AP (The Netherlands) - 24.03.2020

AP (The Netherlands) - CP&A
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 4(15) GDPR
Article 9 GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: €15,000
Parties: CP&A B.V
National Case Number/Name: CP&A
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Autoriteit Persoonsgegevens (in NL)
Initial Contributor: n/a

The Dutch DPA fined a maintenance company €15,000 for processing the health data of sick employees, and for failing to implement appropriate security measures regarding such processing.

English Summary

Facts

The Dutch DPA ('AP') received a notification on 11 January 2019 that CP&A processes the health data of its employees. From this notification, the AP concluded that CP&A maintained an online register containing data on the causes of its employees' absenteeism. In response, it launched an investigation of its own volition into CP&A's compliance with Articles 9 and 32 GDPR. Since Article 9 GDPR prohibits the processing of special categories of data, including health data, the AP had to determine whether one of the exceptions outlined in Article 9 applied. The AP also sought to determine whether CP&A had taken sufficient technical and organisational measures to ensure a risk-appropriate level of security for the health data under Article 32 GDPR.

Holding

The AP's investigation found that the relevant online register included employees' names, addresses, email addresses and social security number, which made employees directly identifiable. The register also included employees' reasons for absence (concerning both physical and mental health), including the names of illnesses, specific symptoms, and indications of pain. This constituted health data within the meaning of Article 4(15) GDPR. By digitally storing, updating, and making this data available, CP&A was processing health data.

The AP considered whether CP&A could process health data under the exception established by Article 9(2)(b), whereby processing is necessary for carrying out the controller's rights or obligations in the field of employment, insofar as this is authorised by Union or Member State law. In the Netherlands, Article 30(1) of the UAVG stipulates that the processing of personal data concerning health is permitted if this is necessary for the reintegration or guidance of employees in connection with illness or disability. With respect to this reintegration, further details are provided in Section 658a(2) of the Dutch Civil Code, which requires employers to take the necessary measures to enable a sick employee to perform their work as soon as possible.

The AP found that the processing of the names of illnesses, specific symptoms, and indications of pain is not necessary for the reintegration of employees, in accordance with Article 30(1) UAVG, meaning it could not invoke the exception established at Article 9(2)(b) GDPR. Since no other exceptions were applicable, CP&A's processing of the health data was considered unlawful.

With regard to Article 32 GDPR, the AP found that CP&A's security measures concerning the online register were inappropriate. In particular, the register was accessible without any form of authentication. Given the sensitive nature of the data and the fact that the health data was processed on the internet, CP&A should have taken further measures to mitigate the risk of unauthorised access to the data.

On account of the violations of Articles 9 and 32 GDPR, the DPA imposed a fine of €15,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Autoriteit Persoonsgegevens
P.O. Box 93374, 2509 AJ The Hague
Bezuidenhoutseweg 30, 2594 AV The Hague
T 070 8888 500 - F 070 8888 501
autoriteitpersoonsgegevens.nl

Confidential / Registered
CP&A B.V.
Attn. the management
P.O. Box 514
5600 AM Eindhoven

Date: March 24, 2020
Our reference: [CONFIDENTIAL]
Contact: [CONFIDENTIAL]

Topic: Decision to impose an administrative fine


Dear Management,


The Dutch Data Protection Authority (AP) has decided to impose an administrative fine of €15,000 on CP&A B.V. (CP&A). The AP finds that CP&A violated, from 12 March 2019 to 2 May 2019, the prohibition of Article 9, first paragraph, of the General Data Protection Regulation (GDPR) by processing employee health data. In addition, during the same period CP&A took insufficient appropriate security measures as referred to in Article 32, first paragraph, of the GDPR.

The decision is explained in more detail below. Chapter 1 is an introduction and chapter 2 contains the legal framework. Chapter 3 contains the facts, and in chapter 4 the AP assesses whether there is processing of health data, who the controller is, and the violations. Chapter 5 elaborates the (amount of the) administrative fine and chapter 6 contains the remedies clause.



















1 Introduction

1.1 Legal person involved and reason for the investigation

CP&A is a private limited company located at Maas 22E, 5684 PL Best (North Brabant). CP&A is registered in the trade register of the Chamber of Commerce under number 54592526 and has, according to the extract from the trade register, about 160 employees. According to the trade register and its website, CP&A performs, among other things, inspection and maintenance work on public objects.

On January 11, 2019, the AP received a notification that CP&A is processing health data of its employees. According to the notification, CP&A keeps an absenteeism registration in which it records health data of employees. Following this signal, the AP started an (ex officio) investigation into compliance by CP&A with Articles 9 and 32 of the GDPR.

