Sociale verzekeringsbank – €150,000 Fine (Netherlands, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Dutch Social Insurance Institution (SVB) was fined €150,000 for inadequate data protection measures. A breach allowed unauthorized access to personal data through the helpdesk, revealing weaknesses in their identity verification process. This case highlights the importance of strong security practices to protect personal information.
What happened
SVB experienced a data breach where personal data was accessed without consent through the helpdesk due to weak identity verification.
Who was affected
Individuals whose personal data, including sensitive information, was accessed without consent through SVB's helpdesk.
What the authority found
The Dutch DPA determined that SVB's security measures were insufficient, leading to unauthorized access to personal data, in violation of GDPR.
Why this matters
This enforcement action serves as a warning to organizations about the necessity of implementing effective security measures, particularly in verifying identities during customer interactions, to safeguard personal data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller in this decision was the ‘Nederlandse Sociale Verzekeringsbank’ (SVB), a Dutch government institution responsible for different forms of social security and benefits. Citizens can reach the controller through a telephone helpdesk to ask questions about social security insurances. According to the controller, its 1500 employees receive around 20,000 telephone calls a week in that regard.
On 1 November 2019, the Dutch DPA received a complaint from a data subject, who claimed that a family member, in a phone call, had been able to receive personal data concerning them from the controller, without the data subject’s consent. The controller had acknowledged this incident and had reported it as a data breach on an unspecified date. On 15 November 2019, the Dutch DPA decided that it would not continue to investigate the complaint. The reason for this decision was not clear. The data subject appealed this decision, after which the DPA decided to start an investigation after all.
The investigation service of the DPA found that many categories of personal data were saved in the systems of the controller, such as name, address, mail address, nationality and marital status, but also criminal personal data, which indicated which data subjects were convicted of a crime or were suspected of fraud. The investigation service found that all 1500 employees of the controller had access to the files and personal data of data subjects who received AOW, the basic government pension.
At the request of the DPA, which wanted to know how the current policy regarding identity verification questions came to be, the controller provided the DPA with documents from 2006 and 2007 showing that it acknowledged the risk that a third party could request personal data of a data subject. After this, the controller decided to introduce verification questions to confirm the identity of the caller. It appears from another document that concerns were raised in 2007 abou
Details
Fine Date: 19 January 2023
Authority: Autoriteit Persoonsgegevens
Fine Amount: €150,000
GDPRhub ID: gdprhub-5802
About this data
Cite as: Cookie Fines. Sociale verzekeringsbank - Netherlands (2023). Retrieved from cookiefines.eu