


       2.9.1Legal Framework

195.Transparencyaboutdataprocessingandisoneofthegeneralprinciplesforaproper
       data processing. Informing the data subject about data processing contributes to

       transparency.Article 37VIS Regulation prescribes that visa applicants are informed about the
       responsible person, the purposes of the processing of the data of the visa applications, the
       categories of recipients of processed data, the retention period, the obligation of the
       collect this data and the rights of the person concerned. This means that BZ the visa applicants








                                                                                              48/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]




       informs in writing b173 collecting the data for the purpose of the application form, the photo
       andfingerprints. This obligation also arises from article 13 of the AVG.
       2.9.2 Factual Findings


196. The AP has conducted an investigation at the consular post in London and Dublin. From these investigations

       and the information obtained follows, that data subjects can be informed in three ways about
       processing their photos, fingerprints and personal data for the purpose of a visa application.
       Information is provided through (1) a “Privacy Statement Regarding Short-StayVisa”
                                                174
       Applications” (hereinafter: Privacy Statement) , (2) an appendix to the application form for the
       visa application (hereinafter: Annex), and (3) a folder 176 at the location of the consular post.


197. The first option of providing information is the Privacy Statement. On the (in English
       written)websitesoftheembassiesinIrelandandtheUnited Kingdomstateinformationaboutthe
                                                                177
       ask how a (Schengen) visa application works. The websites refer to thisPrivacy
       Statement, which can be found on the BZ website. 178


198. In the Privacy Statement, various privacy components are treated like the goals for the

       processing the data of the visa applications, the controller, the
       retention period of 5 years, the obligation to collect the data and rights of
       stakeholders.In a separate document, the risk countries are listed that could influence the
                                         179
       visa process on risk analysis. ThePrivacyStatement further states that there may be
       sharing data with third parties such as other European authorities within the Schengen area
       areasinstancessuch asEuropol.InthePrivacyStatementthere isno mention of the possible

       processors of data, such as, for example, private parties that may be involved in the
       process of the visa application. The AP further establishes that the national “DataProtectionAuthority”,

       including the address details, is mentioned in the privacy statement as the designated authority in the
       case the data subject would like to exercise her/his rights. 180

                                                                                   181
199. The second possibility of providing information takes place via the Annex. TheAppendixbecomes
       provided in writing to the person concerned at the time the details of the application form are

       collected.In the Annex, BZ is named as the controller for the
       data processing, the purposes of the processing of data are stated, the
       retention periods and is referred to as the obligation to collect the data



       17Article 37, paragraph 2, Regulation “The information referred to in paragraph 1 will be communicated in writing to the applicant when collecting the
       data of the application form, the photo and fingerprint data as referred to in article 9, paragraphs 4, 5 and 6.”
       17File 7, attachment 2: PrivacyStatementre.Shortstayvisapplications.
       17File 7, attachment 6:SchengenVisaApplication(sample form),provided to the OTP Consular PostLondon.
       17File document 7, appendix 4: Information sheet about SISII; and File document 27, appendix 10: Leaflet public information about SISII.
       17SeeforIreland:https://www.netherlandsandyou.nl/your-country-and-the-netherlands/ireland/travel-and-residence/applying-for-a-short-
       stay-schengen-visa(before last consulted on 14 August 2020) and for the United Kingdom:
       https://www.netherlandsandyou.nl/your-country-and-the-netherlands/united-kingdom/travel-and-residence/applying-for-a-short-stay-
       schengen visa (last consulted on 14 August 2020).
       17https://www.netherlandsandyou.nl/documents/publications/2017/12/06/privacystatement-regarding-short-stay-visa-applications-en(for
       it was last consulted on February 23, 2022).
       17Conformarticle22Visa code.
       18Article37, paragraph 1, sub, VIS Regulation.
       181
         File 7, Attachment 6: SchengenVisaApplication(sample form), provided to the OTP Consular PostLondon.



                                                                                                        49/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]



       explained.TheCollegeProtection of Personal Information is also referred for complaint handling.
       The AP also notes that permission is requested from the data subject. In the list of categories

       Recipients of personal data are not referred to as third-party private parties.

200. The third possibility of providing information has been shown in the study in Dublin, 18 when by the
       employeesoftheconsularposta folderSISII 18isdisplayedwhichwillbemadeavailabletothe

       visa applicants in the waiting area. This leaflet relates to SISII and does not contain any information about
       rights of data subjects with regard to a visa application and the exercise of rights of data subjects
       during the visa application process.Although the folder itself contains information about SISII vs

       background of the visa application, the leaflet is not applicable to the practice of
       rights of those involved in the visa process.


