AP (The Netherlands) - PVV Overijssel

| Field | Value |
|---|---|
| Authority | AP (The Netherlands) |
| Relevant Law | Article 4(12) GDPR; Article 9(1) GDPR; Article 33(1) GDPR |
| Parties | Stichting Ondersteuning Provinciale Fractie Overijssel Partij voor de Vrijheid |
| National Case Number/Name | PVV Overijssel |
| European Case Law Identifier | n/a |
| Original Source | Decision to fine (in NL) |
| Initial Contributor | Kave Noori |
The Dutch DPA fined a provincial political party €7,500 for the unauthorised disclosure of a mailing list containing 101 email addresses, and for failing to notify this breach to the DPA. The email addresses constituted special category data revealing political opinions.
English Summary
Facts
The Dutch DPA, the Autoriteit Persoonsgegevens (AP), launched an investigation into a possible breach of the GDPR by the provincial political party PVV Overijssel after an individual filed a complaint. PVV is an acronym for Partij voor de Vrijheid, which means Party for Freedom. PVV Overijssel, whose legal form is a foundation, is a provincial political party that participates in elections in the Dutch province of Overijssel.
On 10 January 2019, PVV Overijssel sent out an invitation to the party's constituency evening ("achterbanavond"). At this event, the party planned to present its list of candidates for the provincial elections in March 2019. PVV members of the national parliament would also be present, and participants would have the opportunity to talk to representatives of the party.
The invitation was sent by email with the introductory phrase "Dear friends of the PVV". Each recipient was able to view the entire mailing list of 101 email addresses. On 11 January 2019, the complainant, who had received the invitation, sent an email to the PVV asking the party to remove him/her from the list and to confirm that this had been done. In addition, the complainant expressed that the publication of the email addresses was questionable from a data protection point of view. On the same day, a PVV employee confirmed that the person had been removed from the email list and apologised for the incident.
Just a few days later, on 15 January 2019, the complainant again received an email inviting him/her to the same event, but this time the recipient list was not visible. The complainant again asked PVV to remove him/her from the list. When the AP investigated the matter, it found that at least some of the email addresses in the recipient list made the owners of those addresses directly or indirectly identifiable. The AP also considered this data to be a special category of (sensitive) personal data concerning political opinions under Article 9(1) GDPR.
Dispute
Was it sensitive personal data?
PVV Overijssel doubted that the email addresses were indeed sensitive personal data about political opinions. According to PVV Overijssel, people have different reasons for registering to receive information about the party's activities, and registering to receive information does not automatically mean that the person sympathises with the views of the PVV. The fact that someone wanted to receive invitations to party events could not in itself constitute personal data revealing a political opinion.
Was PVV Overijssel obligated to report the breach?
PVV Overijssel disputed that it was obliged to report the data breach. According to PVV Overijssel's reading of the WP29 guidance on notifying data breaches, the obligation to report arises only when one of two legal thresholds is reached: the breach is unlikely to pose a (normal) risk to rights and freedoms, or the breach is likely to pose a high risk to rights and freedoms. As PVV Overijssel considered that it was processing normal personal data (not sensitive data), it considered that these thresholds were not met. PVV Overijssel also argued that the breach was unlikely to result in physical, material or non-material harm.
Amount of the fine
PVV Overijssel considered that no fine should be imposed on it because it had explained and justified why it did not consider itself obliged to report the data breach.
Holding
Was it sensitive personal data?
The AP disagreed with PVV Overijssel's conclusion that the email addresses were not sensitive personal data revealing political opinions. The AP held that it could not be excluded that at least some of the individuals had registered because of their political views. The AP therefore decided that the email addresses constituted sensitive personal data.
Was PVV Overijssel obliged to report the breach?
First, the AP found that the disclosure of the list of email recipients constituted a personal data breach under Article 4(12) GDPR. Second, the AP found that PVV Overijssel was obliged to notify the data breach to the AP within 72 hours pursuant to Article 33(1) GDPR. The AP recalled that the main purpose of this obligation is to encourage a data controller to take immediate action to mitigate the data breach, to recover compromised personal data if possible, and to seek advice from the DPA.