The processing of special categories of personal data is prohibited under Article 9, first paragraph, of the GDPR unless a legal exception applies. The AP investigated whether CP&A can successfully invoke an exception relevant to this case, and whether CP&A has taken sufficiently appropriate technical and organizational measures for the health data in its absenteeism registration to ensure a level of security appropriate to the risk, as referred to in Article 32, first paragraph, of the GDPR.


1.2 Process sequence

On May 2, 2019, the AP contacted CP&A by phone about the fact that the absenteeism registration of CP&A was accessible to unauthorized persons, and requested CP&A to end the violation as soon as possible. Following this conversation, the AP sent a norm-conveying letter and the legal framework relating to the duty to report personal data breaches to the AP. By letter of 7 May 2019, CP&A confirmed receipt of the letter and stated that the absenteeism registration had been deleted.

On May 7, 2019, CP&A filed a data breach notification in connection with the personal data breach.

By letter of July 29, 2019, the AP asked questions to CP&A, to which CP&A responded by letter of 7 August 2019. On 21 August 2019, the AP requested further information from CP&A by e-mail. CP&A responded to this by e-mail of August 28, 2019.

By letter of October 30, 2019, the AP sent CP&A an intention to enforce, together with the investigation report on which it is based, and gave CP&A the opportunity to give its view on this.

On November 12, 2019, CP&A gave its view in writing. Finally, on January 30, 2020, the AP added documents to the file and gave CP&A the opportunity to respond to these documents. CP&A did not make use of this opportunity.



2. Legal framework

2.1 Scope AVG


Pursuant to Article 2, paragraph 1, of the GDPR, this Regulation applies to the processing of personal data wholly or partly by automated means, as well as to the processing of personal data which form part of a filing system or are intended to form part of a filing system.

Pursuant to Article 3, first paragraph, of the GDPR, this Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not.

Pursuant to Article 4 of the GDPR, for the purposes of this Regulation the following definitions apply:

1. "Personal data" means any information relating to an identified or identifiable natural person ("the data subject"); […].
2. "Processing" means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means […].
7. "Controller" means a [...] legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data; […].

2.2 Prohibition of processing data on health

Article 4, part 15, of the GDPR defines data concerning health as personal data related to the physical or mental health of a natural person, including data about health services provided that reveal information about his health status.

Under Article 9, first paragraph, of the GDPR, the processing of data concerning health is prohibited.

Exceptions to the prohibition on processing special categories of personal data are listed in Article 9, second paragraph, of the GDPR:
[…]
b) the processing is necessary for carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment law, social security and social protection law, insofar as this is authorised by Union law or Member State law or by a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
[…]

Pursuant to Article 30 of the GDPR Implementation Act (UAVG), in view of Article 9, second paragraph, under b, of the GDPR, the prohibition on processing health data does not apply if the processing is done by administrative bodies, pension funds, employers or institutions working for them, and insofar as the processing is necessary for:
[…]
b. the reintegration or guidance of employees or benefit recipients in connection with illness or incapacity for work.

[…]

2.3 Security of processing

Pursuant to Article 32, first paragraph, of the GDPR, the controller […], taking into account the state of the art, the costs of implementation, as well as the nature, scope, context and purposes of the processing and the risks of varying likelihood and severity for the rights and freedoms of persons, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk […].

Pursuant to the second paragraph of Article 32, in assessing the appropriate level of security, account is taken of the risks of the processing, in particular those resulting from the destruction, loss, alteration or unauthorized disclosure of, or unauthorized access to, transmitted, stored or otherwise processed data, whether accidental or unlawful.

2.4 Administrative fine

Pursuant to Article 58, paragraph 2, in conjunction with Article 83, paragraph 4, of the GDPR and Article 14, third paragraph, of the UAVG, the AP is authorized to impose an administrative fine for breaches of the GDPR.

2.4.1 GDPR

Pursuant to Article 83, first paragraph, of the GDPR, every supervisory authority ensures that the administrative fines imposed under this article for the infringements of this Regulation listed in paragraphs four, five and six are effective, proportionate and dissuasive in each case.

Under the second paragraph, administrative fines are, depending on the circumstances of the concrete case, imposed in addition to or instead of the measures referred to in Article 58, second paragraph.

From the fourth paragraph it follows that a breach of the obligations of the controller and processor as in Article 32 of the GDPR is, in accordance with paragraph 2, subject to an administrative fine of up to €10,000,000 or, for a company, up to 2% of the total worldwide annual turnover in the previous financial year, if this figure is higher.

