05 Jun GDPR exists five years, fines for privacy breaches are significant
The GDPR will soon celebrate its first lustrum. Since 25 May 2018, organisation in the Netherlands have been obliged to comply with the General Data Protection Regulation (GDPR). This is not always easy, so sometimes things go wrong. Anyone who falls victim to a GDPR-blunder can file a complaint with the Dutch Data Protection Authority (DPA). That has the power to impose hefty fines on organisations that violate the GDPR.
In recent years, it took some time to get used to the GDPR. That compliance with this regulation was not always entirely successful is shown by the number of complaints files with the Dutch DPA since 2018. In the first year the GDPR was in force, 15,600 complaints were received. In the years since, this has risen to above 25,000 complaints a year. In fact, the Dutch DPA was so busy in 2021 that the complaints hotline was closed for some time.
That things sometimes go wrong when complying with the GDPR rules, is not surprising. The regulation imposes a lot of obligations on organisations, which are quite complex.
Organisations should record exactly what personal data they process and for what purposes. The wording of those purposes should be neither too broad nor too vague. Subsequently, organisations must strictly adhere to the processing operations and the purposes they have defined and not go beyond them; not even accidentally. This is not always easy to manage in large organisations with many employees. This is because the privacy protection envisaged by the GDPR also means that an organisation cannot constantly keep an eye on its own employees.
Every organisation must also understand in detail – and constantly monitor – how personal data in their organisation is secured, where it is stored and which parties can (potentially) access it. This is more complicated than it might seem. Almost every organisation uses online tools, SaaS applications or cloud storage, and the providers of such services (‘processors’, according to the GDPR) usually use various auxiliary services (‘sub-processors’) in turn. Not infrequently, processors and sub-processors are part of large multinational companies (international groups). Organisations must find out what the chain of group companies and sub-processors looks like for each service provider they want to use for personal data processing and check for each party in that chain whether personal data is in safe hands there.
Towards the people about whom an organisation processes personal data (‘data subjects’), the organisation must be transparent about what happens to their personal data. The organisation must provide detailed and complete information, including on complex topics such as security, processors and sub-processors, and all countries where personal data may end up. But at the same time, the GDPR says the information must be clear and easy to understand.
According to the GDPR, all people have to right to ask any organisation what personal data that organisation is processing about them and require the organisation to prove that this is done in accordance with the rules of the GDPR. Answering these types of questions is subject to strict time limits. Organisations may not refuse to answer and they may not make the threshold for getting access to personal data too high (for example, not asking for identification with a passport by default). But of course, it is also not allowed to give people (accidentally) access to someone else’s personal data.
The examples above are just some of the obligations. There are also obligations for internal recording policies, balancing of interests, and risk assessments. There are strict requirements for responding to data breaches. And so on.
In short: the GDPR rules are complex, sometimes mutually contradictory and compliance requires great precision.
Those who make mistakes risk sanctions from the Dutch DPA. Sanctions can include a formal warning, an instruction to correct wrongdoing under threat of a penalty, but fines can also be imposed. The very first fine imposed by the Dutch DPA, after the introduction of the GDPR, was on the Dutch branch of Uber (fine € 600,000.00) because Uber had failed to report a data breach to the Dutch DPA within 72 hours.
Next was the Haga Hospital (fine € 460,000), because the hospital did not monitor well enough which employees looked into which patient files. As a result, it was possible for employees to look into a file out of curiosity when their work did not require it.
The highest fines in the Netherlands so far have been for the Tax Administration: 2,75 and 3,7 million euros, for years of keeping track of unjustified fraud suspicions on discriminatory grounds (childcare benefits scandal and Fraude Signalering Voorziening).
But smaller organisations have also been audited and fined. To be at risk of a fine, it really does not always have to be large-scale wrongdoing or wilful carelessness.
For example, a local branch of a political party was fined for failing to report a data breach. An employee had accidentally put all addressees of an invitation to a ‘constituency meeting’ in the ‘cc’ line instead of ‘bcc’. Thus, 101 people got to see each other’s e-mail addresses and could immediately guess each other’s political preferences. The department’s leadership believed it was no big deal that the (politically like-minded) invitees had seen each other’s e-mail addresses and did not file a data breach notification with the Dutch DPA. However, the Dutch DPA did find the leak serious and imposed a fine of € 7,500. This is a lot lower than the fine Uber received for not reporting a data leak, but still an expensive mistake for such a small organisation.
A more recent example is an orthodontics practice, which did not realise it had an old-fashioned website. The website did not have an https connection, so communication with the web server was not encrypted. Somewhere on the website was a form where new patients could register. If people used that form, others could see the information (medical details and BSNs) sent through the form. The registration form was used very infrequently and it was quickly taken offline when the encryption flaw was discovered, but the Dutch DPA took the case very seriously anyway. Fine: € 12,000.00.
Again, compared to the fines of tons and sometimes millions imposed on larger organisations, this is a modest amount. But it is still a nasty penalty for a single technical error, of which the organisation was unaware. A factor in the Dutch DPA’s decision was that healthcare organisations have more concrete requirements for securing their IT-systems (application of the ISO 7510 standard, for example, is mandatory when processing the BSN). The orthodontic practice had its internal systems in order, but it had overlooked the registration form on its website.
It is possible to go into detail about the fines imposed by the Dutch DPA in blogs such as this one. This is because the fine decisions are published online, with all facts of the case included. And (with a few exceptions) also with the name of the sanctioned organisation included. So, the financial impact is not the only drawback of a fine. It also puts you in the news in a nasty way.
Therefore, our privacy lawyer Inge Lakwijk concludes: “Over the past five years, we have been able to experience that setting up and monitoring personal data protection in accordance with the GDPR can be complicated and laborious. But it is important. It is also in your organisation’s own interest to pay the necessary attention to it, as it can prevent fines, reputational damage, and a lot of stress.”
Do you have questions about the GDPR and making your organisation GDPR-compliant? If so, feel free to contact Inge Lakwijk. She is ready to help you further.