Third, the AP considered that, in all the circumstances, PVV Overijssel knew about the data breach at least on 11 January 2019, the day on which it apologised to the complainant. The AP concluded that PVV Overijssel was obliged to report the incident without delay, but no later than 14 January 2019. The AP found that PVV Overijssel failed to report the breach within the required timeframe.
Fourth, the AP considered that the breach did in fact pose a high risk to individual rights and freedoms and should have been reported. The AP clarified that whenever sensitive personal data revealing a political opinion is involved, it must hypothetically be considered that the data subject is likely to be at risk of suffering harm, which may be material, reputational or discriminatory in nature. The AP explained that political parties process sensitive personal data, which poses a greater risk to an individual whose personal data is breached. Therefore, the AP clarified that a political party has a greater responsibility to maintain a high level of data protection.
Fifth, the AP considered the context of the email. The AP considered the subject and intended audience of the email, that it was an invitation to a constituency meeting of a political party, and what was to happen at the event. When considering all these circumstances, the AP concluded that it was very likely that at least some of these 101 email addresses belonged to people who signed up because they sympathized with the ideas of the PVV.
Fine
The AP based its fine on two events. First, PVV Overijssel breached its obligation to notify the breach in a timely manner under Article 33 GDPR. Second, PVV Overijssel disclosed, without authorisation, sensitive personal data revealing the political opinions of individuals identifiable through the email addresses in the mailing list. When PVV Overijssel made the mailing list visible, it violated the privacy of a large number of individuals, who lost control over their personal data. The AP also made it clear that it was irrelevant to the case that the data breach concerned individuals who had themselves indicated that they wanted to receive the information.
In deciding on the amount of the fine, the AP took into account the nature, gravity and duration of the infringement, whether the act was intentional or negligent, and the measures taken by PVV Overijssel to limit the damage caused.
Finally, the proportionality of the fine was assessed, also taking into account the economic situation of PVV Overijssel. The AP took note of the financial contributions that the party received from the Province of Overijssel for the operation of its parliamentary group in the States of Overijssel (the elected body of the province). At that time, each party in the States of Overijssel received a basic contribution of €26,460 and an additional contribution of €3,570 per elected member.
The AP found that the standard fine of €525,000 for this type of infringement would be disproportionate for PVV Overijssel. The AP therefore decided that the fine should be €7,500.
Comment
The provisions on special categories of (sensitive) personal data in Article 9(1) GDPR are closely linked to the ideas behind discrimination law. The GDPR assumes that this type of information is particularly worthy of protection because it can be misused by someone with the wrong intentions. Political parties, as well as trade unions, organizations for people with a particular disability, religion, sexual orientation and ethnicity, have a stronger obligation to protect information about their members and supporters.
It is common for leaders of these types of nonprofits to feel burdened because they have to maintain a level of privacy protection almost as high as that required in health care. Many of them also wonder who might be interested in the members or supporters of their small nonprofit. In this context, the GDPR looks at hypothetical risks, because actual harm cannot be assessed until it is too late and someone has already misused the data.
Privacy is a fundamental human right protected by the EU Charter of Fundamental Rights. The right to privacy is a gateway to other human rights, such as the right to vote or to form an opinion. If the identities of PVV sympathisers fall into the wrong hands, for example those of someone who wants to intimidate a political opponent, there is a real risk of harm. The GDPR is clear that members and sympathisers of political organisations can expect that no one outside the party has the right to know anything about their political affiliation. A person's political views are part of their identity, and the GDPR aims to ensure that individuals remain in control of their identity online. However, an individual who holds an official position, such as being a candidate or sitting on the board of the political organisation, cannot expect the same level of privacy.
Further Resources
AP, 'Boete PVV Overijssel vanwege niet melden datalek' (11.05.2021), accessible: https://www.autoriteitpersoonsgegevens.nl/nl/nieuws/boete-pvv-overijssel-vanwege-niet-melden-datalek
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Autoriteit Persoonsgegevens, P.O. Box 93374, 2509 AJ The Hague, Bezuidenhoutseweg 30, 2594 AV The Hague, T 070 8888 500, F 070 8888 501, autoriteitpersoonsgegevens.nl

