AP (The Netherlands) - Ministry of Foreign Affairs
|AP (The Netherlands) - Ministry of Foreign Affairs|
|Authority:||AP (The Netherlands)|
|Relevant Law:||Article 13(1)(e) GDPR|
Article 24 GDPR
Article 32 GDPR
|Parties:||Dutch Minister of Foreign Affairs|
|National Case Number/Name:||Ministry of Foreign Affairs|
|European Case Law Identifier:||n/a|
|Original Source:||AP (in NL)|
The Dutch DPA issued a fine of €565,000 against the Dutch Ministry of Foreign Affairs for having insufficient security measures and not providing data subjects with adequate information when processing visa applications, in violation of Article 13(1)(e), 24 and 32 GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
The Dutch Ministry of Foreign Affairs handled personal data in processing visa applications. That data included fingerprints, name, address, place of residence, country of birth, purpose of visit, nationality and a photograph. The DPA carried out an investigation of the New Visa Information System that the Ministry used for visa processing operations.
Holding[edit | edit source]
The DPA held that the New Visa Information System lacks sufficient level of security, giving rise to a risk that unauthorised persons can view and change files. It also increases the risk that other errors go unnoticed. Some of the issues concerned were a lack of a security plan, insufficient physical security safeguards, lack of formal registration and deregistration procedures in relation to the access to the system, and weaknesses in the procedure for reporting security incidents. These errors and abuses would have major consequences on applicants' rights. Consequently, the Ministry violated Article 32 GDPR and Article 24 GDPR.
The DPA also found that visa applicants were insufficiently informed about how their data was shared with third parties. Consequently, the Ministry violated Article 13(1)(e) GDPR.
The Ministry of Foreign Affairs was held to be severely negligent as it had been aware of these deficiencies for years. The DPA ordered the Ministry to rectify the situation. It imposed a fine of EUR 565,000 for the past violations. It also imposed penalty payments payable for as long as the violations continue, namely EUR 50,000 per two weeks for security breaches and EUR 10,000 per week for lack of transparency.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
AuthorityPersonal Data PO Box93374,2509AJ The Hague Bezuidenhoutseweg30,2594AV The Hague T0708888500-F0708888501 authority data.nl Confidential/Registered Minister of Foreign Affairs Deheermr.W.B.HoekstraMBA Rijnstraat8 2515XPDenHaag Date Unidentified 24 February 2022 [CONFIDENTIAL] Contact [CONFIDENTIAL] Subject Decidingtoimposeafineandannuitycompensation Dear Hoekstra, The Data Protection Authority (AP) has decided to ask the Minister of Foreign Affairs (hereinafter: the Minister) to impose an administrative fine of €565,000. TheAP has come to the conclusion that the Minister, as controller in the process of issuing so-called Schengen visas, data subjects provide insufficient information and security of the processing of personal data insufficiently guarantees. With regard to the security of personal data, the AP relates to until the New Visa Information System (NVIS) briefly determined that: - a security plan is missing; - insufficient measures have been taken or have been taken to protect personal data physically; - incomplete procedures exist with regard to (control of) access rights to NVIS; - there are shortcomings in the log files and regular checks on them; and - the procedure for reporting security incidents was incomplete. As a result, the Minister acts in conflict with article 13, paragraph 1, and article 32, paragraph 1, of the General RegulationData Protection (GDPR). The AP has decided to also impose an injunction sum to impose, who sees the reversal of these violations–that in determining this still decides not to be terminated. The AP explains the decision in more detail. Chapter 1 concerns an introduction chapter 2 contains the findings.Inchapter3the(amountofthe)administrative fine is elaboratedandinchapter4 the burdensubjectivesumdescribed.Chapter5finallycontainsthedictmentandremediesclause. 1,Date Unidentified 24 February 2022 [CONFIDENTIAL] Contents 1.Introduction 4 1.1Background 4 1.2Target research 5 1.3Visa ProcessforSchengen Short Stay Visa 5 1.4 Legal framework 8 1.5Process flow 8 2.Findings 9 2.1Processing of personal data 9 2.1.1 Factual findings 9 2.1.2Legal assessment 9 2.2 Controller and processor(s) 10 2.2.1 Factual findings 10 2.2.2Legal assessment 12 2.3Security planNVIS 13 2.3.1 Legal framework 13 2.3.2 Factual findings 14 2.3.3Legal assessment 17 2.4PhysicalSecurityAccesstoNVIS 19 2.4.1Legal framework 19 2.4.2 Factual findings 19 2.4.3Legal Review 22 2.5AccessrightstoNVISandstaffprofiles 25 2.5.1 Legal framework 25 2.5.2 Factual findings 26 2.5.3Legal assessment 32 2.6 Monitoring NVIS usage: log files 36 2.6.1 Legal framework 36 2.6.2 Factual Findings 37 2.6.3Legal assessment 40 2.7 Control of NVIS usage: security incidents 42 2.7.1 Legal framework 42 2.7.2 Factual Findings 44 2.7.3Legal assessment 47 2.8Training staff on data protection 48 2.9 Information provision to visa applicants 48 2.9.1 Legal framework 48 2.9.2 Factual findings 49 2.9.3Legal Assessment 50 2.10 Conclusions 51 2/64,Date Unidentified 24 February 2022 [CONFIDENTIAL] 3Fine 53 3.1Introduction 53 3.2.Finance policy rules Data Authority2019 53 3.3Penaltyforviolatingthesecurityofprocessing 53 3.3.1 Nature, seriousness and duration of the infringement 54 3.3.2 Negligent nature of the infringement 54 3.3.3Categories of data 55 3.4Amount of fines for violation of information provision to those involved 55 3.5 Blame and proportionality for both violations 56 3.6 Conclusion 56 4.Load forced sum 57 5.Directive 59 APPENDIX1 61 3/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 1 Introduction 1.1Background 1. The APis responsible for supervising the national part of a number of European information systems, including the Visa Information System (hereinafter: VIS) and the Schengen InformationSystem (hereinafter: SISII). Under the EU legal framework of these systems, the AP to independently monitor the lawfulness of the processing of personal data by the Member State concerned, including the transmission from and to the central European facility of VIS and SIS. For visa applications, access to the European VIS takes place via a national system, to know: N.VIS.The specific application that falls under N.VIS by the Ministry of Foreign Affairs (hereinafter: BZ) is used for the purposes of Schengen visas, the New Visa Information System (hereinafter: NVIS). 2. The NVIS contains the application data, including biometric data, of all applicants who Dutch Consular Post AbroadWant to obtain a Schengen visa for their stay in the Netherlands and/or in other Schengen countries.Schengen visa applications are made in countries outside the Schengen areas where there is also no question of a special visa exemption processing of the visa applications is also always checked whether the application appears in SIS II.SIS IIincludes alerts imported by Member States in, among other things, the area of European arrest warrants and declared undesired. The SISII check takes place automatically, in the background of a visa application via NVIS. 3. In 2015, the Schengen evaluation took place, in which the supervision of the national carried out by the AP part of the SISIIandVISwasassessed.IntheSchengenevaluationreport2015isexplicit included that the AP must carry out regular checks at the Dutch consular posts AP checks are also part of the police and justice multi-year plan that the AP follows within the framework of its supervision of, among others, the above-mentioned SIS II and VIS (systems). 4. As a result of this, the AP has carried out a controlling investigation at BZen a number of parties who have a role in the process of issuance of Schengen visas. The study included the following organizations: - the Netherlands Embassy to London, United Kingdom (hereinafter: Consular PostLondon); - the Netherlands Embassy in Dublin, Ireland (hereinafter: consular post Dublin); - the Consular Service Organization in The Hague, which functions as the back office of the visa granting (hereinafter: the CSO); - [CONFIDENTIAL](hereinafter: Processor1) of London, United Kingdom, which acts as external service provider (hereinafter: EDP) in the visa process of the Consular Post London; - [CONFIDENTIAL] (hereinafter: Processor2) in Utrecht, the executor of various IT tasks in relation to the national visa information system; and - [CONFIDENTIAL] (hereinafter: Processor3) in Amsterdam, the service provider for the benefit of the NVIS servers. 4/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 1.2Target research 5. The research of the AP focused on the (selected) physical, organizational and technical security aspects of NVIS in the context of the Schengen visa process and includes the security plan, physical security, granting access rights to NVIS and logging of the NVIS use. In addition, compliance with legal requirements was checked with regard to the information provision to visa applicants and training of employees involved in the visa process. 1.3Visa ProcessforSchengenShort Stay Visa 6. In this section, the AP explains the Schengen visa process in general, and specifically with regard to the consular posts in London and Dublin. Schengen short stay visa A short-stay visa is referred to as a 'Schengen Visa'. This visa allows persons within a period of 180 days, 90 days to stay in the Schengen area. ImmediatelySchengenvisumishet–short summarized–for a personwithoutEU nationalityallowedfreetravelwithin26 Schengen countries. The country where one has to apply for the visa is determined by the main purpose of the applicant's journey or main destination. 7. The visa process at the examined consular posts consists of the following steps : 1 1. [CONFIDENTIAL] 2. [CONFIDENTIAL] 3. [CONFIDENTIAL] 2 4. [CONFIDENTIAL] 5. [CONFIDENTIAL] 6. [CONFIDENTIAL] 3 7. [CONFIDENTIAL] 8. [CONFIDENTIAL] 9. [CONFIDENTIAL] 8. After the registrations are completed and the substantive steps have been completed, a decision can be made on the visa application will be taken. This decision will be registered in NVIS. A positive decision the visa sticker is printed in the applicant's passport, if a negative decision is taken a refusal decision is created. In both cases, the decision is recorded in VIS. 5 1File document3, appendix1: NVISManualVisa application processingFebruary2018,p.19. 2During the processing of the visa application, it is always checked whether the application appears in the SISII system. SIS II includes alerts imported by member states in, among other things, the area of European arrest warrants, and unwanted aliens. takes place automatically, in the background of a visa application via NVIS. 3File document3, appendix3: Visio-SchengenFlowchart, p.6and7. 4File document3, appendix 3: Visio-Schengen Flowchart, p.7. 5File 3, appendix 3: Visio-Schengen Flowchart, p.9. 5/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] Apply for a Schengen visa at a consular postLondon 9. The Consular PostLondon cooperates with Processor 1 who fulfills a role of an EDP. The tasks of 7 the EDV include, among other things: [CONFIDENTIAL] 10. Processor1 handles the intake of most visa applications that pass through the London Consular Post. In the context of a visa application, the applicant downloads the application form via the BZ website or via the website of Processor1.Then the requester makes an appointment with Processor1 via the appointment system of Processor1. On the day of the appointment, the applicant reports to Processor1. 8 Processor1 successively performs the following tasks: [CONFIDENTIAL] 11. The Consular PostLondon carries out the following tasks, among others: [CONFIDENTIAL] 12. The tasks of the CSO include the following activities: 9 [CONFIDENTIAL] 6Recital13Visacode,article40lid3Visacode,article43Visacode. 7Article 43, paragraph 5, Visa code. 8File document3, attachment3:Visio Schengen visaFlowchart. 9File document3, appendix3:Visio Schengen visa Flowchart,p.4-5. 6/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 13. Where appropriate, submitting an application to the Immigration and Naturalization Service 10 (IND) necessary or necessary to consult or inform member states. In addition, it can are necessary to interview the applicant. During the processing of the visa applications, always checked whether the applicant appears in SISII. The SISII check takes place automatically, in the background of a visa application through NVIS. After these steps have been completed, a decision can be made on the visa application will be taken. This decision will be registered in NVIS. A positive decision the visa sticker is printed in the applicant's passport, if a negative decision is taken 13 a refusal decision is created. In both cases, the decision is recorded in VIS. Apply for a Schengen visa at consular postDublin 14. The consular postDublin worked during the investigation of the AP without the intervention of an EDV and processes visa applications itself. Most of the same steps are taken here visa application process followed by Processor1 and the Consular PostLondon.[CONFIDENTIAL]. [CONFIDENTIAL]. In the context of a visa application, the applicant downloads the application form via the website of the embassy or BZ. An appointment for an intake at the consulate can be made be on the embassy's website via a link to a system for appointments. 15. As part of the visa process, the consulate performs the following tasks, among others: [CONFIDENTIAL] 16. In its role as back office, the CSO performs the same tasks as in the case of the consular post London. In addition, the CSO has an important task in registering the visa application details which the consular post takes Dublin as paper files by mail to the CSO in The Hague sends. ViewBZ 17. BZ has stated that since the investigation by the AP some changes have been made to the above visa process have been implemented. Processor1 today takes live photos, the intake of the visa applications no longer proceeds by mail(viatheconsularpostLondon).In addition,consularmailmakesDublin 14 meanwhilewelluseofanEDV. 1File document3, appendix3:Visio Schengen visa Flowchart,p.6. 1File document3, appendix3:Visio Schengen visa Flowchart,p.7. 1File document3, appendix3:Visio Schengen visa Flowchart,p.7. 1File document3, appendix3:Visio Schengen visa Flowchart,p.9. 1WrittenViewBZvan15October2021,p3. 7/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 1.4Legal framework 18. For the legal framework, the AP refers to APPENDIX1. 1.5Process flow 19. In the context of this research, the AP used various research methods. The AP carried out desk research, requested in writing for information and has several locations in several locations on-site investigations (hereinafter referred to as: OTPs). During the OTPs, the inspectors of the AP conducted interviews and researched the information systems used in the visa process. Following the OTPs performed, the AP has the additional documentation requestedandwrittenquestions.Duringtheexamination,severalfileswererequested relating to the granted access rights to NVIS, NVIS logging and selection from the NVIS databases (in particular tables of the databases). 20. By letter dated August 13, 2021, the AP sent an intention to enforcement to the Minister. On 15 October 2021, the minister gave a written opinion about this intention and about it substantiatedreportwithfindings. On November 4, 2021 at the AP has a opinion session took place at which BZook explained its view orally. at10 17 December 2021 has sent further documents on request. 1WrittenOpinionBZvan15October2021. 1LetterBZaanAPof19November2021withappendix1Conversation report. 1EmailBZaanAPvan10December2021. 8/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 2.Findings 2.1Processing of personal data 2.1.1 Factual Findings 21. The Visa Code defines what information the Member States must collect in order to be able to visa The VIS Regulation lays down that the following information is required for the handling and making decisions about visa applications for the Schengen area in the VIS should be stored: alphanumeric data concerning the applicant and the requested, visa issued, refused, annulled, revoked or extended, a photo of the applicant, 18 fingerprint data and links to other requests. Upon receipt of an application, the visa authority without delay on the application file by entering various data into the VIS, such as first and last name, gender, places, country of birth, nationality, type of visa that will be 19 applied for, purpose of travel, place of residence, current occupation, photo and fingerprints of the applicant. 22. Authorized personnel of the visa authorities have access to and can access the VIS enter, change or delete data. For example, upon the issuance of a visa, upon the cancellation of a visa application, in the event of a refusal of a 21 visa application, in the event of annulment/revocation of a visa or an extension of a visa details added to the application file. Then it is the data may be changed or deleted during the application process. BZ(service consular posts) use the NVIS in which data is required from the Schengen visa process are saved, modified and deleted. 2.1.2Legal review 23. The data of visa applicants that have been processed in the NVIS qualify as personal data in the sense of article 4, under 1, GDPR, because it concerns information about identified natural persons. A 23 part of this data is biometric data within the meaning of article 4, under 14, and article 9 AVG and thus qualify as special personal data. 24. Continue to enter, consult, save, view and change data in NVIS under the scope of the concept of processing of personal data within the meaning of article 4, under 2, AVG.DeAP establishes that data are processed through the NVIS when going through the visa process for short-term stay. 1Article 5, paragraph 1, Regulation (EC) No. 767/2008 of the European Parliament and Council of 9 July 2008 on the Visa Information System (VIS) and the exchange between Member States of data in the field of short-stay visas (‘VIS Regulation’), PB2008, L218/60. 1Article8, paragraph 1jo.9VIS Regulation. 20Article 6, paragraph 1, VIS Regulation. 2Article 10 to 14VIS Regulation. 22Article24and25VIS Regulation. 23Because, among other things, name and address data and also the social security number are processed, the identity of the persons is fixed and therefore identified persons. 9/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 2.2 Controller and processor(s) 2.2.1 Factual Findings Ministry of Foreign Affairs 25. The AP establishes that for the Netherlands the Minister of Foreign Affairs is the designated person responsible for processing of the data in the VIS. 24 26. The AP establishes that an important part of the tasks in the field of NVIS services organisationally, it is entrusted to the Directorate-General for European Cooperation. UnderthisDirectorate a number of directorates, two of which have a particular role in the granting of visas. Firstly, the board of directorsConsular Business and Visa Policy (DCV). providing consular services to Dutch nationals in foreign countries by directing the 26 consular function at the departments and at the posts. Second, the Consular Service Organization (CSO) in The Hague. CSO is a shared service organization whose primary task is back office to shape processes related to the issuance of visas and travel documents. TheAPhas established,andBZconfirmed,thattheconsulatebackofficeLondonandtheconsulateDublin is located at CSO. In addition, CSO provides back office work for a number of other consular services and products. 