From the fifth paragraph, preamble and under a, it follows that a violation of the basic principles of processing as in Article 9 of the GDPR is, in accordance with paragraph 2, subject to an administrative fine of up to €20,000,000 or, for a company, up to 4% of the total worldwide annual turnover in the previous financial year, if this figure is higher.

2.4.2 UAVG

Pursuant to Article 14, third paragraph, of the UAVG, the AP may, in the event of a violation of the provisions of Article 83, fourth, fifth or sixth paragraph, of the Regulation, impose an administrative fine of at most these amounts.


3. Facts


The AP has determined that CP&A, in any case from 12 March 2019 to 2 May 2019, kept an absenteeism registration in a Google Drive file on the Internet in which the following data of 25 (sick) employees were listed: 1

- Branch;
- Name;
- Last name;
- Starting date;
- End date;
- Number of calendar days;
- Reason for absenteeism;
- Forecast (short / medium / long);
- Remarks;
- (Nursing) address;
- House number;
- Postal code;
- Residence;
- Telephone number;
- E-mail address;
- BSN;
- Date of birth;
- Employment (temporary / permanent);
- Date in service;
- Contract hours;
- End of contract date.

During this period from March 12 to May 2, 2019, the AP visited the web address known to it six times and found that it could view the absenteeism registration without any form of authentication or other access control. The AP also established that the absenteeism registration was actively updated, given that the content of the absenteeism registration changed weekly. 2

By letter of May 7, 2019, CP&A indicated that the relevant file with health data has been deleted and is no longer available. 3 The AP established on May 13, 2019 that the absenteeism registration was no longer accessible through the web address known to it. 4 In addition, the AP established, on the basis of a copy of the new absenteeism registration from CP&A, that CP&A no longer registers the reason for absence. 5

1 Research report AP, 3 September 2019, appendix 2 to 8.
2 Research report AP, 3 September 2019, appendix 2 to 8.
3 Letter of 7 May 2019 from CP&A to the AP.
4 Research report AP, 3 September 2019, appendix 8.



4. Assessment


4.1 Processing of data on health

As mentioned in Chapter 3, the AP has determined that CP&A, in any case from March 12, 2019 up to and including 2 May 2019, kept an absenteeism registration in a Google Drive file in which the following personal data of 25 (sick) employees were stated: the name, surname, the address, house number, postal code, place of residence, telephone number, e-mail address, BSN, and date of birth. 6 With these data, the employees concerned of CP&A are directly identifiable. The aforementioned data are therefore personal data as referred to in Article 4, part 1, of the GDPR.

In addition, the AP has determined that CP&A registered the reason for absenteeism (concerning both physical and mental health), the forecast, and the comments about the absenteeism reasons and the forecast of these employees. 7 In the opinion of the AP, these data are data concerning health within the meaning of Article 4, part 15, of the GDPR.

By digitally recording, storing, updating and making available these personal data of (sick) employees and keeping the absenteeism registration, CP&A has processed health data (partially) automatically within the meaning of Article 4, part 2, of the GDPR.

In view of the foregoing, the AP comes to the conclusion that CP&A processed data about the health of 25 employees in the period from March 12, 2019 to May 2, 2019.


4.2 Controller


The AP is of the opinion that CP&A determines the purpose of and the means for the processing of personal data, including health data. CP&A has stated that absenteeism and reintegration is an important point of attention within the organization. CP&A made the decision to include an overview of its sick employees in a specially designed file in order to keep an overview, to prevent people from dropping out of sight and to be able to give the best possible substance to reintegration. 8 In addition, it appears from the fact that CP&A has removed the absenteeism registration that the decision-making authority over whether to process any absence data lies with CP&A.

The AP qualifies CP&A as the controller as referred to in Article 4, part 7, of the GDPR.

5 Letter of August 7, 2019 from CP&A to the AP.
6 Research report AP, 3 September 2019, appendix 2 to 8.
7 Research report AP, 3 September 2019, appendix 2 to 8.
8 View CP&A, November 12, 2019, p. 2.


4.3 Violation of the prohibition on processing health data

4.3.1 Introduction
Health data falls under the special categories of personal data. Personal data that is particularly sensitive deserves specific protection because its processing can entail high risks for fundamental rights and fundamental freedoms. The processing of special categories of personal data is therefore prohibited under Article 9, first paragraph, of the GDPR unless a legal exception applies. 9

In the following, the AP examines whether CP&A can successfully invoke the exception relevant to this case, as referred to in Article 9, second paragraph, preamble and under b, of the GDPR in conjunction with Article 30, first paragraph, preamble and under b, of the UAVG.