Confidential / Registered
Stichting Ondersteuning Provinciale Fractie Overijssel Partij voor de Vrijheid
[CONFIDENTIAL]
Steenmeijerstraat 57
7555 NV Hengelo

Date: June 16, 2020
Our reference: [CONFIDENTIAL]
Contact: [CONFIDENTIAL]
Subject: Decision to impose an administrative fine

Dear [CONFIDENTIAL],

The Dutch Data Protection Authority (hereinafter: AP) has decided to impose an administrative fine of € 7,500 on the Stichting Ondersteuning Provinciale Fractie Overijssel Partij voor de Vrijheid (PVV) (hereinafter: PVV Overijssel). PVV Overijssel failed to report a personal data breach to the AP without undue delay and at the latest within 72 hours after it became aware of the breach on January 11, 2019. PVV Overijssel has thereby violated Article 33, first paragraph, of the General Data Protection Regulation (hereinafter: GDPR).

Below, the decision is explained. Chapter 1 contains the relevant facts and the course of the proceedings. Chapter 2 describes the legal framework. Chapter 3 contains the assessment by the AP, after which Chapter 4 gives the reasons for the amount of the administrative fine. Finally, Chapter 5 contains the operative part and the legal remedies clause.

1. Facts and course of the proceedings

Stichting Ondersteuning Provinciale Fractie Overijssel Partij voor de Vrijheid (PVV) has its registered office at Steenmeijerstraat 57, 7555 NV Hengelo. The foundation has as its object, among other things, the provision of administrative and organisational support to the PVV group (as referred to in Article 5 of the Rules of Order for the meetings and other activities of the Provincial Council of Overijssel, or any regulation that replaces it). The foundation also operates under the name "PVV Overijssel".
On January 11, 2019, the AP received a complaint about a possible violation of the GDPR by PVV Overijssel. [3] In summary, the complaint states that on January 10, 2019 PVV Overijssel sent an e-mail message with the subject "Invitation constituency evening 28 January 2018" to a group of 101 addressees, with the list of addressees visible in the recipient list of the e-mail program. As a result of this complaint, the AP started an investigation to determine whether PVV Overijssel complied with the GDPR rules on reporting a personal data breach.

By letter of 15 May 2019, the AP requested information from PVV Overijssel. [4] PVV Overijssel responded to this request in writing on May 24, 2019. [5]

The findings of the investigation are set out in the report "Investigation into the failure to report a personal data breach to the AP by PVV Overijssel", research report from the department Primary Care Research (EL), of 18 November 2019. By letter of 11 December 2019, the AP sent PVV Overijssel its intention to enforce, together with the aforementioned research report and the underlying documentation, and gave PVV Overijssel the opportunity to submit its views. By letter of January 28, 2020, PVV Overijssel gave its views in writing.

Based on the report with findings, the underlying documentation and the views of PVV Overijssel, the AP establishes the following relevant facts.

On Thursday, January 10, 2019, a group employee of PVV Overijssel sent an e-mail message with the subject "Invitation constituency evening 28 January 2018" to 101 addressees. For all recipients of the e-mail, including the complainant, the e-mail addresses of all recipients were visible in the recipient list of the e-mail program. [6] The text of the e-mail reads:

"Dear friends of the PVV,

[1] Excerpt Chamber of Commerce 14 March 2019, No. 52322017, appendix 7 to the investigation report.
[2] See print screen of the website, appendix 6 to the research report.
[3] Notification form, appendix 2 to the investigation report.
[4] Information request from the AP of 15 May 2019, appendix 4 to the investigation report.
[5] Response from PVV Overijssel of 24 May 2019, appendix 5 to the investigation report.
[6] E-mail correspondence in the period from 10 to 15 January 2019, appendix 3 to the investigation report.

On Monday, January 28, 2019, PVV Overijssel is organising a constituency evening. On this evening, the candidates for the Provincial Council elections of March 20, 2019 will be presented. Members of the House of Representatives for the PVV will also be present on this evening. During this evening, all the candidates will introduce themselves to you and there will be a number of speakers. After the formal part of the meeting, we would all like to talk with you afterwards and make it another cosy evening! The evening starts at 19.30 and the constituency evening will take place in Hotel Van der Valk in Hengelo. The address: Bornsestraat 400, 7556 BN Hengelo. Because we want to know how many people to expect, please let us know by e-mail whether you will come and with how many people. Please e-mail firstname.lastname@example.org, stating your name and the number of persons. We look forward to seeing you! Sincerely, PVV Overijssel."

In response to this invitation, the complainant sends PVV Overijssel a request the next day to remove him from the mailing list and to confirm this. He also notes that making all e-mail addresses visible testifies to serious carelessness in view of the privacy rules. PVV Overijssel hereby apologises and confirms that the complainant's data has been removed from the list. On 15 January 2019, the complainant again receives a message from PVV Overijssel with the same invitation for the event on January 28, 2019, this time without the e-mail addresses of the invitees being visible. Once again, the complainant requests that his contact data be deleted. [7]

To date, the AP has not received a report from PVV Overijssel, so that the violation still continues.
2. Legal framework

Pursuant to Article 2, paragraph 1, of the GDPR, the Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

Pursuant to Article 4 of the GDPR, the following definitions apply:

1. "Personal data" means any information relating to an identified or identifiable natural person ("the data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, [...].

2. "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means [...].

7. "Controller" means a [...] legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data; [...].

12. "Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Pursuant to Article 33, first paragraph, of the GDPR, in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

[7] E-mail correspondence in the period from 10 to 15 January 2019, appendix 3 to the research report.
Recitals 75 and 76 of the GDPR include the following. The risk to the rights and freedoms of natural persons may result from personal data processing which could lead to material or non-material damage. This risk exists in particular where the processing may give rise to discrimination or damage to reputation. This risk may also exist where personal data are processed which reveal political opinions. The likelihood and severity of the risk to the rights and freedoms of the data subjects should be taken into account in the assessment of the risk. Risk should be evaluated on the basis of an objective assessment, by which it is established whether the processing involves a risk or a high risk. It follows from the above recitals, for example, that appropriate safeguards must be taken when processing personal data that reveal a political opinion.

3. Assessment

3.1 Processing of personal data and material scope of the GDPR

The aforementioned e-mail message of January 10, 2019 is an invitation to a constituency evening on January 28, 2019 and is addressed to a group of 101 addressees, referred to as "friends of the PVV". [8] The e-mail addresses are visible to all invitees in the address line of the e-mail. [9] Among the e-mail addresses there are combinations of a first and last name, initial(s) and last name, first and/or last name with a number, letters and/or numbers that are not a (personal) name, as well as info addresses, etcetera.