27 Processor1 27. Processor1 is an outsourcing and technology services company that serves the Netherlands in various countries arranges executive affairs with regard to visa and passport issuance. The head office, [CONFIDENTIAL] is located in Dubai, United Arab Emirates. 28. Processor1 is designated as an external service provider to facilitate visa application facilities company directs physical visitor centers to which data subjects can submit their applications.InLondon handles Processor1for BZthefrontofficeforthevisaapplicationsintheUnitedKingdom be submitted. With regard to this work, on March 21, 2019, a 29 concession agreement concluded between Processor1 and BZ. Based on this assignment, Processor 1process visa and biometric information.EmployeesofProcessor1takethese data received from the applicant. At the location of [CONFIDENTIAL] in London are ICT 30 facilities made[CONFIDENTIAL]. Processor1 does not have access to NVIS, this happens at the CSO. At Processor1, applicants can hand in and collect their passports. 24 Listofthecompetentnationalauthorities to which they belongauthorizedstaffhaveaccesstotheVisaInformation 25steem(VIS)toenter,change,deleteorconsult data(2012/C79/05). 26rtikel7, paragraph2, subd, Organizational DecreeForeign Affairs2019. 27rtikel7, paragraph2, subc, Organizational DecreeForeign Affairs2019. 28rtikel7, paragraph2, subd, Organizational DecreeForeign Affairs2019. 29rtikel40, paragraph 3, Visa code. 30esss piece3, appendix 4a:[CONFIDENTIAL]. File3,Appendix4d:Appendix1tothestandardcontractualclauses. 10/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 29. For the transfer of processed personal data by BZ to Processor1 there is an intermediary arrangement made on the basis of the European Commission, in accordance with article 46, paragraph 2, subparagraph, GDPR established standard contractual clauses for data protection (´StandardContractual Clauses'). Article1,subbenc,is put down as follows: (b)´thedataexporter´meansthecontrollerwhotransferthepersonaldata; (c)´thedataimporter´meanstheprocessorwhoagreestoreceivefromthedataexporterpersonaldataintendedfor processingonhisbehalfafterthetransferinaccordancewithhisinstructionsandthetermsoftheClausesandwhoisnot subjecttoathirdcountry´ssystemssuringadequateprotectionwithinthemeaningofChapterVofRegulation(EU) 2016-679. 30. Article 4 of the Standard Contractual Clauses contains obligations laid down by the dates exporter´.UnderArticle4,subb,StandardContractualClauses,the´dataexporter´connects the obligation 'thatithasinstructedandthroughoutthedurationofthepersonaldataprocessingservices willinstructthedataimportertoprocessthepersonaldatatransferredonlyonthedataexporter'sbehalf andinaccordancewiththeapplicabledataprotectionlawandtheclauses'. 31. Inappendix1totheStandardContractualClausesstatesthatBZthe´dataexporter´isen [CONFIDENTIAL]the´dataimporter´. 32 Processor2 32. The investigation of the AP has shown that Processor 2 plays an important role within the visa granting process. Processor2 is a consultancy company that focuses on providing consultancy and advice of information technology. 33. The services for NVIS are provided by the following organizational units of Processor2 performed: [CONFIDENTIAL] as part of [CONFIDENTIAL] and [CONFIDENTIAL]. [CONFIDENTIAL] (and therefore Processor2NederlandBV)uses the services of the 33 [CONFIDENTIAL]inIndiathatispartofProcessor2[CONFIDENTIAL]. 34. Processor2 entered into an agreement with BZ on 31 August 2010 for the delivery of support services for NVIS. The service includes application and technical management, making available (including hosting), maintaining, developing and renewing of the functionality for and advice for the benefit of, among others, the NVIS. Processor2 delivers in this framework including custom applications specifically developed for the visa issuance process 34 35 support. Processor2 reports to the Director of Consular Affairs and Visa Policy of the Ministry of Foreign Affairs. 35. In Article 2.1 of the Processing Agreement (Appendix to the Agreement Making available, MaintainanddevelopNVISfromAugust31,2010)statesthatrelatingtoprocessing 31File 3, appendix 4b:Standardcontractualclauses(processors). 32File3,Appendix4d:Appendix1tothestandardcontractualclauses 33File 23, appendix05:OrganogramProcessor2worldwideforNVIS 34File piece14, appendix02.1: AVGChange agreementProcessor2–MinBZNVIS20180529,p.14. 35File document14, appendix02.1: AVGChange agreementProcessor2–MinBZNVIS20180529,p.1. 11/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] personal dataof BZbyProcessor2underthisProcessing Agreement,BZde controller require Processor2 to be the processor. 36 36. It follows from article 4.1 of the Processor Agreement between Processor2 and BZ that Processor2 sub- processors can engage for the processing of personal data when there is a question of prior written specific or general permission from BZ. Processor2 must be based on the agreement with BZ to impose the same obligations on sub-processors with regard to the processing of personal data as that to which Processor2 itself is bound by this Processing Agreement. 37. In article 5.1 of the processing agreement between BZ and Processor 2 it is established that BZ has the right has been audited once per contract year by a certified internal or external auditor perform to Processor2's compliance with its obligations under the processor agreement. The AP has determined that BZ evaluates the compliance of Processor2 by the desire of so-called assurance statements from Processor2. The AP has received two assurance reports from BZ with 37 related to Processor2 for the period 1 November 2017-31 October 2018. 38. The AP has established that Processor2 in the context of its services on behalf of NVIS it companyProcessor3deploysassubprocessor.Processor3(formerly[CONFIDENTIAL])developed operates worldwide data storage centers. In the Netherlands, Processor 3 has a data center in Amsterdam.Processor3providesservicestoProcessor2,namelymakingtheavailabilityof the data center, including physical facilities. [CONFIDENTIAL] 39 2.2.2Legal review Controller 39. In accordance with the VIS Regulation (Article 41(4)), each Member State shall designate for the processing of personal data in the VIS to the authority that must be regarded as the responsible person who has central responsibility for data processing by this Member State. The responsible person has been notified to the European Commission and published in the Official Journal of the European 40 Union. Based on this, the Minister of Foreign Affairs has been noted 3File piece14, appendix02.1:GDPRChange agreementProcessor2–MinBZNVIS20180529. 3File 14, attachment 12.2:[CONFIDENTIAL]. 3File 20:[CONFIDENTIAL]. 3File 20:[CONFIDENTIAL]. 4ListofthecompetentnationalauthoritiesandtowhichtheauthorizedpersonnelmembershaveaccesstotheVisaInformation System (VIS) to enter, modify, delete or consult data, PB2012, C79/05. 12/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] NVIS controller. This is also confirmed by the Ministry to the AP documents issued.1 40. The Minister (with the support of his ministry) decides on how to apply for visas should be treated and also make the final decision on visa applications the Minister determines the objectives and the means for the processing of data within NVIS. 41. The AP establishes that the Minister of Foreign Affairs is the controller, in the sense of article4, preamble to 7, AVG, for the processing of personal data in the context of NVIS.In which this decision is called the Ministry of Foreign Affairs, the AP makes this equivalent to the Minister of Foreign Affairs. Processors 42. According to Article 43 Visa Code, Member States may cooperate with an external service provider that controllersupportsinthevisaprocess.Memberstatesaremandatoryagreements 42 create in a legal instrument where the minimum requirements are determined in the Visa Code. 43. The AP finds that BZenengages a number of parties to the data processing and in the visa process to support, namely Processor1 (the third-party service provider that is processing the visa applications takes), Processor2 (for the application and technical management of NVIS) and Processor3 which acts as a processor provides support for Processor2's processes. There are with these parties processing agreements. From the various processing agreements concluded between thesepartiesandBZfollowsthattheMinisterisdesignatedascontrolleristhe said parties as processors. 44. The AP therefore establishes that Processor2 and Processor1 are processors as referred to in article 4, under 8, GDPR.Processor3isaprocessorthat has been engaged byProcessor2,asreferred to in article28, member2andlid4,AVG(sub-processor). 2.3Security planNVIS 2.3.1Legal framework 45. Article 32, paragraph 2, VIS Regulation prescribes that each Member State provides the necessary technical and organizational establishes security measures, including a security plan. This plan is one of the security measures it must take to secure the data before and during transmission to the NVIS. Such an obligation also arises from article 32 and 24 AVG. Article 24 AVG writes more in general for the responsible measures in the field of compliance with the GDPR should take and that they should be periodically evaluated. 46. Article 32(3) VIS Regulation further states that the managing authority must take the necessary measures to achieve the objectives referred to in paragraph 2 with regard to the functioning of the VIS, including the adoption of a security plan. The strategic principles and 41 42iexample filepiece12,appendix44a:piaapplicationstationsignedandfilepiece12,appendix 44b:nvispiasigned. AppendixXVisa code. 13/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] preconditions that BZ uses for information security in relation to NVIS must be clear the security plan. In concrete terms, this means that BZe must have drawn up a security plan for the NVIS, where at least attention is paid to the points to which I mentioned in article 32, paragraph 2,VIS Regulation are included. 47. AlsotheBaselineInformationsecurityGovernment(BIO)writesthepresenceofa information security plan for periodic assessment, the following standards are relevant: 5.1.1 Information Security Policies For information security, a set of policies should be defined, approved by management, published and communicated to employees and relevant external parties. 220.127.116.11 There is an information security policy established by the organization. This policy is determined by the management of the organizations and contain at least the following points: a.The strategic principles and preconditions that the organization uses for informationsecurityintheparticularembeddinginandalignmentwiththegeneral security policy and the information provision policy. b. The organization of the information security function, including responsibilities, duties and powers. c. The assignment of responsibilities for chains of information systems to line managers. d.Thecommonreliabilityrequirementsandstandardsthatontheorganizationof apply. e.The frequency with which the information security policy is evaluated. f.Promoting security awareness. 18.104.22.168 The information security policy is updated periodically and in line with the (existing) governance and P&C cycles and external developments and assessments adjusted if necessary. 2.3.2 Factual Findings 48. During the investigation, the AP asked BZ in writing about the security plan with relating to data in NVIS. The AP also has the existence of a security plan and contentchecked in practice during the on-site investigation at the consular posts in London and Dublin. Furthermore, the AP requested written documentation relating to the existing content of a security plan. Ministry of Foreign Affairs 49. The AP establishes that the Ministry of Foreign Affairs, at the request of the AP, established a security plan(N) during the investigation provide, replied with three documents, namely: - Vulnerability analysis and IB planDCV 44 - PIA Request station 45 43 44File document3, appendix 5a: Vulnerability analysis and IB planDCV.an29May2019. 45File 3, attachment 5b: PIA Request station. 14/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] - QuickscanSchengen VisaFebruary2019 46 50. The “Vulnerability analysis and IB plan DCV” of January 2015 contains a risk assessment, with regard to to the business processes for visa granting of DCV and the posts, which the board of directors has left to comply with the obligations of the DecreeRegulationInformation Security Rijksdienst2007.Thereportcontainsareportoftherelevantthreatsand vulnerabilities of the information systems. The report also contains measures that the identified risks to an acceptable level.The reportqualifies theseproposedmeasures as an “information security plan” including prioritization. 51. The “PIA Request Station” concerns a PrivacyImpactAssessment of the Request Station. end resultofthePIAisasetofrisksandrecommendationsforthesecuritymeasuresthat DCV's sub-responsibility should be realised. 52. The“QuickScanSchengenVisaFebruary2019”isaQuickScanthatisperformedondemandfromDCVisto the security requirements imposed by the business processes on the process Schengen visa where special data are included. The purpose of the QuickScani is as objective as possible determine the security requirements for the Schengen visa whether these requirements fall within the baseline information security or whether they exceed it QuickScanfollowsthattheSchengenVisaprocessfallsoutsideofBZBaseline Information Security an additional risk analysis is required. This is instructed in the QuickScan. 53. Based on these three documents, the AP finds that B has a number of different documents, in which (intended) security measures are mentioned. A number of those measures have directly related to NVIS. Consular PostLondon 54. During the on-site investigation on 2 July 2019 in London, the AP asked for completeness access the security plan related to NVIS.The Consular PostLondon has a standard format security planprovided by BZ and locally by the consular post filled in. Two inspectors of the AP and FG of BZ have had a look at the most recent version of the security plan.[CONFIDENTIAL]: [CONFIDENTIAL] The documents mentioned relate to the security of the Consular Post in London, in particular [CONFIDENTIAL], and are not focused on the information security of NVIS and the visa process. The AP notes that she has seen documentation at the consular post in London that does not appear on the information security related to NVIS.47 46 47Order Document3,Appendix5c:QuickscanSchengenVisaFebruary2019. File 8:ReportofOfficial ActionsSecurity PlanOTPConsular PostLondon. 15/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] Consular PostDublin 55. The AP also checked in Dublin or in practice a security plan related to NVIS was available. During the on-site investigation on January 22, 2020 at the consular post in Dublinis declared that a security plan is present. It is a standard format security plan that BZisdeliveredandfilledlocallyatthepost.Anadjustmentofthesecurityplanwillbe 48 Done once a year by the deputy chief of post. 56. On 23 January 2020, two inspectors from the AP and FG of the Ministry of Foreign Affairs, also during the investigation on site at the consular post in dublin, if requested, received access to a security plan with 49 regarding NVIS. [CONFIDENTIAL]: [CONFIDENTIAL]. 50 The AP establishes that the documentation submitted at the consular post in Dublin does not appear on the information security related to NVIS. 51 CSODenHaag 57. The AP has checked with CSO whether a security plan in the sense of the VIS Regulation is available is.The AP determines that the CSO upon the request of the AP to provide a security plan(N)VIS 53 replied with 9 documents, namely: - Baseline information securityBZ2018, version1.00final; 54 55 - SecuritySecurityManagementPackage,version0.2final; - Security PlanRisk Analysis Reporting–[CONFIDENTIAL]; 56 57 - Security analysis stolensecurepostCSO; - Security analysis burglary building; 58 - Security analysis intrusion measurement; 59 - Security exampleUnauthorized[CONFIDENTIAL]; 60 - Security preview info on unexpected visit; 61 48File document27:ReportofOfficial ActsConsular PostDublin. 49File document28:ReportofOfficial ActionsSecurity PlanOTPConsular PostDublin. 50On the spot, the AP inspectors established that in the end, this document was not necessary for the investigation. 51File document27:ReportofOfficial ActsConsular PostDublin. 52File document13:Information requestAPfrom25july2019. 53File piece14:ReactionBZvan8August2019onInformationAPvan25July2019. 54 55File document14, appendix14.1Baseline information securityBZ2018v1.00Final.pdf. 56File 14, attachment 16.1: SecuritySecurityManagementPackage0.2final. 57File document14, appendix 16.2: Security planRisk analysis report-[CONFIDENTIAL]. File 14, appendix 16.3: Security analysis theft and secure post CSO. 58File 14, appendix 16.4: Security analysis burglary building. 59File piece14, appendix16.5:Security analysispenetratemoreser. 60File 14, appendix 16.6:Security exampleUnauthorized[CONFIDENTIAL]. 61File document14, appendix16.7:Security example infoforunexpectedvisit. 16/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] - Overview accessCSO. 62 58. These documents describe aspects of information security. The AP notes that these aspects are not specifically aimed at or related to NVIS. There are also no concrete references to the visa process found. 2.3.3Legal Review 59. The AP notes that the Ministry of Foreign Affairs has included certain security measures in various documents. Some of these documents have been provided to the AP in response to information requests to the minister.Other documents have been brought forward at or following the visit of AP toCSO. 60. With regard to the documents submitted, the AP establishes the following. The “Vulnerability analysis and IB plan DCV” contains a number of security measures, but not current (dating from 2015). The local security measures, which were put in place during the investigation For the sake of completeness, the consular post in Dublin, London, has seen the documents attached to the CSO are requested, are not specific to NVIS and only see on a limited number security measures (and not on information security) that pursuant to Article 32VIS Regulation are prescribed. The measures in these documents mainly focus on the broad security of buildings and systems, including related potential security risks. The AP notes that an overarching security plan with regard to NVIS, with attention to the measures, such as laid down in article 32, paragraph 2, under a note with k of the VIS Regulation, however, is not present. 