4.3.2 Legal framework
On the basis of Article 9, second paragraph, preamble and under b, of the GDPR, the controller may process data about health insofar as this is necessary for carrying out obligations and exercising specific rights of the controller or the data subject in the field of employment law, social security and social protection law. This exception has no direct effect on the basis of the GDPR, but leaves room for Member States to elaborate it further. In the Netherlands this is done in the UAVG.

Article 30, first paragraph, preamble and under b, of the UAVG provides in that context that the processing of data about health is allowed if this is necessary for the reintegration or guidance of employees or benefit recipients in connection with illness or incapacity for work. This ground for exception is further specified by the fact that employers are obliged, on the basis of Article 658a, second paragraph, of Book 7 of the Civil Code, to take as soon as possible the measures necessary to enable a sick employee to perform his own or other suitable work. Although there may therefore be an obligation, the nature and extent of the data that may be processed are limited by the requirement of necessity as laid down in Article 9, second paragraph, preamble and under b, of the GDPR. This means that for each processing it must always be assessed whether the processing is really necessary in light of the reintegration obligation that rests on the employer.

The policy rules "The sick employee" (the policy rules) of the AP, which have been published in the Government Gazette, 10 make concrete which medical personal data the employer may process in the context of reintegration and absenteeism guidance and which are deemed necessary, and which are not necessary and therefore should not be processed. The legal rules about the processing of personal data about the health of employees in the context of their reintegration and absenteeism guidance, as laid down in the Personal Data Protection Act (Wbp), have not been changed by the GDPR becoming applicable on May 25, 2018. 11 The policy rules therefore, although written in the context of the Wbp, still apply correspondingly to processing under the GDPR.

9 See also recital 51 of the GDPR.

The data that may be processed according to these policy rules are: 12

    - the work for which the employee is no longer or is still able (functional limitations, residual possibilities and implications for the type of work that the employee can still do);
    - the expected duration of the absence;
    - the extent to which the employee is incapacitated for work (based on functional limitations, residual possibilities and implications for the type of work that the employee can still do);
    - any advice about adjustments, work facilities or interventions for the reintegration of the employee.

The data that may not be processed under these policy rules include: 13

    - diagnoses, name of the disease, specific symptoms or pain indications;
    - individual subjective perceptions, about both mental and physical health status;
    - information about therapies, appointments with doctors, physiotherapists, psychologists, etc.;
    - other situational problems, such as relationship problems, problems from the past, moving house, death of a partner, divorce, etc.

4.3.3 Assessment

As noted in Chapter 3, the AP has determined that CP&A kept an absenteeism registration in which the reason for absenteeism (concerning both physical and mental health), the forecast and comments about the forecast of its employees were recorded.

The AP has assessed these data against the aforementioned legal framework. The policy rules of the AP make concrete which medical personal data the employer may process in the context of reintegration and absenteeism guidance and which are deemed necessary. The AP came to the conclusion that the absenteeism registration contained health data which, due to lack of necessity, should not have been processed by CP&A. This is because the absenteeism reasons recorded for the 25 data subjects included the names of physical and mental illnesses, specific symptoms and pain indications. In addition, further information about health was recorded in the comments field.


10 Policy rules for the processing of personal data about the health of sick employees, Dutch Data Protection Authority (Stcrt. 2016, 21703).
11 See the old Article 21, first paragraph, preamble and under f, under 2, of the Personal Data Protection Act and the current Article 30, first paragraph, under b, of the UAVG, and Parliamentary Papers II 2017/2018, 34851, 3, p. 109.
12 Policy rules for sick employees, section 5.2.2., p. 27.
13 Policy rules for sick employees, section 5.2.1., p. 25, read in conjunction with p. 27.








On the basis of Article 9, second paragraph, preamble and under b, of the GDPR, the controller may process data about health insofar as this is necessary for carrying out obligations and exercising specific rights of the controller or the data subject in the field of employment law, social security and social protection law. Article 30, first paragraph, preamble and under b, of the UAVG provides in that context that the processing of data about health is allowed if this is necessary for the reintegration or guidance of employees or benefit recipients in connection with illness or incapacity for work. Because the processing of names of diseases, specific symptoms and indications of pain is not necessary for the reintegration of employees, as also follows from the policy rules of the AP, the processing thereof is prohibited. CP&A can thus not successfully invoke Article 30, first paragraph, under b, of the UAVG. Nor has the AP found that CP&A can successfully invoke the other exceptions of Article 30 of the UAVG. The AP is thus of the opinion that CP&A processed the above-mentioned health data in violation of the prohibition of Article 9, first paragraph, of the GDPR.

Regarding the period of this violation, the AP last established on 2 May 2019 that CP&A processed health data in its absenteeism registration. The AP then established on May 13, 2019 that the absenteeism registration was no longer accessible via the web address known to it. Finally, the AP has established that in the current absenteeism registration the reason for absence is no longer registered by CP&A.

