September 22, 2020

Volume X, Number 266

September 21, 2020

Subscribe to Latest Legal News and Analysis

Dutch Supervisory Authority Imposes GDPR Security Standard for Processing Broadly Defined Health Data

In early November, the Dutch Supervisory Authority released an injunction imposed against the public insurance body Uitvoeringsinstituut Werkgeversverzekering (“UWV”) last July.

The UWV allows employers to submit data about their employees for social security purposes.  The data includes dates of employee absences due to general illness (and when an employee is pregnant or gave birth, including dates of associated absences and parental leave).  While the actual illness is not disclosed, the Supervisory Authority held that the data must be qualified as health data because the mere fact that someone is ill is indicative of their health.

In addition, the Supervisory Authority holds that the UWV violated the security standard of the GDPR by only applying one-factor authentication (e-mail address and password) on its portal.  According to the Authority, state-of-the-art security for a platform with this level of risk requires multi-factor authentication.  The Authority relies on Dutch guidelines for public authorities offering digital services and the Dutch NEN-7510 security standard for the health sector.

The UWV was ordered to conduct a new privacy impact assessment by October 1, 2018, and to implement appropriate security by October 31, 2019, with a penalty of €150,000 for each month delay (with a maximum of €900,000).  The long transition period for improving its security is explained by delays in the roll-out of a standardized authentication tool for public bodies.

© 2020 Covington & Burling LLPNational Law Review, Volume VIII, Number 326


About this Author

Kristof Van Quathern, Covington, data privacy attorney
Special Counsel

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Mr. Van Quathem has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies concerning the lawmaking, to compliance advice on the adopted laws regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.