       2.9.3Legal Review

201. The AP establishes that BZindePrivacyStatementsintheAppendix(1)theobjectivesofthedataprocessing

       mentions, (2) makes clear that collecting the person is mandatory, (3) includes retention periods,
       and (4) mention the competent (privacy) supervisor. However, with regard to both documents,
       not all (categories of) recipients of data are listed by BZ.The AP determines
       that only a few categories of recipients have been mentioned, such as other European authorities and Europol.

       ThePrivacyStatementandAttachmentdonotnotstatethesharingofpersonaldatawiththird
       private parties, such as the processors, Processor2 and Processor3, who are involved in the process of the
       visa application. This does not meet the requirement of article 37, paragraph 1, sub, VIS Regulations article

       13, paragraph 1, below, AVG.

202. In its view, BZ argues that it is not a foregone conclusion that those involved should be informed

       about the provision of data to a processor. BZ is of the opinion that Processor2 only if
       processor does not qualify as a recipient of personal data. Without obligation to do so
       acknowledging BZindePrivacystatements/ortheAppendixincludethatBZleavespersonaldata

       processing processors.

203. The AP does not follow the statement of BZ. It follows from article 13, paragraph 1 sube, AVG that the

       controller informs the data subject about the recipients or categories of
       recipientsofthedata.Article4,section9,GDPRdefinesarecipientasa

       natural or legal person, a public authority, a service or another body, whether or not
       one-third, to whom/to whom the data is provided. Processors as Processor2and
       Processor3 are legal persons who receive the data about the data subjects. The
                                                                                                  185
       Also specify guidelines on transparency that a recipient may be a processor.





       18File document27:ReportofOfficial OperationsOTPConsular PostDublin.
       18File document7, appendix 4: Information sheet about SISII; and File document27, appendix 10: Leafletpublic information about SISII..
       18In the Appendix, however, reference is still made to theCollegeProtection of Personal Data.
       18Group data protectionarticle29Guidelinesontransparencyaccording toRegulation(EU)2016/679,p.18.




                                                                                                50/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]



       2.10 Conclusions

204. The AP comes to the following conclusions with regard to the established violations.

       Security plan

205. The AP comes to the conclusion that BZ has no security plan with regard to NVIS (and therefore also
       has not evaluated).
       article 24 and 32, paragraph 1, GDPR, which is further elaborated in article 32, paragraph 2, preamble, VISOrdinances BIO-
       standards5.1.1,5.1.1.1and5.1.2.1.


       Physical Security
206. BZ has not explicitly determined which parts of the IT infrastructure should be marked
       be as critical infrastructure of the visa process, from at least September 1, 2018, until any time
       case the spring of 2020 acted contrary to article 32, paragraph 1, AVG, which is further elaborated in article
       32,lid2,ondera,VISRegulation.


207. The AP further concludes that BZ, where it concerns drawing up emergency plans and
       protection of equipment against disruptions in utilities, from at least September 1, 2018
       until now does not comply with the provisions of article 32, paragraph 1, GDPR, which is further elaborated in article 32, paragraph 2
       suba,VISOrdinancesBIO standards11.1.4and11.2.2.


208. Furthermore, the AP is of the opinion that due to the lack of security guarantees when entering the
       zone that must be extra secured, the physical security of the rooms in which the is being worked on
       visa process in London was not satisfactory. As a result, BZ has at least September 1, 2018 to April 2020 in
       acted contrary to article 32, paragraph 1, GDPR, which is further elaborated in article 32, paragraph 2, suba, VIS
       RegulationsBIO standards11.1.1t/m11.1.5and11.2.2.


209. Finally, since the Ministry of Foreign Affairs has not shown that sufficient guarantees apply for the physical protection of
       working in NVIS in public spaces and B Seven less has the effectiveness of the policy on this matter
       checked, the AP comes to the conclusion that BZ is in conflict with at least September 1, 2018
       acts with article 32, paragraph 1, AVG, which is further elaborated in article 32, paragraph 2, suba and k, VIS Regulation.


       Access rights to NVIS
210. The AP concludes that BZ is not over-formal from at least September 1, 2018 to January 1, 2022
       registration-and-logoutprocedureshavetoviewtheassignmentofaccessrightsto
       NVIS.BZ has acted in conflict with article 32, paragraph 1, AVG, which is further elaborated in BIO-

       standards 9.2.1 and 9.2.2.

211. The AP is further of the opinion that the Ministry of Foreign Affairs, with regard to the procedure for the control of access rights to
       the NVIS environment and control of this in practice, from at least September 1, 2018 to the present in
       acts contrary to article 32, paragraph 1, GDPR, which is further elaborated in 32, paragraph 2, subject, VIS Regulations

       BIO standards9.2.1,9.2.2,9.2.5and9.2.6.