4.3.4 Conclusion

The AP comes to the conclusion that CP&A, as controller, in any case from 12 March 2019 until 2 May 2019 violated the prohibition of Article 9, first paragraph, of the GDPR by processing health data of 25 employees.


4.4 Violation of security of processing

4.4.1 Introduction

To ensure security and to prevent the processing of personal data from infringing the GDPR, the controller is required under Article 32 of the GDPR to assess the risks inherent in the processing and to take measures to mitigate those risks. Those measures should ensure an appropriate level of security, taking into account the state of the art and the implementation costs set against the risks and the nature of the personal data to be protected. 14 In the following, the AP will assess whether CP&A applied an appropriate security level for processing the health data in its absenteeism registration, as it was accessible through the web address.

4.4.2 Assessment
On the basis of Article 32, first paragraph, of the GDPR, the controller must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. In assessing the risks, according to Article 32, second paragraph, of the GDPR, attention must be paid to risks that occur in the processing of personal data, such as the unauthorized disclosure of or unauthorized access to transmitted, stored or otherwise processed data, whether accidental or unlawful.

As data has a more sensitive nature, or the context in which they are used poses a greater threat to the privacy of those involved, more stringent requirements are set for data security. This means that requirements must be set for the technical and organizational measures to protect these data. 15 With regard to authentication for access to the processing of data about the health of (sick) employees, where that access is provided through the internet, it is necessary to take more stringent measures to meet an appropriate security level, such as two-factor authentication. 16

The AP has determined that the absenteeism registration (with health data) of CP&A was accessible without any form of authentication. The AP is of the opinion that CP&A applied an inadequate level of security for its absenteeism registration. Given the sensitive nature of the data, the fact that the health data were processed on the internet and the risks to the privacy of those involved, CP&A should have taken further measures to prevent the risk of unauthorized access to the absenteeism registration. CP&A failed to do so. This lack of security could have been avoided by, for example, implementing an appropriate authentication technique (or another method) with which the claimed identity of a user of the absenteeism registration can be proven. Such a measure is, considering the current state of the art and the implementation costs, appropriate.

The AP is therefore of the opinion that CP&A has infringed Article 32, first paragraph, of the GDPR because CP&A did not apply a sufficiently appropriate security level with regard to the health data in its absenteeism registration.

View of CP&A and reaction of the AP
CP&A argues in its view that it had one goal with the absenteeism registration: assisting its employees as best as possible during a period of illness and reintegration. CP&A believes that it handled the data of the employees involved correctly and in accordance with the applicable regulations, and that it had also carefully secured the data in such a way that they were not freely accessible. The absenteeism registration was only accessible through a specific link. The link was only provided to those who are/were involved with the reintegration of employees and who as such should have the absenteeism data available to guide the employees as best as possible in the reintegration (management, two region managers, one HRM employee, HRM manager as the absenteeism supervisor). CP&A had not taken into account that the link could give third parties unauthorized access. CP&A very much regrets that it did not see this risk that a third party might be able to consult the data.

The view of CP&A does not lead the AP to another conclusion. By providing the specific link only to people who are/were involved in the reintegration of employees, it is true that an organizational measure was taken to ensure the security of personal data. However, in view of the sensitive nature of the data, the fact that the health data were processed on the internet and the risks to the privacy of those involved, CP&A should also have taken an appropriate technical measure, such as, for example, the implementation of an authentication technique for the link. With this, the risk of unauthorized access to very sensitive data can be largely reduced.

14 Recital 83 of the GDPR.
15 See also Policy rules for the processing of personal data about the health of sick employees, p. 13.
16 See also Policy rules for the processing of personal data about the health of sick employees, p. 7.

4.4.3 Conclusion
The AP comes to the conclusion that CP&A, as controller, in any case from 12 March 2019 until 2 May 2019 violated Article 32, first paragraph, of the GDPR by not applying an appropriate security level with regard to the health data in its absenteeism registration.

4.5 Final conclusion


First of all, the AP comes to the conclusion that CP&A, in any case from 12 March 2019 to 2 May 2019, violated the prohibition of Article 9, first paragraph, of the GDPR by processing health data of 25 employees. In addition, the AP comes to the conclusion that CP&A in the same period violated Article 32, first paragraph, of the GDPR by taking insufficient appropriate technical and organizational measures with regard to the health data in its absenteeism registration to ensure a level of security appropriate to the risk.



