Dutch Foreign Ministry: Insufficient technical and organisational measures to ensure information security

The Dutch DPA has imposed a fine of EUR 565,000 on the Dutch Foreign Ministry. As part of its investigation, the DPA found that the National Visa Information System (NVIS) suffered from significant security deficiencies. This is particularly serious as the Foreign Ministry has processed an average of 530,000 visa applications per year over the last three years and the personal data processed in the course of the applications was therefore inadequately secured. The data included sensitive information such as fingerprints, name, address, place of residence, country of birth, purpose of travel and nationality. Due to the inadequate security measures, it would have been possible for unauthorized persons to access the data. According to DPA, the Foreign Ministry had been aware of the security flaws in the visa system for some time. Despite this knowledge, the Ministry did not adjust the security measures in time. For this reason, the DPA finds that the Ministry acted with gross negligence. The DPA also found that the Foreign Ministry did not adequately inform individuals who applied for visas that their personal information would be shared with other parties.

GDPR Articles: Art. 13 (1) e) GDPR, Art. 32 (1) GDPR
Industry: Public Sector and Education