Ministry of Foreign Affairs fined for inadequately securing visa applications

16 May 2022

Background information

Date of final decision: February 24 2022
Cross-border case or national case: no
Controller: Minister of Foreign Affairs
Legal Reference: transparency - article 13(1) point e, security of processing - article 32(1).
Decision: infringement of the GDPR, administrative fine, order subject to a financial penalty (corrective order as meant in article 58(2) point d).
Key words: rights data subjects, information to be provided, technical and organisational measures

 

Summary of the Decision

Origin of the case

The Ministry of Foreign Affairs has processed an average of 530,000 visa applications per year for the past three years. The personal data in all these applications is not sufficiently protected. The personal data involved includes sensitive information, such as an applicant’s fingerprints, name, address, country of birth, purpose of travel, nationality and photograph. The Dutch Supervisory Authority (SA) has also determined that the Ministry of Foreign Affairs failed to adequately inform visa applicants about the sharing of their personal data with other parties.

Key Findings

The National Visa Information System (NVIS), the digital system used by the Ministry of Foreign Affairs for the Schengen visa process, is inadequately secured. As a result, there is a risk that unauthorised persons could access and change files. Furthermore, the Ministry of Foreign Affairs failed to provide visa applicants with sufficient information about the sharing of their personal data with third parties.

Decision

The Dutch SA fined the Dutch Ministry of Foreign Affairs €565,000 for long-term, large-scale, serious infringements of the General Data Protection Regulation (GDPR) in its visa-issuing process. In addition to imposing a fine, the Dutch SA ordered the ministry to ensure an appropriate level of security (subject to a penalty of €50,000 per two weeks) and provide applicants with adequate information (subject to a penalty of €10,000 per week).

 

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.