CP&A B.V. – €15,000 Fine (Netherlands, 2020)

Fine amount: €15,000
Authority: Autoriteit Persoonsgegevens
Date: 24 March 2020
Country: Netherlands
Status: final
Type: Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

CP&A B.V. was fined EUR 15,000 by the Dutch privacy authority for mishandling employee health data. The company stored sensitive information without proper security or a legal justification for processing it. The case matters because it underlines that companies must both secure personal data and have a valid legal basis for processing it.

What happened

CP&A B.V. stored employee health data online without proper security or legal justification.

Who was affected

Employees whose sensitive health data was stored without adequate protection.

What the authority found

The Dutch authority determined CP&A B.V. unlawfully processed health data without a valid legal basis and failed to implement necessary security measures.

Why this matters

This case highlights the critical need for businesses to protect sensitive data and ensure they have a valid legal basis for processing. Companies should review their data protection measures to avoid similar violations.

GDPR Articles Cited

Art. 9(1) GDPR
Art. 32(1) GDPR
Full Legal Summary

CP&A B.V., a company specializing in the inspection and maintenance of public infrastructure, maintained an online absence registration system containing sensitive health data of 25 employees. The system, a file stored in Google Drive, was accessible without authentication or access controls from 12 March 2019 to 2 May 2019. The data included names, addresses, phone numbers, email addresses, BSN (Dutch citizen service number), dates of birth, and detailed health information such as reasons for absence, prognoses, and medical comments.

The Dutch DPA found that CP&A violated the GDPR by processing special category data (health information) without adequate legal grounds and by failing to implement appropriate security measures. It held that CP&A unlawfully processed health data, a special category of personal data, without a valid legal basis under Article 9(1) GDPR. Processing of such data is prohibited unless an exception applies, and CP&A failed to demonstrate that the processing was necessary for employee reintegration or another permissible purpose under Article 9(2)(b) GDPR and Dutch law.

Under Article 9(2)(b) GDPR, a controller may process health data where this is necessary for carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of employment law and social security and social protection law. Article 30(1)(b) GDPR further allows such processing where it is necessary for employee reintegration or guidance related to illness or disability. However, the Dutch DPA found that processing specific health details such as illness names, complaints, or pain indications is not necessary for reintegration. Therefore, CP&A could not rely on Article 30(1)(b) GDPR to justify its proces

Related Enforcement Actions (0)

No other enforcement actions found for CP&A B.V. in NL

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

24 March 2020

Authority

Autoriteit Persoonsgegevens

Fine Amount

€15,000

GDPRhub ID

gdprhub-8974

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. CP&A B.V. - Netherlands (2020). Retrieved from cookiefines.eu