[8] The subject line of the e-mail states "2018". This is an obvious typo.
[9] E-mail correspondence in the period from 10 to 15 January 2019, appendix 3 to the research report.

(Some of) the recipients of the aforementioned e-mail can thus be recognised immediately or can be traced with a single search.
Now that a natural person, including the complainant, can be directly or indirectly identified using this data, it qualifies as personal data within the meaning of Article 4, opening words and under 1, of the GDPR.

As noted above, data about political opinions qualify under the GDPR as so-called "special categories of personal data" as described in Article 9, first paragraph, of the GDPR. The AP has found that the sending of the e-mail of January 10, 2019 involved a processing of personal data revealing political opinions as referred to in Article 9, first paragraph, of the GDPR. As PVV Overijssel indicated in its letter of 24 May 2019, the recipients of the invitation for the constituency evening had previously reported to the PVV and had indicated that they were interested in receiving invitations. [10] The AP does not share PVV Overijssel's view that the reasons for and interest in receiving e-mail messages such as invitations to activities can be so diverse that no political opinion can be inferred. Being interested in a meeting of PVV Overijssel does not exclude the fact that there are also interested persons who want to attend the meeting because of their political views. It weighs in for the AP that the e-mail speaks of the "constituency". Finally, the AP points out that PVV Overijssel itself also does not exclude that among the interested people there are those who want to attend this evening because of their political views. Based on the above, the AP concludes that this concerns the processing of personal data of persons from which a political opinion is apparent.

3.2 Controller

In the context of the question whether Article 33, first paragraph, of the GDPR has been complied with, it is important to determine who qualifies as the controller as referred to in Article 4, opening words and under 7, of the GDPR. This is the party that determines the purposes and means of the processing of personal data. PVV Overijssel is a foundation whose object is to provide administrative and organisational support to the
PVV group in the Provincial Council of Overijssel. [11] PVV Overijssel has no corporate relationship with another legal entity, such as the association Partij voor de Vrijheid. The board represents the foundation. [12]

[10] Letter PVV Overijssel of 24 May 2019, appendix 5 to the investigation report.
[11] Excerpt Chamber of Commerce 14 March 2019, No. 52322017, appendix 7 to the investigation report.
[12] See deed of establishment of the Stichting Ondersteuning Provinciale Fractie Overijssel Partij voor de Vrijheid (PVV), deed date 15 March 2011, accessed on August 29, 2019, appendix 8 to the investigation report.

Every contribution posted on the website https://www.pvvoverijssel.nl/ relates exclusively to the provincial politics of the province of Overijssel. All contributions are placed on behalf of "Partij voor de Vrijheid Overijssel". On the website, various video fragments from YouTube about public appearances of PVV Overijssel are shared. Via the website one can also contact PVV Overijssel. From this, the AP establishes that the website management is in the hands of PVV Overijssel. The supporters of PVV Overijssel consist of donors, volunteers and sympathisers whom PVV Overijssel can associate with and mobilise. PVV Overijssel recruits volunteers and, to increase the electability of the PVV in the province of Overijssel, recruited candidates in three municipalities of the province for the PVV lists for the municipal council elections of 2018. PVV Overijssel coordinated the 2018 municipal elections in Overijssel in the municipalities of Almelo, Enschede and Twenterand. [13]
To recruit volunteers and candidates for the 2018 municipal elections, PVV Overijssel designed a web form and placed it on its website, in which, among other things, name and address details, e-mail address, availability as municipal councillor and/or volunteer, and the upload of a CV are requested and processed by PVV Overijssel. [14]

In its letter of 24 May 2019, PVV Overijssel responded to the AP's request for information. [15] [16] It indicated that it organises different activities and works with different mailing lists. It sent the invitation for the constituency evening to people who had reported to it before and had indicated that they were interested in receiving invitations. Due to a human error by a group employee, the e-mail addresses were visible to everyone who received the invitation. PVV Overijssel says it has since taken internal measures in this regard.

From the foregoing, the AP establishes that PVV Overijssel independently determines which means it considers necessary for reaching and activating its supporters in Overijssel, one of which is the sending of e-mail. PVV Overijssel has control over which personal data are processed and determines the purposes and means of the data processing in the context of this activity. On the basis of the above, the AP considers PVV Overijssel to be the controller as referred to in Article 4, opening words and under 7, of the GDPR.