                                                                                                51/64, Date Unidentified

       24 February 2022 [CONFIDENTIAL]


       ControlNVIS usage:logging
212. Given the deficiencies in log files in combination with the fact that BZ the log files do not

       regularly assesses and there is no procedure in this regard, the AP concludes that BZ van
       at least 1 September 2018 until now does not act in accordance with article 32, paragraph 1, GDPR that
       further elaborated in article 32, paragraph 2, sub f, each of the VIS Regulations and BIO standards
       concerning log files (name standard 12.4.1).

       ControlNVIS usage:security incidents

213. With regard to the deficiencies in the procedure for reporting security incidents, the AP comes to
       the conclusion that BZ from at least September 1, 2018 to October 13, 2021 insufficiently appropriate
       has taken organizational measures to prevent unlawful data processing
       in NVIS. As a result, B has infringed article 32, paragraph 1, GDPR, which is further elaborated in article 32,
       lid2,ondercend,VISRegulationsandBIOstandards16.1.1and16.1.2.2.


       Information provision for visa applicants
214. The AP finally concludes that BZin the framework of the information provision
       visa applicants do not mention sharing personal data with third private parties,
       such as Processor2andProcessor3.This violatesBZvanatleastSeptember1,2018todate
       Article 13, paragraph 1, sub, GDPR, which is further elaborated in article 37, paragraph 1, sub c, VIS Regulation.

































                                                                                              52/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]




       3Fine

       3.1Introduction

215. BZ has acted contrary to article 32, paragraph 1, AVG and article 13, paragraph 1, sub, GDPR.

       not acted in accordance with the basic principles of data processing
       as referred to in article 5 AVG. The AP makes use of its for the established violations
       authority to impose a fine on BZ. In its view, BZ has stated that by several
       transition processes and improvement measures the imposition of a fine and/or burden under coercion at all

       is reasonable. Because of the seriousness of the violations, the extent to which they can be blamed on the Ministry of Foreign Affairs and
       the fact that the violations are still going on after the AP, other than BZ, the imposition of a fine and a
       load under duress if appropriate. The AP motivates this in the following.


       3.2.Finance Policy RulesData Authority2019

216. Pursuant to article 58, second paragraph, preamble and article 83, fourth paragraph, of the AVG, read in
       in connection with article 14, third paragraph, of the UAVG, the AP is competent to the Ministry of Foreign Affairs in the event of an infringement
       ofArticle32oftheGDPRNottoimpose anadministrativefineupto€10,000,000.


217. Pursuant to article 58, second paragraph, preamble and article 83, fifth paragraph, of the AVG, read in
       in connection with article 14, third paragraph, of the UAVG, the AP is competent to the Ministry of Foreign Affairs in the event of an infringement
       ofarticle13oftheGDPRNottoimpose anadministrativefineupto€20,000,000.


218. The AP has established Penalty policy rules regarding the fulfillment of the above-mentioned authority to
       imposing an administrative fine, including determining the amount thereof. 186Inde
       Penaltypolicyruleischosenforacategoryclassificationbandwidthsystem.Violationof
       article32oftheAVGisingpartincategoryII.CategoryIIhasafinebandwidthbetween€

       120,000 and €500,000 and a basic fine of €310,000.Violation of article 13 of the AVG is shared
       incategoryIII.CategoryIIIhas a finebandwidthbetween€300,000 and €750,000 and a basic fine
       from€525,000


219. The amount of the fine adjusts the AP to the factors mentioned in article 7 of the
       Fine policy rules, by decreasing or increasing the base amount. It is about an assessment of the
       seriousness of the violation in the specific case, the extent to which the violation can affect the offender
       be blamed and, if there is reason to do so, other circumstances.


       3.3Penalageforviolatingthesecurityofprocessing

220. Any processing of personal data must be done properly and lawfully
       organizationswithprocessingdatainfringetheprivacyofcitizensitisof


       18Stcrt.2019,14586,14March2019.



                                                                                               53/64, Date Unidentified
       24 February 2022 [CONFIDENTIAL]



       It is very important that they apply a level of security appropriate to risk. When determining risk
       for the data subject include the nature of the personal data and the extent of the processing

       important: these factors determine potential damage for the individual involved in, for example,
       loss, alteration or unlawful processing of the data. As the data becomes more sensitive
       character, or the context in which they are used, pose a greater threat to personal

       privacy, stricter requirements are imposed on the security of personal data. The
       APconcludedthatBZonhassufficientlyrisk-adjustedsecuritylevel
       guaranteed and guaranteed in the context of processing Schengen visa applications.


