The Autoriteit Persoonsgegevens (AP) is stepping up its supervision of the municipality of Eindhoven. The AP has signals that the municipality fails to report data breaches or does not report them on time, omits mandatory scans for privacy risks and stores personal data of citizens for too long. The improvement plan submitted by Eindhoven has not addressed the AP's concerns.

The AP has been in talks with the municipality of Eindhoven for some time, due to various indications that the municipality is not handling personal data properly.
For example, the municipality's internal privacy supervisor, the data protection officer (FG), reported in the 2020 and 2021 annual reports that the municipality did not always carry out mandatory risk assessments (called data protection impact assessments, DPIAs), or did not carry them out on time, and reported data breaches too late.
The municipality's Audit Commission also warned that the municipality did not have its privacy policies in order and that the municipality omitted mandatory DPIAs.
Among other things, the municipality reportedly introduced an environmental pass and a pressure meter without carrying out that risk analysis, as well as a trial of an app that uses an algorithm to match job seekers with vacancies.
'Citizens must be able to trust that their municipality handles their personal data with care,' says AP vice president Monique Verdier. 'As a citizen, you cannot choose: the municipality in which you live collects and uses your personal data. Moreover, municipalities manage a lot of sensitive data on their residents.'
'Then it is of great importance that a municipality checks in advance whether the collection and use of your personal data is allowed and can be done safely. And that a municipality reports a data leak in time, so that measures can be taken quickly, the people affected can be informed and a recurrence can be prevented. That, nota bene, one of the largest municipalities, the 'brainport' of the Netherlands, does not seem to have this in order is very serious.'
After a letter in July and a conversation between the AP and the municipality in September, the AP directed the municipality to prepare an improvement plan.
Verdier: "That improvement plan is substandard. For example, it seems that the municipality does not comply with retention periods for personal data, and the policy for carrying out DPIAs does not seem to be in order. There are also concerns about the handling of data breaches and questions about whether the municipality properly follows the FG's advice. All in all, the municipality does not seem to sufficiently recognize the seriousness and urgency of the concerns. This requires extra attention from the AP."
The first step in this intensified oversight is that the AP ordered the municipality to send a report within two months with more information and documents on data breaches, DPIAs, retention periods, the position of the FG and some other topics from the improvement plan.
Depending on that information, the AP will see what further steps are necessary. 'In doing so, we will emphatically keep open the option of scaling up our intervention,' Verdier said.