61. In its view, BZ states that the AVG, the VIS regulations and the BIR/BIO do not impose any requirements on the form ofasecurityplananddoesnotrequireasecurityplanonlyonthenationalvisa informationsystem.BZconsideranumberofdocumentsincoherenceassecurityplan for NVIS :3 - PrivacyImpactAssessmentSchengenenCaribbeanVisafrom25October2018. - Baseline testNVIS - QuickscanSchengen VisaFebruary2019andRisk Analysis‘Vulnerability AnalysisandIB plan DCV'. 62. BZ has indicated in its view that BZ has noted with regret that in the previous information request from the AP the first two documents have not been provided to the AP. BZ notes later that the external auditor, commissioned by the AP, has judged in the context of the VIS audit that the Ministry of Foreign Affairs the Baseline test, PIA and risk analysis comply with the standard that a security plan has been established. 63. The AP does not follow the opinion of the Ministry of Foreign Affairs. During the investigation, the AP has asked about the security plan of NVIS. BZ had several options to obtain the relevant documents The APis, for its own sake,investigatingtheVISauditbytheexternalparty performed if two separate processes that did not take place at the same time. The VIS audit was 62 63ossspiece14,appendix16.8:OverviewAccessCSO. WrittenOpinionBZvan15October2021,p.4. 17/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] broader scope and made use of a different testing framework. In addition, the external auditor only established that1) not he but BZ the combination of the baseline test, PIA and risk analysis together regarded as information security plans2) a concrete information security plan around the Visa process is missing. 64. The AP has assessed the newly delivered documentation from BZ. The AP determines that the 'Privacy ImpactAssessmentSchengenenCaribbeanVisafrom25 October 2018', as the title suggests, a PrivacyImpactAssessmentconcerning.Thisisaveryusefultooltoconsidertheprivacyrisksofa data processing, but does not form a plan that focuses on information security in are complete. The submitted 'Baseline test NVIS' is a kind of completed questionnaire/checklist. enumeration of BIO standards with resulting commands for making and taking security measures, in which it is not understandable to the AP how the given answers must be based on these documents, it is unclear to the AP which policy measures and BZ has specifically taken control measures for NVIS. 65. The form of a security plan is free but the strategic principles and preconditions that BZ uses for information security in relation to NVIS must be clear from the security plan In addition, article 32, paragraph 2, VISOrdinance requires that BZe must have a security plan drawn up for NVIS, where at least attention is paid to the points at to and with k uitarticle 32, paragraph 2, VISOrdinance. In the opinion of the AP, BZ has demonstrated this insufficiently. BZ has for example, not submitted a security plan stating what preconditions apply to the physical security of NVIS that ensures the appropriate protection of personal data is. Nor has the AP received a formal procedure from BZ that describes how and when BZ checks performs top logging. The general procedure BZ has at the time of the investigation provided for reporting security incidents by BZ employees, did not comply.Ende procedures about granting and checking access rights to NVIS environment are only by BZin January 2022. The AP refers to paragraphs 2.4, 2.5, 2.6 and 2.7 for the comprehensive review oftheseprocedures.TheAPconcludesthatthedocumentsthatBZpresentedas-inareentirely viewed-an information security plan, does not meet the preconditions set therein. 66. In view of the BIO standards, the AP further establishes that due to the lack of (essential components in) information security policy, not this policy at scheduled intervals (or if it becomes significant changes occur) assessed by BZ to ensure that it is always appropriate, adequate and effective. Securing information is a process where there is always a Plan-Do-Check-Act cycle must be completed, as laid down, among others, in BIO standard 22.214.171.124. 67. In its view, BZ has provided some documents about the PDCA cycle it has gone through. 64 The AP notes in this regard that BZin the 'Baseline information security BZ2021' is on a high abstraction level has determined who is responsible for implementation and execution of BIO standards is responsible.The Data Protection Policy describes the PDCA cycles with regard to the protection of data, but does not contain the security aspects about it. The same applies to the document Gripopprivacy, the AVG manual, in-control statements and the submitted follow-up memo. BZ has developed a plan of measures with risk analysis from 2015 and 2020 6Written ViewBZof 15 October 2021, p.4. 18/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] November 2021 show that it only occasionally has security measures related to NVIS evaluated and acted on it. 68. Based on the above, the AP comes to the conclusion that BZ has no security plan (and this also has not evaluated) that meets the requirements of article 24 and 32, paragraph 1, AVG and further elaborated in article32, paragraph2, preamble, FISHOrdinancesBIO standards5.1.1,126.96.36.199and188.8.131.52. 2.4PhysicalSecurityAccesstoNVIS 2.4.1Legal framework 69. Article 32, paragraph 2, undera, VIS Regulation prescribes before measures must be adopted to protect physical data, including preparing emergency plans for the physical infrastructure. This requirement is also laid down in general terms in article 32 AVG. being furtherin BIO-standardsincludedthatillustratewherethephysicalsecuritycanbecontrolled The BIO does not literally describe goals that need to be realized (the “what”) how must be arranged. The AP has checked the physical security against a checklist (see explanation in the next section). The following provisions from the BIO are for the assessment of this checklist relevant: 11.1.1 Physical Security Zone Security zones should be defined and used to areas protect those sensitive or essential information and information processing facilities contain. 11.1.2 Physical Access Security Secure areas should be protected by appropriate access security to ensure that only authorized personnel have access. 11.1.3 Securing offices, rooms and facilities Front offices, rooms and facilities should be designed and physically secured applied. 11.1.4 Protecting against outside threats Againstnatural disasters,malicious attacksoraccidentsbelongtophysicalprotection to be designed and applied. 11.1.5 Working in secure areas For working in secure areas, procedures should be developed applied. 11.2.2 Utilities Equipmentshouldbeprotectedagainstpowerfailureandotherdisruptionsthat are caused by disruptions in utilities. 2.4.2 Factual Findings 70. The AP examined the physical security at the consular posts in London and Dublin, the CSO in Den Haag,Processor2inUtrechtProcessor3inAmsterdam.Duringthechecks,theAPperlocationhas 19/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] used two (identical) checklists. The first checklist was focused on physical security ofthebuildingthesecondchecklistonthephysicalsecurityoftheroomsin whichaccesstothe NVIS environment and/or whether the intake process for Schengen visas takes place. Below is per location described the situation encountered during the on-site investigation. Consular PostLondon 71. [CONFIDENTIAL] 66 Processor1London 72. [CONFIDENTIAL] 67 65 [CONFIDENTIAL] 66File 7:ReportofOfficial OperationsOTP Consular PostLondon. 67File 9:ReportofOfficial OperationsOTP Processor1London. 20/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] Consular PostDublin 68 73. [CONFIDENTIAL] CSODenHaag 69 74. [CONFIDENTIAL] 68File document27:ReportofOfficial OperationsOTPConsular PostDublin. 69File document11:ReportofOfficial ActsOTPCSO18July2019and12September2019. 21/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] Processor2Utrecht 75. [CONFIDENTIAL] Processor3Amsterdam 70 71 72 76. [CONFIDENTIAL] 2.4.3Legal Review 77. The AP first establishes that measures have been taken in the area of at all sites surveyed physical security. The AP concludes that measures have been taken to protect the buildings and space(s) in which data of visa applicants are processed and physically protected, including with cameras and motion sensors. Furthermore, the AP concludes that the spaces in which data of visa applicants are processed and marked as secure areas. 70File document19:ReportofOfficial OperationsOTP Processor38November2019. 7File document[CONFIDENTIAL] 72File piece21:EmailBZof13November2019withdocumentsfollowing OTP8November. 22/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 78. However, the AP notes that the Ministry of Foreign Affairs has not explicitly determined which parts of the IT infrastructure should be regarded as critical infrastructure of the visa process can comply witharticle32AVGjo.32,lid2,ondera,VISRegulationisthisonlyrequirement.BZhas in her opinion stated that in the spring of 2020 she went different systems as critical During the opinion session on 4 November 2021, BZ has an (undated) list of information systems handed over to the AP, on which BZ indicated which systems are considered critical infrastructure have been identified. NVISisoneofthosesystemsontheselistssoisbyBZby now classified as critical infrastructure. 79. The AP also established during an on-site investigation that the Ministry of Foreign Affairs has no emergency plans designed to protect the physical infrastructure of the visa process.The Consular PostLondon, the consular postDublin and CSO do not have an emergency power supply while section 11.2.2 of the BIO determines that equipment should be protected against power failure. This means that BZ, when it comes to drawing up emergency plans and protecting equipment against disruptions in utilities, in the opinion of the AP, does not meet the provisions of article 32, paragraph 1, GDPR further elaborated in article32, paragraph2, suba,VISOrdinancesBIO standards11.1.4and11.2.2. 80. BZ has indicated in its view that BZ has concluded from its own threat analyzes that flood detectors and emergency power supplies at the stations London and Dublin are not needed. The AP partly follows this view. Flood detectors can be dispensed with after a explicit risk assessment. With regard to power failure, the BIO requires equipment to be protected against power failures and other disturbances caused by disturbances in utilities. Critical infrastructure such as NVIS must be highly secured, with the business interruption should be avoided as much as possible. BZ has insufficient explained why NVIS as a critical system does not need an emergency power supply. 81. Furthermore, the AP notes that with regard to the rooms and rooms at the consulate in London, where is with visa stickers and the NVIS system, there were shortcomings in the field of physical security.[CONFIDENTIAL]. In practice, there were no security guarantees when entering of the zone that must be extra secured, the AP determines that the physical security of the rooms in which the visa process in london is not complied with article 32, paragraph 1, AVG, further elaborated inarticle32, paragraph2, suba,VISOrdinancesBIO standards11.1.1t/m11.1.5and11.2.2. 82. BZ has stated in its opinion (and provided supporting documents) which show that in the past two-year measures have been taken to secure access to the consular section. 73 [CONFIDENTIAL].The AP notes that the shortcomings in the area of physical security in the ConsulateLondonthereforehavebeenremedialated. 7Written ViewBZof 15 October 2021, p.5. 23/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 83. The AP has further established that with regard to the activities of Processor2 in the context of the visa process, it is important that employees of Processor2 are largely independent of place and time are allowed to work. As soon as work is done outside Processor2's buildings, the physical ensuring security at Processor2's locations, of course, no help. The legal requirement that personal data of visa applicants may only be processed in spaces with adequate physical security, however, remains unaffected. For the AP, it is unclear how data within databases of NVIS are physically protected in case of place and time working independently by employees of Processor2 who are stationed in both the Netherlands and [CONFIDENTIAL]. The AP has during the investigation did not receive any documentation from BZ that sees to the physical protection of NVIS data at work independent of place and time. BZ, as the controller, must ensure appropriate security measures in the field of physical protection of NVIS data, and verify the effectiveness of these security measures. 84. BZ maintains in its view that there is sufficient security where arcs apply to employees of Processor2thatworksfromhome.First of all,unauthorizedandnottrue Processor2employeeslive and the connection to the network and the management VPN is immediately disconnected as a laptop from a home is stolen. Setting up the VPN connection works through multi-factor authentication and There is a strict employee policy. The Ministry of Foreign Affairs has issued two regulations in this context. 74 85. The AP has assessed these regulations with regard to the place-and-time-independent working state states that the employee must take all necessary precautions when using the personal device in a public place, so that the screen cannot be viewed by others. However, it is not clear which precautions an employee is expected to take the AP asked BZ the question whether and under what conditions employees of Processor2 inpublic placeswithNVISmaywork withNVIS,howBZassessedthehomeworkpolicyof Processor2 which written agreements between BZenProcessor2aboutthephysicalsecurityofNVISplaceand time-independentworkerapplies.Finally, the AP requested some audit statements. 86. BZ has stated that all employees of Processor2 involved in the NVIS services apply office policy for remote work, which in theory can also take place outside one's own home 75 find. BZ has assessed Processor2's home work policy as satisfactory on the basis of it already previously provided employee policy. However, the AP establishes that in the . submitted by BZo control statements, audit statements and the processing agreement the subject place and time work independentlynot treated/assessed. It is therefore unclear to the AP based on which considerations BZ has assessed the place-and-time-independent working as sufficient. 7WrittenViewBZof15October2021,Appendices19and20. 7E-mailBZof10December2021. 7E-mailBZfrom December 10, 2021, attachment 11.1 to 13.3. 24/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 87. On the basis of the above, the AP is of the opinion that BZ has not shown that there is sufficient guarantees apply to physical security when working in NVIS in public places. As stated in section 2.1.2 BZ processes very much-also-special data in NVIS. This makes that the nature of processing is sensitive and negative consequences for data subjects in the case of unlawful processing and can be drastic. In addition, BZ has the NVIS system as a critical infrastructure while at the consular posts and CSO there is a pass access system and camera surveillance is applied, such guarantees are not present in public areas. 88. NuBZhasnotshownthatsufficientguaranteesapplyforphysicalsecurityinthe workinginNVISinpublicplacesandBsevenhastheeffectivenessofthepolicyonthis checked, the AP concludes that there is an infringement of article 32, paragraph 1, GDPR further elaborated in article 32, paragraph 2, subaenk, VIS Regulation. 2.5AccessrightstoNVISandstaffprofiles 2.5.1Legal framework 89. Article 6, paragraph 1, VIS Regulation provides that only duly authorized personnel of the visa authorities have access to the VIS to enter, modify or delete visa data.Article 32, paragraph 2, subparagraph, VIS Regulation prescribes before the necessary measures are taken determined to ensure that those authorized to consult the VI, access only have access to the data to which their authorization of access relates and only with personal and unique user identities (control of access to data). 90. Article 32, paragraph 2, sub, VIS Regulation prescribes before the necessary measures are adopted to ensure that all authorities with access rights to the VIS draw up profiles in which the tasks and responsibilities are described of the persons authorized to access data, on take, update, delete and search these profiles and if requested and without delay to make available to the national supervisory authorities, as referred to in Article 41 (staff profiles). This is also described in article 28, paragraph 4, subc, VIS Regulation which states that “each Member State is responsible for managing the arrangements under which they belong” authorizedstaffmembersofthecompetentnationalauthorityinaccordancewiththisregulation access the VIS, the setups regularly update a list of such staff members and their profile”. 91. Article 32, paragraph 2, subparagraph, VISRegulation prescribes before the necessary measures are adopted to verify the effectiveness of the security measures referred to in this paragraph and with regard to the internal control to take the necessary organizational measures to ensure that these regulationiscomplied(internalcontrol).Thisisjoiningthegenerallydeterminedin article32 of the AVG. Internally allocate theBIObligation management and implementation measures information security policy should show which roles within an organization are responsible for 25/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] themeasures to be taken. It is important that security procedures are carried out by the relevant person responsible are determined. Concretely, the following provisions are relevant to the BIO: 9.2.1 User registration and logout A formal registration and unsubscribe procedure should be implemented by to enable allocation of access rights. 9.2.2 Granting user access A formal user access procedure should be implemented to allow access rights for all types of users and for all systems and services pointing or withdrawing. 9.2.5 Assessment of user access rights Asset owners belongaccess rightsofusersregularly judge. 9.2.6 Revoke or modify access rights The access rights of all employees and external users for information and information processing facilities associated with the termination of their employment, contractoragreementtoberemoved,andtobeclosedwithchanges adjusted. 2.5.2 Factual findings 92. During the investigations, the AP asked BZ questions about the setting up of access rights to NVIS has the internal control on this. For this, the AP has the current authorization lists, personnel profiles, authorization procedures and other relevant documentation requested regarding to granting access rights to the NVIS environment. The AP's research focused on the following questions regarding access rights: -Has BAsestablishedprocedures for granting and checking access rights toNVIS? - Has BZ drawn up personnel profiles with regard to NVIS in which the tasks and responsibilities are described of the persons authorized to transfer data in the view, record, update, delete, and search the system? personnel profiles updated regularly? - Are the assigned access rights (authorization lists) regularly assessed? 