Dutch DPA: PVV Overijssel fined for failing to report data breach

11 May 2021

The Dutch Data Protection Authority (DPA) has imposed a fine of €7,500 on the Overijssel chapter of the Freedom Party (PVV) for failing to report a data breach to the DPA. The data breach involved information about people's political opinions.

The breach arose from an e-mail about a meeting of supporters, which referred to 101 addressees as ‘friends of the PVV’. Due to an error made by a staff member of the party's group on the provincial council, the e-mail addresses (and therefore also most of the names) of the addressees were visible to everyone who received the invitation. This meant that the political opinions of the addressees were also disclosed.

Complaint
The DPA became aware of the data breach when it received a complaint from one of the addressees, alleging a privacy infringement. It subsequently transpired that PVV Overijssel had failed to respond appropriately to the breach by reporting it to the DPA within the applicable time limit. This is a serious infringement, particularly in view of the sensitive nature of the information concerned.

Additional safeguards
The General Data Protection Regulation (GDPR) provides additional safeguards for people's political opinions. These opinions are classified as sensitive personal data. Since this information is extremely private and people are entitled to keep it to themselves, the processing of such information is subject to more stringent requirements.

Risk
If the confidentiality of this sensitive personal data is breached, the individual concerned may be exposed to substantial risks, for example of discrimination. There may also be repercussions for a person's current or future position in society.

Heavy responsibility
By their very nature, political organisations process sensitive personal data. As a result, they bear a heavy responsibility for ensuring a high level of protection. They must also take appropriate action if a breach occurs despite the security precautions taken.

Duty to report data breaches
Serious data breaches must be reported. Specifically, businesses and public authorities have a duty to report such breaches within 72 hours. It is essential that organisations report such breaches promptly.

The DPA can then help them to limit the harm to the affected individuals, for example by giving instructions on how to resolve the breach quickly and prevent future breaches. The DPA may also instruct the organisation to notify the victims promptly.

PVV Overijssel ought to have informed the DPA within 72 hours of becoming aware of the data breach, but failed to do so. However, PVV Overijssel did say that it had taken steps to prevent any similar breaches from occurring in future.

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.