Foreign office fined for poor security

Summary

Over the last three years, the Dutch Ministry of Foreign Affairs has processed approximately 530,000 visa applications per year.

To facilitate the Schengen visa process, the Ministry used the National Visa Information System (NVIS) as its digital platform. However, the security measures of the NVIS were inadequate, leading to the possibility of unauthorized access to and tampering with files.

Additionally, the Ministry failed to inform visa applicants about the sharing of their personal data with third-party entities.

The decision of the Dutch DPA

The Dutch DPA imposed an administrative fine of 55,000 EUR on the Ministry of Foreign Affairs for inadequate security regarding visa applications (GDPR, Article 32).

Our remarks

• If a controller must live up to certain security requirements due to specialist legislation, these requirements will often align with GDPR, Article 32. This is because Article 32 of the GDPR obliges the data controller to ensure appropriate security measures in light of the nature, scope, context and purposes of processing personal data.

• When dealing with highly sensitive personal data, the requirements for security measures increase correspondingly.

• Within an organization, user access should always be limited so that employees only have access to the personal data necessary for their role. This can be achieved by implementing procedures for granting and revoking user access to different employees at different points in time.

• Logging is an effective way to ensure technical security. However, if the logs contain personal data, procedures must be implemented to ensure compliance with data processing regulations.

Published: 29-04-2021, Journal number: N/A Tags: 01 Legal basis and principles of processing
Published: 06-04-2022, Journal number: N/A Tags: 05 Data security
Complycloud EU GDPR Report