[13] Print screen, appendix 6 to the research report.
[14] Print screen, appendix 6 to the research report.
[15] Letter PVV Overijssel of 24 May 2019, appendix 5 to the investigation report.
[16] Information request from the AP of 15 May 2019, appendix 4 to the investigation report.
3.3 Obligation to report a personal data breach to the AP

3.3.1 Personal data breach

On the basis of Article 33, first paragraph, of the GDPR, the controller notifies a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

For the question whether there is a violation of the notification obligation within the meaning of Article 33, first paragraph, of the GDPR, it is first of all important to establish whether the sending of the e-mail of January 10, 2019 constitutes a so-called personal data breach within the meaning of Article 4, opening words and under 12, of the GDPR. What should be clear is that a breach is a type of security incident. However, Article 4, opening words and under 12, of the GDPR only applies where there is a breach of personal data. A consequence of such a breach is that the controller will not be able to guarantee that the principles relating to the processing of personal data as described in Article 5 of the GDPR are complied with. This emphasises the difference between a security incident and a personal data breach: all personal data breaches are security incidents, but not all security incidents are necessarily personal data breaches. [17] It should be noted that a security incident is not limited to threat models in which an organisation is attacked from the outside, but also includes incidents resulting from internal processing.

On January 10, 2019, a group employee of PVV Overijssel sent an e-mail message with an
invitation for a constituency evening to a group of 101 addressees. For all recipients of the e-mail, including the complainant, the e-mail addresses of the recipients were visible in the recipient list of the e-mail program. In its response of May 24, 2019 to the AP, PVV Overijssel acknowledges that this was very undesirable and should never have happened. Considering the above, the AP regards the sending of the e-mail with the subject "Invitation constituency evening 28 January 2018" to a group of 101 addressees on 10 January 2019 by PVV Overijssel as a breach of security which has accidentally led to the unauthorised disclosure of personal data to all recipients of the e-mail. [18] In the opinion of the AP, this therefore constitutes a personal data breach as referred to in Article 4, opening words and under 12, of the GDPR.

[17] Guidelines on personal data breach notification under Regulation 2016/679, p. 8.
[18] Compare the example of the direct marketing e-mail, Guidelines on personal data breach notification under Regulation 2016/679, p. 39.

3.3.2 Obligation to notify the AP

The notification obligation as laid down in Article 33, first paragraph, of the GDPR was established in particular to encourage the controller to act immediately in the event of a breach, to limit the breach, to restore the compromised personal data if possible, and to ask the supervisory authority for advice. By notifying the supervisory authority, the controller can also make sure that decisions about not informing data subjects are correct. [19]

The moment at which PVV Overijssel became aware of the infringement

Following the sending of the e-mail by PVV Overijssel on January 10, 2019, the complainant responded on January 11, 2019 and requested PVV Overijssel to remove his e-mail address from its address file. In another message, the complainant noted that making all e-mail addresses, and thereby traceable personal data, available to everyone testifies to serious carelessness. PVV Overijssel responded with an e-mail on January 11, 2019 with apologies. Thus, PVV
Overijssel in any case became aware of the infringement on 11 January 2019. [20]

Risk assessment of the personal data breach

The GDPR imposes a notification requirement on all controllers unless it is unlikely that a breach involves a risk to the rights and freedoms of natural persons. This must be assessed case by case. [21]

According to PVV Overijssel, the AP, in section 3.4.2 of its research report, [22] wrongly refers to the "Guidelines on personal data breach notification under Regulation 2016/679" for the notion that the breach "poses a risk to the rights and freedoms of natural persons". In the Guidelines (page 26), however, the term used is: "that the breach is likely to result in a high risk to the rights and freedoms of natural persons". According to the Guidelines, therefore, a normal risk is not sufficient; it must be a high risk, according to PVV Overijssel.

The AP considers that PVV Overijssel assumes an incorrect reading of the Guidelines. In the Guidelines, a distinction is made between the notification of the AP and the communication to the data subject(s):

"IV. Assessing risk and high risk
A. Risk as a trigger for notification and communication
Although the GDPR introduces the obligation to notify a breach, it is not a requirement to do so in all circumstances: Notification to the competent supervisory authority is required unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. Communication of a breach to the individual is only triggered where it is likely to result in a high risk to their rights and freedoms. [23]

[19] Guidelines on personal data breach notification under Regulation 2016/679, p. 18.
[20] See e-mail correspondence in the period of 10 to 15 January 2019, appendix 3 to the investigation report.
[21] Guidelines on personal data breach notification under Regulation 2016/679, p. 9.
[22] Paragraph 3.5.2 Risk assessment.
"

In the investigation report, the AP found that PVV Overijssel was obliged to report the breach to the AP. In that context, it must be assessed whether it is unlikely that the breach involves a risk to the rights and freedoms of natural persons. In its view, PVV Overijssel has also disputed that there is any such risk. It argues, among other things, that the processing only concerns ordinary personal data, not special personal data, that no physical, material or non-material damage has arisen, and that it has rightly concluded that it is unlikely that the breach poses a risk to the rights and freedoms of natural persons. According to PVV Overijssel, it was therefore not obliged to report the breach to the AP.