       3.3.1 Nature, seriousness and duration of the infringement
221. The AP has established that BZ processes a great deal of (sensitive) data of those involved.
       Examples of this are the combination of name and address details, country of birth, purpose of the trip,
       nationalities photo. Those involved are obliged to provide all these details to BZ in order to

       obtain a Schengen visa. In such a dependent and unequal position is of
       it is very important that BZ guarantees and guarantees a sufficient level of security adjusted to risk
       consequences and the resulting damage for those involved are large in the event of loss,

       modification or unlawful processing of the data. For example, unauthorized persons may
       view and change personal data, but also authorized employees can during the treatment
       of the application make input errors. This can cause applications to be incorrectly refused, which again
       an infringement results in the freedom of movement of those involved. The AP therefore concludes that as a result

       due to the fact that the Ministry of Foreign Affairs has failed to take appropriate technical and organizational measures
       the confidentiality and integrity of the personal data are insufficiently guaranteed.


222. In addition, the AP takes into consideration that BZ processes personal data of very many involved parties.
       It is established that BZ processes hundreds of thousands of applications per year(682,484in2018,739,248in2019and
       169,926in2020).187The personal details of all these applications are therefore insufficiently secured.
       the AP notices that the violation has been going on for 3.5 years and is still going on.

       extremely serious.

223. In view of the above, the AP, pursuant to Article 7, preamble and under a, of the Penalty Policy Rules

       reason to impose a fine and increase the basic amount of the fine from €310,000 to €
       390,000.

       3.3.2 Negligence of the infringement

224. BZisobligedtouseasecuritylevelthatfitstheearthandsizeofthe
       processing and that BZ performs. Now B will not ensure an adequate level of security for years, the AP of
       judge that B has been seriously negligent still is in meeting appropriate
       security measures and checking and adapting these measures. Citizens who are required

       to hand over personal data, we must be able to assume that the Ministry of Foreign Affairs, as a government agency,
       has taken the necessary measures and taken appropriate steps to protect personal data.


       18https://ec.europa.eu/home-affairs/policies/schengen-borders-and-visa/visa-policy_en,under 'Statisticsonshort-stayvisasissuedbythe
       Schengen States', last consulted on February 23, 2022.



                                                                                               54/64, Date Unidentified
       February 24,2022 [CONFIDENTIAL]



225. The AP also considers that BZin own analyzes (from 2015 and 2020) already pose risks in the

       areaofinformationsecurityrelatingtoNVIShasdetectedandnotintime/or
       has taken insufficient action. For example, 188BZ has the risk in 2015 and in 2020
       definedthatas a result ofpower failure equipment can break down and that unauthorized persons
       may make changes in NVIS due to insufficient governance with regard to authorizations. The AP

       points to this point in addition to the Accountability investigations by the General Court of Auditors
       2017, 2018 and 2019, which means that the imperfections in the information security for BZ also on
       were already known for this. The Court of Audit has established that BZ risks are

       focus areas governance, organization design and risk management
       General Court of Audit held that BZ has no management framework for the implementation and implementation of
       to initiate and control the information security within the organisation.


226. In view of the above, the AP, pursuant to article 7, preamble under b, of the Penalty Policy Rules
       reason to increase the fine even further, to an amount of €440,000.


       3.3.3Categories of personal data
227. The AP has established that the Ministry of Foreign Affairs in the context of processing Schengen visa applications
       processes special data, such as fingerprints. Such data qualifies as

       biometric data. For special personal data, an even higher protection is required. The AP
       has established that the Ministry of Foreign Affairs has determined that there is insufficient risk for a very large group of involved
       coordinated level of security applies for this category of special data.


228. In view of the above, the AP, pursuant to Article 7, preamble, subsection, of the Penalty Policy Rules
       reason to increase the fine to €465,000.


       3.4 Amount of fines for violation of information provision to those involved

229. The controller must provide the data subject with information that is necessary for

       to guarantee a proper and transparent processing towards the data subject, taking into account
       of the specific circumstances and context in which the personal data is processed. 18TheAP
       has established that the Ministry of Foreign Affairs does not report within the framework of the information provision to visa applicants

       makes the sharing of personal data with third private parties and with this article 13, paragraph 1, sub,
       GDPR violating.

230. As mentioned above, BZ processes a lot of (special) data. It must be for those involved

       be transparent with which (categories of) recipients BZ shares this data
       personal data, the fact that hundreds of thousands of data subjects are insufficiently informed and
       violation has lasted for 3.5 years and still continues, the AP considers the imposition of an administrative fine

       appropriate.


       188
       189 file3, appendix 5a: Vulnerability analysis and IB plan DCV; Written ViewBZ of 15 October 2021, appendix3.
         See recital 60 of the AVG.



                                                                                                55/64, Date Unidentified
       February 24,2022 [CONFIDENTIAL]



231. With regard to the amount of the fine, the AP considers that the consequences of this violation
       are limited
       reduce the fine from €525,000 to €100,000.