93. The AP has only examined this component with the parties that have access to the NVIS environment. 26/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 184.108.40.206ProceduresongrantingandcheckingaccessrightstoNVIS Consular PostLondon 94. BZ has provided the AP with three documents relating to authorization procedures in connection with withNVIS:(1)‘Data Management ManualNVIS’ ,(2)a document titled ‘Authorization Procedure NVISEmbassyLondon' and (3)'Work instruction/procedure: logging authorization applications'. 79 95. The first document is in the form of a practical user manual, where it is not clear which person responsible within BZ has determined this manual. In chapter 3 of the document there is a short line about granting access rights to NVIS, stating all practical steps in the system related to the assignment and removal of NVIS roles and the change of the authorization period. It is further stated that the management of tasks at the NVIS rolesinthedepartmentbymanagementConsularBusinessandVisapolicy,cluster Information Management and Management (hereinafter: DCM/MB-IB) is performed. The document shows not who is responsible for allocating, changing and checking authorizations. 96. The second document is one page, undated and not (at a management level) it has not become clear to the AP whether this piece has been prepared in response to its request for information, whether it existed before. The document describes how employeesoftheconsularpostLondonobtainaccesstoNVIS. Please state it document:“in addition to theannualcheckbyfunctionalmanagementfindad-hocchecks(ofthe authorisations) at the postal location.”. 97.Thethirddocumentconsistsoftwopagesandseethecheckofauthorizations.Itcontainsthe next stated: “For the purpose of the control log requests authorizations DCV/MB-IBdeposts RSOs once a year (after the annual transfer round) to carry out a check on which collaborators which should have roles in certain applications...”.The document further contains flowcharts that schematically depict a 'checkup logging authorization applications' documentisgenericandnotspecificallyfocusedonthecontrolofaccessrightstoNVIS.Thedocumentis undated has not been established (at a management level). 98. The AP finds on the basis of the check at the consular post in London that the Ministry of Foreign Affairs is not over-formal establishedproceduresavailableforassigning, changing and terminating accessrightsto 77File 3, appendix 1: ManualData managementNVISFebruary2018. 78File document12, appendix04: Authorization procedureNVISConsular PostLondon. 79File 3, appendix 6b: Work instruction logging and authorization applications. 80File piece3, appendix1: ManualData managementNVISFebruary2018,p.<16: “..NVISautomatically transfersnumbersofemployees from [CONFIDENTIAL]. ICT manages this technical functionality. So no employees can be added manually in NVIS. An employee can only access NVIS if they are authorized for a particular role. Roles determine what an employee can and cannot do dowithinNVIS.Aroleconsistsofseveraltasks.EachtaskgivesaccesstoaspecificNVIScomponent.Managethetasksatthe rolling is performed at the department by [CONFIDENTIAL].”. 8File3,Appendix1:ManualData ManagementNVISFebruary2018:“AccesstoNVISislinkedtotheBZaccountofthe employeeandpostvaluetheemployeeisworking.Whentheemployeeleavethestation,accesstoNVISisautomatic terminated due to the employee's BZ account being closed at the post or transferred to another post. [CONFIDENTIAL] 27/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] NVIS. Nor does BZo have established procedures to change the access rights granted to NVIS to check. Consular PostDublin 99. Prior to the investigation in Dublin, the APBZ in writing requested 83 authorization proceduresNVISandotherrelevantdocumentationrelatingtothedeviceof accessrightstoNVIS.BZhasadocumenttitled‘Authorisation procedureNVISEmbassy Dublin' to the AP provided. 100. The document consists of half a page of text, undated and not at (management level) it has not become clear to the AP whether this piece has been prepared in response to its request for information, whether it existed before. The document submitted describes that the supervisor will be granted an application to [CONFIDENTIAL].Access to NVISis linked to [CONFIDENTIAL].The [CONFIDENTIAL] controls transactions of the NVIS accounts roles. Furthermore, the annual check of the assigned authorizations is carried out by [CONFIDENTIAL] executed. 101. As a result of its investigation at the consular postDublin, the AP establishes that BZ does not procedures available for granting, changing and terminating access rights to NVIS and for checking the authorizations granted to NVIS. CSODenHaag 102. During the investigation of the AP, the interviewed CSO employees gave an explanation 85 about the procedure that the CSO follows in obtaining access rights to NVIS. [CONFIDENTIAL] 103. When granting access rights to NVIS, the CSO uses the 'Manual' Data managementNVIS' (the description of this document can be found in section 2.5.2). Also does the CSO have a work instruction [CONFIDENTIAL]. The (undated) work instruction exists from 13 unnumbered pages. It is unknown whether the document has been established at management level. It is not clear from the document who is formally responsible for the granting of authorizations, the making changes to accounts, assigning NVIS roles and checking on them. The AP concludes as a result of its investigation at the CSO that it has not been shown that BZ has 8File document27:ReportofOfficial OperationsOTPConsular PostDublin. 8File document25: AnnouncementOTP ConsulateDublinenInformation requestAPvan19December2019. 8File piece26, appendix4.1:Employee-Roles–Dublin. 8File document11:ReportofOfficial OperationsOTPCSO18July2019and12September2019. 8File piece3, appendix1:ManualData managementNVISFebruary2018. 8File piece14, appendix 23.1:Assign work instructionrolesNVISatCSO. 28/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] formal procedures related to granting, changing and terminating access rights and control of the granted access rights to NVIS. Processor2 88 104. As a result of the investigation that the AP has carried out at Processor2, the following are documents related to authorizations issued: (1) a procedure for the internal access 89 management system, (2-4) authorization procedure of CloudInfrastructureManagement,consisting of three documents , and an authorization list with names of employees of Processor2 who have access authority to the NVIS platform and databases. 105. The submitted authorization procedures (1 to 4) describing the method used by Processor2 applied when creating, modifying and/or deleting employee accounts the procedures, schematic representations of the (practical) steps that are relevant for the application, change and remove access rights to the systems that Processor2 works with. In addition ingoing authorization procedures in the types of accounts that employees may have at their disposal. By a further explanation by BZ during the opinion phase it has become sufficiently clear for the AP what the relationship is between these types of accounts and responsibilities on the one hand and the NVIS environment 92 on the other hand. 220.127.116.11Staff profiles Consular PostLondon Consular PostDublinenCSO 93 106. BZ has provided a generic document entitled 'NVIS profiles'. It is a table in which the know NVIS roles are related to tasks that fall under the assigned NVIS role. The tasks are summarily indicated, it is unclear with which concrete actions (e.g. view data, record, update, delete, and search) in the NVIS context are associated. between the function of the staff members and the assigned NVIS roles and tasks not defined. 107. The AP has requested BZ to provide personnel profiles relating to the employeesoftheCSO.BZsubmittedatemplatetextwithresultareasand competences, which may be used for the purpose of the description of vacancies at the CSO. The descriptionincludedinthisdocumentdoesnotseethetasksandresponsibilitiesinrelationto actionsinNVIS. 108. During the investigation, the AP established that BZ has not drawn up any personnel profiles in which the tasksand responsibilities are described of the staff at the consular postLondon, 88 89 dossier 17:ReportofOfficial ActsOTP Processor21November2019. 90ossspiece17, appendix8:[CONFIDENTIAL]. File 18, attachment3:[CONFIDENTIAL];File 63:[CONFIDENTIAL];andFile 18, attachment1: 91CONFIDENTIAL]. 92ossspiece21,appendix4:Authorization listNVIS. 93ienswijsBZ14October2021,p.8andletterBZaanAPvan19November2021,appendix1Conversation report,p.33and34. 94ossspiece5,appendix1:NVISprofiles. 95 file4:Information requestAPfrom13June2019. File16, appendix 2.1: Function profilesCSOvisa, version 15October2019. 29/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] consular postDublin and CSO who are authorized to view, update, delete and delete data in NVIS to search. 18.104.22.168CheckingaccessrightstoNVIS Consular PostLondon 96 109. BZ has an up-to-date authorization list of all employees of the Consular Post in London at the AP submitted. 110. At the time of the survey, 17 staff were working with the at the Consular Post in London access rights to NVIS. These employees are assigned the following (several) NVIS roles: [CONFIDENTIAL]. Most employees had more than two NVIS roles, with a maximum of six NVIS roles which one employee had. 111. The AP has checked the role [CONFIDENTIAL] more closely. On the authorization list that BZ has the AP providedwasoneemployee(hereafter:employeeX)listedwiththisNVIS role.[CONFIDENTIAL]. Employee X hadn't worked in the Consular department for a long time, but did as [CONFIDENTIAL]withanotherdepartmentoftheembassy.Forcurrentactivities, employeeXnoaccesstoNVISnecessary.During the AP check it was found that logging into the system underroleof[CONFIDENTIAL]wasstillpossible.Afterlogin,employeeX view and update current NVIS data. 112. The authorization list provided also shows that some employees of the London Consular Post 97 possessed authorization with mutually incompatible NVIS roles, such as those of [CONFIDENTIAL].NVIS did not include a justification in the award of this conflicting roles had been explained. 113. At the time of the inquiry at the Consular Post in London, the BZ also stated that the NVIS Authorizations granted are checked once a year by [CONFIDENTIAL]. At the consular postLondon[CONFIDENTIAL]responsible for transmitting all mutations in the NVIS 98 access rights. The operational manager was not present during the investigation and it was unknown how often the changes related to NVIS access rights to [CONFIDENTIAL] become passed on. BZ has not provided any documents proving when the last check of the authorizationsand NVIS roles at the Consular PostLondonhas taken place. 114. The AP determines that at the time of its check at the consular post in London an employee was wrongly had access rights to NVIS. This employee was at the time of the AP investigation appointed to another position at the embassy, which did not require the use of NVIS. Further 9File document3, appendix7:OverviewNVIS authorizationsZMAlonden. 9 The mutually incompatible NVIS roles are listed in File Document 12, Appendix 06a: Tasks-roles-incompatible-NVIS. 9File 7:Report of the official acts and consular postLondon. 9File document10:Information requestAPvan12july2019. 30/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] several employees of the Consular Post in London had NVIS roles that mutually are incompatible. During the investigation, the AP has no justification for the incompatible roles in NVISaffectedandreceiveddocumentationprovingwhenthelastcheckofthe authorizations and NVIS roles has occurred. Consular PostDublin 115. BZ has submitted an overview of the authorizations granted to the consular post in Dublin to the AP. 100 At the consular post, at the time of the investigation, there were six employees working on had access rights to NVIS, in the following assigned NVIS roles: [CONFIDENTIAL]. Two employees had NVIS [CONFIDENTIAL] roles that are mutually incompatible. The assignment of these conflicting roles in NVISist times of the investigation by or on behalf of BZ unmotivated. 116. During the investigation of the AP, employees of the consular postDublin stated that one The list of all authorized authorizations is checked at the consular post every year. 101 The Functional Management department in The Hague carries out checks on the assigned authorizations. CSO 117. The CSO stated during the investigation that the assigned NVIS roles are focused on the segregation of duties.The roles of registration and decision making are mutually incompatible according to the functional design of the NVIS application. 102 103 [CONFIDENTIAL] The AP found no justification in NVIS with regard to [CONFIDENTIAL]. 104 118. The overview provided to the AP 'NVIS role distribution per function' shows that at the CSO79 employees have access to NVIS. The following positions are listed: [CONFIDENTIAL]. Three or more NVIS roles have been assigned to these roles. it appears from the research of the AP that these rollers have not been in use for several years. 105 119. The above overview also shows that some NVIS roles, over which some employees of the CSO, are marked as mutually incompatible. 10This is about the next one NVIS Roles:[CONFIDENTIAL]. 10File 26, Appendix 4.1:Employee-Roles–Dublin. 10File document27:ReportofOfficial OperationsOTPConsular PostDublin. 10File document11:ReportofOfficial OperationsOTPCSO18July2019and12September2019. 10File document16, attachment3.1:ProcessDescriptionDepartmentRegistration,version1August2019. 10File 14, appendix 23.2: NVISrole division by function. 10File piece5, appendix2and3andfilepiece11. 10File 14, appendix 23.2: NVISrole division by function. 31/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] The CSO did not submit any documents to the AP during the investigation that provided the substantive motivation contain about the conflicting NVIS roles. 120. During the investigation on July 18, 2019, the CS clarified that the control of the granting of authorizations according to an internal control plan year-by-year[CONFIDENTIAL].In addition, an audit is performed once a year by [CONFIDENTIAL]. 107 [CONFIDENTIAL] The CSO also submitted the management report to the AP on 8 August 2019. evidencing that the assigned authorizations to NVIS, including the NVIS roles, have been verified last check took place in 2018. 121. The AP establishes that the granted authorizations for access to NVIS are checked at the CSO. Furthermore, the AP notes that several employees at the CSO are under the award of mutually incompatible NVIS roles, and that [CONFIDENTIAL] employees default over have access rights with [CONFIDENTIAL] in NVIS there is no incompatible roles in NVIS. Finally, some CSO employees did not have a role was more in use. Processor2 122. At the time of the investigation, the AP concluded that BZ did not provide any documentation which shows (sufficiently) which agreements have been made with Processor2 about the procedures and respect of access rights between the controller and a processor. 123. In its view, BZ states that the agreements between it and Processor2 about the access rights to NVIS followfromagreementsbetweenBZenProcessor2.BZalsohasaquarterlyreportinthat context 109 submitted about the control of these access rights of Processor2. The AP has these documents assessed and comes to the conclusion that on this point no violation of article 32, paragraph 2 can be established subk,VISOrdinanceswillnotcoverthiswithinthelegal review below. 2.5.3Legal review Consular postsLondonDublinenCSO 124. As a result of its investigation, the AP notes that the consular posts in London and Dublin CSO have access to NVIS. [CONFIDENTIAL] 107 File14:BZ response of August 8, 2019 to the AP information request of July 25, 2019. Written answer to the AP's question: 'Wieis 10File piece14, appendix24.1:Management reportingvisapril2018,version30may2018.andseBusinessandspecificattheCSO?' 10Written ViewBZof15October2021,p.8. 32/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] Procedures about granting and checking access rights to NVIS environment 125. When allocating access rights, including NVIS roles, the Ministry of Foreign Affairs uses the method the practice is almost identical for the staff of the investigated consular posts and the CSO in The Hague.The AP notes that the Ministry of Foreign Affairs did not have formal registration and deregistration procedures regarding the assignment of access rights to NVIS employees although a manual is used to the system, which contains all kinds of practical steps have been explained, but that this is an unformally established user access grant procedure 111 includes with regard to registering and unsubscribing from authorizations authorization procedures have been provided by BZ, concerning an undated, summary description of the working method that BZ uses when authorizing employees of the consular posts and are no formally established registration and deregistration procedures. The AP determines that BZ conflicts with this point acts with article 32, paragraph 1, AVG and further elaborated in BIO standards 9.2.1 and 9.2.2. 126. In its view, BZ has indicated that the existing work instructions will be formally be determined. The AP has received that document on January 9, 2022, and is of the opinion that it the procedure for applying for, changing and canceling access rights in NVIS is sufficient described.113 Personnel profiles 127. During the investigation, the AP established that the Ministry of Foreign Affairs has not drawn up any personnel profiles in which the tasksand responsibilities are described of the staff of the consular posts LondonandDublindareauthorizedtosee,record,update,delete in NVIS data and search. With regard to the provided personnel profiles of the employees at the CSO, the AP considers that these profiles do not provide sufficient insight into the tasks and responsibilities of the CSO staff who are authorized to process data in NVIS. 128. In its view, BZ states that the access rights assigned to the functions are determined on the basis of of tasks and responsibilities. As a result of this, the AP again has documentation requested what this should be shown. BZ has issued an authorization matrix dated 7 January 2014. 116 On the basis of this, the AP concludes that BZ still has personnel profiles that are sufficient provide insight into the tasks and responsibilities of authorized employees. It follows that In the opinion of the AP, BZ has acted on this point in accordance with article 32, paragraph 2, under g,VIS Regulation. This provision also prescribes that personnel profiles must be available and must be provided at the request of the AP. The AP must conclude that BZ at the time of the investigation by AP has not provided the complete personnel profiles, at the moment that the AP so requested. It follows that B Zo has acted contrary to article 32, paragraph 2, sub, FISH Regulation. 