The GDPR transparency principle establishes that people must be able to find and understand information that data processors share with them, and that processors must provide the information in a reasonable timeframe. Processors must also inform the data subjects of changes and further processing of their data.
It comes after the Dutch Data Protection Authority (DDPA) found flaws in the way data in the National Visa Information System (NVIS) was handled and shared. The Ministry of Foreign Affairs processes the 'special personal data' of roughly 530,000 visa applicants through the NVIS each year - including fingerprints and passport photos. Stricter security requirements apply to special personal data, which the DDPA said were not followed at various Dutch embassies and consulates abroad that accessed the NVIS.
While a vulnerability analysis of the system had been made, the regulator found that it had not been updated since 2015. There was also a lack of information about the physical security of the NVIS and there were no procedures for logging checks. Logs that were created were incomplete and it was not possible to identify which employees had accessed the data in the system.
The protocols for reporting security issues were also inadequate, according to the DDPA, since the ministry used a manual for recording incidents that only contained general advice for employees. There were no procedures specifically designed for NVIS, as there should have been. While the regulator did find an authorisation procedure for access to data stored in the NVIS, it had only been implemented in January 2022.
The DDPA ordered a raft of reforms to the way the ministry handled data, including a new information security policy for the NVIS, regular checks of user rights and logging actions within the system. The ministry faces an additional penalty of €50,000 for every fortnight while the breach continues - up to a maximum of €500,000.
Nienke Kingma, data protection expert at Pinsent Masons, said: “The cause of this investigation and fine wasn’t a complaint or a hint - as is often the case - but these violations came to light as part of the regulator’s general legal supervisory tasks.” The DDPA is responsible for supervising the national part of a number of European information systems, including the Visa Information System and the Schengen Information System. As part of this supervisory role, the DDPA must monitor independently the lawfulness of each member state’s data processing.
Andre Walter of Pinsent Masons said: “The decision of the DDPA shows once again the importance of the transparency principle under the GDPR, and in particular full transparency regarding the sharing of personal data with third parties. The Dutch Ministry of Foreign Affairs didn’t inform the visa applicants sufficiently with whom their data will be shared. In times where international data transfer is under scrutiny, this sanction confirms again that data sharing, nationally and cross-border, is one of the top focus areas of the data protection authorities.”
The DDPA said the ministry had been informed about the problems with the NVIS but did not address them quickly enough. The regulator ordered the ministry to inform applicants about how their personal data is processed and shared. Monique Verdier, vice-president of the DDPA, said: “Inadequate physical and digital security increases the risk that unauthorised staff can view and change personal data, but also the risk that other errors or malfunctions can remain undetected for too long. This can have major consequences for citizens.”
She added: “Since citizens are obliged to hand over their personal data, the Ministry of Foreign Affairs should have immediately taken the necessary measures to ensure that data were properly protected. Because the security has been inadequate for years now, we are of the opinion that the department has been - and still is - seriously negligent.”