The AP considers the following in this regard. In addition to recitals 75 and 76 of the GDPR, the Guidelines [24] list factors that are important in assessing risk, namely: the type of breach; the nature, sensitivity and volume of the personal data; the ease of identification of individuals; the severity of consequences for individuals; special characteristics of the individual; special characteristics of the controller; the number of affected individuals; and general points. The nature and sensitivity of the personal data compromised in a breach are an important factor therein. [25] The more sensitive the data, the higher the risk of damage to the data subjects. When the breach involves personal data revealing a political opinion, material or non-material damage (such as discrimination and reputational damage) for the persons whose data is the object of the breach must be taken into account.
The e-mail sent on 10 January 2019 to 101 recipients contains e-mail addresses, that is, personal data of data subjects, and these are personal data that show political views. Given the e-mail, an invitation to a constituency meeting of a political party, as well as the content of the meeting, it is most likely that the addressees are persons interested in the ideas of the PVV. Such information could have consequences for an existing or a future societal position.

The AP also points to the factor "special characteristics of the controller", which indicates that the nature and role of the controller and its activities may affect the risk of a breach for persons. Insofar as a political organization processes special categories of personal data, there is a greater threat to persons if their personal data has been breached. This means a greater responsibility for the political organization to offer a high level of protection. Finally, it is noted in this context that the breach affects a relatively large number of persons, namely (part of) the persons behind the mailing list of those interested in invitations for activities of PVV Overijssel.

Given these circumstances, it cannot be said that it is unlikely that the breach involves a risk to the rights and freedoms of data subjects. PVV Overijssel was therefore obliged to report the breach to the AP.

[23] Guidelines on personal data breach notification under Regulation 2016/679, p. 26.
[24] Guidelines on personal data breach notification under Regulation 2016/679, p. 28ff.
[25] Guidelines on personal data breach notification under Regulation 2016/679, pp. 26 and 27.

From the date on which PVV Overijssel became aware of the breach in connection with personal data, it had to report the breach without undue delay and at the latest within 72 hours to the AP as the competent supervisory authority. PVV Overijssel should therefore have reported to the AP by 14 January 2019 at the latest, but failed to do so.

In view of the foregoing, the AP finds that PVV Overijssel has violated Article 33(1) of the GDPR by failing to notify the AP of the breach in connection with personal data without undue delay and at the latest within 72 hours after PVV Overijssel became aware of the breach on 11 January 2019.

4. Fine

4.1 Introduction

If a controller does not notify the supervisory authority of a breach in connection with personal data while the requirements of Article 33 of the GDPR are met, the supervisory authority has a choice between the corrective measures available to it, including the imposition of an administrative fine.

In its opinion, PVV Overijssel has set out the reasons why it considers that it is not obliged to make a report to the AP. It therefore also takes the view that there is no ground for imposing a measure or an administrative fine. Should the AP not follow PVV Overijssel in this, it makes an explicit and reasoned appeal to Article 7, "Relevant factors", of the Fines Policy Rules.[26]

[26] Policy Rules of the Autoriteit Persoonsgegevens of 19 February 2019 regarding the determination of the amount of administrative fines (Fines Policy Rules Autoriteit Persoonsgegevens 2019), Government Gazette no. 14586, 14 March 2019.

The AP remarks the following on this. By sending an invitation for a constituency evening in which the list of recipients in the mailing list of the e-mail program was visible to all recipients of the e-mail message, the PVV has given unauthorized insight into the e-mail addresses of all of the recipients, being people with an interest in the ideas of the PVV.
By sending the e-mail, personal data from which political views are evident were shared with all recipients of the e-mail, and there has been a violation of the right to respect for private life and the right to the protection of personal data of a large number of data subjects, who have thereby lost their personal data. Failing to report this breach in connection with personal data to the AP is, in the judgment of the AP, a serious violation. The fact that the persons had indicated that they wanted to receive periodic mail does not alter this.[27]

The AP sees reason to use its authority to impose a fine under Article 58(2) of the GDPR, read in conjunction with Article 83(4) of the GDPR and Article 14(3) of the UAVG, on PVV Overijssel. Pursuant to Article 83(4)(a) of the GDPR, violations of Article 33 of the GDPR are, in accordance with paragraph 2, subject to administrative fines of up to €10,000,000 or, for a company, up to 2% of total worldwide annual turnover in the previous financial year, whichever is higher.

4.2 Fines Policy Rules Autoriteit Persoonsgegevens 2019 (Fines Policy Rules 2019)

In 2019, the AP adopted fines policy rules for the exercise of the aforementioned authority to impose an administrative fine, including the determination of its amount. Pursuant to Article 2.1 of the Fines Policy Rules 2019, violations for which the AP may impose an administrative fine of at most €10,000,000 […] are classified in Annex 1 in Category I, Category II or Category III. In Annex 1, violation of Article 33(1) of the GDPR is classified in Category III.
Pursuant to Article 2.3 of the Fines Policy Rules 2019, the AP sets the basic fine for violations for which a statutory maximum fine of €10,000,000 […] applies within the fine bandwidths. For violations in Category III of Annex 1 of the Fines Policy Rules 2019, a fine bandwidth between €300,000 and €750,000 applies, with a basic fine of €525,000.