111 case piece3, appendix1 and file piece26, appendix1.1:ManualData ManagementNVISFebruary2018. File document12, appendix 4: Authorization procedure NVIS consular postLondon; and File document 26, annex 3.1: Authorization procedure NVIS 112sulairepostDublin. 113Christian ViewBZof October 15, 2021, p.6. 114-mailBZaandeAPvan9jan2022,BZprocessNVISauthorization. 115ossspiece16,appendix2.1:Function profilesCSOvisa. 116ScripturalViewBZof15October2021,p.7. 117-mailBZfrom December 10, 2021, attachment 14. In view of Article 41, paragraph 1, VIS Regulation, the AP is the competent supervisor 33/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] ControlaccessrightstoNVIS 129. First of all, the AP established that the Ministry of Foreign Affairs did not have formal procedures with regard to periodic check of 118 assigned access rights to NVIS and NVIS roles documentation provided shows that the granted authorizations are issued once a year by [CONFIDENTIAL] are checked. In addition, it has been stated that internal checks are carried out at the consular posting in London and Dublin at the CSO. 119 130. The AP considers that during the investigation it did not receive any documents showing the frequency appears from the checks by [CONFIDENTIAL]. Nor has BZ shown when the most recent control has been performed. With regard to the internal controls, the AP considers that in the case of the consular postLondonnodocumentswereprovidedthatseetheinternalcontrolsof the assigned authorizations. With regard to the CSO and the consular post Dublin, the AP concludes from the 120 information provided that some internal controls related to authorizations in the past have taken place. The late stein internal audit at the CSO took place in April 2018. Deconsular postDubl carries out a check at least once a year; the last check was done in 2019. 121 131. Furthermore, the AP has established that several employees of CSO and one employee of the consular postLondon had NVIS role(s) that were not needed and some of the roles turned out to be hadn't been in use for some time. This indicates that the assigned access rights to NVIS and NVIS roles have been insufficiently checked. 132. During the hearing, BZ stated that [CONFIDENTIAL] at consular posts are responsible for the control of access rights to NVIS. The one-time annual control of [CONFIDENTIAL] acts as a safety net. 12BZfurtherindicatedtheprocedureforchecking will formally determine access rights. 133. In response to this, the AP requested documentation from BZ of the checks that [CONFIDENTIAL] oftheconsularpostLondonandDublinhaveperformedonaccessrightstoNVISfrom2018toten with 2021. BZ has provided the following in response: authorization lists (from 2019, 2020 and 2021), the withdrawal of access rights of one employee in 2019 and two evaluation reports that no longer to give a general picture of the screening of consular posts (from 2018 and 2019). documents submitted do not lead the AP to any other judgment. The AP establishes that BZ has not demonstratedthattheoperationalmanagersoftheconsularpostLondonandDublinregularchecks have performed on the access rights to NVIS. 11File document3, appendix1: ManualData managementNVISFebruary2018;File document12,appendix4: Authorization procedureNVISConsular post London; and File 26, Annex 3.1: Authorization procedure NVIS Consular Post Dublin. 11File document7:ReportofOfficial OperationsConsular PostLondon;File Document27:ReportofOfficial OperationsConsular PostDublin; enDossierstuk11:Report ofCSOCSO18July2019and12September2019. 12File piece14, appendices24.1and24.2:Managementreportingvisaapr2018enManagementreportagevisasep2018;enFile piece27,appendix 6:6.CorrespondenceaboutcustomizingrolesNVIS. 12File document27:ReportofOfficial OperationsOTP ConsulateDublin. 12BZ to AP of 19 November 2021, appendix 1 Interview report, p.30. 34/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 134. With regard to the procedure provided by BZ regarding the control of access rights, the AP notes that the process surrounding the one-time annual audit of [CONFIDENTIAL] is described herein. 12The AP notes that no clarity is provided in this procedure as to how BZ takes care of it that access rights are checked regularly. The one-off annual check functions, like BZ sets,as a safety net.Considering the type of data processing in NVIS considers the APan annual audit insufficient to ensure that only authorized personnel have access to this system working methodmitigatestheriskinsufficientlydateachangeoffunctionandemployeeformonths incorrectly accesses NVIS,[CONFIDENTIAL]. 135. The AP further determined that an employee at the consular post in London was wrongly accessrightstoNVIShastheroleof[CONFIDENTIAL],andthiscouldbeinNVISdata view and change. This employee was appointed to another position at the embassy, for which it was use of NVIS was not necessary. BZ stated in its view that the [CONFIDENTIAL]- application showed flaws at the time of the investigation, so that the role [CONFIDENTIAL] still should be kept in case the [CONFIDENTIAL] application should not function. This argument fails. An employee who has not worked in the consular department for some time, should not have access to NVIS. With regard to the role [CONFIDENTIAL], the AP follows opinion of BZ that the finding about this had an incorrect source finding related to employees of CSO and does the AP above match the correct source corrected. 136. Finally, during the investigation, the AP has established that a statement of reasons for incompatible roles within NVIS is missing. BZ states in its view that in appropriate cases does not occur may be that conflicting roles are assigned to a person. For example, this may concern smaller posts where an employee suddenly drops out. According to BZ, the motivation of conflicting roleswelldocumented.As a result of this, the AP has requested documentation about the responsibility and justification for assigning incompatible roles. Based on this the AP notes that BZ has shown several examples showing that BZincompatible roles in 124 the past has motivated. On this point, the AP follows the opinion of the Ministry of Foreign Affairs. The AP has however, unable to see a policy that shows how BZo deals with incompatible roles and how BZ defines incompatible roles. The NVIS Data Management Guide only states that the incompatible 125 roles in NVIS are not currently set. Job segregation policy is ideally suited to include in the security policy as referred to in section 2.3. 137. In view of the above, the AP is of the opinion that BZ, with regard to procedures regarding access rights until the NVIS environment and its control violates article 32, paragraph 1 AVGGennader elaboratedin32, paragraph2, subch,VISOrdinancesBIO standards9.2.1,9.2.2,9.2.5and9.2.6.(en relevant standards from the BIO about the Plan-Do-Check-Actcycle). 126 123 124-mailBZaandeAPofJanuary9,2022,BZprocessNVISauthorization. 12File piece3, appendix 1: ManualData managementNVISFebruary2018,p.16.Zvan15October2021,appendix22. 12This means that there should be regular checks on whether the security policy is still being adhered to in the practices or the measures should any imperfections come to light, the principle Plan-Do–Check-ActfromtheBIO–in short-that errors 35/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 2.6 MonitoringNVIS usage:log files 2.6.1Legal framework 138. The obligation to maintain and regularly check log files is an essential part of the regulations for information security. In this way an organization can see keep which employee when, for what purpose, consults or changes certain information in addition, it is necessary that periodic monitoring of the recorded log files takes placetom detect unusual patterns and, for example, check whether unauthorized access takes place to the data. 139. Article 32, paragraph 2, including the VIS Regulation stipulates that the Ministry of Foreign Affairs must be able to verify and determine which data when, by whom and for what purpose have been processed in NVIS. BZ must also check the effectiveness of these security measures and with regard to the internal control take necessary organizational measures. Article 32, paragraph 2, sub, VIS Regulation prescribes before those who are authorized to consult the VI, have access only to the data on which their access authorization relates, and only to personal and unique user identities and secret access procedures (control of access to data). 140. Write the BIO standards before BZlog files with the registration of activities of NVIS users should keep and review these logs regularly. The BIO standards specify which information about NVIS usage should be kept in a log file as a minimum registered. BZshould also have an overview of all log files that are placed in the context of NVIS generated. In the BIO, the following rules are particularly relevant: 12.4.1 Log events Logs of events that user activities, exceptions and record information security events, belonging be made, kept and regularly reviewed. 22.214.171.124 A log line contains at least: a. the event; b.thenecessaryinformationnecessarytoconfirm theincident with a high degree of certainty trace back to a natural person; c.the device used; d. the result of the action; e. a date and time of the event. 126.96.36.199 There is an overview of log files that are generated. be corrected and that the policy is adjusted in such a way that the related problems will not recur next time. abovedescribedresultsofthespotcheckbyinspectorsoftheAPshowthatthishasnothappenedconsistingof authorizationsandrolemanagement.This means that an appropriate internal control in the field of access security is missing. the risk of access to NVIS for unauthorized persons, as referred to in article 32 paragraph 2 under b VIS Regulation. 36/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 2.6.2 Factual Findings 141. To check compliance with legal requirements regarding log files, the APrequested a sampleofthelogsatBZ.Theselogscontainlogsofthe consular posts, of CSO and of Processor 2. Also, during the investigation, the AP has 127 questions about the setup of the logging and internal control of this by the Ministry of Foreign Affairs. Furthermore, the AP checked the requested log files and compared them with the corresponding authorization lists that relate to the same period. Logging of NVIS usage at consular posts London and Dublin 142. [CONFIDENTIAL] 143. [CONFIDENTIAL] 128 Analyzesoflogfiles 144. The AP requested two log files related to the NVIS usage by the employees fromtheconsularpostLondon.Thefirstfile(hereaftername:Log1)concernsthelogfileof4 July2019,between9.00am and 12.00pm.ThistimeslotcoincideswiththeresearchoftheAPtersite.It second file (hereafter: Log2) sees the period from April 1 to July 4, 2019. 145. [CONFIDENTIAL] 129 146. [CONFIDENTIAL] 130 12In-placeInvestigationsat the Consular PostLondon(2and4July2019),theCSODenHaag(18July and12September2019), Processor2(1 November 2019) and the Consular Post Dublin (22 and 23 January 2020). 12WrittenOpinionBZof15October2021,appendix2undernumber6.3. 12File document12, appendices40a and 40b: Logging useNVIS, version 25 July 2019 and Explanation. 13File piece16, appendix8.1:LON_01April2019_04July2019_Overview. 37/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] Logging of NVIS usage at CSO The Hague 147. During the on-site survey at the CSO, the AP conducted interviews with the employees of B As far as the various aspects of security in relation to NVIS, where the subject ‘logging of NVIS’ has been investigated. The AP also has additional documentation on this subject at BZ queried and analyzed. In addition, the AP has performed log file analysis. Processofloggingandcheckinglogfiles 133 148. [CONFIDENTIAL] 149. [CONFIDENTIAL] 134 135 13File document11:ReportofOfficial OperationsOTPCSO18July2019and12September2019. 13File document13:Information requestAP of 25 July 2019; and File document17:Information requestAP of 1 October 2019. 13File document11:ReportofOfficial OperationsOTPCSO18July2019and12September2019. 13File document13:Information requestAPfrom25july2019. 13File document14, appendix18.1:Responsibility controlNVIS usage. 38/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 150. The AP has requested (extensive) documentation in the field of security from BZ analyzedforrelevantinformationaboutlogging.HeretheAPhasfocusedoninformationabout the logging of the actions within the NVIS platform, in particular how the logging process and control on this are configured, which log files are generated, and how log files are checked concerns the following documents: [CONFIDENTIAL]; 136[CONFIDENTIAL]; 13[CONFIDENTIAL]; 138 139 140 141 [CONFIDENTIAL]; [CONFIDENTIAL]; [CONFIDENTIAL]. 151. [CONFIDENTIAL] Analyzesoflogfiles 152. Furthermore, the AP requested NVIS from BZlog files in which the NVIS actions of the employees of the CSO have been recorded. BZ has submitted the following log files to the AP that relate to the following periods: 142 (1) September 1, 2018 to November 30, 2018; (hereinafter: Log3); (2) April 1 to July 18, 2019, (hereinafter: Log4); 143 144 (3) on September 12, 2019 (hereinafter: Log5). 153. [CONFIDENTIAL] 154. [CONFIDENTIAL] 145 13File 14, attachment[CONFIDENTIAL] 13File document12, attachment[CONFIDENTIAL] 13File 14, attachment[CONFIDENTIAL] 13File 14, attachment[CONFIDENTIAL] 140 File 14, attachment[CONFIDENTIAL] 14File 14, attachment[CONFIDENTIAL] 14File piece16, appendix9.1:CSO_01Sept2018_30Nov2018_Overview. 14File piece16, appendix9.2:CSO_01April2019_18Juli2019_Overview. 14File document16, appendix9.3:CSO_12Sept2019_Overview. 14WritingViewBZof15October2021,p.10and11. 39/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] Processor2 155. [CONFIDENTIAL] 156. [CONFIDENTIAL] 146 157. [CONFIDENTIAL] 147 158. The AP has analyzed down to some of Processor2's logs. The AP determines that, by lack of sufficient evidence about the actual situation in combination with the explanation of the Ministry of Foreign Affairs, for what regardingthecontentoftheselogfilescannotidentifyviolenceandsowillnotcontinue deal with the legal assessment below. 148 2.6.3Legal review 159. The AP has assessed how far BZ has taken appropriate measures in the field of logging of the NVIS environment. 160. The AP notices that log files are kept related to NVIS. In the log files standing names of employees registered only a very limited amount of other data with relating to actions in NVIS, such as an indication of some steps in the context of the visa process(eg [CONFIDENTIAL]). 14File document13:Information requestAPof 25 July 2019;andFile document15:Information requestAPof1October2019andannouncementOTP Processor2on1November2019. 14File document17:ReportofOfficial OperationsOTP Processor21November2019,p.7and8. 14WritingViewBZof15October2021,p.11. 40/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 161. Log1 does not show which actions in NVIS by the staff of the Consular Post in London are performed at whatever time that happened. With regard to Log2, AP determines that it is not going which data of visa applicants the consular post staff have processed, with which target, when this happened and what device was used here. The AP sets in addition, there are discrepancies between the two log files. Since Log1 is about July 4, 2019 and Log2 over the period 1 July 2019 up to 3 July 2019, Log 2 and Log 1 close chronologically. 149 However, both files differ in their structure. 162. InLog3,Log4andLog5 is next to the employee's name also the visa application number and a global designation of the part of the visa process that has been performed and the time at which part has been completed. However, these log files do not show which data of visa applicants have processed the employees of the CSO, for what purposes at what time this occurred. 163. In view of the above findings, the AP notes that the Ministry of Foreign Affairs does not have an adequate overview of the logfilesgeneratedintheNVISenvironment.TheNVISuseistrueloged, butshowthesubmittedlogfilesin terms of buildupandtypedatathatisincluded inconsistencies. The log files that the AP has received and assessed also show that not all mandatory actions are logged.[CONFIDENTIAL] 151 164. In its opinion (to the extent that it is relevant to the violation) BZ sets out in its opinion on the log files next.As to log file1, according to BZ, it was located on the road from the AP to point out that not only the access log data was requested, but also what actions in NVIS performed and at what time. This argument fails. In its request for information, the AP has a log file 152 asked about the use of NVIS at the embassy in London. It needs the AP's judgment little argues that when using NVIS, in which-undisputedly personal data is processed, the AP is not only interested in information about logging in to this system. 165. With regard to log file2, BZ states that article 32 paragraph 2 under the VIS Regulation, to which AP logging tests,requiresthatwhichdataisprocessedberecorded.Butthisarticledoesnotrequire that any data being processed is logged. An indication of which data is being processed can therefore, according to BZ, suffice without an exact representation of that data. article32AVG.The purpose of the logging is to verify the legitimate use of access rights. Because BZ determines which application data is processed, therefore it is sufficiently precise which data have been processed. According to BZ, the visa application number is also known from which person concerned personal data have been processed For example, NVIS employee has processed only the name or only the date of birth or both. 14The differences concern the number of the logged variables and their names in the log files. 15 For example, compare the type of actions that are recorded in Log1 with the type of actions that are recorded in Log 2. 1InformationprovidedbyBZduringOTPsCSOon16July2019and12September2019(see file document11:Report of Official ActsOTP CSO16July2019and12September2019). 15File piece10, appendix1under point40. 41/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 166. The AP does not follow the BZ's view. Article 32 paragraph 2 under the VIS Regulation requires that it it should be possible to check and determine which data when, by whom and for what purpose the VIS have been processed. Logging a visa application number does not provide sufficient indication which data is being processed. This makes it impossible to see afterwards which data has been processed when. The more sensitive the personal data that is being processed, the higher the requirements for logging in this regard In this context, in which a great deal–also–special data are processed, it is It is very important that changes in data are traceable. BZshould be able to check which data who have changed, not only after an incident. This information may also be from a combination of (log) files are derived. The purpose of logging is therefore not limited, as BZ states, only to the checklegitimateuseofaccessrights. 