5. Fine

5.1 Introduction


CP&A violated, in any case from March 12, 2019 to May 2, 2019, Article 9, first paragraph, and Article 32, first paragraph, of the GDPR. For both established violations the AP makes use of its power to impose a fine on CP&A on the basis of Article 58, second paragraph, and Article 83, fourth and fifth paragraph, of the GDPR, read in conjunction with Article 14, third paragraph, of the UAVG. The AP uses the Fines Policy Rules 2019 for this. 17

In the following, the AP will first briefly outline the fine system, followed by the justification of the amount of the fine in the present case.

17 Stcrt. 2019, 14586, 14 March 2019.



                                                                                        11/17 Date Our reference
March 24, 2020 [CONFIDENTIAL]



5.2 Fines Policy Rules of the Dutch Data Protection Authority 2019 (Fines Policy Rules 2019)

For the unlawful processing of special personal data in violation of Article 9, first paragraph,
of the GDPR, the AP is authorized to impose a fine up to a maximum of € 20,000,000, or up to 4% of the
total worldwide annual turnover in the previous financial year, if this figure is higher, pursuant to
Article 58, second paragraph, preamble and under i, and Article 83 of the GDPR, read in conjunction
with Article 14, third paragraph, of the UAVG. On the basis of the annex to the Fines Policy Rules 2019,
this violation falls in the highest category, namely category IV.


For violation of Article 32, first paragraph, of the GDPR, the AP is authorized to impose an
administrative fine of up to € 10,000,000 or up to 2% of the total worldwide annual turnover in the
previous financial year, if this figure is higher.
II.


On the basis of Article 2.3 of the Fines Policy Rules 2019, the AP applies the following fine ranges
to the above-mentioned violations:
Category II: fine bandwidth between € 120,000 and € 500,000 and a basic fine of € 310,000. […].
Category IV: fine bandwidth between € 450,000 and € 1,000,000 and a basic fine of € 725,000. […].


Pursuant to Article 6 of the Fines Policy Rules 2019, the AP determines the amount of the fine by
adjusting the amount of the basic fine upwards (up to the maximum of the bandwidth of the fine
category linked to a violation) or downwards (to the minimum of that bandwidth), to the extent
that the factors mentioned in Article 7 of the Fines Policy Rules 2019 give rise to this.


Pursuant to Article 7, without prejudice to Articles 3:4 and 5:46 of the General Administrative Law
Act (Awb), the AP takes into account the factors derived from Article 83, second paragraph, of the
GDPR and listed in the Policy Rules 2019 under a to k:
a. the nature, seriousness and duration of the infringement, taking into account the nature, size or
purpose of the processing in question as well as the number of affected data subjects and the extent
of the damage suffered by them;
b. the intentional or negligent nature of the infringement;
c. the measures taken by the controller […] to limit the damage suffered by the data subjects;
d. the degree to which the controller […] is responsible in view of the technical and
organizational measures it has carried out in accordance with Articles 25 and 32 of the GDPR;
e. any relevant previous infringements by the controller […];
f. the degree of cooperation with the supervisory authority to remedy the infringement and
limit its potential negative consequences;
g. the categories of personal data to which the infringement relates;
h. the way in which the supervisory authority has been informed of the infringement, in particular
whether, and if so to what extent, the controller […] has reported the infringement;
i. compliance with the measures referred to in Article 58, second paragraph, of the GDPR, to the
extent that they have previously been taken with regard to the controller […] in relation to the
same matter;
j. adherence to approved codes of conduct in accordance with Article 40 of the GDPR or to
approved certification mechanisms in accordance with Article 42 of the GDPR; and
k. any other aggravating or mitigating factor applicable to the circumstances of the case, such as
financial gains made, or losses avoided, whether or not arising directly from the infringement.


In the present case, this involves an assessment of the nature, seriousness and duration of the
violation in the specific case.
associated fine category remained. The AP can, if necessary and depending on the degree to which the
aforementioned factors give rise to this, apply the fine bandwidth of the next higher or the next
lower category, respectively, on the basis of Article 8.1 of the Fines Policy Rules 2019.
When imposing an administrative fine, the AP assesses, on the basis of Article 5:46, second paragraph,
of the Awb, to what extent the offender can be blamed.
Fines Policy Rules 2019 and Articles 3:4 and 5:46 of the Awb test whether applying its policy for
determining the amount of the fine, given the circumstances and the financial capacity of CP&A in this
specific case, does not lead to a disproportionate outcome.

5.3 Fines for violation of the prohibition on processing data about health and security of processing

5.3.1 Nature, severity and duration of the infringement
Pursuant to Article 7, preamble and under a, of the Fines Policy Rules 2019, the AP takes into account
the nature, seriousness and duration of the infringement, including the nature, size or purpose of
the processing as well as the number of data subjects affected and the extent of the damage suffered
by them.