       3.5 Blame and proportionality for both violations

232. Pursuant to article 5:46, second paragraph, of the Awb, the AP reserves the right to impose an administrative fine

       take into account the extent to which they can be blamed on the offender
       violation, is not required for the imposition of an administrative fine in accordance with established case law that
       it is shown that intent may presuppose the AP culpability if it

       criminal record.

233. The Ministry of Foreign Affairs is obliged to take a risk by means of appropriate technical and organizational measures
       to use a coordinated security level. In addition, the Ministry of Foreign Affairs must be sufficiently clear

       make which parties provide the data to. It is the BZ's fault that it does not
       meets two obligations. The AVG, but also the VISOrdinances BIO with which BZ must comply
       have emphatically described the security of the processing of personal data
       that organizations must maintain a risk-adjusted level of security. Furthermore, the AVG(s)

       providetheguidelinesontransparency)sufficient explanationastowhichinformationwith
       those involved must be shared. The Ministry of Foreign Affairs may be expected to apply itself to the
       standards that act accordingly.


234. Finally, pursuant to articles 3:4 and 5:46 of the Awb, the AP assesses the application of its policy for
       determining the amount of the fines in view of the circumstances of the specific case, not until
       disproportionate outcome.

                                                                 190
235. The AP is of the opinion that (the amount of) both fines is proportional. In this judgment, the AP has
       otherthe seriousness of the infringements and the extent to which they can be blamed on the Ministry of Foreign Affairs.
       Due to the nature of the data, the duration of the violations, the fact that the violations

       have not yet ended and the risks involved and run, the AP qualifies the relevant
       violationsoftheGDPR.serious.With regard tothelevelofthefinefortheviolationforthe
       information provision to those involved, the AP has already motivated in paragraph 3.4 why the
       determined fine and its judgment is proportionate.


236. In view of the foregoing, the AP sees no reason for the amount of both fines on the basis of the
       proportionalityandendFinancepolicy rulesmentionedcircumstances,ifapplicableinthe
       present case, further increase or decrease.


       3.6Conclusion
237. The AP sets the total fine at €565,000.



       1See also paragraph 3.3 and 3.4 for the justification.



                                                                                              56/64, Date Unidentified
       February 24,2022 [CONFIDENTIAL]




       4. Compulsory charge

238. Now it concerns a continuous violation of article 32, paragraph 1, GDPR and article 13, paragraph 1, sub, GDPR

       BZ should end these violations as soon as possible.
       article58, paragraph2, preamble, AVGjo.article16, paragraph1,UAVGenarticle5:32,lid1,Awbaande
       Minister also a burden order sum.

239. The AP instructed the Minister of Foreign Affairs in the context of handling applications from

       Schengen visa:

       1. to end the violation of article 32, paragraph 1, GDPR by appropriate technical and organizational
       to take measures to ensure a security level appropriate to the risk.


              The Minister serves that purpose for the national information system for the purpose of treating
              fromSchengen visas:
              a. draw up an information security policy that also states how BZ this policy
              will periodically review and adjust if necessary.
              b. draw up emergency plans and protect equipment against disruptions in

              utilities.
              c.takesufficientguaranteeforphysicalsecuritywhenworkinginthisnational
              system in public areas.
              d.defining how BZ ensures the regular checks on access rights to this system.
              This also means that access rights should be checked and checked regularly

              be adjusted without delay when a check shows that an employee is wrongly
              authorized to have access to personal data.
              e.ensure that it is possible to check and determine which data when, by
              who have been processed for what purpose.
              f.recordinghowBZloggingandregularcheckonthisinthissystem

              This also means that BZ should check log files regularly.

              It is up to the Minister, as controller, to ensure the exact completion of
              to determine the above remedial measures.


       2. to end the violation of article 13, paragraph 1, subparagraph e, GDPR.

              The Minister should achieve this through information about the recipients or categories of
              recipients of the data of data subjects (when obtaining the
              personal data).








                                                                                               57/64, Date Unidentified
       February 24,2022 [CONFIDENTIAL]


       Beneficiary terms and level of coercion with regard to part 1

240. The AP connects to part 1 of the ass a stone beneficiaries term that ends at 24 October 2022.

241. If the Minister for Foreign Affairs does not charge before the end of this beneficiary period
       complies, he forfeits your coercion. The AP fixes the amount of this coercion at an amount of

       €50,000 for every two weeks after the end of the last day of the term set by which the minister
       van Foreign Affairs fails to comply with part 1 of the burden, up to a maximum of
       €500,000.


       Beneficiary terms and level of coercion with regard to part 2
242. With regard to part 2 of this burden, the AP is of the opinion that with its implementation less
       efforts are involved. The AP therefore connects to part 2 a beneficiary period that ends
       March 24,2022.