167. BZ further states in its written opinion that the conclusion of the AP, that checks on the NVIS usethatBZperformstargetthegrantedauthorizationsandnotlogfilesandactions carried out in NVIS by staff members is incorrect and premature. BZ believes that it information request about this was formulated in general by the AP.According to BZ, there are many opportunities to report on the actual use of NVIS. Finally, BZ states that the question from the AP was unclear about logging and how control of this was in the security policy tuned. 168. Although the AP is of the opinion that it is on the road to the Ministry of Foreign Affairs in due time–and not only in an opinion– to make known that an information request raises questions, the DPS again has the opportunity askedtoconsultproceduresthatdescribehowBZregardingNVISlogs carries out checks on this.3BZreactedtothiswithanundateddocumentwithseveralparagraphs 154 provided with where 155 actual description water is logged when using NVIS. [CONFIDENTIAL] 169. Given the shortcomings in log files in combination with the fact that BZ the log files do not regularly assesses and there is no procedure in this regard, the AP concludes that BZin acts contrary to article 32, paragraph 1, AVG and further elaborated in article 32, paragraph 2, sub f, each of the VIS RegulationsandBIOstandardsconcerninglogfiles(namestandard12.4.1). 2.7 Control of NVIS usage: security incidents 2.7.1Legal framework 170. Article 32, paragraph 2, subcend, of the VIS Regulation provides, respectively, that BZ has appropriate take measures to prevent data carriers from being illegally read, copied, 153 15EmailBZaanAPvan10December2021, attachment16. 15See paragraph 2.6.2 and letter from the Ministry of Foreign Affairs to AP of 19 November 2021, appendix 1 Interview report, p.36. 42/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] changed or deleted, and that data is illegally viewed, changed or deleted. If there is unauthorized (external or internal) access to data carriers and/or personal data stored in the NVIS environment, then there is talk of a security incident. Under the requirements of article32, subsection2, subsection, VISRegulation applies that the necessary organizational measures have been taken should be used for the follow-up of such security incidents before placing internal controls on NVIS data carriers and storage of NVIS data and that the effectiveness of the security measures should be checked. Chapter 16.1 of the BIO describes the mandatory standards for the management of the security incidents and improvements. These include the following BIO standards from application: 16.1.11 Responsibilities and procedures: Management responsibilities and procedures should be established with a rapid, effective and orderly response to information security incidents accomplish. 16.1.2 Reporting information security events: Information security events should be sent as soon as possible via the correct managerial levels are reported. 188.8.131.52 There is a reporting desk where security incidents can be reported. 184.108.40.206 There is a reporting procedure that includes tasks and responsibilities of the reporting desk described. 220.127.116.11 All employees and contractors have demonstrably taken note of the incident reporting procedure. 18.104.22.168 The process owner is responsible for resolving security incidents. 22.214.171.124 Follow-up of incidents is reported monthly to the responsible person. 16.1.3 Reporting of information security vulnerabilities: From employees and contractors who use the information systems and - servicesoftheorganizationshouldberequiredthatsideinsystemsorservices observed or alleged vulnerabilities in information security record and report. 16.1.6 Lessons learned from information security incidents: Knowledge acquired by analyzing information security incidents andsolveshouldbeusedtotheprobabilityor reduce the impact of future incidents. 126.96.36.199 Security incidents are analyzed with target learning and prevent future security incidents. 171. The above BIO standards indicate that a consistent approach should be an effective approach be effected of the management of information security incidents, including communication about security events and security vulnerabilities responsibilities and procedures are established, a reporting desk is set up, in which security incidents are reported, including the reporting procedure. Information security incidents and the follow-up of this is reported to the responsible person on a monthly basis 43/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] security incidents analysed, among others, metals targeting and future prevent security incidents. 2.7.2 Factual Findings 172. As part of its investigation, the AP has checked whether BZo has a procedure for the reporting and following up on security incidents/data breaches in relation to NVIS and the visa process In connection, the APBZ has requested an extract from the notification register for 2018 and 2019, in which all NVIS-related security incidents are recorded. During the investigation, the AP inspectors asked about this relevant documentation about security incidents requested. Consular posts:LondonDublin andCSODenThe Hague Procedural security incidents 173. The Consular PostsLondon andDublinandCSOnextsame BZ-wide method with regard to until reporting security incidents/data breaches: a security incident is reported directly to [CONFIDENTIAL] reported, and if there is a data breach, a [CONFIDENTIAL] created and sent digitally to [CONFIDENTIAL]. This procedure is set to [CONFIDENTIAL], consultation by employees of the Ministry of Foreign Affairs [CONFIDENTIAL]. 174. On site at the consular posts, employees also make use of 'Factsheets data leaks' which are Dutch and English have been prepared. These fact sheets are a schematic representation of the procedure a listing of all steps that employees must follow in the event of a data breach. During the investigations, the aforementioned fact sheets data leaks were shown to the AP inspectors [CONFIDENTIAL]. 156 175. As a result of the investigation in London, the DPS asked for the procedure report provide data leaks. BZ has submitted the following documents: 157 - Factsheets dated August2018, in both Dutch and English.See these factsheets on the schematic representation of the method in case of data leaks, as described above and shown at the consular posts. - Instructional videos about data leaks : these short films provide information about data leaks. - Printout of the information material about data leaks on [CONFIDENTIAL], with examples of data leaks 15 and description of the working method for BZ employees in case of 160 data breaches .This last document contains a description of the steps that employees of 15File document10:Information requestAPvan12july2019. 15Dossier12,appendix11a:FactsheetdatalekNLaug2018;Dossier12,appendix11b:FactsheetdatalekENAug2018;en Dossier 12, attachment 11d: Sharepoint data breach. 15File Document12,Appendix11c: Instructional video-Help,adata breach;andFilepiece12,Appendix11f:Databreachmovie.Thesefilepiecesare video files. 15File document12, attachment11e:Data leaksexamplesandsharepoint. 16File document12, appendix 12c: Data leak information for BZ employees. 44/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] BZshould take submitters of data leaks, in accordance with the procedure used during the InvestigationsinLondonandDublinisexplained. 176. The AP notes that the staff of the consular posts in London and Dublin and the CSO, with regarding the reporting of security incidents/data breaches, follow the procedure for all employeesofBZapplies.Thisprocedureisapracticalmanualonthestepsthat employees must act in the event of security incidents: they must report as soon as possible [CONFIDENTIAL] be reported in the event of data leaks, a report will be made to [CONFIDENTIAL]. The procedure mentioned is not established at a management level, and gives furthermore no insight into the steps that are followed after a report about a security incident/ data breach has occurred. The procedure also does not describe the tasks and responsibilities of the hotline chainwhoseprocessownerisresponsibleforresolvingsecurityincidentsand the reporting on this. Security Incidents 177. [CONFIDENTIAL] 178. The AP has requested a security incident register from BZe in which all security incidents in relationship to NVIS and the visa process are stated, with respect to the following periods: (1) October 1 2018 to December 31, 2018, and(2) April 1, 2019 to July 1, 2019. The AP has nine notifications of incidents 16 received at the Consular Post in London.[CONFIDENTIAL].Due to the lack of a further explanation on these reports was the AP during the investigation assuming that BZ did not provide a copy of the Security Incidents Register. 179. [CONFIDENTIAL] 163 180. [CONFIDENTIAL] 164 16File document10:Information requestAPfrom12july2019. 16[CONFIDENTIAL] 16[CONFIDENTIAL] 16File piece11:ReportofOfficial OperationsOTPCSO18July2019and12September. 45/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 181. An employee of [CONFIDENTIAL] stated during the investigation that BZVereen incident register has in which security incidents are registered. The AP has requested to provide a security incidents register with regard to NVIS and concerning the year 2018 165 and the first half of 2019. [CONFIDENTIAL]. BZ did not supply any (blank) incident register. In addition, the AP also requested six-monthly reporting on security incidents. This documentisprovided.166Itdescribesdataleaksrelatedtotraveldocuments. 182. During the opinion phase, BZ gave, among other things, the following explanation about the process of security incidents. Notifications are handled by [CONFIDENTIAL] in [CONFIDENTIAL]. All actions necessary for handling a report are recorded here saved. These reported incidents/violations, regardless of whether they had reported to the AP must be, after complete completion, are closed, logged, and stored in a protected, only accessible to [CONFIDENTIAL] environment behind the [CONFIDENTIAL] (the data leak register). All executed (continued) steps are recorded in the individual report files in the central register of incident reports that is filled by [CONFIDENTIAL].Finally, the Ministry of Foreign Affairs has stated that all incidents are now in one central place are tracked and preserved. 183. As a result of the foregoing, BZ has answered further questions from the AP about the design of the central register of security incidents. Based on this and on the basis of the above explanation, the AP considers it plausible enough that BZwel has a security incident registerin which security incidents in relation to NVIS are registered. Processor2 184. On November 1, 2019, the AP carried out an investigation at Processor 2. In doing so, the AP 167 procedure that Processor2 uses in case of security incidents. In this escalation procedure describes which steps need to be taken within the organization when a security incident occurs, which roles/functions should be assigned to Processor2 informed and what roles/functions should be escalated to. Processor 2 also has a policy 168 169 submitted that covers security incidents and data breaches . 185. With regard to security incidents, Processor2 stated during the investigation dated in 2018 en2019 have been no incidents in relation to the NVIS environment. This saw specific on incidents [CONFIDENTIAL] 16File 14, appendix 20.1: Explanation. 16File 14, attachment 21.1:[CONFIDENTIAL]. 16File document17, attachment3:IncidentEscalationProcedure. 16File 17, attachment 4: [CONFIDENTIAL]. 16File document17, attachment5:ProcedureDataBreachController. 46/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 186. When asked if Processor2 keeps a log or registry of security incidents, Processor2 has stated that they use different registers depending on the incident. Processor2 explained that two incident registers are used. [CONFIDENTIAL] 170 171 187. [CONFIDENTIAL]. Processor2 has indicated that there are no security incidents at Processor2 have been related to NVIS in the study period. There were no internal reports because of this 172 dieProcessor2 to AP. 188. On the basis of the above and the explanation of BZ during the opinion phase, the AP considers the division of tasks between BZenProcessor2 with regard to security incidentssufficiently clear. 2.7.3Legal assessment 189. The AP concludes that the general procedure provided by the Ministry of Foreign Affairs at the time of the investigation does not meet the requirements for reporting security incidents by BZ employees. This procedure is a no more than a manual on the steps that employees should take when security incidents: they must be reported to [CONFIDENTIAL] as soon as possible in case data leaks are reported to [CONFIDENTIAL]. The procedure mentioned is not on management level established and provides no further insight into the specific steps that are followed after a report about a security incident/data breach has occurred. The procedure describes alsonotthetasksandresponsibilitiesofthereportingdeskchainwheelprocessownerresponsible is for resolving security incidents and reporting about them. 190. During the opinion phase, BZ reacted to this with an AVG manual (approved on 13 October 2021)andaProcessdescriptionIncidentmanagementsecurityincidentsanddata breaches(July2020) provided to the AP. The AP has assessed this documentation and comes to the conclusion that BZ from 13 October 2021 does provide full insight into the steps to be followed after a notification about a security incident/data breach has occurred. Also, the duties and responsibilities of mentioning the reporting desk has established who the process owner is responsible for resolving security incidents and reporting about them. 170 17File piece23, appendix06.1:-AP-z2019-12207-06-Incidentenregisterextract.enmet1November2019. 17WritingViewBZof15October2021,p.13. 47/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 191. On the basis of the above, the AP comes to the conclusion that BZ, with regard to the defects in the procedure for reporting security incidents, until 13 October 2021 insufficiently appropriate has taken organizational measures to prevent unlawful data processing in NVIS. As a result, BZ has breached the requirements laid down in article 32, paragraph 1, AVG elaborated in article 32, paragraph 2, subcend, VIS Regulations and BIO standards 16.1.1 and 188.8.131.52. As of 13 October 2021, the aforementioned defects have been repaired by BZ, the infringement is thus point ended. 2.8Training staff on data protection 192. Article 28(5) VIS Regulation prescribes that the personnel of the authorities with access rights to the VIshouldbecompletedequaltrainingondatasecurityandprotectionrules. Staff are also informed of the relevant criminal offenses and sanctions. The AP however, has not tested the content of these courses nor the manner in which they are offered during the investigation. Article 38, paragraph 3, Visa Code continues to write before the 'central authorities of' Member States should train and train both the posted and the local staff in a careful manner provide them with complete, accurate and up-to-date information on the relevant legislation.” 193. The AP establishes on the basis of the statements of employees and documents provided by BZ with regard to the training of employees who have access to data in the NVIS dater of training in data protection and security. In addition, the training offered for both employees who are recently employed and employees who have been with BZ for a long time work. The training courses include, among other things, the systems to be used (including NVIS), relevant laws and regulations and security. The AP also notes that training of both broadcast and localemployees. 194. This is, with regard to the question of whether attention is paid in training to information securityandregulationsontheprocessingofpersonaldata,meettherequirements they are deposited in BIO objective 7.2.2 and article 38, paragraph 3, Visa code. 2.9 Information provision to visa applicants 2.9.1Legal Framework 195.Transparencyaboutdataprocessingandisoneofthegeneralprinciplesforaproper data processing. Informing the data subject about data processing contributes to transparency.Article 37VIS Regulation prescribes that visa applicants are informed about the responsible person, the purposes of the processing of the data of the visa applications, the categories of recipients of processed data, the retention period, the obligation of the collect this data and the rights of the person concerned. This means that BZ the visa applicants 48/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] informs in writing b173 collecting the data for the purpose of the application form, the photo andfingerprints. This obligation also arises from article 13 of the AVG. 2.9.2 Factual Findings 196. The AP has conducted an investigation at the consular post in London and Dublin. From these investigations and the information obtained follows, that data subjects can be informed in three ways about processing their photos, fingerprints and personal data for the purpose of a visa application. Information is provided through (1) a “Privacy Statement Regarding Short-StayVisa” 174 Applications” (hereinafter: Privacy Statement) , (2) an appendix to the application form for the visa application (hereinafter: Annex), and (3) a folder 176 at the location of the consular post. 197. The first option of providing information is the Privacy Statement. On the (in English written)websitesoftheembassiesinIrelandandtheUnited Kingdomstateinformationaboutthe 177 ask how a (Schengen) visa application works. The websites refer to thisPrivacy Statement, which can be found on the BZ website. 178 198. In the Privacy Statement, various privacy components are treated like the goals for the processing the data of the visa applications, the controller, the retention period of 5 years, the obligation to collect the data and rights of stakeholders.In a separate document, the risk countries are listed that could influence the 179 visa process on risk analysis. ThePrivacyStatement further states that there may be sharing data with third parties such as other European authorities within the Schengen area areasinstancessuch asEuropol.InthePrivacyStatementthere isno mention of the possible processors of data, such as, for example, private parties that may be involved in the process of the visa application. The AP further establishes that the national “DataProtectionAuthority”, including the address details, is mentioned in the privacy statement as the designated authority in the case the data subject would like to exercise her/his rights. 180 181 199. The second possibility of providing information takes place via the Annex. TheAppendixbecomes provided in writing to the person concerned at the time the details of the application form are collected.In the Annex, BZ is named as the controller for the data processing, the purposes of the processing of data are stated, the retention periods and is referred to as the obligation to collect the data 17Article 37, paragraph 2, Regulation “The information referred to in paragraph 1 will be communicated in writing to the applicant when collecting the data of the application form, the photo and fingerprint data as referred to in article 9, paragraphs 4, 5 and 6.” 17File 7, attachment 2: PrivacyStatementre.Shortstayvisapplications. 