The Netherlands

Dutch Foreign Ministry

565,000 €

GDPR enforcement action by Dutch Supervisory Authority for Data Protection (AP) on 2022-02-24.

Rank · Sector

#12

of 356 in Public Sector and Education

Rank · The Netherlands

#14

of 43

Rank · All fines

#224

of 3,042

Case details

Authority: Dutch Supervisory Authority for Data Protection (AP)
Date: 2022-02-24
Controller / Processor: Dutch Foreign Ministry
Sector: Public Sector and Education
Quoted Articles: Art. 13 (1) e) GDPR, Art. 32 (1) GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

The Dutch DPA has imposed a fine of EUR 565,000 on the Dutch Foreign Ministry.
As part of its investigation, the DPA found that the National Visa Information System (NVIS) suffered from significant security deficiencies.

This is particularly serious as the Foreign Ministry has processed an average of 530,000 visa applications per year over the last three years and the personal data processed in the course of the applications was therefore inadequately secured.

The data included sensitive information such as fingerprints, name, address, place of residence, country of birth, purpose of travel and nationality.

Due to the inadequate security measures, it would have been possible for unauthorized persons to access the data.

According to DPA, the Foreign Ministry had been aware of the security flaws in the visa system for some time. Despite this knowledge, the Ministry did not adjust the security measures in time. For this reason, the DPA finds that the Ministry acted with gross negligence.

The DPA also found that the Foreign Ministry did not adequately inform individuals who applied for visas that their personal information would be shared with other parties.