243. If the Minister for Foreign Affairs does not charge before the end of this beneficiary period
       complies, he forfeits your coercion. The AP fixes the amount of this coercion at an amount of
       €10,000 for each (whole) week, after the expiry of the last day of the stipulated period, on which the
       Minister of Foreign Affairs fails to comply with part 2 of the burden, up to a maximum of

       €300,000.

244. In the judgment of the AP, the above amounts are for both parts of the burden
       in reasonable proportion to the gravity of the interests violated by the violations, namely the

       protection of (special) data and transparency about processing to
       In addition, the AP considers the amounts to be sufficiently high to move the BZ into action
       to end.

245. The above measures are in BZ's power to take the time limit for these measures

       considering the AP realistic. In doing so, the AP took into account that a large part of the
       measuresthatBZmusttakewithpart1primarilyincludesthedraftingdocumentation.Andfor
       with regard to part 2, BZ only needs to adjust the information provision on a small part.


       Follow-up
246. If BZ wanted to forfeit the penalty payments immediately after the beneficiary's term
       prevent, the DPSZ considers the documents–with which the BZ can demonstrate that it complies
       aandeburden–on time, but within a week before the end of the beneficiary term at the APter

       send assessment.

247. Finally, the AP regularly informs the Ministry of Foreign Affairs on the basis of a concrete planning
       inform the AP about the progress of the measures it is taking to comply with part 1
       of the imposed load.







                                                                                               58/64,Date Unidentified
24 February 2022 [CONFIDENTIAL]




5.Dictum

TheAP has come to the conclusion that the Minister of Foreign Affairs, as
controller in the process of issuance of Schengen visas, data subjects

insufficientinformedandsecurityoftheprocessingofdatainsufficient
guarantees. In view of the fact that the Minister of Foreign Affairs very much (sensitive) data
processed from hundreds of thousands of data subjects and violations still continue after 3.5 years,
the AP qualifies the relevant infringements of the AVG as serious.


That is why the AP opens an administrative fine to the Minister of Foreign Affairs in addition
a foreclosure order.


    - The AP explains to the Minister of Foreign Affairs for violation of article 32, paragraph 1, AVG
       and article 13, subsection 1 below, AV No administrative fines, an amount of: € 565,000 (in words:
       five hundred and sixty-five thousand euros).1


    - The AP ordered the Minister of Foreign Affairs in the context of processing applications
       fromSchengen visas:
       1.take appropriate technical and organizational measures for a risk-adjusted
       to ensure a security level and thus to prevent the violation of article 32, paragraph 1, GDPR

       end;and
       2. information about the recipients or categories of recipients of the data to
       data subjects (when obtaining the personal data) and thereby
       violation of article 13, paragraph 1, subparagraph, GDPR.


IftheMinisterofForeign Affairsforpart1notbefore24October2022tothe
If the order is complied with, he forfeits your coercion. The AP fixes the amount of this coercion at an amount of
€50,000 (in words: fifty thousand euros) for every two weeks after the last day of the

term within which the Minister of Foreign Affairs fails to comply with part 1 of the order, until
maximum of €500,000 (in words: five hundred thousand euros).

If the Minister for Foreign Affairs with regard to part 2 not before 24 March 2022 at the

If the order is complied with, he forfeits your coercion. The AP fixes the amount of this coercion at an amount of
€10,000 (in words: ten thousand euros) for each (entire) week, at the end of the last day of the
term, by which the Minister of Foreign Affairs fails to comply with part 2 of the order, until
maximum of €300,000 (in words: three hundred thousand euros).





19The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB).
article 4: 87, first paragraph, Awb to be paid within six weeks. For information and/or instructions about the payment can contact
be recorded with the aforementioned contact person at the AP.



                                                                                        59/64,Date Unidentified

24 February 2022 [CONFIDENTIAL]


Yours faithfully,
AuthorityPersonal Data,


w.g.

ir.M.J.Verdier

Vice President























Remedies Clause
If you do not agree with this decision, you can within six weeks of the date of shipment of the
decide to submit an objection digitally or on paper to the Data Protection Authority. In accordance with
Article 38 of the UAVG suspends the submission of an objection to the effect of the decision

imposition of the administrative fine. Filing an objection suspends the effect of the charge
under duress not opposing this decision. For submitting a digital objection, see
www.autoriteitpersoonsgegevens.nl,onderhetkopjeBezwaarmakentegeneenbesluit,bottom
page under the heading Contact with the Data Authority. The address for submission on paper

is: Authority for Personal Data, PO Box93374, 2509AJDenHaag. Mentioned on the envelope 'Awb-objection'
and put 'objection' in the title of your letter. In your letter of objection, write at least:
- your name and address;
- the date of your notice of objection;
- the reference (case number) mentioned in this letter; or attach a copy of this decision;

- the reason(s) why you do not agree with this decision;
-your signature.