17File 7, attachment 6:SchengenVisaApplication(sample form),provided to the OTP Consular PostLondon. 17File document 7, appendix 4: Information sheet about SISII; and File document 27, appendix 10: Leaflet public information about SISII. 17SeeforIreland:https://www.netherlandsandyou.nl/your-country-and-the-netherlands/ireland/travel-and-residence/applying-for-a-short- stay-schengen-visa(before last consulted on 14 August 2020) and for the United Kingdom: https://www.netherlandsandyou.nl/your-country-and-the-netherlands/united-kingdom/travel-and-residence/applying-for-a-short-stay- schengen visa (last consulted on 14 August 2020). 17https://www.netherlandsandyou.nl/documents/publications/2017/12/06/privacystatement-regarding-short-stay-visa-applications-en(for it was last consulted on February 23, 2022). 17Conformarticle22Visa code. 18Article37, paragraph 1, sub, VIS Regulation. 181 File 7, Attachment 6: SchengenVisaApplication(sample form), provided to the OTP Consular PostLondon. 49/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] explained.TheCollegeProtection of Personal Information is also referred for complaint handling. The AP also notes that permission is requested from the data subject. In the list of categories Recipients of personal data are not referred to as third-party private parties. 200. The third possibility of providing information has been shown in the study in Dublin, 18 when by the employeesoftheconsularposta folderSISII 18isdisplayedwhichwillbemadeavailabletothe visa applicants in the waiting area. This leaflet relates to SISII and does not contain any information about rights of data subjects with regard to a visa application and the exercise of rights of data subjects during the visa application process.Although the folder itself contains information about SISII vs background of the visa application, the leaflet is not applicable to the practice of rights of those involved in the visa process. 2.9.3Legal Review 201. The AP establishes that BZindePrivacyStatementsintheAppendix(1)theobjectivesofthedataprocessing mentions, (2) makes clear that collecting the person is mandatory, (3) includes retention periods, and (4) mention the competent (privacy) supervisor. However, with regard to both documents, not all (categories of) recipients of data are listed by BZ.The AP determines that only a few categories of recipients have been mentioned, such as other European authorities and Europol. ThePrivacyStatementandAttachmentdonotnotstatethesharingofpersonaldatawiththird private parties, such as the processors, Processor2 and Processor3, who are involved in the process of the visa application. This does not meet the requirement of article 37, paragraph 1, sub, VIS Regulations article 13, paragraph 1, below, AVG. 202. In its view, BZ argues that it is not a foregone conclusion that those involved should be informed about the provision of data to a processor. BZ is of the opinion that Processor2 only if processor does not qualify as a recipient of personal data. Without obligation to do so acknowledging BZindePrivacystatements/ortheAppendixincludethatBZleavespersonaldata processing processors. 203. The AP does not follow the statement of BZ. It follows from article 13, paragraph 1 sube, AVG that the controller informs the data subject about the recipients or categories of recipientsofthedata.Article4,section9,GDPRdefinesarecipientasa natural or legal person, a public authority, a service or another body, whether or not one-third, to whom/to whom the data is provided. Processors as Processor2and Processor3 are legal persons who receive the data about the data subjects. The 185 Also specify guidelines on transparency that a recipient may be a processor. 18File document27:ReportofOfficial OperationsOTPConsular PostDublin. 18File document7, appendix 4: Information sheet about SISII; and File document27, appendix 10: Leafletpublic information about SISII.. 18In the Appendix, however, reference is still made to theCollegeProtection of Personal Data. 18Group data protectionarticle29Guidelinesontransparencyaccording toRegulation(EU)2016/679,p.18. 50/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 2.10 Conclusions 204. The AP comes to the following conclusions with regard to the established violations. Security plan 205. The AP comes to the conclusion that BZ has no security plan with regard to NVIS (and therefore also has not evaluated). article 24 and 32, paragraph 1, GDPR, which is further elaborated in article 32, paragraph 2, preamble, VISOrdinances BIO- standards5.1.1,184.108.40.206and220.127.116.11. Physical Security 206. BZ has not explicitly determined which parts of the IT infrastructure should be marked be as critical infrastructure of the visa process, from at least September 1, 2018, until any time case the spring of 2020 acted contrary to article 32, paragraph 1, AVG, which is further elaborated in article 32,lid2,ondera,VISRegulation. 207. The AP further concludes that BZ, where it concerns drawing up emergency plans and protection of equipment against disruptions in utilities, from at least September 1, 2018 until now does not comply with the provisions of article 32, paragraph 1, GDPR, which is further elaborated in article 32, paragraph 2 suba,VISOrdinancesBIO standards11.1.4and11.2.2. 208. Furthermore, the AP is of the opinion that due to the lack of security guarantees when entering the zone that must be extra secured, the physical security of the rooms in which the is being worked on visa process in London was not satisfactory. As a result, BZ has at least September 1, 2018 to April 2020 in acted contrary to article 32, paragraph 1, GDPR, which is further elaborated in article 32, paragraph 2, suba, VIS RegulationsBIO standards11.1.1t/m11.1.5and11.2.2. 209. Finally, since the Ministry of Foreign Affairs has not shown that sufficient guarantees apply for the physical protection of working in NVIS in public spaces and B Seven less has the effectiveness of the policy on this matter checked, the AP comes to the conclusion that BZ is in conflict with at least September 1, 2018 acts with article 32, paragraph 1, AVG, which is further elaborated in article 32, paragraph 2, suba and k, VIS Regulation. Access rights to NVIS 210. The AP concludes that BZ is not over-formal from at least September 1, 2018 to January 1, 2022 registration-and-logoutprocedureshavetoviewtheassignmentofaccessrightsto NVIS.BZ has acted in conflict with article 32, paragraph 1, AVG, which is further elaborated in BIO- standards 9.2.1 and 9.2.2. 211. The AP is further of the opinion that the Ministry of Foreign Affairs, with regard to the procedure for the control of access rights to the NVIS environment and control of this in practice, from at least September 1, 2018 to the present in acts contrary to article 32, paragraph 1, GDPR, which is further elaborated in 32, paragraph 2, subject, VIS Regulations BIO standards9.2.1,9.2.2,9.2.5and9.2.6. 51/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] ControlNVIS usage:logging 212. Given the deficiencies in log files in combination with the fact that BZ the log files do not regularly assesses and there is no procedure in this regard, the AP concludes that BZ van at least 1 September 2018 until now does not act in accordance with article 32, paragraph 1, GDPR that further elaborated in article 32, paragraph 2, sub f, each of the VIS Regulations and BIO standards concerning log files (name standard 12.4.1). ControlNVIS usage:security incidents 213. With regard to the deficiencies in the procedure for reporting security incidents, the AP comes to the conclusion that BZ from at least September 1, 2018 to October 13, 2021 insufficiently appropriate has taken organizational measures to prevent unlawful data processing in NVIS. As a result, B has infringed article 32, paragraph 1, GDPR, which is further elaborated in article 32, lid2,ondercend,VISRegulationsandBIOstandards16.1.1and18.104.22.168. Information provision for visa applicants 214. The AP finally concludes that BZin the framework of the information provision visa applicants do not mention sharing personal data with third private parties, such as Processor2andProcessor3.This violatesBZvanatleastSeptember1,2018todate Article 13, paragraph 1, sub, GDPR, which is further elaborated in article 37, paragraph 1, sub c, VIS Regulation. 52/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] 3Fine 3.1Introduction 215. BZ has acted contrary to article 32, paragraph 1, AVG and article 13, paragraph 1, sub, GDPR. not acted in accordance with the basic principles of data processing as referred to in article 5 AVG. The AP makes use of its for the established violations authority to impose a fine on BZ. In its view, BZ has stated that by several transition processes and improvement measures the imposition of a fine and/or burden under coercion at all is reasonable. Because of the seriousness of the violations, the extent to which they can be blamed on the Ministry of Foreign Affairs and the fact that the violations are still going on after the AP, other than BZ, the imposition of a fine and a load under duress if appropriate. The AP motivates this in the following. 3.2.Finance Policy RulesData Authority2019 216. Pursuant to article 58, second paragraph, preamble and article 83, fourth paragraph, of the AVG, read in in connection with article 14, third paragraph, of the UAVG, the AP is competent to the Ministry of Foreign Affairs in the event of an infringement ofArticle32oftheGDPRNottoimpose anadministrativefineupto€10,000,000. 217. Pursuant to article 58, second paragraph, preamble and article 83, fifth paragraph, of the AVG, read in in connection with article 14, third paragraph, of the UAVG, the AP is competent to the Ministry of Foreign Affairs in the event of an infringement ofarticle13oftheGDPRNottoimpose anadministrativefineupto€20,000,000. 218. The AP has established Penalty policy rules regarding the fulfillment of the above-mentioned authority to imposing an administrative fine, including determining the amount thereof. 186Inde Penaltypolicyruleischosenforacategoryclassificationbandwidthsystem.Violationof article32oftheAVGisingpartincategoryII.CategoryIIhasafinebandwidthbetween€ 120,000 and €500,000 and a basic fine of €310,000.Violation of article 13 of the AVG is shared incategoryIII.CategoryIIIhas a finebandwidthbetween€300,000 and €750,000 and a basic fine from€525,000 219. The amount of the fine adjusts the AP to the factors mentioned in article 7 of the Fine policy rules, by decreasing or increasing the base amount. It is about an assessment of the seriousness of the violation in the specific case, the extent to which the violation can affect the offender be blamed and, if there is reason to do so, other circumstances. 3.3Penalageforviolatingthesecurityofprocessing 220. Any processing of personal data must be done properly and lawfully organizationswithprocessingdatainfringetheprivacyofcitizensitisof 18Stcrt.2019,14586,14March2019. 53/64, Date Unidentified 24 February 2022 [CONFIDENTIAL] It is very important that they apply a level of security appropriate to risk. When determining risk for the data subject include the nature of the personal data and the extent of the processing important: these factors determine potential damage for the individual involved in, for example, loss, alteration or unlawful processing of the data. As the data becomes more sensitive character, or the context in which they are used, pose a greater threat to personal privacy, stricter requirements are imposed on the security of personal data. The APconcludedthatBZonhassufficientlyrisk-adjustedsecuritylevel guaranteed and guaranteed in the context of processing Schengen visa applications. 3.3.1 Nature, seriousness and duration of the infringement 221. The AP has established that BZ processes a great deal of (sensitive) data of those involved. Examples of this are the combination of name and address details, country of birth, purpose of the trip, nationalities photo. Those involved are obliged to provide all these details to BZ in order to obtain a Schengen visa. In such a dependent and unequal position is of it is very important that BZ guarantees and guarantees a sufficient level of security adjusted to risk consequences and the resulting damage for those involved are large in the event of loss, modification or unlawful processing of the data. For example, unauthorized persons may view and change personal data, but also authorized employees can during the treatment of the application make input errors. This can cause applications to be incorrectly refused, which again an infringement results in the freedom of movement of those involved. The AP therefore concludes that as a result due to the fact that the Ministry of Foreign Affairs has failed to take appropriate technical and organizational measures the confidentiality and integrity of the personal data are insufficiently guaranteed. 222. In addition, the AP takes into consideration that BZ processes personal data of very many involved parties. It is established that BZ processes hundreds of thousands of applications per year(682,484in2018,739,248in2019and 169,926in2020).187The personal details of all these applications are therefore insufficiently secured. the AP notices that the violation has been going on for 3.5 years and is still going on. extremely serious. 223. In view of the above, the AP, pursuant to Article 7, preamble and under a, of the Penalty Policy Rules reason to impose a fine and increase the basic amount of the fine from €310,000 to € 390,000. 3.3.2 Negligence of the infringement 224. BZisobligedtouseasecuritylevelthatfitstheearthandsizeofthe processing and that BZ performs. Now B will not ensure an adequate level of security for years, the AP of judge that B has been seriously negligent still is in meeting appropriate security measures and checking and adapting these measures. Citizens who are required to hand over personal data, we must be able to assume that the Ministry of Foreign Affairs, as a government agency, has taken the necessary measures and taken appropriate steps to protect personal data. 18https://ec.europa.eu/home-affairs/policies/schengen-borders-and-visa/visa-policy_en,under 'Statisticsonshort-stayvisasissuedbythe Schengen States', last consulted on February 23, 2022. 54/64, Date Unidentified February 24,2022 [CONFIDENTIAL] 225. The AP also considers that BZin own analyzes (from 2015 and 2020) already pose risks in the areaofinformationsecurityrelatingtoNVIShasdetectedandnotintime/or has taken insufficient action. For example, 188BZ has the risk in 2015 and in 2020 definedthatas a result ofpower failure equipment can break down and that unauthorized persons may make changes in NVIS due to insufficient governance with regard to authorizations. The AP points to this point in addition to the Accountability investigations by the General Court of Auditors 2017, 2018 and 2019, which means that the imperfections in the information security for BZ also on were already known for this. The Court of Audit has established that BZ risks are focus areas governance, organization design and risk management General Court of Audit held that BZ has no management framework for the implementation and implementation of to initiate and control the information security within the organisation. 226. In view of the above, the AP, pursuant to article 7, preamble under b, of the Penalty Policy Rules reason to increase the fine even further, to an amount of €440,000. 3.3.3Categories of personal data 227. The AP has established that the Ministry of Foreign Affairs in the context of processing Schengen visa applications processes special data, such as fingerprints. Such data qualifies as biometric data. For special personal data, an even higher protection is required. The AP has established that the Ministry of Foreign Affairs has determined that there is insufficient risk for a very large group of involved coordinated level of security applies for this category of special data. 228. In view of the above, the AP, pursuant to Article 7, preamble, subsection, of the Penalty Policy Rules reason to increase the fine to €465,000. 3.4 Amount of fines for violation of information provision to those involved 229. The controller must provide the data subject with information that is necessary for to guarantee a proper and transparent processing towards the data subject, taking into account of the specific circumstances and context in which the personal data is processed. 18TheAP has established that the Ministry of Foreign Affairs does not report within the framework of the information provision to visa applicants makes the sharing of personal data with third private parties and with this article 13, paragraph 1, sub, GDPR violating. 230. As mentioned above, BZ processes a lot of (special) data. It must be for those involved be transparent with which (categories of) recipients BZ shares this data personal data, the fact that hundreds of thousands of data subjects are insufficiently informed and violation has lasted for 3.5 years and still continues, the AP considers the imposition of an administrative fine appropriate. 188 189 file3, appendix 5a: Vulnerability analysis and IB plan DCV; Written ViewBZ of 15 October 2021, appendix3. See recital 60 of the AVG. 55/64, Date Unidentified February 24,2022 [CONFIDENTIAL] 231. With regard to the amount of the fine, the AP considers that the consequences of this violation are limited reduce the fine from €525,000 to €100,000. 3.5 Blame and proportionality for both violations 232. Pursuant to article 5:46, second paragraph, of the Awb, the AP reserves the right to impose an administrative fine take into account the extent to which they can be blamed on the offender violation, is not required for the imposition of an administrative fine in accordance with established case law that it is shown that intent may presuppose the AP culpability if it criminal record. 233. The Ministry of Foreign Affairs is obliged to take a risk by means of appropriate technical and organizational measures to use a coordinated security level. In addition, the Ministry of Foreign Affairs must be sufficiently clear make which parties provide the data to. It is the BZ's fault that it does not meets two obligations. The AVG, but also the VISOrdinances BIO with which BZ must comply have emphatically described the security of the processing of personal data that organizations must maintain a risk-adjusted level of security. Furthermore, the AVG(s) providetheguidelinesontransparency)sufficient explanationastowhichinformationwith those involved must be shared. The Ministry of Foreign Affairs may be expected to apply itself to the standards that act accordingly. 234. Finally, pursuant to articles 3:4 and 5:46 of the Awb, the AP assesses the application of its policy for determining the amount of the fines in view of the circumstances of the specific case, not until disproportionate outcome. 