Pursuant to Article 6 of the Fines Policy Rules 2019, the AP determines the amount of the fine by adjusting the basic fine upward (up to the maximum of the bandwidth of the fine category linked to the violation) or downward (to the minimum of that bandwidth). The factors mentioned in Article 7 of the Fines Policy Rules 2019 may give rise to this.

[27] Letter from PVV Overijssel of 24 May 2019, appendix 5 to the investigation report.

Pursuant to Article 7 of the Fines Policy Rules 2019, the AP, without prejudice to Articles 3:4 and 5:46 of the General Administrative Law Act (Awb), takes into account the following factors derived from Article 83(2) of the GDPR, referred to in the Policy Rules under a to k:
a. the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing in question as well as the number of data subjects affected and the extent of the damage suffered by them;
b. the intentional or negligent nature of the infringement;
c. the measures taken by the controller […] to limit the damage suffered by the data subjects;
d. the degree of responsibility of the controller […] in view of the technical and organizational measures it has implemented pursuant to Articles 25 and 32 of the GDPR;
e. any relevant previous infringements by the controller […];
f. the degree of cooperation with the supervisory authority to remedy the infringement and limit its possible negative consequences;
g. the categories of personal data to which the infringement relates;
h. the manner in which the supervisory authority became aware of the infringement, in particular whether, and if so to what extent, the controller […] has reported the infringement;
i. compliance with the measures referred to in Article 58(2) of the GDPR, insofar as these have previously been taken with regard to the controller […] in relation to the same matter;
j. adherence to approved codes of conduct in accordance with Article 40 of the GDPR or to approved certification mechanisms in accordance with Article 42 of the GDPR; and
k. any other aggravating or mitigating circumstance of the case, such as financial gains made or losses avoided, directly or indirectly, from the infringement.

Pursuant to Article 8.1 of the Fines Policy Rules 2019, if the fine bandwidth of the applicable fine category does not allow an appropriate penalty in the specific case, the AP may, when determining the amount of the fine, apply the fine bandwidth of the next higher or the next lower category.

Pursuant to Article 9 of the Fines Policy Rules 2019, the AP, without prejudice to Article 8.1, takes into account the financial circumstances of the offender when determining the fine. In the event of insufficient capacity of the offender, the AP may further moderate the fine if, after application of Article 8.1, determining a fine within the bandwidth of the next category would, in its judgment, still result in a disproportionate fine.

4.3 Amount of the fine

According to the AP, the following factors mentioned in Article 7 are relevant in this case to the determination of the amount of the fine:
a. the nature, seriousness and duration of the infringement;
b. the intentional or negligent nature of the infringement (culpability);
c. the measures taken by the controller or processor to limit the damage suffered by the data subjects.
4.3.1 Nature, seriousness and duration of the infringement

Pursuant to Article 7, preamble and under a, of the Fines Policy Rules 2019, the AP takes into account the nature, seriousness and duration of the infringement.

The protection of natural persons in connection with the processing of personal data is a fundamental right. Pursuant to Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU), everyone has the right to the protection of personal data concerning him or her. The principles and rules on the protection of natural persons with regard to the processing of their personal data should respect their fundamental rights and freedoms, in particular their right to the protection of personal data. The GDPR is intended to contribute to the creation of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and convergence of the economies within the internal market, and to the well-being of natural persons. The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. Any processing of personal data should be lawful and fair. Personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed, and should be processed in a manner that ensures appropriate security and confidentiality of the data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.
Reporting of breaches should be seen as a means of improving compliance with the rules on the protection of personal data. A breach in connection with personal data that takes place or has taken place can result in physical, material or immaterial damage to natural persons, or any other economic or social disadvantage to the person in question. Therefore, as soon as the controller has become aware of a breach in connection with personal data, it must notify the supervisory authority without undue delay and, where feasible, within 72 hours of the breach. This also enables the supervisory authority to properly perform its duties and powers as laid down in the GDPR.

PVV Overijssel believes that the nature and scope of the infringement are limited, now that the e-mail message concerns a general notice and no information regarding the data subjects other than the e-mail address is processed. The AP does not follow PVV Overijssel in this. Since 14 January 2019, the statutorily required notification of this violation has not been made to the AP. In its assessment, the AP takes into account that the infringement affects 101 persons, for whom a special category of personal data, namely data showing political views, is presumed. The AP considers the violation serious, but sees in this no reason to increase or decrease the basic amount of the fine.

4.3.2 Intentional or negligent nature of the infringement (culpability)

Pursuant to Article 5:46(2) of the Awb, the AP, when imposing an administrative fine, takes into account the extent to which the offender can be blamed. Since culpability is not a requirement for the imposition of an administrative fine for this violation, the AP, in accordance with case law,[28] may assume culpability once it is established that the offender committed the violation.[29]

PVV Overijssel believes that there is no question of an intentional or negligent infringement. It states that it immediately made the assessment that it must make in accordance with Article 33 of the GDPR and legitimately considered that there was no obligation to report the violation to the AP.

The AP notes that, if such an assessment had taken place, PVV Overijssel did not carry it out correctly. As grounds for not reporting the breach to the AP, it has indicated: "it concerns an invitation which has been sent to people who have previously indicated to us that they are interested in receiving our invitations" and "we have not reported this, because the persons concerned have indicated that they want to receive periodic mail from us by e-mail".[30] Furthermore, PVV Overijssel indicated in that context that it "does not concern an involuntary group of people". However, this is not a criterion on the basis of which it can be concluded that a violation would not have to be reported. From the moment PVV Overijssel became aware of the incident, it should have made a risk assessment based on the nature of the personal data concerned and then reported the breach to the AP. PVV Overijssel failed to make a report to the AP.

[28] Compare CBb 29 October 2014, ECLI:NL:CBB:2014:395, ground 3.5.4; CBb 2 September 2015, ECLI:NL:CBB:2015:312, ground 3.7; CBb 7 March 2016, ECLI:NL:CBB:2016:54, ground 8.3; ABRvS 29 August 2018, ECLI:NL:RVS:2018:2879, ground 3.2; and ABRvS 5 December 2018, ECLI:NL:RVS:2018:3969, ground 5.1.
[29] Parliamentary Papers II 2003/04, 29702, no. 3, p. 134.
[30] Letter from PVV Overijssel of 24 May 2019, appendix 5 to the investigation report.

In view of the foregoing, PVV Overijssel is to blame for not having reported to the AP, but the AP sees no reason in the culpability established to increase or decrease the basic amount of the fine.
4.3.3 Measures taken to limit the damage suffered by the data subjects

PVV Overijssel has indicated that, immediately after detecting the error, it adapted its working methods and processes to prevent such an error from being made again, and that these measures have proven to be effective.

The AP considers that no measures have been shown that limit the (possible) damage for the data subjects. A political organization such as PVV Overijssel may be expected to be very careful, to be aware of the sensitivity of the personal data that it processes and to guarantee a corresponding level of protection. Only after the incident did it indicate that no one was proficient in the GDPR. In the circumstances invoked, the AP sees no reason to adjust the basic amount of the fine under Article 7, under c, of the Fines Policy Rules 2019.

4.3.4 Proportionality

Finally, the AP assesses on the basis of Articles 3:4 and 5:46 of the Awb (principle of proportionality) whether the application of its policy for determining the amount of the fine, given the circumstances of the case, leads to a disproportionate outcome. Under the Fines Policy Rules 2019, the AP takes into account the financial circumstances of the offender when determining the fine.

PVV Overijssel has indicated that it is a non-profit political foundation with limited financial means available. The AP considers the following in this respect. The Stichting Ondersteuning Provinciale Fractie Overijssel Partij voor de Vrijheid has, for the realization of the foundation's purpose, capital formed by the financial contribution of the province of Overijssel and by what is otherwise obtained. Under the fraction support rules of the province of Overijssel, the fractions receive an annual financial contribution as an allowance for the costs of the functioning of the fraction of at most €3,570 for each of the members of the Provincial Council belonging to the fraction plus €26,460 per fraction (as of 1 January 2019).[31]

[31] Regulation on official assistance and fraction support, province of Overijssel 2016, Provincial Journal no. 33, 2 January 2017, and no. 2734, 11 April 2019.

The AP has, however, considered the limited capacity of PVV Overijssel and comes to the conclusion that PVV Overijssel cannot financially bear the fine of €525,000. The AP sees reason in this to reduce the amount of the fine. The AP considers in this context that it has not been shown that PVV Overijssel cannot bear this.

4.3.5 Conclusion

The AP sets the total fine amount at €7,500.

5. Operative part

Fine
The AP imposes on PVV Overijssel, for violation of Article 33(1) of the GDPR in the period from 14 January 2019 to date, an administrative fine in the amount of €7,500 (in words: seven thousand five hundred euros).[32]

Yours sincerely,
Autoriteit Persoonsgegevens,
Mr. A. Wolfsen
Chairman

Remedies clause
If you do not agree with this decision, you can submit an objection to the Autoriteit Persoonsgegevens, digitally or on paper, within six weeks of this decision. Submitting an objection suspends the effect of this decision. For submitting an objection digitally, see www.autoriteitpersoonsgegevens.nl, under the heading "Objection against a decision", at the bottom of the page under "Contact the Autoriteit Persoonsgegevens". The address for submitting an objection on paper is: Autoriteit Persoonsgegevens, PO Box 93374, 2509 AJ Den Haag. On the envelope, state "Awb objection" and put "notice of objection" in the title of your letter. At least state in your notice of objection:
- your name and address;
- the date of your notice of objection;
- the reference mentioned in this letter (case number), or attach a copy of this decision;
- the reason(s) why you do not agree with this decision;
- your signature.

[32] The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB).