AP (The Netherlands) - 4.02.2021

From GDPRhub
 
Latest revision as of 17:07, 12 December 2023

AP (The Netherlands) - Orthodontiepraktijk
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 8 GDPR
Article 9 GDPR
Article 32 GDPR
Regeling gebruik burgerservicenummer in de zorg
Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg
Type: Complaint
Outcome: Upheld
Started:
Decided: 10.06.2021
Published: 04.02.2021
Fine: 12000
Parties: n/a
National Case Number/Name: Orthodontiepraktijk
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Autoriteit Persoonsgegevens (in NL)
Initial Contributor: n/a

The Dutch DPA fined an unnamed orthodontic practice €12,000 for failing to implement appropriate technical and organisational measures to secure personal data, including that belonging to children, on its website.

English Summary

Facts

The Dutch DPA ('AP') received a complaint stating that the registration form on the website of an unnamed orthodontic practice ('the practice') requested personal data from new patients, including name, address, date of birth, telephone numbers, the citizen service number (BSN, often rendered as social security number) and health-related data. The complainant alleged that this data was not adequately secured, because it was transmitted unencrypted.

In response to the complaint the DPA opened an investigation, in the course of which it visited the website and took screenshots. The AP also wrote to the practice requesting information, which the practice provided in a series of letters.

During its investigation the DPA observed, among other things, that the page-information window for the practice's website displayed, under the heading "Technical details", the message "Not encrypted connection". The DPA also established technically that communication with the website, including submission of the completed registration form, took place over an unencrypted and therefore unsecured connection: the site had no TLS certificate and consequently did not use HTTPS. Between July 2018 and June 2019 the practice received at most ten online registrations through this form.

Pursuant to Article 32(1) GDPR, controllers are obliged to take appropriate technical and organisational measures to protect the processing of personal data against, inter alia, loss or unlawful processing. These measures must guarantee an appropriate level of security, taking into account the state of the art, the costs of implementation, the risks involved in the processing and the nature of the data to be protected.

Further, in the Netherlands, healthcare providers processing patients' citizen service numbers (BSN) must also comply with NEN 7510, the information security standard for healthcare. The obligation to comply with this standard follows from Article 2 of the Regulations on the use of the citizen service number in healthcare ('Regeling gebruik burgerservicenummer in de zorg'), read in conjunction with Article 8 of the Act on additional provisions for the processing of personal data in healthcare ('Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg'). Sections 10.1.1 and 13.2.1 of NEN 7510 (as elaborated in NEN 7510-2) provide that healthcare providers should develop and implement a policy on the use of cryptographic controls, and should consider cryptographic techniques when storing and transmitting information, in order to protect its confidentiality, integrity and authenticity.

The practice took the old website offline on 29 May 2019. The renewed website, which the AP visited on 4 July 2019, uses an encrypted connection and no longer offers an online registration form at all; registration is now done via a downloadable PDF form. The practice argued that the developer of the old website had never pointed out the possibility of an encrypted connection, and that had it known of this possibility it would certainly have used it. It also argued that it had actively tried to comply with the GDPR by having an audit carried out every two years by a certification body designated by the Dutch Association of Orthodontists. The latest audit report, from 2017, showed that the website had been reviewed without comment. The practice also stated that, to its knowledge, no damage had been suffered as a result of the lack of encryption.

Holding

The DPA identified a violation of Article 32 GDPR.

It stated that the lack of encryption of the data transmitted via the form created an increased risk of a "man-in-the-middle" attack, in which information sent by the patient is intercepted and read and/or modified without either the sender or the recipient noticing. It held that this risk is particularly severe in the present case, as the patients of an orthodontic practice are generally children. Moreover, the DPA highlighted that not only the BSN but also health data, which is special category data under the GDPR, was transmitted. It balanced this against the very low cost of an encrypted connection: a TLS certificate can be obtained free of charge, and installing or renewing it is a short job involving only labour costs. It concluded that the practice had not taken appropriate technical and organisational measures to secure the personal data, in violation of Article 32(1) GDPR, and took the provisions of NEN 7510 (sections 10.1 and 13.2) into account in reaching this conclusion.
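The finding rests on a check that is easy to automate, and the same check covers both the facts the AP established (an HTTP-only site with a registration form) and the man-in-the-middle exposure described above. The script below is an added example written for this page; it is not code from the AP, GDPRhub or the practice. It parses a page's HTML for forms, resolves each form's action against the page URL, and flags any form whose submission would leave over plain HTTP. It also treats a form on an HTTP-delivered page as exposed even when its action is HTTPS, because an on-path attacker can rewrite the form before the browser submits it. The sample page, the `orthodontist.example` and `forms.example` URLs and the field names are constructed for the example, and the list of sensitive field-name hints is an assumption chosen to match the data the decision lists (BSN, date of birth, general practitioner, dentist).

```python
"""Audit HTML forms for personal data that would be submitted over plain HTTP.

Added example for this page; not code from the AP or the orthodontic practice.
The sample page, URLs and field names below are constructed (assumptions).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Name fragments that mark fields the decision treats as sensitive: BSN /
# citizen service number, date of birth, and health-related fields such as
# the general practitioner or dentist. Assumed list; extend per site.
SENSITIVE_HINTS = ("bsn", "burgerservice", "geboorte", "birth", "dob",
                   "huisarts", "tandarts", "medic", "gezondheid", "health")


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and named input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower() or "get",
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            if name and a.get("type", "").lower() not in ("submit", "button"):
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form, rating the exposure of its submission."""
    collector = FormCollector()
    collector.feed(html)
    collector.close()
    page_plain = urlsplit(page_url).scheme.lower() != "https"
    findings = []
    for form in collector.forms:
        # A relative action inherits the page's scheme, so an HTTP page with
        # action="aanmelden.php" submits over HTTP.
        target = urljoin(page_url, form["action"])
        action_plain = urlsplit(target).scheme.lower() != "https"
        reasons = []
        if action_plain:
            reasons.append("form action is HTTP: submission readable and modifiable in transit")
        if page_plain:
            # Even an HTTPS action does not help if the page itself arrived over
            # HTTP: an on-path attacker can rewrite the action before submission.
            reasons.append("page served over HTTP: form can be altered in transit")
        sensitive = [f for f in form["fields"]
                     if any(h in f.lower() for h in SENSITIVE_HINTS)]
        if reasons and sensitive:
            risk = "HIGH"
        elif reasons:
            risk = "MEDIUM"
        else:
            risk = "OK"
        findings.append({"action": target, "method": form["method"],
                         "plaintext": bool(reasons), "reasons": reasons,
                         "sensitive_fields": sensitive, "risk": risk})
    return findings


# Constructed sample resembling the registration form described in the decision.
SAMPLE_URL = "http://orthodontist.example/aanmelden"
SAMPLE_HTML = """
<html><body>
<form action="aanmelden.php" method="post">
  <input name="naam"> <input name="geboortedatum"> <input name="bsn">
  <input name="telefoon_ouders"> <input name="huisarts">
  <input type="submit" value="Verzenden">
</form>
<form action="https://forms.example/contact" method="post">
  <input name="email"> <textarea name="bericht"></textarea>
</form>
<form action="/nieuwsbrief" method="get">
  <input name="email">
</form>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f["risk"], f["method"].upper(), f["action"], f["sensitive_fields"], f["reasons"])
```

Run against the constructed sample, the registration form rates HIGH (relative action on an HTTP page, carrying BSN, date of birth and GP fields), while the contact form with an HTTPS action still rates MEDIUM because the page that delivered it was not protected. Re-running with the page URL changed to `https://` rates all three forms OK, which is the state the practice reached by moving the renewed site to an encrypted connection.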

The DPA also held that the fact that the practice was not aware of any damage resulting from the lack of encryption does not alter the fact that insufficient technical and organisational security measures were implemented.

The AP considered a fine of €12,000 appropriate and necessary for the violation. It applied the lowest penalty category, category I, under the Penalty Policy Rules 2019 ('Boetebeleidsregels 2019'). The base fine for this category is €100,000, which the AP can adjust to the specific case; here it saw reason to reduce the fine to €12,000 in accordance with the principle of proportionality.

The practice objected to the fine. The AP declared the objection unfounded; that decision on the objection is open to appeal before the court.

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Autoriteit Persoonsgegevens
PO Box 93374, 2509 AJ The Hague
Bezuidenhoutseweg 30, 2594 AV The Hague
T 070 8888 500 - F 070 8888 501
autoriteitpersoonsgegevens.nl

Confidential / Registered
[CONFIDENTIAL]

Date: February 4, 2021
Our reference: [confidential]

                                 Contact

                                 [confidential]


Subject: Decision to impose an administrative fine


Dear [the person concerned],


The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, hereinafter: AP) has decided to impose an administrative fine of €12,000.00 on you. The AP is of the opinion that, in any case in the period from 1 July 2018 to 29 May 2019, you did not comply with your obligation to take appropriate technical and organisational measures when processing personal data (Article 32(1) of the General Data Protection Regulation, hereinafter: GDPR).

The decision is explained below. Section 1 contains an introduction. Section 2 deals with the processing, the controllership and the violation found. Section 3 discusses the AP's power to impose a fine and the amount of the fine. Section 4, finally, contains the decision (the operative part) and the remedies clause.


1 Introduction

1.1. About the offender

The business "[company]" is run by [the person concerned]. The website of the orthodontic practice states that the practice has eleven employees in addition to [the person concerned] as orthodontist. The practice is located at [address] and the business is registered in the trade register of the Chamber of Commerce under number [Chamber of Commerce number].










1.2. Reason for and course of the investigation

On 27 November 2018, the AP received a complaint as referred to in Article 77 GDPR. According to the complaint, sensitive data such as the citizen service number (hereinafter: BSN) was requested via the registration form on the website of the orthodontic practice, but that data was then sent unencrypted.

On 26 February 2019, the AP visited the website of the orthodontic practice and took screenshots.

By letter dated 29 May 2019, the AP requested information from [the person concerned]. [The person concerned] replied by letter dated 4 June 2019.

On 4 July 2019, the AP again visited the website of the orthodontic practice and took screenshots.

By letter dated 12 August 2019, the AP requested further information from [the person concerned]. [The person concerned] responded by letter dated 19 August 2019.

The findings and conclusions of the investigation were recorded in a report dated 27 August 2019.

By letter dated 12 September 2019, the AP sent the investigation report to [the person concerned], stated its intention to impose an administrative fine and gave [the person concerned] the opportunity to submit a view on it.

By letter dated 7 October 2019, supplemented by letters dated 9 and 12 December 2019, [the person concerned] submitted her view.

2. Assessment

The relevant laws and regulations are listed in the appendix to this decision.

2.1. Processing of personal data

At the time of the complaint, the website of the orthodontic practice contained a registration form for new patients. The form contained fields for, among other things, name and address details, date of birth, BSN, telephone numbers of the patient and the parents, and information about the school, general practitioner, dentist and insurance company. This data concerns information about an identified or identifiable natural person and thus constitutes personal data as referred to in Article 4(1) GDPR.










It follows from the letter of [the person concerned] dated 19 August 2019 that after the form was sent, the completed data was stored online. The orthodontic practice received a notification of the new registration by e-mail. An employee of the practice logged on to the website, opened the data of the registration, created a new patient in the practice's own patient file and then deleted the data stored online, according to [the person concerned]. This processing as a whole, but also every part of it, including collecting, storing and destroying the data, is a processing of personal data as referred to in Article 4(2) GDPR.


2.2. Controller

[The person concerned] determines the purposes and means of the processing of personal data. After all, the registration form serves to obtain from new patients of her orthodontic practice, which she runs as a sole proprietorship, the data required for the treatment and for its financial processing. [The person concerned] is therefore the controller as referred to in Article 4(7) GDPR.


2.3. Violation of the security of processing

2.3.1. Introduction

The controller is obliged under Article 32(1) GDPR to take appropriate technical and organisational measures to protect the processing of personal data against, among other things, loss or unlawful processing of the data. These measures must ensure an appropriate level of security, taking into account the state of the art, the implementation costs, the risks of the processing and the nature of the data to be protected.

The question whether the controller has taken the measures referred to in Article 32(1) GDPR is assessed in the present case as follows. Processing of a patient's BSN by a healthcare provider must comply with NEN 7510, an information security standard for healthcare. The obligation to comply with this standard follows from Article 2 of the Regulations on the use of the citizen service number in healthcare, read in conjunction with Article 8 of the Act on additional provisions for the processing of personal data in healthcare.[1] Also outside this legal obligation concerning the BSN, NEN 7510 is the generally accepted security standard in healthcare.[2] NEN 7510 is further elaborated in NEN 7510-1 and NEN 7510-2.


Chapter 10 of NEN 7510-2 discusses controls relating to cryptography. These controls are aimed at ensuring correct and effective use of cryptography in order to protect the confidentiality, authenticity and/or integrity of information. Section 10.1.1 states that, to protect information, a policy for the use of cryptographic controls should be developed and implemented. These controls may be used, among other things, to ensure confidentiality by applying encryption to protect sensitive or critical information during storage or transmission.

[1] Article 8(1) of this Act relates to the provision of care. It follows from Article 1(b) of that Act that financial-administrative settlement is also part of this. That settlement begins with the submission of the required data, such as the BSN. Compare the legislative history of this provision (Parliamentary Papers II 2005/06, 30 380, no. 3, p. 20).
[2] Compare the CBP Guidelines for the security of personal data (Government Gazette 2013, no. 5174, p. 11).


Chapter 13 of NEN 7510-2 deals with controls relating to communications security. Section 13.2 contains controls relating to the transfer of information. The purpose of these controls is to maintain the security of information exchanged within an organisation and with an external entity. Section 13.2.1 states that when communication facilities are used for transferring information, consideration must be given to the use of cryptographic techniques, for example to protect the confidentiality, integrity and authenticity of the information.


With regard to the state of the art in cryptographic techniques, it is further relevant that the National Cyber Security Centre (hereinafter: NCSC) also points out on its website the importance of protecting communication when sensitive information is sent over a connection.[3] According to the NCSC, TLS (Transport Layer Security) is the most commonly used protocol for securing connections on the internet. TLS is applied to web traffic via the HTTPS protocol, using a TLS certificate.

A TLS certificate can be obtained free of charge,[4] although costs are as a rule incurred to have an IT professional install the certificate on the server, or renew it once its validity period has expired. These are short operations that involve only labour costs.

2.3.2. Facts

[The person concerned] has stated that the website of the orthodontic practice went online on 4 June 2010.[5] Because a new website was being worked on at the time of the AP's first request for information, the website existing at that time is referred to below as the 'old website'.

The AP visited the website, which has since been replaced by another, on 26 February 2019. It noted that the website, as stated, contained a form for the registration of new patients. This form contained fields for, among other things, contact details of the patient and of the patient's parents, and the BSN. The AP also noted that at the time of the visit the website did not use an encrypted connection at all. This is apparent from the screenshots in appendix 9 of the investigation report, an excerpt of which is included below:


[3] https://www.ncsc.nl/subjects/connection security.
[4] For example from the non-profit certificate authority Let's Encrypt, <https://letsencrypt.org/>. There are certificate authorities that offer expensive certificates (Extended Validation, or EV). Such certificates provide more information about the party to whom the certificate is issued, but do not lead to different or better encryption of the exchanged information.
[5] Letter dated 19 August 2019, appendix 8 to the investigation report.



Figure 1: Excerpt of the page-information window for the website [url].


In the window shown, under the heading "Technical details", the message "Unencrypted connection" appears. This message reads: "The website [url] does not support encryption for the page you are viewing. Information sent over the Internet without encryption can be seen by other people while it is in transit."

[The person concerned] acknowledged that the old website did not use an encrypted connection.[6] According to [the person concerned], the developer of the old website never pointed out that possibility to her, otherwise she would have made use of it.

It follows from the letter of [the person concerned] dated 19 August 2019 that when a form was submitted, the data was stored on the web server on which the old website ran, and the practice received a notification of this. After logging on to the website, the stored data was viewed, transferred into the practice's administration and finally removed from the web server. Between July 2018 and June 2019 the practice received no more than ten online registrations, according to [the person concerned].

[6] View of 7 October 2019 on the intention to impose an administrative fine.







[The person concerned] had the old website taken offline on 29 May 2019.[7]

On 4 July 2019, the AP visited the website of the orthodontic practice again and noted that the website, now renewed, did use an encrypted connection but no longer contained an online registration form. Instead, a registration form is now offered as a PDF file, which can be downloaded, printed, filled in and handed in at the practice.


2.3.3. Assessment

The question whether [the person concerned] has taken the appropriate technical and organisational measures referred to in Article 32(1) GDPR must, as stated under 2.3.1, be answered on the basis of NEN 7510. This NEN standard is mandatory for the use of the BSN and is also the generally accepted security standard in healthcare.

The AP notes that the old website of the orthodontic practice did not have a TLS certificate and consequently did not use the HTTPS protocol. Communication with the website, including the sending of a completed registration form, therefore took place over an unencrypted and thus unsecured connection. As a result, offering the registration form entailed an increased risk of a "man-in-the-middle attack", in which information sent is intercepted and read and/or modified without the sending and receiving party noticing. It is thus established that [the person concerned] did not take any controls with regard to communications security. That is not in accordance with the provisions of NEN 7510 (including sections 10.1 and 13.2).

It should be borne in mind that the patients of an orthodontic practice are usually minor children. This follows from the nature of the treatment, the fields of the registration form (which asks for the parents' details) and the visual material on the website of the orthodontic practice. It is therefore the data of these minor children that was sent over the unencrypted, unsecured connection. In addition, it concerns not only the BSN, but also data that is closely related to the health of the patient concerned.

In view of the sensitive nature of the data that could be sent via the registration form on the one hand, and the state of the art and the associated very low implementation costs of an encrypted connection on the other, the conclusion is that [the person concerned] did not take appropriate technical and organisational measures to protect the processing of personal data against loss or unlawful processing. She has thereby violated Article 32(1) GDPR.





[7] Letter dated 19 August 2019, appendix 8 to the investigation report.







2.3.4. ViewsandreactionAP


      In its view, [the person concerned] intends to impose an administrative fine on the
      next brought forward.

The developer of the old website never pointed out to [the person concerned] the possibility of an encrypted connection. Had she known about it, she would certainly have used it. Moreover, she has actively tried to comply with the GDPR, by having an audit carried out every two years by a certification bureau designated by the Dutch Association of Orthodontists. Privacy is part of the audit. The latest report, dated June 2017, shows that the website was reviewed and that no comments were made. The same certification agency provided a step-by-step plan in March 2018 to comply with the GDPR. [The person concerned] has completed this plan point by point, and although attention is paid in it to privacy and information security, there is no mention that the website must use an encrypted connection. Furthermore, [the person concerned] is visited every five years by fellow orthodontists. Nor did the last visitation report indicate the lack of an encrypted website connection. No one has complained to [the person concerned] about the security and, as far as she knows, no damage has been suffered. Finally, [the person concerned] took the old website offline immediately and instructed that the new website be better secured.

This view does not lead the AP to a different position on the violation found. An audit by a certification agency, a step-by-step plan in preparation for the application of the GDPR and a peer review do not release [the person concerned], as controller, from the obligation laid down in Article 32, first paragraph, of the GDPR to take the technical and organizational measures referred to in that provision. That others did not point this out to her, while she assumed that this would happen where necessary, does not absolve her of her own responsibility to actively ensure technically secure processing of personal data. An organization that processes data of a sensitive nature, much of it concerning children, over the internet has a great responsibility to ensure that such data is also sent safely over the internet. Incidentally, the contents of the audit report and the report of the peer review do not show that, in the context of the audit and visitation, attention was paid to the protection of personal data. That no one has complained to [the person concerned] and that no damage is known to her also does not alter the fact that she did not take sufficient technical and organizational security measures.


2.3.5. Conclusion

In view of the foregoing, the AP is of the opinion that [the person concerned] violated Article 32, first paragraph, of the GDPR from May 25, 2018 (when the GDPR became applicable) until May 29, 2019, because the website of the orthodontic practice offered a registration form that did not use an encrypted connection while that form was intended to exchange sensitive data.










3. Administrative fine

3.1. Power of the AP to impose an administrative fine


Under Article 58, second paragraph, preamble and under i, read in conjunction with Article 83 of the GDPR, the AP is authorized to impose an administrative fine. According to Article 83, first paragraph, an imposed fine must in each case be effective, proportionate and dissuasive. It follows from the fourth paragraph of that provision that breaches of the obligations of the controller (including those mentioned in Article 32 of the GDPR) are subject to fines up to €10,000,000.00 or, for a company, up to 2% of the total worldwide annual turnover in the previous financial year, if this figure is higher.


Pursuant to Article 14, paragraph 3, of the Implementing Act of the General Data Protection Regulation (hereinafter: UAVG), the AP may, in the event of a violation of the provisions referred to in Article 83, fourth, fifth or sixth paragraph, of the GDPR, impose an administrative fine of at most the amounts mentioned in those paragraphs.


In exercising its power to impose an administrative fine, the AP applies the Fines Policy Rules of the Dutch Data Protection Authority 2019 (hereinafter: Fines Policy Rules 2019).8

3.2. Fines Policy Rules of the Dutch Data Protection Authority 2019


The relevant provisions of the Fines Policy Rules 2019 are listed in the appendix to this decision. The system of the Fines Policy Rules 2019 is as follows.


The violations for which the AP can impose a fine up to the amount stated above are categorized in the Fines Policy Rules 2019 into three fine categories. These categories are ordered by the gravity of the violation of the articles mentioned, whereby category I contains the least serious violations and category III the most serious violations. Increasing fine bandwidths are linked to the categories. This follows from Article 2, under 2.1 and 2.3, of the Fines Policy Rules 2019.


Category I: fine bandwidth between €0 and €200,000; basic fine: €100,000
Category II: fine bandwidth between €120,000 and €500,000; basic fine: €310,000
Category III: fine bandwidth between €300,000 and €750,000; basic fine: €525,000

According to Article 6 of the Fines Policy Rules 2019, the AP determines the amount of the fine by adjusting the basic fine upwards or downwards, depending on the extent to which the factors mentioned in Article 7 give cause to do so. Under Article 8, it is possible to apply the bandwidth of the next higher or next lower category if the fine category determined for the infringement does not allow an appropriate sanction in the specific case.



8 Published in Stcrt. 2019, 14586, March 14, 2019.







3.3. Fine amount

The AP considers a fine of €12,000.00 to be appropriate and necessary for the violation found. This is substantiated in the following paragraphs. First of all, the AP sees reason to apply the lower fine category I. There are no fine-reducing or fine-increasing factors that require adjustment of the basic fine of €100,000.00 for that fine category. The culpability of the conduct also does not give rise to this. On the basis of the principle of proportionality, the AP sees reason to moderate the fine to the aforementioned amount.


3.3.1. Fine category and basic fine

The violation of Article 32 of the GDPR (security of processing) is, according to Annex 1 to the Fines Policy Rules 2019, classified in category II. As follows from the table above, a fine bandwidth of €120,000.00 to €500,000.00 and a basic fine of €310,000.00 apply to this category. In this case, this fine bandwidth and basic fine cannot lead to an appropriate sanction for the violation found. In this respect, the AP takes into account that the investigation concerned the violation with regard to the registration form on the practice's website, and not the patient administration as such. Technically, the registration form forms a separate system from that administration. The AP therefore applies, under Article 8 of the Fines Policy Rules 2019, category I (for which a fine bandwidth of €0.00 to €200,000 and a basic fine of €100,000.00 apply), and also within that category the fine is moderated on the basis of what is considered in this and the following paragraphs.

The basic fine is based on a neutral starting point, and should be increased or decreased insofar as the factors mentioned in Article 7 of the Fines Policy Rules 2019 give rise to this. The amount of the fine must be proportionate and attuned to the seriousness of the violation and to the extent to which it can be blamed on the offender (compare Articles 3:4 and 5:46 of the General Administrative Law Act; hereinafter: Awb). The factors mentioned in Article 7 give rise to the following observations. The factors not discussed are not applicable in this case.


a. Nature, seriousness and duration of the infringement

According to [the person concerned], the website with the registration form went online on October 27, 2010 and was taken offline on May 29, 2019. Although the form was available for use for eight years and seven months, the AP's investigation focused on the period from May 25, 2018 to May 29, 2019. In doing so, the AP aligns with the date on which the GDPR became applicable. That means that the violation, insofar as it is taken into account, lasted approximately one year.9 The AP takes into account that the violation was structurally of long duration, all the more so because [the person concerned] was, before the application of the GDPR, also obliged on the basis of the Personal Data Protection Act to ensure an appropriate level of security. That obligation did not arise only when the GDPR became applicable.

9 Article 13 of the Personal Data Protection Act (hereinafter: Wbp) is materially comparable to Article 32, first paragraph, of the GDPR: both provisions oblige the taking of technical and organizational measures to ensure an appropriate level of security. The interpretation of Article 13 of the Wbp is no different from that of Article 32 of the GDPR, as described in paragraphs 2.3.2 and 2.3.3. In the period that the Wbp applied, [the person concerned] was therefore also in violation.

The AP holds it against [the person concerned] that she, as a professional healthcare provider, did not in the run-up to the period examined take care of the appropriate technical and organizational measures referred to in Article 32, first paragraph, of the GDPR, through a correct implementation of NEN7510. For the BSN, she was obliged to do so on the basis of the Regulation on the use of the citizen service number in healthcare. For the other data that were sent via the form, NEN7510 contains the security standards generally accepted in healthcare. [The person concerned] should have been aware of this by virtue of her capacity as a healthcare provider.

[The person concerned] has, moreover, not only created the theoretical possibility that the form was used to transmit sensitive data over an unsecured connection; after all, it is established that the form was actually used, so that the interest that the violated standard was intended to protect has actually been put at risk. Although the exact number of submissions of the form can no longer be determined, the AP considers it not improbable that the form was also used when the Wbp was applicable, when an appropriate level of security was already required.


The AP holds it against [the person concerned] that the violation lasted a long time and was contrary to the norms that apply specifically to her profession (healthcare). That the violation also actually led to the possibility of sending sensitive data over an unsecured connection, the AP considers extra serious.

g. The categories of data to which the infringement relates


First of all, the BSN was requested via the registration form. That in itself is already sensitive, but this is all the more true if the data is viewed in conjunction with the other data requested. The sensitivity is also apparent from the legal obligation to comply with NEN7510. Viewed together, the data provide so much information about the patient to be registered that the risk of identity fraud exists if the data were intercepted. This also takes into account that it often concerned the data of minors, as stated in paragraph 2.3.3.


Furthermore, the other data requested are likewise sensitive, because they relate to the health of the patient to be registered. This also applies to the registration with an orthodontist as such. The AP has not investigated, partly because the processing no longer takes place, whether this qualifies as special personal data as referred to in Article 9 of the GDPR, but confines itself to the finding that the form was used to send sensitive data.

The AP holds it against [the person concerned] that the violation relates to sensitive data of minors.








Increase or decrease of the basic fine


In view of the foregoing, the AP sees in the factors listed in the Fines Policy Rules 2019, to the extent applicable in the present case, no reason to reduce the basic fine. An increase of the fine amount is also not at issue.


3.3.2. Culpability of the conduct


On the basis of Article 5:46, second paragraph, of the Awb, the AP takes into account, when imposing an administrative fine, the extent to which the violation can be blamed on the offender. Because this case concerns an infringement, it is, according to established case law, not required for the imposition of an administrative fine that intent is shown; the AP may presume culpability once it is established that she committed the infringement.10


As stated in paragraph 2.3.4, [the person concerned] has, in her view, pointed to an audit report, a step-by-step plan in preparation for the GDPR and a report of a peer visitation. According to [the person concerned], none of these documents pointed to the shortcoming with regard to the online registration form. Insofar as [the person concerned] means that this is a matter of reduced culpability, the AP does not follow her. As a healthcare provider she should have been familiar with the security standards applicable to healthcare. The fact that others did not point out the shortcoming to her does not alter her own obligations as controller.

Now that the violation can be fully blamed on [the person concerned], the culpability of the violation is no reason to reduce the amount of the fine.

3.3.3. Proportionality


Finally, the AP assesses on the basis of Articles 3:4 and 5:46 of the Awb (principle of proportionality) whether the application of its policy for determining the amount of the fine, given the circumstances of the concrete case, leads to a disproportionate outcome.

In the light of the proportionality of the imposition of the fine, the AP considers it important that the violation, as stated in paragraph 3.3.1, concerns the non-secure use of a registration form on the website of the practice, and not the entire patient administration. The AP received one complaint about the use of the unsecured connection. The AP received no signals about the patient administration itself and therefore did not conduct any investigation into it. Furthermore, the use of the registration form remained limited in the period taken into account.


10 Compare the rulings of the CBb of 29 October 2014 (ECLI:NL:CBB:2014:395, para. 3.5.4), 2 September 2015 (ECLI:NL:CBB:2015:312, para. 3.7) and 7 March 2016 (ECLI:NL:CBB:2016:54, para. 8.3). Also compare the rulings of the Administrative Jurisdiction Division of 29 August 2018 (ECLI:NL:RVS:2018:2879, para. 3.2) and 5 December 2018 (ECLI:NL:RVS:2018:3969, para. 5.1). Finally, see Parliamentary Papers II 2003/04, 29 702, no. 3, p. 134.








In addition, it is important that the company of [the person concerned] must be counted among small and medium-sized enterprises (SMEs). Also, given the low cost associated with secure transmission of a form (compare paragraph 2.3.1), it is not plausible that financial gains were made or losses avoided as a result of the violation.

In all the circumstances mentioned, the AP sees reason to moderate the basic amount of €100,000.00. The AP considers, also in view of the seriousness of the violation, the capacity of the company and the target group whose personal data are processed, a fine of €12,000.00 to be appropriate.


Finally, the AP must consider whether what [the person concerned] has put forward in her view on the intention to impose a fine is reason to assume that this fine would lead to a disproportionate outcome.


[The person concerned] has stated in her view that she would never be able to pay a fine of the basic amount of fine category II (€310,000.00). She has submitted a provisional income tax assessment for 2018. However, as stated in paragraph 3.3.1, fine category II is not applied, but fine category I. The corresponding basic amount is, moreover, moderated to €12,000.00. It does not follow from the documents submitted by [the person concerned] that this fine would have disproportionate consequences, for example because the continued existence of the orthodontic practice would be threatened. The AP therefore sees no reason in the financial capacity of [the person concerned] to further moderate the fine.

3.4. Conclusion


The AP sets the fine for the violation of Article 32, first paragraph, of the GDPR, in view of the foregoing, at €12,000.00.

























4. Dictum


Fine
The AP imposes on [the person concerned], acting under the name of [company], for violation of Article 32, first paragraph, of the GDPR, an administrative fine amounting to €12,000.00 (in words: twelve thousand euros).11



Yours sincerely,

Dutch Data Protection Authority,

drs. C.E. Mur
board member


Remedies clause
If you do not agree with this decision, you can submit a notice of objection, digitally or on paper, to the Dutch Data Protection Authority within six weeks of the date of dispatch of the decision. Under Article 38 of the GDPR Implementation Act, the submission of an objection suspends the operation of the decision to impose the administrative fine. State at least the following in your notice of objection:


your name and address;
the date of your notice of objection;
the reference (case number) mentioned in this letter, or enclose a copy of this decision;
the reason(s) why you do not agree with this decision;
your signature.


You can submit the notice of objection digitally via the website. Go to www.autoreitinformatie.nl, and click at the bottom of the page, under the heading "Contact with the Data Protection Authority", on the link "Objection to a decision". From there, use the "Objection form".


      Do you prefer to send the notice of objection by post? Then you can send it to the following address:


Dutch Data Protection Authority
Legal Affairs & Legislative Advice Department, Objections Section
PO Box 93374
2509 AJ THE HAGUE




11 The AP will transfer the claim to the Central Judicial Collection Agency (CJIB).








APPENDIX – Legal framework


General Data Protection Regulation (GDPR)

Article 2 (Material scope)

1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
[…]


Article 3 (Territorial scope)
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
[…]


Article 4 (Definitions)
For the purposes of this Regulation:
1) "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2) "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
[…]

7) "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
[…]


Article 32 (Security of processing)
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
[…]

Article 58(Powers)

[…]
2. Each supervisory authority shall have all of the following powers to take corrective
     measures:

     […]
i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case; and
     […]

[…]

Article 83 (General conditions for imposing administrative fines)

1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard shall be given to the following:

a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentional or negligent character of the infringement;
c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
e) any relevant previous infringements by the controller or processor;
f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

[…]
4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
     […]

[…]

Implementing Act of the General Data Protection Regulation (UAVG)

Article 14 (Tasks and powers)
1. The Dutch Data Protection Authority is charged with performing the tasks and exercising the powers assigned to the supervisory authority by or pursuant to the Regulation.
[…]
3. The Dutch Data Protection Authority may, in the event of a violation of the provisions referred to in Article 83, fourth, fifth or sixth paragraph, of the Regulation, impose an administrative fine of at most the amounts mentioned in those paragraphs.

[…]











Supplementary Provisions for the Processing of Personal Data in Healthcare Act 12

Article 8
1. The healthcare provider records the client's citizen service number in his administration when recording data relating to the provision of care.
[…]

Article 10
By ministerial regulation, it can be determined which security requirements the data processing referred to in Articles 8 and 9 must meet.


Regulation on the use of the citizen service number in healthcare

Article 1
In this regulation, the following definitions apply:
a. Minister: Minister of Health, Welfare and Sport;
b. Act: Act on the use of the citizen service number in healthcare; 13
c. Decree: Decree on the use of the citizen service number in healthcare;
d. NEN: standard issued by the Netherlands Standardization Institute;
e. NEN7510: NEN7510 and its elaboration in NEN7511 and NEN7512;
[…]

Article 2
The data processing referred to in Articles 8 and 9 of the Act […] complies with NEN7510.


NEN7510-2: Medical informatics – Information security in healthcare – Part 2: Control measures

10.1.1 Policy on the use of cryptographic controls

Control measure
To protect information, a policy on the use of cryptographic controls should be developed and implemented.


[…]

The implementation of the cryptography policy should take into account the regulations and national restrictions that may apply to the use of cryptographic techniques in different parts of the world and to the issues of cross-border flows of encrypted information (see 18.1.5).

12 Until 1 July 2017, this act was called the Act on the use of the citizen service number in healthcare.
13 As stated in the footnote above, this act is now called the Supplementary Provisions for the Processing of Personal Data in Healthcare Act.


Cryptographic controls can be used to achieve various information security objectives, e.g.:

a) confidentiality: using encryption of information to protect sensitive or critical information, either during storage or in transit;
[…]

Other information
Decision-making on whether a cryptographic solution is appropriate should be seen as part of the wider process of risk assessment and selection of controls.
[…]

Specialist advice should be sought in selecting the appropriate cryptographic controls to meet the objectives of the information security policy.


13.2.1 Information transfer policies and procedures

Control measure
Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities.

Implementation guideline
The procedures and controls to be followed when using communication facilities for information transfer should consider the following items:

a) procedures designed to protect transferred information from interception, copying, modification, mis-routing and destruction;
[…]
f) use of cryptographic techniques, e.g. to protect the confidentiality, integrity and authenticity of information (see chapter 10);
[…]

HEALTHCARE-SPECIFIC IMPLEMENTATION GUIDELINE
Organizations should ensure that the security of such exchange of information is the subject of policy development and compliance audits (see chapter 18).
[…]













Fines Policy Rules of the Dutch Data Protection Authority 2019

Article 2. Classification of fine bandwidths into categories
2.1 The provisions for violations of which the Dutch Data Protection Authority can impose an administrative fine of up to €10,000,000 or, for a company, up to 2% of the total worldwide annual turnover in the previous financial year, if this figure is higher, are classified in Annex 1 in category I, category II or category III.
[…]
2.3 The Dutch Data Protection Authority sets the basic fine for violations to which a statutory fine maximum applies of €10,000,000 or, for a company, up to 2% of the total worldwide annual turnover in the previous financial year, if this figure is higher, or of €20,000,000 or, for a company, up to 4% of the total worldwide annual turnover in the previous financial year, if this figure is higher, within the following fine bandwidths:

Category I: fine bandwidth between €0 and €200,000; basic fine: €100,000
Category II: fine bandwidth between €120,000 and €500,000; basic fine: €310,000
Category III: fine bandwidth between €300,000 and €750,000; basic fine: €525,000
[…]
2.4 The amount of the basic fine is set at the minimum of the bandwidth plus half of the bandwidth of the fine category linked to a violation.

Article 6. The basic fine and a possible increase or reduction
The Dutch Data Protection Authority determines the amount of the fine by adjusting the amount of the basic fine upwards (up to the maximum of the bandwidth of the fine category linked to the violation) or downwards (to the minimum of that bandwidth). The basic fine is increased or decreased depending on the degree to which the factors mentioned in Article 7 give rise to this.

Article7.Relevant factors
Without prejudice to articles 3:4 and 5:46 of the General Law, administrative law keeps the Authority

Personal data account with the factors mentioned under ato and with k, insofar as it is concrete
case applicable:
a) the nature, seriousness and duration of the infringement, taking into account the nature, extent or purpose of

    the processing in question as well as the number of affected persons involved and the extent of the by them
    damages suffered;
b) the intentional or negligent nature of the infringement;
c) the measures taken by the controller or processor to limit the damage suffered by those involved;
d) the extent to which the controller or processor is responsible in view of the technical and organisational measures implemented by it in accordance with articles 25 and 32 of the General Data Protection Regulation;
e) previous relevant breaches by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and limit its possible negative consequences;

g) the categories of data to which the infringement relates;
h) the manner in which the supervisory authority became aware of the infringement, in particular whether, and if so to what extent, the controller or processor has reported the infringement;

i) compliance with the measures referred to in Article 58, paragraph 2, of the General Data Protection Regulation, to the extent that they have previously been taken against the controller or processor in question with regard to the same matter;
j) adherence to approved codes of conduct in accordance with article 40 of the General Data Protection Regulation or to approved certification mechanisms in accordance with article 42 of the General Data Protection Regulation; and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains made, or losses avoided, whether or not directly resulting from the infringement.

Article 8. Out-of-bandwidth and increased fine maximums for a company

8.1 If the fine category defined for the infringement does not allow an appropriate sanction in the specific case, the Data Protection Authority may, in determining the amount of the fine, apply the fine bandwidth of the next higher category or the fine bandwidth of the next lower category, respectively.


Appendix 1, associated with article 2

Violations with a statutory fine of a maximum of €10,000,000 or, for a company, up to 2% of the total worldwide annual turnover in the previous financial year, if this figure is higher:

 Legislative article | Description | Category
 General Data Protection Regulation
 […] | […] | […]
 Article 32 | Security of processing | II
 […] | […] | […]