Dutch DPA fines UWV again: EUR 450.000

After the Dutch Data Protection Authority (“Dutch DPA”) had already given the Dutch labor agency (the “UWV”) a slap on the wrist because of the security level of the employer portal and the absence management system, the implementing body has now also been fined. This time it went wrong with the “My Workbook” environment; a personal environment on the UWV website where job seekers are in contact with the UWV. The UWV was fined EUR 450,000.

Nine data breaches

Through My Workbook, the UWV can send group messages to job seekers. These messages then end up in the individual environments of the individuals concerned. Between August 2016 and the end of 2018, nine wrong group messages were sent.

Instead of just the message, nine times an Excel file with personal data of all addressees was sent along. All addressees thus gained access to all personal data of the other persons who received that same message. This concerned both name and address data and more sensitive information such as personal identification number (BSN) and medical data. Only after the eighth data leak (in September 2018) did the UWV decide to implement a technical measure to make it impossible to attach Excel files, among other things. This decision was subsequently implemented in December 2018.

It was only after the eighth data leak (in September 2018) that the UWV decided to introduce a technical measure to make it impossible to attach Excel files, among other things.

The Dutch DPA therefore concludes that the UWV has guaranteed and ensured a security level that is insufficiently appropriate to the risk when it comes to sending group messages via My Workbook. The Dutch DPA reproaches the UWV, among other things, that it (i) did not sufficiently map out the risks; (ii) did not implement technical measures or did so too late; and (iii) did not sufficiently monitor and evaluate the measures that were in place over the years.

Fine

The UWV’s breach took place from August 2016, when the predecessor of the current privacy act Wet bescherming persoonsgegevens (Wbp) was still in force, and continued until the end of 2018. Therefore, the Dutch DPA does not base its penalty policy on the 2019 Penalty Policy, but on the previous version from 2016. As a result, the Dutch DPA is calculating, among other things, a lower “base fine” for a Category II violation than would apply based on the current 2019 Penalty Policy Rules: EUR 245,400 instead of the current EUR 310,000. However, the Dutch DPA does increase the base fine to EUR 450,000 due to the seriousness of the violation. The fine is thus comparable to the fines that the HagaZiekenhuis and the OLVG respectively received for taking insufficient security measures.