PVV Overijssel fined for failing to report data breach
The Dutch Data Protection Authority (DPA) has imposed a fine of €7,500 on the Overijssel chapter of the Freedom Party (PVV) for failing to report a data breach to the DPA. The data breach involved information about people's political opinions.
The breach arose from an e-mail about a meeting of supporters, which referred to 101 addressees as ‘friends of the PVV’. Due to an error made by a staff member of the party's group on the provincial council, the email addresses (and therefore also most of the names) of the addressees were visible to everyone who received the invitation. This meant that the political opinions of the addressees were also disclosed.
The DPA became aware of the data breach when it received a complaint from one of the addressees, alleging a privacy infringement. It subsequently transpired that PVV Overijssel had failed to respond appropriately to the breach by reporting it to the DPA within the applicable time limit. This is a serious infringement, particularly in view of the sensitive nature of the information concerned.
The General Data Protection Regulation (GDPR) provides additional safeguards for people's political opinions. These opinions are classified as sensitive personal data. Since this information is extremely private and people are entitled to keep it to themselves, the processing of such information is subject to more stringent requirements.
If the confidentiality of this sensitive personal data is breached, the individual concerned may be exposed to substantial risks, for example of discrimination. There may also be repercussions for a person's current or future position in society.
By their very nature political organisations process sensitive personal data. As a result they bear a heavy responsibility for ensuring a high level of protection. They must also take appropriate action if a breach occurs despite the security precautions taken.
Duty to report data breaches
Serious data breaches must be reported. Specifically, businesses and public authorities have a duty to report such breaches within 72 hours. It is essential that organisations report such breaches promptly.
The DPA can then help them to limit the harm to the affected individuals, for example by giving instructions on how to resolve the breach quickly and prevent future breaches. The DPA may also instruct the organisation to notify the victims promptly.
PVV Overijssel ought to have informed the DPA within 72 hours of becoming aware of the data breach, but failed to do so. However, PVV Overijssel did say that it had taken steps to prevent any similar breaches from occurring in future.