The Dutch Data Protection Authority (AP) did not sit still in 2022 either. It pursued countless privacy breaches and reprimanded both the government and private companies. Just like in previous years, hefty fines were handed out. These are the heaviest fines already issued by the AP in 2022. They prove that you had better have your privacy affairs in order.
# 3. DPG Media: € 525,000
The third heaviest AP fine of 2022 goes to DPG Media, although it was Sanoma Media Netherlands BV that committed the error. Sanoma was later acquired by DPG Media. At Sanoma, if people wanted to view or delete their data, they first had to upload proof of identity. According to the AP, however, this is not necessary at all. Essentially, the media company therefore requested too much personal data, which also complicated access and deletion requests. The individuals concerned were also not informed that it is permitted to obscure, for example, the BSN.
The AP is always strict when it comes to identity documents. After all, if this information is leaked, it can result in identity fraud. DPG Media had already adjusted its procedures following the acquisition, meaning a penalty payment order was not necessary. Nevertheless, a fine of €525,000 was imposed. DPG Media has lodged an objection against this decision.
# 2. Ministry of Foreign Affairs: € 565,000
The second heaviest AP fine was imposed on the Ministry of Foreign Affairs. The ministry was fined no less than 565,000 euros. This is because the ministry had failed to properly secure the NVIS, the National Visa Information System used for applying for and granting visas. As a result, unauthorized persons were able to modify and/or view files for years. As many as 530,000 visa applications were processed during the period in question. All of them contained a great deal of sensitive information, ranging from nationality information to fingerprints. Such a security breach can have major consequences for the privacy of the applicants. Moreover, applications could be altered, causing them to be wrongfully rejected.
The Dutch Data Protection Authority was very strict with the ministry. It not only imposed a heavy fine of 565,000 euros, but also a penalty payment order of 50,000 euros for every two weeks that security was not in order. In addition, there was a second penalty payment order of 10,000 euros per week that the ministry was insufficiently transparent about the parties with whom the personal data was shared.
# 1. Tax and Customs Administration: €3.7 million(!)
For years, the Tax and Customs Administration illegally processed personal data in the Fraud Signaling Facility (FSV), a blacklist used to track fraud indicators. The Tax and Customs Administration had no legal basis to process this personal data. Much of the personal data was also incorrect, potentially leading to people being wrongly registered as fraudsters. The Dutch Data Protection Authority (AP) also noted that the security of the list was not up to standard at all.
Furthermore, it turned out that discrimination was also involved: nationality (Turkish, Moroccan, or Eastern European nationality), among other criteria, was used to investigate people more closely. No fewer than 270,000 people were on the list, and their rights were severely violated. This resulted in the highest fine ever imposed by the AP: 3.7 million euros for a total of 6 violations.