CP&A – €15,000 Fine (Netherlands, 2020)

€15,000 | Autoriteit Persoonsgegevens | 24 March 2020 | Netherlands
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Dutch privacy authority fined CP&A EUR 15,000 for improperly handling employee health data. The company recorded the reasons for employees' sick leave and did so without proper security measures, violating privacy rules. This matters because businesses must protect sensitive information like health data and use strong security practices.

What happened

CP&A recorded employee health reasons for sick leave without proper security measures.

Who was affected

Employees whose health information was recorded and stored online without adequate protection.

What the authority found

The Dutch authority found CP&A unlawfully processed health data and lacked adequate security, violating GDPR's special protection for health information.

Why this matters

This case highlights the importance of securing sensitive health data and ensuring legal grounds for processing. Businesses should review their data handling and security practices to comply with privacy laws.

GDPR Articles Cited

Art. 9 GDPR
Art. 32 GDPR

Full Legal Summary

The Dutch DPA (AP) has imposed a fine of EUR 15,000 on CP&A. When recording employee absences due to illness, the controller had documented both the causes of illness and the specific complaints of the data subjects. The DPA found this unlawful because health data is granted special protection: employers are not permitted to record either the reasons for or the causes of sick leave. The DPA also found that the controller had not implemented adequate technical and organizational measures to protect the processing when recording absences. Namely, the absence registration was accessible online, without any form of authentication. When an absence system is accessible via the Internet, it must be accessible only through multi-factor authentication. In the DPA's view, another form of authentication would have been required in addition to the 'normal' login.

Related Enforcement Actions (0)

No other enforcement actions found for CP&A in NL

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

24 March 2020

Authority

Autoriteit Persoonsgegevens

Fine Amount

€15,000

Enforcement Tracker ID

ETid-687

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. CP&A - Netherlands (2020). Retrieved from cookiefines.eu