190 235. The AP is of the opinion that (the amount of) both fines is proportional. In this judgment, the AP has otherthe seriousness of the infringements and the extent to which they can be blamed on the Ministry of Foreign Affairs. Due to the nature of the data, the duration of the violations, the fact that the violations have not yet ended and the risks involved and run, the AP qualifies the relevant violationsoftheGDPR.serious.With regard tothelevelofthefinefortheviolationforthe information provision to those involved, the AP has already motivated in paragraph 3.4 why the determined fine and its judgment is proportionate. 236. In view of the foregoing, the AP sees no reason for the amount of both fines on the basis of the proportionalityandendFinancepolicy rulesmentionedcircumstances,ifapplicableinthe present case, further increase or decrease. 3.6Conclusion 237. The AP sets the total fine at €565,000. 1See also paragraph 3.3 and 3.4 for the justification. 56/64, Date Unidentified February 24,2022 [CONFIDENTIAL] 4. Compulsory charge 238. Now it concerns a continuous violation of article 32, paragraph 1, GDPR and article 13, paragraph 1, sub, GDPR BZ should end these violations as soon as possible. article58, paragraph2, preamble, AVGjo.article16, paragraph1,UAVGenarticle5:32,lid1,Awbaande Minister also a burden order sum. 239. The AP instructed the Minister of Foreign Affairs in the context of handling applications from Schengen visa: 1. to end the violation of article 32, paragraph 1, GDPR by appropriate technical and organizational to take measures to ensure a security level appropriate to the risk. The Minister serves that purpose for the national information system for the purpose of treating fromSchengen visas: a. draw up an information security policy that also states how BZ this policy will periodically review and adjust if necessary. b. draw up emergency plans and protect equipment against disruptions in utilities. c.takesufficientguaranteeforphysicalsecuritywhenworkinginthisnational system in public areas. d.defining how BZ ensures the regular checks on access rights to this system. This also means that access rights should be checked and checked regularly be adjusted without delay when a check shows that an employee is wrongly authorized to have access to personal data. e.ensure that it is possible to check and determine which data when, by who have been processed for what purpose. f.recordinghowBZloggingandregularcheckonthisinthissystem This also means that BZ should check log files regularly. It is up to the Minister, as controller, to ensure the exact completion of to determine the above remedial measures. 2. to end the violation of article 13, paragraph 1, subparagraph e, GDPR. The Minister should achieve this through information about the recipients or categories of recipients of the data of data subjects (when obtaining the personal data). 57/64, Date Unidentified February 24,2022 [CONFIDENTIAL] Beneficiary terms and level of coercion with regard to part 1 240. The AP connects to part 1 of the ass a stone beneficiaries term that ends at 24 October 2022. 241. If the Minister for Foreign Affairs does not charge before the end of this beneficiary period complies, he forfeits your coercion. The AP fixes the amount of this coercion at an amount of €50,000 for every two weeks after the end of the last day of the term set by which the minister van Foreign Affairs fails to comply with part 1 of the burden, up to a maximum of €500,000. Beneficiary terms and level of coercion with regard to part 2 242. With regard to part 2 of this burden, the AP is of the opinion that with its implementation less efforts are involved. The AP therefore connects to part 2 a beneficiary period that ends March 24,2022. 243. If the Minister for Foreign Affairs does not charge before the end of this beneficiary period complies, he forfeits your coercion. The AP fixes the amount of this coercion at an amount of €10,000 for each (whole) week, after the expiry of the last day of the stipulated period, on which the Minister of Foreign Affairs fails to comply with part 2 of the burden, up to a maximum of €300,000. 244. In the judgment of the AP, the above amounts are for both parts of the burden in reasonable proportion to the gravity of the interests violated by the violations, namely the protection of (special) data and transparency about processing to In addition, the AP considers the amounts to be sufficiently high to move the BZ into action to end. 245. The above measures are in BZ's power to take the time limit for these measures considering the AP realistic. In doing so, the AP took into account that a large part of the measuresthatBZmusttakewithpart1primarilyincludesthedraftingdocumentation.Andfor with regard to part 2, BZ only needs to adjust the information provision on a small part. Follow-up 246. If BZ wanted to forfeit the penalty payments immediately after the beneficiary's term prevent, the DPSZ considers the documents–with which the BZ can demonstrate that it complies aandeburden–on time, but within a week before the end of the beneficiary term at the APter send assessment. 247. Finally, the AP regularly informs the Ministry of Foreign Affairs on the basis of a concrete planning inform the AP about the progress of the measures it is taking to comply with part 1 of the imposed load. 58/64,Date Unidentified 24 February 2022 [CONFIDENTIAL] 5.Dictum TheAP has come to the conclusion that the Minister of Foreign Affairs, as controller in the process of issuance of Schengen visas, data subjects insufficientinformedandsecurityoftheprocessingofdatainsufficient guarantees. In view of the fact that the Minister of Foreign Affairs very much (sensitive) data processed from hundreds of thousands of data subjects and violations still continue after 3.5 years, the AP qualifies the relevant infringements of the AVG as serious. That is why the AP opens an administrative fine to the Minister of Foreign Affairs in addition a foreclosure order. - The AP explains to the Minister of Foreign Affairs for violation of article 32, paragraph 1, AVG and article 13, subsection 1 below, AV No administrative fines, an amount of: € 565,000 (in words: five hundred and sixty-five thousand euros).1 - The AP ordered the Minister of Foreign Affairs in the context of processing applications fromSchengen visas: 1.take appropriate technical and organizational measures for a risk-adjusted to ensure a security level and thus to prevent the violation of article 32, paragraph 1, GDPR end;and 2. information about the recipients or categories of recipients of the data to data subjects (when obtaining the personal data) and thereby violation of article 13, paragraph 1, subparagraph, GDPR. IftheMinisterofForeign Affairsforpart1notbefore24October2022tothe If the order is complied with, he forfeits your coercion. The AP fixes the amount of this coercion at an amount of €50,000 (in words: fifty thousand euros) for every two weeks after the last day of the term within which the Minister of Foreign Affairs fails to comply with part 1 of the order, until maximum of €500,000 (in words: five hundred thousand euros). If the Minister for Foreign Affairs with regard to part 2 not before 24 March 2022 at the If the order is complied with, he forfeits your coercion. The AP fixes the amount of this coercion at an amount of €10,000 (in words: ten thousand euros) for each (entire) week, at the end of the last day of the term, by which the Minister of Foreign Affairs fails to comply with part 2 of the order, until maximum of €300,000 (in words: three hundred thousand euros). 19The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB). article 4: 87, first paragraph, Awb to be paid within six weeks. For information and/or instructions about the payment can contact be recorded with the aforementioned contact person at the AP. 59/64,Date Unidentified 24 February 2022 [CONFIDENTIAL] Yours faithfully, AuthorityPersonal Data, w.g. ir.M.J.Verdier Vice President Remedies Clause If you do not agree with this decision, you can within six weeks of the date of shipment of the decide to submit an objection digitally or on paper to the Data Protection Authority. In accordance with Article 38 of the UAVG suspends the submission of an objection to the effect of the decision imposition of the administrative fine. Filing an objection suspends the effect of the charge under duress not opposing this decision. For submitting a digital objection, see www.autoriteitpersoonsgegevens.nl,onderhetkopjeBezwaarmakentegeneenbesluit,bottom page under the heading Contact with the Data Authority. The address for submission on paper is: Authority for Personal Data, PO Box93374, 2509AJDenHaag. Mentioned on the envelope 'Awb-objection' and put 'objection' in the title of your letter. In your letter of objection, write at least: - your name and address; - the date of your notice of objection; - the reference (case number) mentioned in this letter; or attach a copy of this decision; - the reason(s) why you do not agree with this decision; -your signature. 60/64,Date Unidentified 24 February 2022 [CONFIDENTIAL] ATTACHMENT 1 The following legislation forms the basis of the legal framework for the present Decree: The General Data Protection Regulation (GDPR) determines the overall general legal framework for the processing of personal data, and the supervision of the AP. The Regulation on the Visa Information System (VIS) and the exchange between the 192 Member States of data in the field of short-stay visas (hereinafter: the VIS Regulation) gives the specific frameworks regarding the European Visa Information System that the member states use for mutual cooperation in the issuance of visas.This Regulation regulates including which authorities are responsible for data processing via the VIS VIS Regulation prescribes for which data of persons involved who obtain a visa for the Schengen area applications must be included in the (national) visa information system.193 The VIS Regulation further describes, among other things, the objectives of the functions of VIS and sets requirements for 194 the parties responsible for using the VIS. This includes safeguards in the field of integrity, confidentiality of the visa information. 195 The Regulation establishing a Common Visa Code (hereinafter: Visa Code) 196 outline the general framework which Member States must comply with in the context of the application and issuanceofvisa.9Thisframeworkdeterminesamongotherwhichdatamustbeprocessedforthe applying for and issuing a visa for the Schengen areas various preconditions value Member States must comply with this process. The AP has thereby assessed the following provisions: Explanation The AVG contains the general legal framework for the processing of personal data relevant standards from the AVG are: Definitions Article 4GDPR defines a number of basic concepts from data protection law that are used in this decision have been applied. Specifically the notion “personal data198”, the processing of personal data, the controller and the processor. 19Location:https://eur-lex.europa.eu/legal-content/NL/TXT/?uri=celex%3A32008R0767 19See Article 9 of the VIS Regulation 19See, for example, Articles1and47VISRegulation 19See, for example, Articles1and28VISRegulation 19Location:https://eur-lex.europa.eu/legal-content/NL/ALL/?uri=CELEX%3A32009R0810 19Article 1Visa Code: This Regulation establishes the procedures and conditions for the issuance of visas for transit through the territory of the Member States or an intended stay in the territory of the Member States for a maximum of three months within a period ofsix months. 19Article4,part1,2,7and8. 61/64,Date Unidentified 24 February 2022 [CONFIDENTIAL] Principles Article 5 GDPR describes a number of basic principles that must generally be met in order to process personal data in accordance with the Regulation. In particular the principles transparency, integrity, confidentiality play a role in this case. These principles from article 5 paragraph 1, bottom and bottom f, of the AVG, are further elaborated by the more specific provisions in the AVG, in the context of this Decree, in the specific legal framework with regard to visa information systems. Processing security Article32AVGwrites-briefly-before the controller and the processor must take appropriate technical and organizational measures in order to match the risk to ensure the level of security. The general standards regarding the securing of personal data in article 32 GDPR means that the controller, taking into account with the state of the art, the implementation costs, as well as with the nature, scope, context and processing purposes and in terms of probabilities and serious risks to the rights and freedomsofpersons,shouldtakeappropriatetechnicalandorganizationalmeasuresonthe risk-adjusted security level. The term 'appropriate' also indicates a proportionality between security measures and the nature of the data to protect. The more sensitive data is, or the context in which it are used, mean a greater threat to privacy, become more serious requirements for the security of this data. 199 To further determine which security measures are appropriate in most sectors more specific standards for information security. The master relevant security standards for the governmentarecontainedinTheBaselineInformationsecurityGovernment(BIO). 200TheBIOiswhole structured according to NEN-ISO/IEC27001:2017, appendixAandNEN-ISO/IEC27002:2017.HetForum Standardization has included these standards in the 'apply-or-explain' list of mandatory standards for the public sector, according to the complyor explain principle. This means that the government applied they are explicitly formulated reasons for not doing so. The AP hereby notes that the Baseline information security government has been in effect since January 1, 2020. are various baselines and standards from various public sectors united into an overarching standard for the whole government. At the start of the investigation in 2019, the relevant security aspects were further elaborated in the BaselineInformation SecurityNational Service (hereinafter: BIR). based on the ISO27002 standards and valid until the end of 2019. The APhasthestateofdataprocessingsecuritythroughthenational visa information system also specifically tested against article 32, paragraph 2, VIS Regulation. This article looks at the taking security measures, including a security plan. These provisions from the VIS 19Authority of Personal Data: Policy Rules for the Security of Personal Data, February 2013, page 10 and Parliamentary Papers II1997-1998, 25892, 2003, p.99. For the government, the Baseline Information Security Government (BIO) is the leading standard, in this case its predecessor is also the ISO27000 standards in the field of information security. and the research up to the end of 2019. Both standards are based on the 62/64,Date Unidentified February 24,2022 [CONFIDENTIAL] Regulation is a lex specialist, of what is described in Article 32AVG as 'appropriate' measures'. The AP has considered the scope of this decision on the following aspects of this article tested: - Article32,paragraph2,VISRegulationwritefirstbeforeasecurityplanmustbeto the confidentiality and integrity of data processing through NVISte guarantee. - Member States must take measures to protect data physically, including drawing up emergency plans for the protection of critical infrastructure, according to article 32 paragraph 2 suba,VISRegulation. - According to article 32, paragraph 2, under f, VIS Regulation, Member States must take measures to ensure that those who are authorized to consult the VI only have access to the data to which their access authorization relates, and only with personal and unique user identities and secret access procedures (control of the access to the data) This means that an appropriate authorization policy must be in place for the access to NVIS and that the roles assigned in that framework must be managed. - To monitor in the organization which persons can qualify for authorizations for the use of NVIS, article 32, paragraph 2, subject, VISOrdinanceasadditionalguarantee that all authorities with right of access to the VIS draw up personnel profiles in which the tasks and responsibilities are described of the persons authorized to transfer data in to view, record, update, delete, and search. These profiles must be can be made available to the AP without delay upon request. - Article 32, paragraph 2, sub i, VIS Regulation prescribes that each Member State with regard to its national system, adopts the necessary measures to ensure that it is possible to to check and determine which data are in the VIS, when, by whom and for what purpose processed. That means BZ must keep log files. - In article32, paragraph 2, subparagraph, VIS Regulation it is determined that the efficiency of the security measures is checked and related to this internal control the necessaryorganizationalmeasuresaretakentoensurethattheregulations of this Regulation are complied with (checking the log files). security regulations of article 32 AVG. Integrity in the processing of visa information Article 28(5) VIS Regulation prescribes that personnel who want to process data that are in the VIS stored,received the same trainingontherulesofdatasecurityand protection.Only after receiving this training, can personnel be authorized to enter the VIS to process stored data. This article can be seen as a concrete elaboration of the principle of integrity, which is laid down in article 5 paragraph 1, sub f, GDPR. Based on this principle, a controllerorganizationalguaranteesimplementandensureintegrity and confidentiality of data processing. Providing information to the person concerned Being transparent about data processing is, as mentioned above, one of the general principles for proper data processing. Informing the data subject about a 63/64,Date Unidentified 24 February 2022 [CONFIDENTIAL] data processing contributes to transparency. In this context, article 13 AVG and in particular article 37 VISRegulationrelevant.Article 37VISRegulation is a specialization of what is laid down in article 13 AVG. The AP has checked whether at the start of the procedure for applying for aSchengen visa is satisfied with the obligation to provide adequate information about it to the person who is applying for a visa. This produces the following picture of relevant norms, arranged from general to specific for the visa process. Figure 1: Schematic representation of the legal framework: General Special Confidentialities and Data Security Security Plan: BIO Version 1.0.4, Part2, Chapter 5 integrity of NVIS: Art32lid2 preambleVISVo (p.27): data processing Art.32lid2VISVo standardssubsection 5.1. Art5lid1(f)AVG Art24AVG Art.32AVG Physical Security: BIOversion1.0.4,part2,chapter Art32lid2subaVISVo 11(p.43): standardssubsection 11.1and 11.2. Access rightsand BIOversion1.0.4,part2,chapter9 personnel profiles (p.37): Art6lid1VISVo standardssubsection9.2. Art32lid2subfenkjo VISVo ArtArt32lid2subgVIS fo. Logging(internal BIOversion1.0.4,part2,chapter control): 12(p.50): Art32lid2 subf, ienk standards subsection 12.4. VISVo. Security Incidents BIO version 1.0.4, part2, chapter (internal control): 16(p.63): Art32lid2subc,think standardsundersection16.1. VISVo. Art.5lid1(f)(guarantee Training staff intheorganizationon regarding area of data protection integrity: confidentiality) Art28lid5VisVo Art38lid3Visa code. Information to Upright Information: data subjects Art.37VISVo. Art.5lid1(a)GDPR Art.13AVG 64/64