The protection of natural persons in the processing of personal data is a fundamental right.
Pursuant to Article 8, first paragraph, of the Charter of Fundamental Rights of the European Union
and Article 16, first paragraph, of the Treaty on the Functioning of the European Union (TFEU),
everyone has the right to protection of his personal data. Principles and rules concerning the
protection of natural persons in the processing of their personal data must be in accordance with
their fundamental rights and fundamental freedoms, especially their right to protection of
personal data. The GDPR aims to contribute to the creation of an area of freedom, security and
justice and of an economic union, as well as to economic and social progress, the strengthening and
convergence of the economies within the internal market and the well-being of natural persons.
The processing of personal data must be at the service of man. The right to protection of personal
data is not absolute, but must be considered in relation to its function in society and must, in
accordance with the principle of proportionality, be weighed against other fundamental rights. Any
processing of personal data must be proper and lawful. Personal data should be adequate, relevant
and limited to what is necessary for the purposes for which they are processed.







Personal data must be processed in a way that ensures appropriate security and confidentiality of
the data, including to prevent unauthorized access to or unauthorized use of personal data and
the equipment used for processing.
For particularly sensitive personal data, the GDPR offers a high level of protection.

Personal data that is particularly sensitive deserves specific protection because its processing
may entail increased risks for fundamental rights and fundamental freedoms.
Data subjects should therefore have a high level of control over their health data. The starting
point is also that the processing of special personal data is prohibited in principle. There is only
a limited number of exceptions, laid down in the GDPR and the UAVG. With the processing of
health data in this case, CP&A has violated the high level of protection that Article 9, first
paragraph, of the GDPR provides.


On the basis of Article 32, first paragraph, of the GDPR, the controller must in addition take
appropriate technical and organizational measures to ensure a level of security appropriate to
the risk.
The nature of the personal data and the nature of the processing are important here: these factors
determine the potential damage for the individual data subject in the event of, for example, loss,
modification or unlawful processing of the data. The AP has come to the conclusion that CP&A
has not taken appropriate security measures to safeguard the health data in its absenteeism
registration.


The AP has determined that CP&A, in any case from 12 March 2019 to 2 May 2019,
processed health data of 25 employees without appropriate security. The
health data contained very sensitive information such as names of physical and mental diseases,
specific complaints and indications of pain of its employees.

CP&A thereby violated the prohibition on processing special personal data, and the data subjects
concerned therefore did not have any control over the health data. It is precisely this control that
the GDPR wants to provide to data subjects, so that they are able to protect their data
and enjoy this freedom. In addition, during this period the absenteeism registration of
CP&A was accessible without any form of authentication. This exposed the data subjects to a
large and unnecessary risk of unauthorized access to their personal data. The fact that this
concerns a processing of particularly sensitive data makes the insufficient security of the
data particularly serious.


In the opinion of the AP, there are two serious violations in which CP&A processed special
data of data subjects under incorrect conditions, but the factors stated in Article 7
of the Fines Policy Rules 2019, insofar as applicable in this case, give no reason to increase or
decrease the basic amount of the fine. The AP will assess whether the amount of the fine needs
adjustment based on proportionality.

5.3.2 Culpability

Pursuant to Article 5:46, second paragraph, of the Awb, the AP takes into account, when imposing an
administrative fine, the extent to which the offender can be blamed. Since this concerns
violations, the imposition of an administrative fine does not, in accordance with case law, require
it to be shown that there was intent, 18 and the AP may presume culpability if the perpetrator is
established. 19


Under Article 9, first paragraph, of the GDPR, the processing of data about health is prohibited in
principle. The legal rules regarding the processing of personal data about the health of
sick employees in the context of their reintegration and absenteeism guidance, as recorded in
the Personal Data Protection Act, have remained unchanged with the application of the GDPR on
May 25, 2018. In addition, on the basis of the policy rules "The sick employee" of the AP, published
in the Government Gazette in April 2016, CP&A could have determined which personal data

from a party like CP&A it may, also in view of the particular nature of the
personal data, be expected that it is aware of the standards applicable to it.
In this respect CP&A has, through its actions, breached the high level of protection for special
personal data.

Based on Article 32 of the GDPR, the policy rules "The sick employee" and the nature of the
processing, CP&A should also have known that it had to take measures to mitigate the risk of
unauthorized access to the absenteeism registration. CP&A has failed to secure access to
the absenteeism registration through the web address with, in any case, an appropriate
authentication technique (or other method) to be able to prove the claimed identity of a user.
The AP deems this culpable as well.

