Ministry of Foreign Affairs fined for inadequately securing visa applications
The Dutch Data Protection Authority (DPA) fined the Dutch Ministry of Foreign Affairs €565,000 for long-term, large-scale, serious infringements of the General Data Protection Regulation (GDPR) in its visa-issuing process.
NVIS, the digital system used by the Ministry of Foreign Affairs for the Schengen visa process, is inadequately secured. As a result, there is a risk that unauthorised persons could access and change files. Furthermore, the Ministry of Foreign Affairs failed to provide visa applicants with sufficient information about the sharing of their personal data with third parties.
In addition to imposing a fine, the DPA ordered the ministry to ensure an appropriate level of security (subject to a penalty of €50,000 per two weeks) and provide applicants with adequate information (subject to a penalty of €10,000 per week).
The Ministry of Foreign Affairs has processed an average of 530,000 visa applications per year for the past three years. The personal data in all these applications is not sufficiently protected.
The personal data involved includes sensitive information, such as an applicant’s fingerprints, name, address, country of birth, purpose of travel, nationality and photograph. Anyone applying for a visa is required to submit this data to the Ministry of Foreign Affairs.
In the words of DPA deputy chair Monique Verdier, ‘When physical and digital data security is insufficient, there is an increased risk of unauthorised staff being able to access and alter personal data and of other errors or abuses remaining undetected for too long. That can have a major impact on individuals.’
‘For example, a visa application could be wrongly refused as a result. And that could lead to a serious infringement of a person’s freedom of movement. To obtain visas, people are dependent on the Ministry of Foreign Affairs. Because of that dependence, the lack of data security is a very serious issue.’
The ministry has been aware of the security risks in its visa system for some time, but the DPA believes that it has not acted swiftly enough and has done too little.
According to Ms Verdier, ‘Given that visa applicants are required to submit personal data, the Ministry of Foreign Affairs should have immediately taken the measures necessary to protect their data properly. Because the security of the system has been insufficient for so many years now, in our view the Ministry of Foreign Affairs has been − and remains − seriously negligent.’
Order subject to penalty for inadequate security
The DPA has instructed the ministry to ensure appropriate security is in place by, for example, introducing an information-security policy for NVIS and conducting regular checks of user rights and data logging (registration of users and events in the system). The DPA has imposed an order subject to a penalty of €50,000 for every two weeks that the infringement continues (up to a maximum of €500,000).
The DPA has also determined that the Ministry of Foreign Affairs failed to adequately inform visa applicants about the sharing of their personal data with other parties. The ministry is required by law to ensure transparency so that people know with whom the ministry is sharing their personal data.
This infringement, too, concerns sensitive data contained in hundreds of thousands of applications per year. As a consequence, the DPA has instructed the Ministry of Foreign Affairs to inform people properly and transparently about the processing of their personal data and specifically about which parties their data is being shared with.
The DPA imposed an order subject to a penalty of €10,000 for every week the infringement continues (up to a maximum of €300,000).
In the meantime, the ministry has adapted the information it provides to visa applicants, and in doing so has complied with this order within the time limit.
Open to objection
The fine and the orders subject to penalty were imposed on the Minister of Foreign Affairs because he is responsible for the ministry’s processing of personal data. The minister may lodge an objection to the DPA’s decisions.