                                                                                        60/64,Date Unidentified

24 February 2022 [CONFIDENTIAL]




ATTACHMENT 1


The following legislation forms the basis of the legal framework for the present Decree:


     The General Data Protection Regulation (GDPR) determines the overall general legal framework
        for the processing of personal data, and the supervision of the AP.
     The Regulation on the Visa Information System (VIS) and the exchange between the
                                                                                        192
        Member States of data in the field of short-stay visas (hereinafter: the VIS Regulation) gives
        the specific frameworks regarding the European Visa Information System that the member states

        use for mutual cooperation in the issuance of visas.This Regulation regulates
        including which authorities are responsible for data processing via the VIS
        VIS Regulation prescribes for which data of persons involved who obtain a visa for the

        Schengen area applications must be included in the (national)
        visa information system.193
        The VIS Regulation further describes, among other things, the objectives of the functions of VIS and sets requirements for
                                                                   194
        the parties responsible for using the VIS. This includes
        safeguards in the field of integrity, confidentiality of the visa information. 195
     The Regulation establishing a Common Visa Code (hereinafter: Visa Code) 196

        outline the general framework which Member States must comply with in the context of the application and
        issuanceofvisa.9Thisframeworkdeterminesamongotherwhichdatamustbeprocessedforthe
        applying for and issuing a visa for the Schengen areas various preconditions

        value Member States must comply with this process.


The AP has thereby assessed the following provisions:

Explanation

The AVG contains the general legal framework for the processing of personal data
relevant standards from the AVG are:


Definitions
Article 4GDPR defines a number of basic concepts from data protection law that are used in this decision

have been applied. Specifically the notion “personal data198”, the processing of
personal data, the controller and the processor.






19Location:https://eur-lex.europa.eu/legal-content/NL/TXT/?uri=celex%3A32008R0767
19See Article 9 of the VIS Regulation
19See, for example, Articles1and47VISRegulation
19See, for example, Articles1and28VISRegulation
19Location:https://eur-lex.europa.eu/legal-content/NL/ALL/?uri=CELEX%3A32009R0810
19Article 1Visa Code: This Regulation establishes the procedures and conditions for the issuance of visas for transit through the
territory of the Member States or an intended stay in the territory of the Member States for a maximum of three months within a period
ofsix months.
19Article4,part1,2,7and8.



                                                                                           61/64,Date Unidentified

24 February 2022 [CONFIDENTIAL]


Principles

Article 5 GDPR describes a number of basic principles that must generally be met in order to
process personal data in accordance with the Regulation. In particular the principles
transparency, integrity, confidentiality play a role in this case. These principles from article 5 paragraph 1,
bottom and bottom f, of the AVG, are further elaborated by the more specific provisions in the AVG, in the

context of this Decree, in the specific legal framework with regard to
visa information systems.

Processing security

Article32AVGwrites-briefly-before the controller and the processor
must take appropriate technical and organizational measures in order to match the risk
to ensure the level of security. The general standards regarding the securing of
personal data in article 32 GDPR means that the controller, taking into account

with the state of the art, the implementation costs, as well as with the nature, scope, context and
processing purposes and in terms of probabilities and serious risks to the rights and
freedomsofpersons,shouldtakeappropriatetechnicalandorganizationalmeasuresonthe
risk-adjusted security level.


The term 'appropriate' also indicates a proportionality between security measures and the nature of
the data to protect. The more sensitive data is, or the context in which it
are used, mean a greater threat to privacy, become more serious
requirements for the security of this data. 199


To further determine which security measures are appropriate in most sectors
more specific standards for information security. The master relevant security standards for the
governmentarecontainedinTheBaselineInformationsecurityGovernment(BIO). 200TheBIOiswhole

structured according to NEN-ISO/IEC27001:2017, appendixAandNEN-ISO/IEC27002:2017.HetForum
Standardization has included these standards in the 'apply-or-explain' list of mandatory standards
for the public sector, according to the complyor explain principle. This means that the government
applied they are explicitly formulated reasons for not doing so.


The AP hereby notes that the Baseline information security government has been in effect since January 1, 2020.
are various baselines and standards from various public sectors united into an overarching standard
for the whole government. At the start of the investigation in 2019, the relevant security aspects were

further elaborated in the BaselineInformation SecurityNational Service (hereinafter: BIR).
based on the ISO27002 standards and valid until the end of 2019.

The APhasthestateofdataprocessingsecuritythroughthenational

visa information system also specifically tested against article 32, paragraph 2, VIS Regulation. This article looks at the
taking security measures, including a security plan. These provisions from the VIS


19Authority of Personal Data: Policy Rules for the Security of Personal Data, February 2013, page 10 and Parliamentary Papers II1997-1998, 25892,
2003, p.99.
  For the government, the Baseline Information Security Government (BIO) is the leading standard, in this case its predecessor is also the
ISO27000 standards in the field of information security. and the research up to the end of 2019. Both standards are based on the




                                                                                          62/64,Date Unidentified
February 24,2022 [CONFIDENTIAL]



Regulation is a lex specialist, of what is described in Article 32AVG as 'appropriate'
measures'.