5.3.3 View of CP&A and reaction of the AP

CP&A states in its view that it has already taken corrective measures, in which respect it refers
to the AP's request to terminate the violation as soon as possible, and that it immediately
provided all cooperation.

maintained in the secure environment of the HRM system, which is only accessible to the HRM
department and direct supervisors. In addition, CP&A no longer processes the reason for absenteeism,
and the forecast is only recorded as far as it can be derived from the reports of the company doctor
without medical information.

In view of the foregoing, and thereby also expressly taking into account the fact that CP&A is a
medium-sized enterprise in the sense of article 2a UAVA, and taking into account the manner in which,
for example, the cases of Nippon Express (2017) and Abtona Foundation (2016) have been closed,
the AP can, according to CP&A, suffice with the corrective measures already taken under Article 58
of the GDPR.

In addition, CP&A points out the fact that those involved, fortunately, did not suffer any damage,
that CP&A has in no way acted deliberately or negligently, that it has not been sanctioned for prior
violations and that CP&A has engaged (additional) guidance by an external advisor in the area of
privacy.


18 Compare CBb 29 October 2014, ECLI:NL:CBB:2014:395, ground 3.5.4, CBb 2 September 2015, ECLI:NL:CBB:2015:312, ground 3.7 and CBb 7 March 2016,
ECLI:NL:CBB:2016:54, ground 8.3, ABRvS 29 August 2018, ECLI:NL:RVS:2018:2879, ground 3.2 and ABRvS 5 December 2018,
ECLI:NL:RVS:2018:3969, ground 5.1.
19 Parliamentary Papers II 2003/04, 29702, No. 3, p. 134.






The AP does not share the view of CP&A. CP&A should in this case have refrained from processing
health data of its employees. In addition, CP&A has not taken adequate measures
to ensure the security of its absenteeism system. This practice of CP&A has been detrimental
to the protection of the personal data of its employees.
violations, the AP considers the imposition of a corrective measure other than an administrative fine
insufficiently effective, proportionate and dissuasive. The AP finds the imposition of an
administrative fine appropriate in this case.
position and the financial capacity of CP&A. CP&A has also argued that the data subjects have not been
harmed, but this has not been proven, nor can it be ruled out that this may still occur in the future.

This ground, alone or together with the other grounds, gives the AP, in view of the seriousness of the
violations and the degree of culpability, no reason to refrain from imposing a fine or to reduce
the fine further on the grounds referred to by CP&A.

The AP sets the fine for violation of Article 9, first paragraph, of the GDPR to € 725,000.

For the violation of Article 32, first paragraph, of the GDPR, the AP sets the fine at € 310,000.

5.4 Proportionality and financial capacity

Finally, the AP assesses on the basis of Articles 3:4 and 5:46 of the Awb (principle of
proportionality) whether the application of its policy for determining the amount of the fine, given
the circumstances of the specific case, does not lead to a disproportionate outcome.
The principle of proportionality plays a role, among other things, in the accumulation of sanctions
and the financial capacity of the controller.


CP&A has relied on limited financial capacity.
Given the known financial data of CP&A, the AP considers the financial capacity of CP&A limited. The AP
comes to the conclusion that CP&A cannot financially bear the combined fine amount for both
violations of € 1,035,000. On the basis of this, the AP sees reason to reduce the amount of the fine.
The AP considers a fine of € 15,000 appropriate and necessary in this case, and considers CP&A, given
its financial capacity, able to pay this amount.


5.5 Conclusion
The AP sets the total fine amount to € 15,000.




















6 Operative part

Fine

The AP imposes on CP&A, for violation of Article 9, first paragraph, of the GDPR and Article 32,
first paragraph, of the GDPR, an administrative fine of € 15,000 (in words: fifteen thousand euros). 20

Yours sincerely,
Authority Personal data,


Signed

Drs C. E. Mur
Board member














Remedies Clause

If you do not agree with this decision, you can submit an objection to the Autoriteit
Persoonsgegevens, digitally or on paper, within six weeks of the date on which the decision was sent.
Submitting an objection suspends the effect of this decision.
To submit an objection digitally, see www.autoriteitpersoonsgegevens.nl, under the heading Objection
against a decision, at the bottom of the page under the header Contact the Autoriteit
Persoonsgegevens. The address for submitting on paper is: Autoriteit Persoonsgegevens, PO Box 93374,
2509 AJ Den Haag.
On the envelope, state "Awb objection" and put in the title of your letter "notice of objection".
At least write in your notice of objection:
- your name and address;
- the date of your notice of objection;
- the reference mentioned in this letter (case number), or attach a copy of this decision;
- the reason(s) why you do not agree with this decision;
- your signature.


20 The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB).



