AP (The Netherlands) - 24.03.2020
AP (The Netherlands) - CP&A
Authority: AP (The Netherlands)
Relevant law: Article 4(15) GDPR; Article 9 GDPR; Article 32 GDPR
Original source: Autoriteit Persoonsgegevens (in NL)
The Dutch DPA fined a maintenance company €15,000 for processing the health data of sick employees, and for failing to implement appropriate security measures regarding such processing.
English Summary
Facts
The Dutch DPA ('AP') received a notification on 11 January 2019 that CP&A was processing the health data of its employees. From this notification, the AP concluded that CP&A maintained an online register containing data on the cause of its employees' absenteeism. In response, it launched an ex officio investigation into CP&A's compliance with Article 9 and Article 32 GDPR. Since Article 9 GDPR prohibits the processing of special categories of data, including health data, the AP had to determine whether one of the exceptions in Article 9(2) GDPR applied. The AP also sought to determine whether CP&A had taken sufficient technical and organisational measures to ensure a level of security appropriate to the risk for the health data, as required by Article 32 GDPR.
Holding
The AP's investigation found that the relevant online register included employees' names, addresses, email addresses and social security number, which made employees directly identifiable. The register also included employees' reasons for absence (concerning both physical and mental health), including the names of illnesses, specific symptoms, and indications of pain. This constituted health data within the meaning of Article 4(15) GDPR. By digitally storing, updating, and making this data available, CP&A was processing health data.
The AP considered whether CP&A could process health data under the exception in Article 9(2)(b) GDPR, which permits processing that is necessary for carrying out the controller's rights or obligations in the field of employment law, insofar as this is authorised by Union or Member State law. In the Netherlands, Article 30(1) UAVG stipulates that the processing of personal data concerning health is permitted if it is necessary for the reintegration or guidance of employees in connection with illness or disability. With respect to reintegration, further details are provided in Section 658a(2) of Book 7 of the Dutch Civil Code, which requires employers to take the measures necessary to enable a sick employee to perform their work as soon as possible.
The AP found that processing the names of illnesses, specific symptoms and indications of pain is not necessary for the reintegration of employees within the meaning of Article 30(1) UAVG, so CP&A could not invoke the exception in Article 9(2)(b) GDPR. Since no other exception applied, CP&A's processing of the health data was unlawful.
With regard to Article 32 GDPR, the AP found that CP&A's security measures for the online register were inappropriate. In particular, the register was accessible without any form of authentication. Given the sensitive nature of the data and the fact that the health data was processed on the internet, CP&A should have taken further measures to mitigate the risk of unauthorised access to the data.
On account of the violations of Articles 9 and 32 GDPR, the DPA imposed a fine of €15,000.
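The failure the AP describes above is a file reachable through a sharing link with no authenticated identity behind it. The following added example (not part of the decision or of CP&A's own practice) shows how a defender can audit that condition from a file's permission list; it assumes the field shape of the Google Drive API v3 `permissions` resource (`type`, `role`, `allowFileDiscovery`, `id`), and the register entries below are constructed sample data.

```python
"""Classify how a shared file is exposed from its permission entries.

Assumed field shape (Google Drive API v3 permissions resource): each entry has
`id`, `type` (user / group / domain / anyone), `role`, and, for domain or
anyone entries, an `allowFileDiscovery` flag. Sample data is constructed.
"""

# Exposure levels, ordered from least to most exposed.
RESTRICTED = "restricted"      # only named users or groups
DOMAIN = "domain"              # every account in the organisation's domain
LINK = "anyone_with_link"      # no authentication: whoever has the URL
PUBLIC = "public"              # discoverable by search, no authentication
_ORDER = {RESTRICTED: 0, DOMAIN: 1, LINK: 2, PUBLIC: 3}


def classify_exposure(permissions):
    """Return the highest exposure level granted by any permission entry."""
    level = RESTRICTED
    for p in permissions:
        ptype = p.get("type")
        if ptype == "anyone":
            candidate = PUBLIC if p.get("allowFileDiscovery") else LINK
        elif ptype == "domain":
            candidate = DOMAIN
        elif ptype in ("user", "group"):
            candidate = RESTRICTED
        else:
            raise ValueError(f"unknown permission type: {ptype!r}")
        if _ORDER[candidate] > _ORDER[level]:
            level = candidate
    return level


def unauthenticated_permissions(permissions):
    """Ids of entries that grant access without any authenticated identity."""
    return [p["id"] for p in permissions if p.get("type") == "anyone"]


def audit_file(name, permissions, contains_health_data):
    """Decide whether a file needs remediation.

    Health data reachable by plain link sharing is always a finding; domain-wide
    sharing of health data is a finding too, because it grants access to every
    account in the organisation rather than to the staff who need it.
    """
    level = classify_exposure(permissions)
    finding = contains_health_data and level != RESTRICTED
    return {
        "file": name,
        "exposure": level,
        "finding": finding,
        # Entries to delete first: they are the ones with no identity at all.
        "remove_permission_ids": unauthenticated_permissions(permissions) if finding else [],
    }


# Constructed sample: an absenteeism register shared "anyone with the link"
# (reader), and the same register after restricting it to named accounts.
REGISTER_BEFORE = [
    {"id": "owner-1", "type": "user", "role": "owner", "emailAddress": "hr@example.invalid"},
    {"id": "anyone-1", "type": "anyone", "role": "reader", "allowFileDiscovery": False},
]
REGISTER_AFTER = [
    {"id": "owner-1", "type": "user", "role": "owner", "emailAddress": "hr@example.invalid"},
    {"id": "user-2", "type": "user", "role": "writer", "emailAddress": "hrm-manager@example.invalid"},
    {"id": "group-1", "type": "group", "role": "reader", "emailAddress": "regional-managers@example.invalid"},
]

if __name__ == "__main__":
    for label, perms in (("before", REGISTER_BEFORE), ("after", REGISTER_AFTER)):
        print(label, audit_file("absenteeism-register", perms, contains_health_data=True))
```

In practice the permission list comes from `files.get` with `fields="permissions(id,type,role,allowFileDiscovery)"`; the audit logic itself needs no network access.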
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Authority Personal data P.O. Box 93374, 2509AJ The Hague Bezuidenhoutseweg 30,2594AV The Hague T0708888500-F0708888501 authoritypersonal data.nl Confidential / Registered CP & AB.V. Attn the management P.O. Box 514 5600AMindhoven Date Our reference March 24, 2020 [CONFIDENTIAL] Contact [CONFIDENTIAL] Topic Decides to impose an administrative fine Dear Management, The Dutch Data Protection Authority (AP) has decided to impose an administrative fine on CP & AB.V. (CP&A). € 15,000 in addition.The AP judges that CP & A from 12 March 2019 to 2 May 2019 the ban of Article 9, first paragraph, of the General Data Protection Regulation (GDPR) by processing employee health data. In addition, CP&A has for this During the same period, insufficient appropriate security measures have been taken as referred to in Article 32, first paragraph, of the AVG. After this, the decision is explained in more detail. legal framework. Chapter 3 contains the facts and in chapter 4 assesses the AP of the discussion processing of health data, the controller and violations Chapter 5 The (height of the) administrative fine is elaborated and Chapter 6 contains the remedies clause. 1 Date Our reference March 24, 2020 [CONFIDENTIAL] 1 Introduction 1.1Involved legal persons and cause investigation CP & A is a private limited company located at Maas22E, 5684PLteBest (North Brabant). CP & Aise registered in the trade register of the Chamber of Sales under the number 54592526 and has, according to the extract from the trade register, about 160 employees. CP&A performs according to the trade register its website, including inspection and maintenance work of public objects. On January 11, 2019, the AP received a notification that CP&A is processing its health data. employees absenteeism registration with which keeps health data of employees This signal is the APA (ex officio) investigation started for compliance by CP & Avande Articles9 and 32 of the AVG. 
The processing of special categories of personal data is based on Article 9, first paragraph, of The AVG is prohibited unless a legal exception applies. CP & A can successfully appeal to this case relevant exception. ofCP & Avoorhealthdatain its absenteeism registrysufficiently appropriatetechnicaland Organizational measures have been taken to attune the risk to security level safeguards, as referred to in Article 32, first paragraph, of the GDPR. 1.2 Process sequence The AP contacted CP & Aomaant by phone on May 2, 2019 absenteeism registration of CP & A for unauthorized access and she has CP & A request The violation has been terminated as soon as possible. conversation a standard transferring letter and the legal framework relating to the duty of notification Personal data breaches reported on AP. By letter of 7 May 2019, CP & Ade receipt of the letter and acknowledged that the absenteeism record has been deleted. On May 7, 2019, CP & A filed a data breach report in connection with the breach personal data. By letter of July 29, 2019, the AP asked questions to CP&A, to which she responded by letter of 7 August2019.On21August2019, the APper-mailrequested furtherinformationfromCP&A. CP&A responded to this by email from August 28, 2019. By letter of October 30, 2019, the AP gave CP & A a requirement to enforce it there. Basic research report sent and CP&A to the occasion 2 / 17Date Our reference March 24, 2020 [CONFIDENTIAL] On November 12, 2019, CP & A had a written view to be made visible. Finally, the AP was created on January 30, 2020, and the pieces added to the file CP & Ade Opportunity to respond to these items. CP&A did not use them. 2. Legal framework 2.1 Scope AVG Pursuant to Article 2, paragraph 1, of the GDPR, this Regulation applies to all or part of the automated processing, as well as the processing of personal data contained in a file recorded or intended to be recorded there. 
Pursuant to Article 3, first paragraph, of the GDPR, this Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether processing in the Union than does not take place. Pursuant to Article 4 of the GDPR, for the purposes of this Regulation the following is understood: 1. "Personal data" means all information about an identified or identifiable natural person (“The data subject”); […]. 2. “Processing” means an operation or a set of operations related to personal data, or a set of personal data, if not performed through automated processes […]. 7. “Controller” means a [...] legal entity who, alone or together with others, has the purpose of and determines the means for the processing of personal data; […]. 2.2 Prohibition of processing data on health Article 4, section 15, of the GDPR defines health data as personal data that related to the physical or mental health of a natural person, including data about the health services provided that give information about his health status. Prohibited under Article 9, first paragraph, of the GDPR, the processing of health data. Exceptions to the prohibition against processing special personal data are mentioned in Article 9, second paragraph, of the AVG. 
[…] b) the processing is necessary for the performance of obligations and the exercise of specific rights of the controller or the data subject in the area of the labor rights, social security and social protection law, insofar as this is permitted Union law or member state law or a collective agreement based on member state law appropriate safeguards for fundamental rights and fundamental interests of the area concerned; 3/17 Date Our reference March 24, 2020 [CONFIDENTIAL] […] Pursuant to Article 30 Implementing Act, General Data Protection Regulation (UAVG) Article 9, subsection 2 b, of the AVG prohibiting the processing of health data applicable if processing is done by administrative bodies, pension funds, employers or institutions that they may need to work with, and as far as processing is necessary for: […] b. further integration or counseling of employees or benefit recipients in connection with illness or incapacity for work. […] 2.3 Security of processing Pursuant to Article 32, first paragraph, of the GDPR, the controller is concerned […], taking into account with the state of the technology, the implementation costs, as well as with the nature, scope, context and processing purposes that are probable and seriously incur a variety of risks to rights freedoms of persons, appropriate technical and organizational measures at risk matched security level guarantees […]. Pursuant to the second paragraph of Article 32, the assessment of the appropriate security level is taking into account processing risks, especially as a result of destruction, loss, or damage modification or unauthorized provision of unauthorized access to forwarded, stored, or otherwise processed data, either accidentally or unlawfully. 2.4 Administrative fine Pursuant to Article 58, paragraph 2, preamble, in conjunction with Article 83, paragraph 4, of the GDPR and article 14, third paragraph, of the UAVG is authorized to apply to GDPR breaches None administrative fine. 
2.4.1AVG Pursuant to Article 83, first paragraph, of the GDPR, every supervisory authority is Administrative fees imposed on the head of this article imposed on the four, five members and six listed violations of this Regulation are effective, proportionate and dissuasive in each case. Under the second member, the administration will be fined, depending on the circumstances of the concrete case, imposed next to or in place of in Article 58, second paragraph, under intended measures. From the fourth paragraph, preamble and below, it follows that there is a breach of the obligations of the controller and processor as in Article 32 of the GDPR in accordance with paragraph 2 4/17 Date Our reference March 24, 2020 [CONFIDENTIAL] subject to an administrative fee up to € 10,000,000 or, for a company, up to 2% of The total worldwide annual turnover in the previous financial year, if this figure is higher. From the fifth paragraph, preamble and below a, it follows that a violation of the basics of processing such as in Article 9 of the AVG in accordance with paragraph 2 is subject to an administration which is fined to € 20,000,000 or, for a company, up to 4% of the total global annual turnover in the foregoing financial year, if this figure is higher. 2.4.2UAVG Pursuant to Article 14, third paragraph, of the UAVG, the AP in case of violation of the particular in Article 83, fourth, fifth, or sixth member, of the ordinance impose an administrative fine on the highest place these amounts. 3. 
Facts The AP has determined that CP & A in any case from 12 March 2019 to 2 May 2019 and Absence logging in a GoogleDrive file on the Internet has kept where the following data of 25 (sick) employees mentioned: 1 - Branch; - Forecast - E-mail address; - Name; (short / medium / long); - BSN; - Last name; - Remarks; - Date of birth; - Starting date; - (nursing) address; - Employment - End date; - House number; (temporary / permanent); - Number of calendar days; - Postal Code; - Date service; - reason for absenteeism; - Residence; - Contract hours; - Telephone number; - End of contract date. During this period from March 12 to May 2, 2019, the AP has reached her known web address. website six times and found that they do not have any form of authentication or other Access control could view the absenteeism registration. The AP has also determined that the absenteeism registration active was updated due to the fact that the content of the absenteeism register 2 changed weekly. By letter of May 7, 2019, CP & A signified the relevant file with health data is deleted and is no longer available. The AP was adopted on May 13, 2019 that the absenteeism registration was no longer accessible through her known web address. In addition, 4 1 2Research reportAP, 3 September 2019, appendix 2 to 8. 3Research reportAP, 3 September 2019, appendix 2 to 8. 4 Letter of 7 May 2019 from CP & A on AP. Research report AP, 3 September 2019, appendix 8. Date Our reference March 24, 2020 [CONFIDENTIAL] the AP based on a copy of the new absenteeism registration from CP & A established that CP & Ade reason no longer registered. 5 4. 
Assessment 4.1 Processing of data on health As mentioned in Chapter 3, the AP has determined that CP & A in each case from March 12, 2019 with 2May2019, a absenteeism registration in a GoogleDrive file has kept where the following personal data of 25 (sick) employees were stated: the name, surname, the address, home number, postal code, place of residence, telephone number, hot-mail address, 6 BSN, and date of birth. Helping the committed employees of CP & Adirect identifiable. The aforementioned data are therefore personal data as referred to in Article 4, part 1 of the AVG. In addition, the AP has determined that CP&A is the reason for absenteeism registration (overall physical if mental health), the forecast and the comments about the absenteeism reasons and the forecast about this 7 employees. This data is for the benefit of the AP data about health within the meaning of Article 4, Section 15, of the GDPR. With the digital record, store, update and make available of these personal data (sick) employees and keeping absenteeism records has CP & AHealth information (partially) automatically processed in the sense of Article 4, Part 2, of the GDPR. In view of the foregoing, the AP comes to the conclusion that CP & A data about the health of 25 employees processed in the period from March 12, 2019 to May 2, 2019. 4.2 Controller The AP is judged that CP & Ad uses the means for processing personal data, including health data, CP&A has stated that sickness absenteeism reintegration an important point of attention within the organization, CP&A has made the decision Include an overview of her sick employees in a specially designed file to do it to keep an overview, to prevent people from imagining and filling in the best possible way can give further integration. In addition, it appears from the fact that CP & Ad has absenteeism registration removed that the decision-making authority whether to process any default data at CP & Aligt. 
5 Letter of August 7, 2019 from CP & A to AP. 6Research reportAP, 3 September 2019, appendix 2 to 8. 7 Research report AP, 3 September 2019, appendix 2 to 8. View CP&A, November 12, 2019, p. 2. Date Our reference March 24, 2020 [CONFIDENTIAL] The AP marks CP & As controller as referred to in Article 4, Section 7, of the GDPR. 4.3 Violation of the prohibition on processing health data 4.3.1 Introduction Health data falls under the special category of personal data. Personal data that is particularly sensitive deserves specific protection because of the processing of it can entail increased risk for fundamental rights and fundamental freedoms special categories of personal data is therefore based on Article 9, first paragraph, of the GDPR 9 prohibited unless a legal exception applies. The AP tests in the following whether CP & A can successfully appeal to the relevant case. exception as referred to in Article 9, second paragraph, salutation and underb of the AVGjo. Article 30, first paragraph, preamble underb, of the UAVG. 4.3.2 Legal framework On the basis of Article 9, second paragraph, preambles under the GDPR, the data controller Process data about health as it is necessary for the execution of obligations and exercise of specific rights of the controller or the controller person concerned in the field of labor rights, social security and social protection law. This exception has no direct notification based on the AVG, but leaves room for Member States. in order to get more detailed information. This happens in the Netherlands in the UAVG. Article 30, first paragraph, preamble underb of the UAVG determines in that framework that the processing of data about health allowed if this is necessary for the integration or guidance of employees or benefit recipients in connection with illness or incapacity for work. 
This exception ground then further specified that employers are obliged on the basis of Article 658a, second paragraph, of Book 7 of the Civil Code (Civil Code) as soon as possible that measures to be taken when necessary by a sick employee They are own or do other appropriate work Therefore, it may be mandatory, the earth and size of the data that may be processed limited by the requirement of necessity as laid down in Article 9, second paragraph, salutation, and below b, GDPR. This means that an assessment of each processing must always take place or the processing is also really necessary in light of other integration obligation that rests on the employer. In the policy rules "The sick employee" (the policy rules) of the AP, Government Gazette have been published, it has been concretized which medical personal data the employer has in it framework of other integration and absenteeism guidance which may be processed and if necessary 9 See also recital 51 of the AVG. Date Our reference March 24, 2020 [CONFIDENTIAL] stamped, and which are not necessary and therefore should not be processed. Legal regulations about the processing of personal data about the health of employees in the context of their reintegration and absenteeism counseling as laid down in law protection personal data are not changed by application of the AVG on May 25, 2018. The 11 policy rules are therefore, although written in the framework of the Wbp, still corresponding applies to processing under the AVG. 
The data that can be processed according to these policy rules are: 12 - the work by which the employee is no longer or is still the state (functional limitations, residual possibilities and implications for the type of work that the employee can still do to do); - the expected duration of the default; - the extent to which the employee is incapacitated for work (based on functional limitations, residual possibilities and implications for the type of work that the employee can still do); - any advice about adjustments, work facilities or interventions that the employee has for reintegration. 13 The data that cannot be processed under these policies include: - diagnoses, name disease, specific symptoms or pain indications; - individual subjective perceptions, both mental and physical health status; - information about therapies, appointments with doctors, physiotherapists, psychologists, etc. - other situation problems, such as relationship problems, problems from the past, moving house, death partner, divorce, etc. 4.3.3 Assessment As noted in Chapter 3, the AP has determined that CP & A kept an absenteeism record in which reason for absenteeism (overall physical and mental health), the forecast and comments about the The forecast of her employees was recorded. The AP has assessed this data according to the aforementioned legal framework. In the Policy rules of the AP are concretized which medical personal data the employer has in the context Other integration and absenteeism guidance may be processed and become necessary The AP came to the conclusion that the absenteeism registration contained health information. which, due to lack of necessity, should not be handled by CP&A This is because of the absenteeism reasons mentioned in relation to 25 data subjects with their names physical and mental illnesses, specific symptoms and pain indications comments field further information recorded about health. 
1 Policy rules for the processing of personal data about the health of sick employees, Dutch Data Protection Authority (Stcr 2016, 21703). 1 See the old Article 21, first paragraph, preamble underf, under 2, of the Personal Data Protection Act and the current Article 30, first member, bottom b, of the UAVG. and Parliamentary Papers II2017 / 2018,34851,3, p.109. 1 Policy rules for sick employees, section 5.2.2., P. 27. 1 Policy rules for the sick worker, section 5.2.1., P. 25, read in conjunction with p. 27. 8/17 Date Our reference March 24, 2020 [CONFIDENTIAL] On the basis of Article 9, second paragraph, preambles under the GDPR, the data controller Process data about health as it is necessary for the execution of obligations and exercise of specific rights of the controller or the controller person concerned in the field of labor rights, social security and social protection law. Article 30, first paragraph, preamble underb of the UAVG determines in that framework that the processing of data about health allowed if this is necessary for the integration or guidance of employees or benefit recipients in connection with illness or incapacity for work. Because the processing of names of diseases, specific symptoms and indications of pain are not necessary for further integration of employees, as also follows from the policies of the AP, processing thereof is prohibited.CP & Akan thus do not successfully make use of Article 30, first level, underb, of the UAVG. The AP has not been found that CP & A can successfully appeal to the other exceptions of Article 30 of the UAVG. is thus of the opinion that CP & Ade above mentioned health data in violation of the prohibition of article 9, first member, of the AVG has processed. Regarding the period of this violation, the AP on 2 May 2019 was last determined that CP & Ad has processed health data in its absenteeism registry. 
The AP on May 13, 2019 then determined that the absenteeism registration is no longer accessible via At its known web address. Finally, the AP has detected that the current absenteeism is registered. reason is not registered anymore by CP&A. 4.3.4 Conclusion The AP comes to the conclusion that CP & As controller of any case 12 March 2019 until 2 May 2019 the prohibition of article 9, first member, of the AVG has violated by Process health data of 25 employees. 4.4 Violation of security of processing 4.4.1 Introduction To ensure security and prevent the processing of personal data from being breached on the AVG, the controller is required by Article 32 of the AVG processing to assess risk and take measures to mitigate risk measures should ensure an appropriate level of security, taking into account the situation of technology and implementation costs set against the risks of the nature of the protection personal data. The AP will check in the following whether CP & A has an appropriate security level used for processing the health data in her absenteeism register, such as that was accessible through the web address. 4.4.2 Assessment On the basis of Article 32, first paragraph, of the GDPR, the controller must apply one technical and organizational measures to address the risk-adjusted security level 1 Recital 83 of the AVG. 9/17 Date Our reference March 24, 2020 [CONFIDENTIAL] During the assessment of the risks, according to Article 32, second paragraph, of the GDPR. to be spent on risk that occurs in the processing of personal data, such as the unauthorized provision of or unauthorized access to forwarded, stored, or otherwise processed data, either accidentally or unlawfully. As data has a sensitive nature, or the context in which they are used poses a greater threat to the personal life sphere of those involved, become more stringent requirements data security. 
This means that it is required to be set for technical and technical reasons 15 organizational measures to protectthis data. Regarding authentication with access to the processing of data about the health of (sick) employees and to which access is provided through the internet, so it is necessary to take more stringent measures to meet a 16 appropriate security level, such as two-factor authentication. The AP has determined that the absenteeism registration (with health data) of CP & A Some form of authentication was accessible. The AP is judged by CP & A's view of its absenteeism registration has used an inadequate level of security. sensitive nature of data, the fact that the health data were processed on the internet The risks to the personal life sphere of those involved must take further measures to prevent it risk of unauthorized access to the absenteeism registration. CP&A left this behind. This lack of security could have been avoided by, for example, a matching one authentication technique (or another method) to implement the claimed identity of a user of the absenteeism registration can provide evidence. considering the current state of the engineering and implementation costs, appropriate. The AP is therefore of the opinion that CP & A has infringed Article 32, first paragraph, of the AVG because CP & A has with regard to the health data in her absenteeism register and not sufficiently appropriate security level. View CP & AenreactionAP CP & A argues in her view that she had one goal with the absenteeism registration: her assisting employees as best as possible during a period of illness and reintegration. CP&A believe that she handled it correctly, in accordance with the applicable regulations with the data of the employees involved who also had the data carefully in such a way secured that are not freely accessible Employees was only accessible through a specific link. 
The link was only provided those who are / were involved with the integration of employees and as such about absenteeism data should be available to guide the employees as best as possible in the absence of integration (management, two-region managers, one employee HRM, HRM manager as the absenteeism supervisor). taking into account that the link will provide unauthorized access to one third of the parties 15 16 also Policies for the processing of personal data about the health of sick employees, p. 13. See also Policies for the processing of personal data about the health of employees, p. 7. 10/17 Date Our reference March 24, 2020 [CONFIDENTIAL] CP & Ahetten very much regretted that she did not see this risk for one third may be known to consult data. The AP is based on the view of CP & No to another conclusion. specifically link only to people who are / were involved in the integration of employees It is true that an organizational measure is taken to ensure the security of personal data. However, CP&A had seen the sensitive nature of the data, the fact that the health data was The internet and the risks to the personal life sphere of those involved were also processed appropriate technical measure, such as, for example, the implementation of a authentication technique by the link. unauthorized access to very sensitive data can be largely reduced. 4.4.3 Conclusion The AP comes to the conclusion that CP & As controller of any case 12 March 2019 until 2 May 2019 Article 32, first member, of the AVG has violating types of health data in her absenteeism registry and inadequate management of an appropriate security level. 
4.5 Final conclusion The AP comes first of all to the conclusion that CP & A in each case 12 March 2019 to 2 May 2019 the prohibition of article 9, first paragraph, of the GDPR has violated the health data of 25 In addition, the AP comes to the conclusion that CP & A in the same period Article 32, first member, of the AVG has violating types of health data in her absenteeism registration insufficient appropriate technical and organizational measures to meet a phenomenon risk-adjusted security-level safeguards. 5. Fine 5.1 Introduction CP&A has, from every case March 12, 2019 to May 2, 2019, Article 9, First Member, and Article 32, first member, of the GDPR violations. The AP made use of both established violations of its jurisdiction to impose a fine on CP & A on the basis of Article 58, second paragraph, Article 83, fourth and fifth paragraph, of the AVG read in conjunction with Article 14, third paragraph, of the AVG. UAVG.TheAP uses this for the fine policy rules2019. 17 In the following, the AP will first briefly outline the fine system, followed by the justification. of the fine height in the present cases. 1Stcrt.2019,14586,14March2019. 11/17 Date Our reference March 24, 2020 [CONFIDENTIAL] 5.2 Fines Policy Rules of the Dutch Data Protection Authority 2019 (Fines Policy Rules 2019) Violation of the unlawful processing of special personal data Article 9, first paragraph, of the AVG the AP is authorized to invest a fine up to a maximum of € 20,000,000, or up to 4% of the total worldwide annual turnover in the previous financial year, if this figure is higher. 58, second paragraph, preamble under ten article 83 of the AVG read in conjunction with article 14, third paragraph, of the UAVG. On the basis of the attached party Fines policy rules 2019, this violation falls in the highest category, namely category IV. 
And for violation of Article 32, first paragraph, of the GDPR, the AP is authorized and administratively fined up to € 10,000,000 or up to 2% of the total worldwide annual turnover in the previous financial year, if This figure is higher. II. The A is acting on the basis of Article 2.3 of the Fine Policy Rules 2019 for the above mentioned violations under the following fine ranges: Category II: Fine band width between € 120,000 and € 500,000 and a basic fine of € 310,000. […]. Category IV: Fine band width between € 450,000 and € 1,000,000 and a basic fine of € 725,000. […]. Pursuant to Article 6 of the 2019 Fine Policy Rules, the AP determines the amount of the fine by the amount. from base to above (up to the maximum of the bandwidth from one violation linked to fine category) or down (to the lowest minimum of that bandwidth). Factors mentioned in Article 7 of the Fine Policy Rules 2019 give rise to this. Pursuant to Article 7, the AP holds unaffected the Articles 3: 4 and 5:46 of the General Administrative Law (Awb) take into account the factors derived from Article 83, second paragraph, of the AVGeninde Policy Rules2019 named underatotenmetk: a. nature, seriousness of the duration of the infringement, taking into account the nature, size or purpose of the processing issue as well as the number of affected data subjects and the size of the members affected damage; b. the intentional or negligent nature of the infringement; c. the controller took […] measures against the affected members limit damage; d. the degree to which the controller […] is responsible in view of technical and organizational measures he has carried out in accordance with the articles 25 and 32 of the AVG; e) any relevant infringements by the controller […]; f) the degree in which the supervising authority has cooperated to remedy the breach limit the potential negative consequences thereof; g. the categories of personal data to which the infringement relates; h. 
the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller (...) notified the infringement;
i. compliance with measures referred to in Article 58(2) GDPR, where such measures have previously been ordered against the controller (...) with regard to the same subject matter;
j. adherence to approved codes of conduct pursuant to Article 40 GDPR or to approved certification mechanisms pursuant to Article 42 GDPR; and
k. any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

In the present case, it is a matter of assessing the nature, gravity and duration of the violation in the specific case within the fine category linked to it. Where the above factors give reason to do so, the AP can, on the basis of Article 8.1 of the Fines Policy Rules 2019, apply the fine band of the next higher or the next lower category. In addition, pursuant to Article 5:46(2) Awb, the AP assesses when imposing an administrative fine the extent to which the offender can be blamed for the violation. Finally, the AP assesses, on the basis of the Fines Policy Rules 2019 and Articles 3:4 and 5:46 Awb, whether the application of its policy for determining the amount of the fine, given the circumstances of the case and the financial capacity of CP&A, leads to a disproportionate outcome.

5.3 Fine for violation of the prohibition on processing data concerning health and of the security of processing

5.3.1 Nature, gravity and duration of the infringement

Pursuant to Article 7, opening words and under (a), of the Fines Policy Rules 2019, the AP takes into account the nature, gravity and duration of the infringement, having regard to the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them.
The protection of natural persons in relation to the processing of personal data is a fundamental right. Pursuant to Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU), everyone has the right to the protection of their personal data. The principles and rules on the protection of natural persons with regard to the processing of their personal data must respect their fundamental rights and freedoms, in particular their right to the protection of personal data. The GDPR is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and convergence of the economies within the internal market, and to the well-being of natural persons. The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. Any processing of personal data must be lawful and fair. Personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed, and should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to, or use of, personal data and the equipment used for the processing.

For particularly sensitive personal data, the GDPR provides a high level of protection. Personal data that are particularly sensitive deserve specific protection, because the context of their processing may entail significant risks to fundamental rights and freedoms. Data concerning health therefore enjoy a high level of protection. The starting point is also that the processing of special categories of personal data is in principle prohibited.
Only a limited number of exceptions to this prohibition are possible under the GDPR and the UAVG. By processing health data in this case, CP&A has violated the high level of protection that Article 9(1) GDPR provides.

On the basis of Article 32(1) GDPR, the controller must in addition take appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The nature of the personal data and the nature of the processing are important here: these factors determine the potential damage to the data subject in the event of, for example, loss, alteration or unlawful processing of the data. The AP has concluded that CP&A did not take appropriate security measures to protect the health data in its absenteeism register.

The AP has established that CP&A, in any case from 12 March 2019 to 2 May 2019, processed the health data of 25 employees without appropriate security. These health data contained very sensitive information, such as the names of physical and mental illnesses, specific complaints and indications of pain of its employees. CP&A thereby violated the prohibition on processing special categories of personal data, and the data subjects concerned accordingly had no control over their health data. It is precisely this control that the GDPR seeks to give data subjects, so that they are able to protect their data and to enjoy this freedom. In addition, during this period the absenteeism register of CP&A was accessible without any form of authentication. CP&A thereby exposed its employees to a large and unnecessary risk of unauthorised access to their personal data. The fact that this concerns the processing of particularly sensitive data makes the insufficient security of the data extraordinarily serious.
In the opinion of the AP, these are two serious violations, in which CP&A processed special categories of personal data of data subjects under unlawful conditions. The AP sees no reason, on the basis of the factors stated in Article 7 of the Fines Policy Rules 2019, to increase or decrease the amount of the fine at this point. Below, the AP will assess whether the amount of the fine needs adjustment on the basis of proportionality.

5.3.2 Culpability

Pursuant to Article 5:46(2) Awb, the AP takes into account, when imposing an administrative fine, the extent to which the offender can be blamed for the violation. As these are violations for which intent is not required, in line with settled case law18 the AP may assume culpability once it has been established that CP&A is the offender.19

Under Article 9(1) GDPR, the processing of data concerning health is in principle prohibited. The legal rules on the processing of personal data concerning the health of sick employees in the context of their reintegration and absenteeism guidance, as laid down in the Personal Data Protection Act (Wbp), have remained unchanged under the GDPR since 25 May 2018. In addition, from the AP's policy rules "The sick employee", published in the Government Gazette in April 2016, CP&A could have determined which personal data a party such as CP&A is permitted to process. Given the particular nature of the personal data, CP&A may moreover be expected to be aware of the standards that apply to it. Through its actions, CP&A has nevertheless breached the high level of protection for special categories of personal data.
On the basis of Article 32 GDPR, the policy rules "The sick employee" and the nature of the processing, CP&A should also have known that it had to take measures to mitigate the risk of unauthorised access to the absenteeism register. CP&A failed to restrict access to the absenteeism register via its web address and, in any case, to implement an appropriate authentication technique (or other method) by which the claimed identity of a user could be proven. The AP also considers this culpable.

5.3.3 Views of CP&A and response of the AP

CP&A takes the view that it has already taken corrective measures, by which it means that it complied with the AP's request to terminate the violation as soon as possible and immediately provided all cooperation. The data are now kept in the secure environment of the HRM system, which is accessible only to the HRM department and direct supervisors. In addition, CP&A no longer processes the reason for absence, and the prognosis is recorded only in so far as it can be derived from the reports of the company doctor, without medical information. In view of the foregoing, and expressly taking into account the fact that CP&A is a medium-sized enterprise within the meaning of Article 2a UAVG, as well as the manner in which, for example, the cases of Nippon Express (2017) and the Abrona Foundation (2016) were closed, CP&A argues that the AP should confine itself to the corrective measures already taken under Article 58 GDPR. In addition, CP&A points out that the data subjects have, fortunately, not suffered any damage, that CP&A has not in any way acted intentionally or negligently, that it has not been reproached for prior violations, and that CP&A has engaged (additional) guidance from an external adviser in the field of privacy.
18 Compare CBb 29 October 2014, ECLI:NL:CBB:2014:395, ground 3.5.4; CBb 2 September 2015, ECLI:NL:CBB:2015:312, ground 3.7; CBb 7 March 2016, ECLI:NL:CBB:2016:54, ground 8.3; ABRvS 29 August 2018, ECLI:NL:RVS:2018:2879, ground 3.2; and ABRvS 5 December 2018, ECLI:NL:RVS:2018:3969, ground 5.1.
19 Parliamentary Papers II 2003/04, 29 702, no. 3, p. 134.

The AP does not share the view of CP&A. CP&A should have refrained from processing the health data of its employees in this case. In addition, CP&A did not take adequate measures to secure its absenteeism register. In doing so, CP&A has harmed the protection of the personal data of its employees. Given the violations, the AP considers a corrective measure other than an administrative fine to be insufficiently effective, proportionate and dissuasive. The AP considers the imposition of an administrative fine appropriate in this case, and takes the position and financial capacity of CP&A into account in determining its amount.

CP&A has also stated that the data subjects have not been harmed, but this has not been demonstrated, nor can it be ruled out that damage may still occur in the future. This ground, on its own or together with the other grounds put forward by CP&A, gives the AP, in view of the gravity of the violations and the degree of culpability, no reason to refrain from imposing a fine or to reduce the fine on the grounds referred to by CP&A.

The AP sets the fine for the violation of Article 9(1) GDPR at €725,000. For the violation of Article 32(1) GDPR, the AP sets the fine at €310,000.

5.4 Proportionality and financial capacity

Finally, the AP assesses on the basis of Articles 3:4 and 5:46 Awb (principle of proportionality) whether the application of its policy for determining the amount of the fine, given the circumstances of the case, leads to a disproportionate outcome. Factors that play a role here include the accumulation of sanctions and the financial capacity of the controller.
CP&A has invoked its limited financial capacity. On the basis of the known financial data of CP&A, the AP considers the financial capacity of CP&A to be limited. This leads the AP to the conclusion that CP&A cannot financially bear the combined fines for both violations, amounting to €1,035,000. On this basis, the AP sees reason to reduce the amount of the fine. In this case, the AP considers a fine of €15,000 appropriate and necessary, and CP&A is able to pay this amount given its financial capacity.

5.5 Conclusion

The AP sets the total fine amount at €15,000.

6 Operative part

Fine

The AP imposes on CP&A, for violation of Article 9(1) GDPR and Article 32(1) GDPR, an administrative fine of €15,000 (in words: fifteen thousand euros).20

Yours sincerely,
Autoriteit Persoonsgegevens,
Signed
Drs C. E. Mur
Board member

Remedies clause

If you do not agree with this decision, you can submit an objection to the Autoriteit Persoonsgegevens, digitally or on paper, within six weeks of the date on which this decision was sent. Submitting an objection suspends the effect of this decision. For digital submission, see www.autoriteitpersoonsgegevens.nl, under the heading "Objection against a decision" at the bottom of the page under "Contact the Autoriteit Persoonsgegevens". The address for submitting an objection on paper is: Autoriteit Persoonsgegevens, PO Box 93374, 2509 AJ Den Haag. State "Awb objection" on the envelope and put "notice of objection" in the title of your letter. State at least the following in your notice of objection:
- your name and address;
- the date of your notice of objection;
- the reference mentioned in this letter (case number), or attach a copy of this decision;
- the reason(s) why you do not agree with this decision;
- your signature.

20 The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB).