AP (The Netherlands) - PVV Overijssel

From GDPRhub
AP (The Netherlands) - PVV Overijssel
LogoNL.png
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 4(12) GDPR
Article 9(1) GDPR
Article 33(1) GDPR
Type: Complaint
Outcome: Upheld
Decided: 11.05.2021
Published:
Fine: 7500 EUR
Parties: Stichting Ondersteuning Provinciale Fractie Overijssel Partij voor de Vrijheid
Autoriteit Persoonsgegevens
National Case Number/Name: PVV Overijssel
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Decision to fine (in NL)
Initial Contributor: Kave Noori

The Dutch DPA fined a provincial political party €7,500 for the unauthorised disclosure of a mailing list containing 101 email addresses, and for failing to notify this breach to the DPA. The email addresses constituted special category data revealing political party opinions.

English Summary[edit | edit source]

Facts[edit | edit source]

The Dutch DPA, Autoriteit Persoonsgegevens (AP) launched an investigation into a possible breach of the GDPR against the provincial political party PVV Overijsssel after an individual filed a complaint. PVV is an acronym for Partij voor de Vrijheid, which means Party for Freedom. PVV Overijsssel, whose legal form is a foundation, is a provincial political party that participates in elections in the Dutch province of Overijssel.

On 10 January 2019, the PVV Overijssel sent out an invitation to an event for the party's constituency evening ("achterbanavond"). At this event, the party planned to present its list of candidates for the provincial elections in March 2019. The PVV members of the national parliament would also be present and the participants would have the opportunity to talk to representatives of the party.

The invitation was sent by email with the introductory phrase "Dear friends of the PVV". Each recipient was able to view the entire mailing list of 101 email addresses. On 11 January 2019, the complainant who had received the invitation sent an email to the PVV asking the party to remove him/her from the list and confirming that this had been done. In addition, the recipient expressed that the publication of the e-mail addresses was questionable from a data protection point of view. On the same day, a PVV employee confirmed that the person had been removed from the email list and apologised for the incident.

Just a few days later, on January 15, 2019, the complainant again received an email inviting him/her to the same event, but this time the recipient list was not visible. The complainant again tried to get PVV to remove him/her from the list. When the AP investigated the matter, it found that at least some of the email addresses in the recipient list made the owners of the email addresses directly or indirectly identifiable. The AP also considered this as a special category (sensitive) of personal data concerning political opinions under Article 9(1) GDPR.

Dispute[edit | edit source]

Was it sensitive personal data?[edit | edit source]

PVV Overijssel doubted that the email addresses were indeed sensitive personal data about political opinions. According to PVV Overijssel, people have different reasons for registering to receive information about the party's activities. According to PVV Overijssel, registering to receive information does not automatically mean that the person sympathizes with the views of the PVV. The fact that someone wanted to receive invitations to party events could not in itself constitute personal data revealing a political opinion.

Was PVV Overijssel obligated to report the breach?[edit | edit source]

PVV Overijssel questioned that it was obliged to report the data breach. According to the WP29 guidance on notifying data breaches, the obligation to report occurs only when one of the following legal thresholds is reached: if the breach is unlikely to pose a (normal) risk to rights and freedoms; and if the breach is likely to pose a high risk to rights and freedoms. As PVV Overijssel considered that it was processing normal personal data (not sensitive data), it considered that these thresholds were not met. PVV Overijssel also argued that the breach was unlikely to result in physical, material or non-material harm.

Amount of the fine[edit | edit source]

PVV Overijssel considered that no fine should be imposed on it because it had provided an explanation and justification as to why it did not consider that it was obliged to report the data breach.

Holding[edit | edit source]

Was it sensitive personal data?[edit | edit source]

The AP disagreed with how the PVV Overijssel concluded that email addresses were not sensitive personal data revealing political opinions. The AP claimed that it could not be excluded that at least some of the individuals had registered because of their political views. The AP therefore decided that the e-mail addresses constituted sensitive personal data.

Was the PVV Overijssel obliged to report the breach?[edit | edit source]

First, the AP found that the disclosure of the list of email recipients constituted a personal data breach under Article 4(12) GDPR. Second, the AP found that PVV Overijssel was obliged to notify the data breach to the AP within 72 hours pursuant to Article 33(1) GDPR. The AP recalled that the main purpose of this obligation is to encourage a data controller to take immediate action to mitigate the data breach, to recover compromised personal data if possible, and to seek advice from the DPA.

Third, the AP considered that, in all the circumstances, PVV Overijssel knew about the data breach at least on 11 January 2019, the day on which they apologized to the complainant. The AP concluded that PVV Overijssel was obliged to report the incident without delay, but no later than 14 January 2019. The AP found that PVV Overijssel failed to report the breach within the required timeframe.

Fourth, the AP considered that the breach did in fact pose a high risk to individual rights and freedoms and should have been reported. The AP clarified that whenever sensitive personal data revealing a political opinion is involved, it must hypothetically be considered that the data subject is likely to be at risk of suffering harm, which may be material, reputational or discriminatory in nature. The AP explained that political parties process sensitive personal data, which poses a greater risk to an individual whose personal data is breached. Therefore, the AP clarified that a political party has a greater responsibility to maintain a high level of data protection.

Fifth, the AP considered the context of the email. The AP considered the subject and intended audience of the email, that it was an invitation to a constituency meeting of a political party, and what was to happen at the event. When considering all these circumstances, the AP concluded that it was very likely that at least some of these 101 email addresses belonged to people who signed up because they sympathized with the ideas of the PVV.

Fine[edit | edit source]

The AP based its fine on two events. First, PVV Overijssel breached its obligation to notify the breach in a timely manner under Article 33 GDPR. Second, PVV Overijssel unauthorizedly disclosed sensitive personal data revealing political opinions of individuals identifiable through email addresses in the mailing list. When PVV Overijssel made the mailing list visible, it violated the privacy of a large number of individuals who lost control over their personal data. The AP also made it clear that it was irrelevant to the case that the data breach concerned individuals who had themselves indicated that they wanted to receive the information.

In deciding on the amount of the fine, AP took into account the nature, gravity and duration of the infringement, whether the act was intentional or negligent and the measures taken by PVV Overijssel to limit the damage caused.

Finally, the proportionality of the fine was assessed, also taking into account the economic situation of the PVV Overijssel. The AP took note of the economic contributions that the party received from the Province of Overijssel for the operation of its parliamentary group in the States of Overijssel (the elected body of the province). At that time, each party in the States of Overijssel received a basic contribution of € 26 460 and an additional contribution of € 3570 per elected member.

The AP found that the standard fine of €525,000 for this type of infringement would be disproportionate for PVV Overijssel. The AP therefore decided that the fine should be €7,500.

Comment[edit | edit source]

The provisions on special categories of (sensitive) personal data in Article 9(1) GDPR are closely linked to the ideas behind discrimination law. The GDPR assumes that this type of information is particularly worthy of protection because it can be misused by someone with the wrong intentions. Political parties, as well as trade unions, organizations for people with a particular disability, religion, sexual orientation and ethnicity, have a stronger obligation to protect information about their members and supporters.

It's common for leaders of these types of nonprofits to feel burdened because they have to maintain a higher level of privacy that is almost as strong as that of health care. Many of them also wonder who might be interested in the members or supporters of their small nonprofit. In this context, the GDPR looks at hypothetical risks because it is not possible to assess actual harm until it is too late because someone has misused the data.

Privacy is a fundamental human right constitutionally protected by the EU Charter. The right to privacy is a gateway to other human rights, such as the right to vote or to form an opinion. If the identities of PVV sympathizers fall into the wrong hands, for example by someone who wants to intimidate a political opponent, there is a real risk of harm. The GDPR is clear that members and sympathizers of political organizations can expect that no one outside the party has the right to know anything about their political affiliation. A person's political views are part of their identity, the GDPR aims to ensure that individuals are in control of their identity online. However, an individual who holds an official position, such as being a candidate or sitting on the board of the political organization, cannot expect the same level of privacy.

Further Resources[edit | edit source]

AP, 'Boete PVV Overijssel vanwege niet melden datalek' (11.05.2021), accessible: https://www.autoriteitpersoonsgegevens.nl/nl/nieuws/boete-pvv-overijssel-vanwege-niet-melden-datalek

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                       Authority Personal data
                                                       P.O. Box 93374, 2509AJ The Hague

                                                       Bezuidenhoutseweg 30,2594AV The Hague
                                                       T0708888500-F0708888501
                                                       authoritypersonal data.nl

Confidential / Registered
Foundation Support Provincial
FractieOverijsselPartijvoordeVrijheid
[CONFIDENTIAL]
Steenmeijerstraat 57

7555NVHENGELO






Date Our reference
June 16, 2020 [CONFIDENTIAL]


                          Contact
                          [CONFIDENTIAL]


Topic

Decides to impose an administrative fine


Dear [CONFIDENTIAL],


The Dutch Data Protection Authority (hereinafter: AP) has decided on the Foundation Support Provincial
PartyOverijsselPartijvoordeVrijheid (PVV) (hereinafter: PVVOverijssel) an administrative fine of
€ 7,500.
Today has failed to breach personal data without unreasonable delays

at the latest within 72 hours after the PVVOverijssel on January 11, 2019 at the height of the infringement, to
Reporting to AP.DePVVOverijssel has thus made Article 33, first member, of the General Regulation
Violation of data protection (hereinafter: GDPR).

After this, the decision is explained. Chapter 1 contains the relevant facts and the course of the process.

Chapter 2 describes the legal framework. Chapter 3 follows the assessment of the AP, after which
In chapter 4, the height of the administration must be motivated. Finally, chapter 5 contains the
dictum remedies clause.


1. Facts and course of the proceedings

FoundationSupportProvincialeFractionOverijsselPartijvoordeVrijheid (PVV) is statutory established
on the Steenmeijerstraat 57,7555NVteHengelo.The foundation has, among other things, the granting of
administrative and administrative assistance to the Group (as referred to in Article 5 of the Rules of

order for the meetings and other activities of the Provincial States of Overijssel or one






                                                                                           1 Date Our reference

June 16, 2020 [CONFIDENTIAL]


                                                  1
regulation that enters into place for that purpose). The direction also goes outside under the name
"PVVOverijssel". 2



On January 11, 2019, the AP received a complaint about a possible violation of the GDPR by the
PVVOverijssel. In summary, the complaint means that the PVVOverijssel on January 10, 2019
e-mail message with “InvitationSupport evening28January2018” as subject

group of 101 addressees.
The list of addressees and visible in the sender list of the e-mail program.


As a result of this complaint, the AP has started an investigation to determine whether the rules in question

GDPR are set for reporting a personal data breach
by the PVVOverijssel.

                                                                               4
By letter of 15 May 2019, the AP has requested the PVVO verijssel information. DePVVOverijssel has
on May 24, 2019, in a written response to this request. 5


The findings of the investigation are set out in the report "Do not report the investigation in violation

connection with personal data on the AP by the PVVOverijssel ", research report from the department
Primary Care Research (EL), from 18 November 2019.


By letter of 11 December 2019, the AP has enforced enforcement by PVVOverijssel
sent together with the aforementioned research reports and underlying documentation, where

ThePVV also has the opportunity to make a point of view.
letter of January 28, 2020, in writing, given her views.


Based on the report with findings, the underlying documentation and the view of the PVV

Overijssel comes the AP to the determination of the following relevant facts.


A fraction employee of the PVVOverijssel will send an e-mail message on Thursday, January 10, 2019.
the subject "InvitationConstruction evening28January2018 "to 101 addressees.
for all recipients of the email, including complainant, the email addresses of all recipients
                                                      6
visible in the sending list of the e-mail program.


The text of the e-mail reads:


        “Best friends of the PVV,


1 Excerpt Chamber of Commerce 14 March 2019, No. 52322017, appendix 7 to the investigation report.
2 See printscreen website, appendix 6 to the research report.
3 Notification form, appendix 2 to the investigation report.
4
5 Information request from AP of 15 May 2019, appendix 4 to the investigation report.
 Response from PVVOverijssel of 24 May 2019, appendix 5 to the investigation report.
6 E-mail correspondence in the period from 10 to 15 January 2019, appendix 3 to the investigation report.



                                                                                                      Date Our reference
June 16, 2020 [CONFIDENTIAL]



        On Monday, January 28, 2019, the PVVOverijssel organizes a support evening.
        This evening, the candidates for the Provincial State Elections of March 20 will be

        2019 presented.
        Second MPs of the PVV will also be present on this evening.
        During this evening, all the candidates will introduce themselves to you and are a number of speakers.

        After the formal part of the meeting, we all like to talk to the garden and make another cozy one
        evening of!
        The evening starts at 19.30 hours and the constituency evening will take place in HotelvanderValkin
        Hengelo.

        The address: Bornsestraat400,7556BNHengelo.
        Because we want to know how many people can expect
        Let mail know if you can get to many people.
        Please at secretariaat@pvvoverijssel.nl, stating your name and number

        persons.
        Watching your outcome! ste
        Sincerely,

        PVVOverijssel. ”

In response to this invitation, the complainant sends the request to him the next day.
Remove from the mailing list and confirm that as such.

displayed – to make available all e-mail addresses of serious carelessness
testimonials due to the privacy rules.
Overijssel herewith an excuse and confirms that the data from the complainant has been removed from the list.

January 2019, the complainant again received a message from the PVVOverijssel with the same invitation.
for the event on January 28, 2019, this time without e-mail addresses getting invited and visible
Another time, the complainant requests that his contact data be deleted. 7


In some cases, the AP has not received a report from the PVVO verijssel, so that the violation is still
continues.

2. Legal framework


Pursuant to Article 2, paragraph 1, of the GDPR, this Regulation applies to all or part of the
automated processing, as well as the processing of personal data contained in a file
recorded or intended to be recorded there.


Pursuant to Article 4 of the GDPR, the following is understood:
1. "Personal data" means all information about an identified or identifiable natural person
('The data subject'); considered identifiable and natural person who can be directly or indirectly

be identified, in particular by means of an identifier such as a name, a
identification number, location data, […].

7
 E-mail correspondence in the period from 10 to 15 January 2019, appendix 3 to the research report.



                                                                                                 Date Our reference
June 16, 2020 [CONFIDENTIAL]



2. “Processing” means an operation or a set of operations related to personal data, or

a set of personal data, if not performed through automated processes […].
7. “Controller” means a [...] legal entity who, alone or together with others, has the purpose of
and determines the means for the processing of personal data; […].
12. “Personal data breach” means a security breach deeper accident or on

unlawful alteration leading to destruction, loss, alteration or unauthorized disclosure of
or the unauthorized access to transmitted, stored or otherwise processed data.


Pursuant to Article 33, first paragraph, of the GDPR, the controller is required to
In connection with personal data, it has taken place without unreasonable delays, if
possible, no later than 72 hours after he has become aware of it, notify the corresponding article

55 authorized supervising authority unless it is unlikely that the infringement is related to
personal data poses a risk to the rights and freedoms of natural persons
report to the supervisory authority does not take place within 72 hours, it will be accompanied by a person
justification for the delay.


The AVG considerations 75 and 76 include the following
The liberties of persons can flow from persons processing which results in material and

immaterial damage.This risk is, in particular, felt as processing can lead to discrimination
and reputational damage. Also, this risk can be felt when personal data is processed from which
shows what someone's political view is. The assessment of risk must be taken into account

with both the probability and the severity of the risk for the rights and freedoms of those involved.
The risk must be determined based on an objective assessment
determined if processing is associated with a risk or a high risk.


The above considerations flow, for example, for appropriate protective measures
must be taken, which belong to the processing of personal data with such a load
a political view.


3. Assessment

3.1 Processing of personal data and material scope AVG


The aforementioned email message from January 10, 2019 is an invitation to an invitation
constituency evening on January 28, 2019 and is addressed to a group of 101 addressees, indicated
as “friends of the PVV”. The e-mail addresses are visible to all invitees in the address line of the
       9
e-mail. In the sea-mail addresses, there are combinations of a first and last name, initial (s) and
last name, first and / or last name with a number, letters and / or numbers that are not as (personal) name
as well as info addresses, etcetera.



8
9In the subject line of the e-mail, indicate "2018". This is an obvious copy.
 E-mail correspondence in the period from 10 to 15 January 2019, appendix 3 to the research report.



                                                                                             4/16 Date Our reference
June 16, 2020 [CONFIDENTIAL]



(Some of) the recipients of the aforementioned e-mail are here to instantly recognize who can
can be traced back to a single search function.


Now, using this data, a natural person, including the complainant, can become direct or indirect
identified, being they qualify as personal data in the sentence of article 4, heading, and under 1,

of the AVG.

As noted above, data about political attitudes qualify among the AVGs

so-called "special categories of personal data" as described in Article 9, first paragraph, of the
GDPR.


The AP has found that when sending the e-mail from January 10, 2019, there is a
processing personal data showing political views as referred to in Article 9, first paragraph,
of the AVG. As the PVVOverijssel, in a letter of 24 May 2019, has indicated the recipients of the

The invitation for the constituency evening is reported earlier to the PVV and is indicated
interested in receiving invitations. This is the way of the PVVO that is changed
rationale and interest in receiving email messages such as invitations to

activities, can be diverse, do not share the AP. Be interested in a meeting of the PVV
Overijssel does not exclude the fact that there are also interested parties in the presence of their political views.

want to attend the meeting. This weighs in on the AP that is spoken of by the “constituency”.
Finally, the AP points out that the PVVverijssel is also not excluded from this among interested people.
who want to attend this evening because of their political views.


Based on the above, the AP concludes that it is the responsibility of processing personal data of
persons from whom a political viewpoint appears.


3.2 Controller


In the context of the question whether Article 33, first paragraph, of the AVG is complied with, it is important to determine
who makes it clear as data controller as referred to in article 4, introductory part, and under 7 of the
GDPR. This determines who is the purpose of the means for the processing of personal data

establishes.

The PVVOverijssel is a foundation that has the purpose of administrative and administrative assistance.
                                                                  11
fractionofPVVinProvincialStatesofOverijsseltlend. The PVVOverijssel has none
corporate relationship with another legal entity, such as the association Party for Freedom.
the board represents the foundation. 12




1 Letter PVVOverijssel of 24 May 2019, appendix 5 to the investigation report.
1 Excerpt Chamber of Commerce 14 March 2019, No. 52322017, appendix 7 to the investigation report.
1 See deed of establishment of the Foundation Support ProvincialeFractionOverijsselPartijvoordeVrijheid (PVV), act date15
March 2011, accessed on August 29, 2019, Appendix 8 to the Investigative Report.




                                                                                                 Date Our reference
June 16, 2020 [CONFIDENTIAL]



Every contribution is posted on the website https://www.pvvoverijssel.nl/heeftuitluitendbetrekenop

The provincial politics of the province of Overijssel. All contributions are placed on behalf of "Party forde
VrijheidOverijssel’. On the website, various image fragments, from YouTube, about
public appearances of the PVVverijssel shared.

Overijssel’splaced on Youtube. Via the website you can also contact the PVVOverijssel only.
From this determination, the AP makes that the website management is in the hands of the PVVOverijssel.


The supporters of the PVVOverijssel are formed by donors, volunteer sympathizers.

that can associate and mobilize recruits the PVVverijsselvolunteers.
Overijsseld by, the active electability of the PVV in the province of Overijsseld by,

among others, in three municipalities of the province to recruit candidates for the list of elections of the PVV for
The municipal council elections of 2018.

municipal elections in Overijssel in the municipalities of Almelo, Enschede and Twenterand
coordinated. 13


The aim to recruit volunteers and candidates for the 2018 municipal elections

PVVOverijssel designed by a web form and places on its website in which, among other things
Name and address details, e-mail address, availability for municipal councilors and / or volunteers, and the upload of
                                                       14
A resume is required to be processed by the PVVOverijssel.

                                                   15 16
In its letter of 24 May 2019, the PVVO, verijssel, responded to the information request from the AP.
indicated that she organizes different activities and works with different mailing lists
She has sent an invitation for the constituency evening to people who have reported to her before

and have indicated that they are interested in receiving invitations. By a human
error from a fraction of the employee that e-mail addresses are visible to everyone in question
The invitation has been received. The PVVOverijssel says this has been the case with scholars internally

have taken measures.


From the foregoing, the AP made so that the PVVOverijssel independently determines which means they
necessarythoughtforreachingandactivatinghersteadersinOverijssel
is the sending of e-mail. The PVVOverijssel has control over which

personal data are processed and sets the purposes and means of data processing in the
framework of this activity is fixed.


On the basis of the above, the AP considers the PVVOverijssel as a data controller
referred to in Article 4, introductory part, and under 7 of the GDPR.



1 Print screen, appendix 6 to the research report.
1 Print screen, appendix 6 to the research report.
1 Letter PVVOverijssel of 24 May 2019, appendix 5 to the investigation report.
1 Information request from AP of 15 May 2019, appendix 4 to the investigation report.




                                                                                                 Date Our reference

June 16, 2020 [CONFIDENTIAL]



3.3 Report obligation in connection with personal data on AP

3.3.1 Breach of Personal Data


On the basis of Article 33, first paragraph, of the GDPR, the controller notifies the breach of
related to personal data without unreasonable delays, if possible, no later than 72 hours after he has finished
has acknowledged, to the competent supervisory authority in accordance with Article 55,

unless it is unlikely that the personal data breach poses a risk to it
rights and freedoms of natural persons.


For the question whether there is a violation of the reported obligation in the sentence of Article 33, first paragraph, of the GDPR,
It is first of all important to confirm that the e-mail of January 10, 2019 is sent.
of a so-called security breach in the sense of Article 4, headings under 12, of the

GDPR.

What should be clear is that a breach is some type of security incident

Article 4, headings under 12, of the GDPR However, only applicable when there is a
infringement of personal data
controller will not be able to guarantee that the principles relating to the
Processing of personal data as described in Article 5 of the GDPR are complied with

emphasizes the difference between a security incident and a breach of personal data -
It came to be aware of minor breaches in connection with personal data security incidents
but not all security incidents and necessarily violations in connection with

personal data. It should be noted that a security incident is not limited to
threat models that attack an organization from the outside, but also include incidents
resulting from internal processing. 17


On January 10, 2019, a fraction employee of the PVVOverijssel sends an e-mail message immediately.
invitation for a grassroots evening to a group of 101 addressees

recipients of the e-mail, including complainant, hot e-mail address of recipients and visible in the
mailinglistofhot-mailprogram.ThePVVOverijssel recognizesinherreactionof May 24, 2019
APThat this was very undesirable and never could happen.


Considering the above, the sending of the e-mail with the subject “InvitationFollowers
evening28January2018 ”toagroupof101addresses on10January2019bythePVVOverijssel

notice as a breach of security, a deeper accident has led to an unauthorized
provision of personal data to all recipients of the e-mail. to the advantage of the AP
therewith spoke of a breach of personal data as referred to in Article 4, Section 12,
of the AVG. 18


1 Guidelines for reporting personal data breaches pursuant to Regulation 2016/679, p. 8.
1 Compare example direct marketing email, Guidelines for reporting breaches in connection with personal data by virtue of
Regulation 2016/679, p. 39.




                                                                                            Date Our reference
June 16, 2020 [CONFIDENTIAL]





3.3.2 Obligatory notification of AP

Disclosure requirement as laid down in Article 33, first paragraph, of the GDPR, is especially established

Encourage the data controller to act immediately in the event of a breach, the breach
Restricting, restoring the compromised personal data if possible
supervisory authority to ask for advice

the supervisory authority, the controller can make sure that
decisions about not informing people are correct. 19


3.3.2.1The moment at which the PVVOverijssel took knowledge of the infringement
On the basis of the sending of e-mail from the PVVOverijssel on January 10, 2019, the complainant stated

January 11, 2019 responded the PVVOverijsselrequested his e-mail address from her address file.
Another message complaining about the PVVO that makes it available for all-
e-mail addresses and thereby traceable personal data testify of serious carelessness

The PVVverijssel responded with an email on January 11, 2019 with excuses.
Overijsselinany case on 11 January 2019 Acknowledged of the infringement. 20


3.3.2.2 Risk assessment infringement in connection with personal data
AVG imposes a notification requirement on all controllers unless unlikely

that an infringement involves a risk for the rights and freedoms of natural persons.
case be assessed. 21


According to the PVVOverijssel, the AP goes into part 3.4.2 of its research report instruction
to the "Guidelines for reporting personal data breaches

Regulation 2016/679 ", wrongly because of the notion that the
poses a risk to the rights and freedoms of natural persons. "In the Guidelines (page 26)
However, the term is used: "that the infringement represents a high risk for the rights and freedoms of

naturally brings people to themselves. "According to the Guidelines, therefore, it is not a normal risk
sufficient, it must be a high risk, according to the PVVOverijssel.


The AP considers that the PVVOverijssel assumes an incorrect reading of the Guidelines.
a distinction is mainly made between the notification of the AP and the notification of the person (s) involved:


“IV.Assessment of risk and high risk


     A. Risk for Notifications / Disclosures



1 Guidelines for reporting personal data breaches pursuant to Regulation 2016/679, p. 18.
20 See e-mail correspondence in the period of 10/15 January 2019, appendix 3 to the investigation report.
2 Guidelines for reporting personal data breaches pursuant to Regulation 2016/679, p. 9.
2 Purpose 3.5.2 Risk assessment.




                                                                                                 Date Our reference

June 16, 2020 [CONFIDENTIAL]



Although AVG implements the obligation to report a breach, this is not all circumstances
obligated:
     An infringement must be reported to the authorized supervisory authority unless it is

        unlikely that they pose a risk to the rights and freedoms of natural persons
        implies.
     An infringement is only communicated to the person if it is likely that it is high
                                                 23
        risk rights and freedoms. ”

In the investigation report, the AP found that the PVVO was held in violation of the

Report to the AP. In that context, it must be assessed whether it is unlikely
infringement involves a risk to the rights and freedoms of natural persons.


In her view, the PVVOverijssel has also disputed that there is any such risk.
It carries out, among other things, that the processing is only a processing of ordinary not special

personal data.
material or immaterial damage which arises that they have identified the right of infringement
that it is unlikely that the infringement poses a risk to the rights and freedoms of natural

persons.According to the PVVOverijssel, they were not held to report the violation to the AP.

The AP considers the following in this regard

GDPR considerations 75 and 76, cited factors that are important in assessing risk,
namely: nature of the infringement; nature, sensitivity and scope of the personal data; convenience with which
personscanbeidentified; severityofconsequencesfor persons; particularcharacteristicsof

the person; special characteristics of the controller; the number of persons affected;
and general points. The nature and sensitivity of the personal data that are in breach
Compromised are therein an important factor.
                                      24
the risk of damage to the data subjects. When the breach involves personal data
evidencing a political view, material or immaterial damage (such as discrimination and
reputational damage) for the persons whose data is the object of the infringement
are considered. 25


The e-mail sent from January 10, 2019 to 101 recipients contains e-mail addresses with

personal data of data subjects
ofpersonal data that show political views

the email, an invitation to a constituency meeting of a political party, as well as the content of
meeting, it is most likely that among the addressees and persons interested
In the mind of the PVV, such information could have consequences for a

existing or a future societal position


2 Guidelines for reporting personal data breaches pursuant to Regulation 2016/679, p. 26.
2 Guidelines for reporting personal data breaches pursuant to Regulation 2016/679, p. 28ff.
2 Guidelines for reporting personal data breaches pursuant to Regulation 2016/679, pp. 26 and 27.




                                                                                              9/16 Date Our reference
June 16, 2020 [CONFIDENTIAL]



factor "special features of the controller" indicating that the nature and role of the
controller and its activities may affect the risk of an infringement

for persons means. As much as a political organization means special categories of personal data,
which means that there is a greater threat to persons if their personal data has been breached.

This means that a greater responsibility of the political organization is often high
level of protection.Finally, in this context, it is still noted that the breach is a
relative large number of persons affects, namely (part of) the involved and behind the mailing list of

interested in invitations for activities of the PVVOverijssel.

Given these conditions, there is no mention that it is unlikely that the infringement is a risk

includes the rights and freedoms of data subjects. The PVVOverijssel was more or less persistent
report a violation to the AP.


3.3.2.3 From the date on which PVVO must have reported the icebreaking violation to the AP
Nude
with the personal data, she had no unreasonable delays at the latest within 72 hours and reported
has to do on AP as the competent supervisory authority.

on January 14, 2019, should report to AP, but left this up to date.

In view of the foregoing, the AP has judged that PVVOverijssel has article 33, first member, of the AVG.

violation by allowing to breach personal data without unreasonable
Delays at the latest within 72 hours, after PVVOverijssel on January 11, 2019 at the height of the
infringement, notify AP.


4. Fine

4.1 Introduction


If a data controller is not involved in any breach of personal data knowledge
the supervisory authority, despite the fact that the requirements of Article 33 of the
GDPR is complied with, the supervisory authority is offered a choice in which to

standing corrective measures should be considered, as well as the imposition of a monetary fine.

In her opinion, the PVVOverijssel has elucidated the reasons why she thinks they are not

It is obligatory to make a report to the AP. It is then also judged that no ground exists
for imposing a measure or an administrative fine.
Overijssel would not follow, she makes an explicit and motivated appeal on Article 7 "Relevant
Factors of the Fine Policy Rules. 6



26
 Policies of the Authority Personal data of February 19, 2019 with regard to determining the height of
administrative fines (Fines Policy Rules Authority for Personal Data 2019), Government Gazette No. 14586,14 March 2019.



                                                                                          10/16 Date Our reference
June 16, 2020 [CONFIDENTIAL]



The AP marks this up about the following. By sending an invitation for a constituency evening
in which for all recipients of the e-mail message, the list of recipients is visible in the end

mailing list of the e-mail program, the PVV has given unauthorized insight into
e-mail addresses and in all of the recipients, being people with interest in the thoughts of
the PVV. By sending the e-mail, half are personal data from which political views are

Evidence shared with all recipients of the e-mail and there has been a violation of the right to respect
the personal sphere of life and the right to the protection of personal data of a large number
data subjects who have lost their personal data as a result of this
failing to report this breach in connection with personal data on AP

is to the judgment of the APa serious violation.
created, because the people who have indicated that they want to receive periodic mail, makes 27
that nothing else.


The AP sees reason to use its authority to fine under Article 58,
second paragraph, preamble below Article 83, fourth paragraph, of the AVG, read in conjunction with Article 14,
third member, of the UAVG, to the PVVOverijssel.


Pursuant to Article 83, paragraph 4, sub a, of the AVG, there are violations of Article 33 of the AVG
in accordance with paragraph 2 subject to administration, fines up to € 10,000,000 or, for one
company, up to 2% of total worldwide annual turnover in the previous financial year, if this figure

higher.

4.2 Fines Policy Rules, Authority for Personal Data, 2019 (Fines Policy Rules, 2019)


The AP has adopted fine policy rules in 2019 in the implementation of the aforementioned authority
imposing an administrative fine, including determining the height thereof.


Pursuant to Article 2.1 of the Fines Policy Rules 2019, there is provision for a violation of
of which the AP may impose an administrative fine of the highest amount of € 10,000,000 […] in
Annex 1 Classified in Category I, Category II or Category III. In Annex 1 is the violation of Article 33,

first member of the AVG classified in category III.

Pursuant to Article 2.3 of the 2019 Fine Policy Rules, the AP sets the basic fine for violations
for which a statutory maximum fine of € 10,000,000 […] applies within the

fines bandwidths.For violations in category III of Annex 1 of the Fines Policy Rules 2019 applies
a fine bandwidth between € 300,000 and € 750,000 and a basic fine of € 525,000.

Pursuant to Article 6 of the 2019 Fine Policy Rules, the AP determines the amount of the fine by the amount.

from base to above (up to the maximum of the bandwidth from one
violation linked to fine category) or down (to the lowest minimum of that


27
 Letter PVVOverijssel of 24 May 2019, appendix 5 to the investigation report.



                                                                                         11/16 Date Our reference
June 16, 2020 [CONFIDENTIAL]



bandwidth).
Factors mentioned in Article 7 of the Fine Policy Rules 2019 give rise to this.

Pursuant to Article 7 of the 2019 Fines Policy Rules, the AP does not prejudice Articles 3: 4 and 5:46 of

the General Administrative Law Act (Awb), taking into account the following factors derived from Article 83,
second paragraph, of the AVG, referred to in the Policy Rules under notes withk:
a. nature, seriousness of the duration of the infringement, taking into account the nature, size or purpose of the
processingin question as to the number of affected data subjects and the size of the members affected

damage;
b. the intentional or negligent nature of the infringement;
c. the controller took […] measures against the affected members
limit damage;

d. the degree to which the controller […] is responsible in view of technical and
organizational measures he has carried out in accordance with the articles 25 and 32 of the AVG;
e) any relevant infringements by the controller […];
f) the degree in which the supervising authority has cooperated to remedy the breach

limit the potential negative consequences thereof;
g. the categories of personal data to which the infringement relates;
h. the manner in which the supervising authority has been informed of the infringement, particularly or, and
if so to what extent, the controller […] has reported the infringement;

(i) compliance with the measures referred to in article 58, second paragraph, of the GDPR, to the extent that
with regard to the controller […] in relation to the same
matter taken;
j. to adhere to approved codes of conduct in accordance with Article 40 of AVG or of

approved certification mechanisms in accordance with Article 42 of the GDPR; and
k. any other circumstances of such an aggravating or mitigating factor, such as
Financial gains made, or losses avoided, which are not directly from the breach
arise.


Pursuant to Article 8.1 of the 2019 Fine Policy Rules, the AP, if the violation of
fine category in the specific case does not allow appropriate punishment, when determining the height of
the fines, the width of the fines, in addition to the higher category, respectively, the fines, the width of the fines

apply next to bearing category.

Pursuant to Article 9 of the 2019 Fine Policy Rules, the AP does not require the determination of the fine
taking into account the financial circumstances in which the offender is subject

inadequate capacity of the offender to further moderate the AP
after application of Article 8.1 of the policy rules, determination of a fine within the fine range
From the next category to her judged, nevertheless, it would result in an inconsistent fine.








                                                                                        12/16 Date Our reference
June 16, 2020 [CONFIDENTIAL]



4.3 Fine height

According to the AP, in this case with the following factors mentioned in Article 7, these factors are relevant to the
Determiningfineheight:

a. Earth, serious and the duration of the infringement;
b. the intentional or negligent nature of the infringement (culpability);
c. the measures taken by the controller or processor to be taken by the controller
Limit the damage involved.


4.3.1 Nature, severity and duration of the infringement

Pursuant to Article 7, preamble under a, of the Fines Policy Rules 2019, the AP keeps the nature in mind,

seriously the duration of the infringement.

The protection of natural persons in the processing of personal data is a fundamental right.
Pursuant to Article 8, first paragraph, of the Charter of Fundamental Rights of the European Union and Article 16,

first member of the Treaty on the functioning of the European Union (TFEU) everyone has the right to
protection of his personal data. Principles and rules concerning the protection of
Of course, persons in the processing of their personal data must be in accordance with
their fundamental rights and fundamental freedoms, especially their right to protection of

personal data.The AVG aims to contribute to the creation of a space of freedom,
security and rights of an economic union, as well as economic and social progress, the
strengthens the convergence of the economies within the internal markets and the well-being of natural
persons. Processing of personal data must be at the service of man

Protection of personal data has no absolute rule, but must be considered in relation
The function of societies must be in accordance with the principle of proportionality against others
fundamental rights are weighed up. Any processing of personal data must be proper and lawful
Personal data should be sufficient to serve and limited to

what is necessary for the purposes for which they are processed
processes in a way that ensures appropriate security and confidentiality of data,
also to prevent unauthorized access to or unauthorized use of personal data
the equipment used for processing

personal data.

Reporting of breaches should be seen as a means of compliance with the rules
improve the protection of personal data

personal data takes place or has taken place, can result in physical, material or
immaterial damage to natural persons or any other economic or social disadvantage to
the person in question. Therefore, the controller must, as soon as he has received it
a breach of personal data by the supervisor immediately as possible within 72 hours

of the breach of personal data.
is set to properly perform its duties and powers, as laid down in AVG.




                                                                                      13/16 Date Our reference
June 16, 2020 [CONFIDENTIAL]




The PVVOverijssel believes that the earthing of the scope of the infringement is limited, now that the

mail message with a general indication concerns without any information regarding the data subject
is processed differently than the e-mail address.


The AP does not follow the PVVOverijssel here.
14 January 2019 Obligatory statutory notice of this violation has not been made to the AP.
its assessment relates to the AP that the infringement affects 101 persons, for which there is a presumption

of a special category of personal data, namely that which shows political views. The
A Consider the violation seriously, but there is a reason for the basic amount of the fine here.
increase or decrease.


