PONT Data&Privacy

Personal Data Authority violates own privacy rules with tracking cookies

The Personal Data Authority (AP) inadvertently placed analytical and tracking cookies on its own job website, werkenbij.autoriteitpersoonsgegevens.nl. As a result, visitors' personal data was collected when it should not have been. The incident exposes pain points in the regulator's own control mechanisms.

March 31, 2025

News press release


What went wrong?

Due to a technical error at a third-party vendor, Google Analytics was accidentally activated, causing analytical and tracking cookies to be set. As a result, IP addresses and technical data about the web browsers used were collected. Although the AP states that, because of a second error, the data was not stored in the supplier's Google account, this cannot be guaranteed with complete certainty. The AP has asked Google to delete all collected data.

In addition, functional cookies from Cloudflare were placed on behalf of the video service Vimeo, intended to protect the video service from overload. These cookies tracked who viewed a video at what time. After discovery, the AP immediately took the video offline and asked the provider to remove the collected data.

Uncertainty about transfers and retention periods

The AP cannot rule out that personal data has been transferred to countries outside the European Economic Area (EEA) without appropriate safeguards. According to Google, cookie information is anonymized or deleted within 18 months, but it is possible that data is kept elsewhere for longer. Cloudflare also indicates that data will be deleted or destroyed after the retention period expires, but concrete timeframes are lacking.

Apologies and remedial measures

The AP acknowledges that the controls on the job site were inadequate. The process has been tightened with additional checks for high-risk processing before anything goes online. In addition, the regulator apologizes for the late communication to data subjects.

Recommendations for organizations

The AP gives data controllers the following advice for avoiding similar situations:

  • Evaluate agreements with suppliers regularly and adjust as needed.

  • Before publication, check that all settings are correct so that errors can be avoided.

  • Use methodologies such as OTAP (the Dutch acronym for Development, Test, Acceptance, Production; DTAP in English) for greater control.

  • Check that each data processing operation is truly necessary and in line with the processing register and privacy notice.

  • Have a clear cookie policy that complies with laws and regulations.

Repetition of errors

The incident with the job site is not the first time the AP has failed to comply with its own rules. Late last year, it was revealed that two newsletters had accidentally included a tracking pixel. This pixel registered whether a newsletter was opened, in violation of the AP's policy.

With these recent events, the question arises as to how far the AP is able to combine strict enforcement of privacy rules with its own compliance with those same rules.