The AP has considered the scope of this decision on the following aspects of this article
tested:
    - Article32,paragraph2,VISRegulationwritefirstbeforeasecurityplanmustbeto

        the confidentiality and integrity of data processing through NVISte
        guarantee.
    - Member States must take measures to protect data physically, including
        drawing up emergency plans for the protection of critical infrastructure, according to article 32 paragraph 2
        suba,VISRegulation.

    - According to article 32, paragraph 2, under f, VIS Regulation, Member States must take measures to
        ensure that those who are authorized to consult the VI only have access
        to the data to which their access authorization relates, and only with
        personal and unique user identities and secret access procedures (control of the
        access to the data) This means that an appropriate authorization policy must be in place for the
        access to NVIS and that the roles assigned in that framework must be managed.

    - To monitor in the organization which persons can qualify for authorizations
        for the use of NVIS, article 32, paragraph 2, subject, VISOrdinanceasadditionalguarantee
        that all authorities with right of access to the VIS draw up personnel profiles in which the tasks
        and responsibilities are described of the persons authorized to transfer data in
        to view, record, update, delete, and search. These profiles must be
        can be made available to the AP without delay upon request.

    - Article 32, paragraph 2, sub i, VIS Regulation prescribes that each Member State with regard to
        its national system, adopts the necessary measures to ensure that it is possible to
        to check and determine which data are in the VIS, when, by whom and for what purpose
        processed. That means BZ must keep log files.
    - In article32, paragraph 2, subparagraph, VIS Regulation it is determined that the efficiency of the

        security measures is checked and related to this internal control the
        necessaryorganizationalmeasuresaretakentoensurethattheregulations
        of this Regulation are complied with (checking the log files).
        security regulations of article 32 AVG.

Integrity in the processing of visa information

Article 28(5) VIS Regulation prescribes that personnel who want to process data that are in the VIS
stored,received the same trainingontherulesofdatasecurityand
protection.Only after receiving this training, can personnel be authorized to enter the VIS
to process stored data. This article can be seen as a concrete elaboration of the
principle of integrity, which is laid down in article 5 paragraph 1, sub f, GDPR. Based on this principle, a
controllerorganizationalguaranteesimplementandensureintegrity

and confidentiality of data processing.

Providing information to the person concerned
Being transparent about data processing is, as mentioned above, one of the general
principles for proper data processing. Informing the data subject about a




                                                                                         63/64,Date Unidentified
24 February 2022 [CONFIDENTIAL]



data processing contributes to transparency. In this context, article 13 AVG and in particular article 37
VISRegulationrelevant.Article 37VISRegulation is a specialization of what is

laid down in article 13 AVG. The AP has checked whether at the start of the procedure for applying for
aSchengen visa is satisfied with the obligation to provide adequate information about it to the
person who is applying for a visa.


This produces the following picture of relevant norms, arranged from general to specific for the
visa process.


Figure 1: Schematic representation of the legal framework:
 General Special 
 Confidentialities and Data Security Security Plan: BIO Version 1.0.4, Part2, Chapter 5
 integrity of NVIS: Art32lid2 preambleVISVo (p.27):
 data processing Art.32lid2VISVo standardssubsection 5.1.

 Art5lid1(f)AVG
 Art24AVG
 Art.32AVG
                                                  Physical Security: BIOversion1.0.4,part2,chapter
                                                  Art32lid2subaVISVo 11(p.43):

                                                                            standardssubsection 11.1and
                                                                            11.2.
                                                  Access rightsand BIOversion1.0.4,part2,chapter9
                                                  personnel profiles (p.37):
                                                  Art6lid1VISVo standardssubsection9.2.
                                                  Art32lid2subfenkjo

                                                  VISVo
                                                  ArtArt32lid2subgVIS
                                                  fo.
                                                  Logging(internal BIOversion1.0.4,part2,chapter
                                                  control): 12(p.50):
                                                  Art32lid2 subf, ienk standards subsection 12.4.

                                                  VISVo.
                                                  Security Incidents BIO version 1.0.4, part2, chapter
                                                  (internal control): 16(p.63):
                                                  Art32lid2subc,think standardsundersection16.1.
                                                  VISVo.

 Art.5lid1(f)(guarantee Training staff
 intheorganizationon regarding
 area of data protection integrity:
 confidentiality) Art28lid5VisVo
                          Art38lid3Visa code.
 Information to Upright Information:

 data subjects Art.37VISVo.
 Art.5lid1(a)GDPR
 Art.13AVG








                                                                                                  64/64