4.3.2 Intentional or negligent nature of the infringement (culpability)


Pursuant to Article 5:46, subsection 2, of the Awb, the AP retains the imposition of an administrative fine
account of the extent to which she can be blamed for the offender. Now this is happening
violation, is not required for the imposition of an administrative fine, in accordance with case law

It is shown that there is a tendency to set up and may assume the AP removability as it
perpetrator is established 29


The PVVOverijssel believes that there is no liability for an intentional or negligent nature of the infringement.
immediately made the assessment that she must make in accordance with Article 33 of the GDPR

and has legitimately considered that there is no obligation to report the violation to the AP.

The AP brand is top that if such a consideration would have taken place, the PVVOverijssel

this has not been done correctly. As a ground for not reporting the breach to AP, it has
indicated: “it concerns an invitation which has been sent to people who have previously reported to
We have indicated that we are interested in receiving our invitations. ”And“ we

have not reported this, because the times mixed that have been reported periodically
want to receive us by e-mail. ”Furthermore, the PVVOverijssel in that framework indicated that it“ did not
an involuntary group of people goes ”. However, this is not a criterion on the basis of which you can

to be concluded that they would not report a worthy violation.
that the PVVOverijssel had known of the incident, based on the nature of the food
personal data provided must make a risk assessment and then report the breach

nevertheless, the AP.PVVOverijssel failed to make a report to the AP.




28
  Compare CBb29 October 2014, ECLI: NL: CBB: 2014: 395, ground 3.5.4, CBb2 September 2015, ECLI: NL: CBB: 2015: 312, ground 3.7 and CBb7 March 2016,
ECLI: NL: CBB: 2016: 54, ground 8.3, ABRvS29 August 2018, ECLI: NL: RVS: 2018: 2879, ground 3.2 and ABRvS5 December 2018,
ECLI: NL: RVS: 2018: 3969, ground 5.1.
29 Chamber documents II2003 / 04, 29702, no.3, p.134.
3 Letter PVVOverijssel of 24 May 2019, appendix 5 to the investigation report.




                                                                                             14/16 Date Our reference
June 16, 2020 [CONFIDENTIAL]



In view of the foregoing, it is accused that the PVV has not reported
the AP, but on the basis of this observed removability does not see any reason for it

increase or decrease the base amount of the fine.

4.3.3 Measures taken to limit the damage suffered by those involved


DePVVOverijssel has indicated that she has immediately after detecting her working methods and processes.
adapted to prevent such an error from being made again
measures have been proven to be effective.


The AP considers that there has been no evidence of measures to cause (possible) damage by those involved
A political organization such as the PVVOverijssel may be expected to be very careful.
is aware of the sensitivity of the personal data that they process accordingly

level of protection guarantees.First after the incident she indicated that no one would
proficient in AVG.


In the circumstances invoked, the AP does not see any reason to set the base amount of the fine
under Article 7, under c of the 2019 Policy Rules.

4.3.4 Proportionality


Ultimately, the AP judges on the basis of Articles 3: 4 and 5:46 of the AWB (principle of proportionality) or the
application of its policy to determine the height of the due to the circumstances of the

case, does not lead to a disproportionate outcome.
According to the 2019 Fine Policy Rules, the AP will be required to determine the fine
takes into account the financial circumstances of the offender.


The PVVOverijssel has indicated that they are a no-profit political foundation
financial means available.


The AP considers in this respect as follows.
SupportProvincialFractionOverijsselPartijforFreedom, the realization of it
purpose of the foundation destined to the capital formed by the financial contribution of the province
Overijssel, and that which is obtained by this means.

fraction support province of Overijssel receiving fractions annual and financial contribution as
allowance for the costs of the functioning of the fraction
highest of € 3,570 for each of the member states belonging to the fraction plus € 26,460 per fraction (per1
January 2019) .1




31
 Official assistance faction support province of Overijssel 2016, Provincial Journal no. 33,2 January 2017 no. 2734,
April 11, 2019.



                                                                                           15/16 Date Our reference
June 16, 2020 [CONFIDENTIAL]



The A, however, has limited the capacity of the PVV verijssel, and comes to the conclusion that the PVV
Overijssel cannot financially bear the fine of € 525,000.
reason to reduce the amount of the fine

The AP is considering in this context that it has not been shown that the PVVO iced it should not
can wear.


4.3.5 Conclusion

The AP sets the total fine amount to € 7,500.

5. Operative part


Fine

The AP is imposed on the PVVOverijssel, for violation of Article 33, first paragraph, of the GDPR in the period

of January 14, 2019, currently, an administrative fine and amount of € 7,500 (in words: seven thousand
five hundred euros) 2

Yours sincerely,

Authority Personal data,




Mr. A. Wolfsen
Chairman


Remedies Clause
If you do not agree with this decision, you can send it within six weeks
Decide digitally or on paper and submit an objection to the Personal Data Authority
of an objection suspends the effect of this decision.

www.autoriteitpersoonsgegevens.nl, under the heading Objection against a decision, below
page bottom header Contact the Authority Personal data. The address for submitting and on paper
is: AutoriteitPersoonsgegevens, PO Box93374,2509AJDenHaag.
On the envelope, state "Awb objection" and put in the title of your letter "notice of objection".

At least write in your notice of objection:
-your name and address;
-the date of your notice of objection;
-the attribute mentioned in this letter (case number); or attach a copy of this decision;

-the reason (s) why you do not agree with this decision;
-your signature.

32
  The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB).




                                                                                         16/16