For years, the Ministry of Foreign Affairs has broken the law when issuing Schengen visas. The Dutch Data Protection Authority (AP) speaks of serious violations on a large scale and has therefore fined the ministry 565,000 euros.
The security of the National Visa Information System (NVIS) is insufficient, with the risk, for example, that unauthorized persons can view and change files. In addition, visa applicants were insufficiently informed about the sharing of their data with other parties.
In addition to the fine, the AP is imposing orders subject to periodic penalty payments: one for putting the security in order (50,000 euros every two weeks) and one for the provision of information (10,000 euros per week).
Visa applications insufficiently secured
The Ministry of Foreign Affairs has processed an average of 530,000 visa applications per year for the past three years. The personal data of citizens from all these applications are insufficiently secured. Visa applications are processed by the Consular Service Organization (CSO), which is an independent service unit within the Ministry of Foreign Affairs. The organization processes all visa applications and applications for Dutch travel documents abroad.
This concerns sensitive information, such as passport, fingerprints, name, address, place of residence, country of birth, purpose of the trip, nationality and photo. It also includes the supporting documents that accompany a visa application, such as income data, bank statements and a medical travel insurance policy. When applying for a visa, people are obliged to provide this personal data to the Ministry of Foreign Affairs.
Monique Verdier, vice-chairman of the AP: 'Inadequate physical and digital security increases the chance that unauthorized employees can view and change personal data, but also the risk that other errors or abuses can go unnoticed for too long. That can have major consequences for citizens.'
'For example, if their visa application is wrongfully refused because of this. This can mean a serious infringement on their freedom of movement. Precisely because citizens are so dependent on the Ministry of Foreign Affairs for their visas, the inadequate security is very serious.'
The Ministry of Foreign Affairs has been aware of security risks in the visa system for some time, but the AP believes that the ministry has not done enough, quickly enough, to address them.
Order subject to periodic penalty payments for security
The AP instructs the ministry to put security in order. This includes drawing up an information security policy for the National Visa Information System, regular checks on user rights, and logging (registration of users and actions within the system, among other things).
The AP imposes an order subject to periodic penalty payments of 50,000 euros for every two weeks that the violation continues (up to a maximum of 500,000 euros).
Insufficient information to visa applicants
The AP has also established that the Ministry of Foreign Affairs does not sufficiently inform visa applicants about the sharing of their personal data with other parties. The ministry is, however, legally obliged to be transparent to citizens about which recipients it shares their personal data with.
This violation also involves sensitive information from hundreds of thousands of applications every year. The AP has therefore instructed the Ministry of Foreign Affairs to inform citizens in a proper and transparent manner about the processing of their personal data and about the parties with which that data is shared.
Source: Dutch Data Protection Authority (AP)