PONT Data&Privacy
Intensified supervision of the Municipality of Eindhoven terminated

Last month, the Autoriteit Persoonsgegevens (AP, the Dutch data protection authority) ended its intensified supervision of the Municipality of Eindhoven. A good time to look at the lessons learned.

November 14, 2025

In March 2023, the AP decided to intensify its supervision of the Municipality of Eindhoven. At that point the AP had already been in discussions with the municipality for some time. These were prompted by signals from the Data Protection Officer (FG, Functionaris Gegevensbescherming) and the Audit Committee that the municipality was structurally failing to meet its obligations under the General Data Protection Regulation (AVG in Dutch). For example, data breaches were not reported or were reported too late, retention periods were exceeded, and risk analyses for new processing of personal data (DPIAs) were missing or not carried out in time. The AP ordered the municipality to quickly provide reports and concrete improvement plans.

However, the improvement plan that was submitted did not address the AP's concerns. In a letter, the AP states that the municipal executive (the college of mayor and aldermen) did not yet have sufficient insight into the capacity needed to implement the improvements. In the same letter, the AP expresses the expectation that the executive will provide clarity on concrete goals, required capacity and a timeline by July 1, and writes that if this is not forthcoming it does not rule out further enforcement action. That is what happened: supervision was intensified, and the mayor of Eindhoven and the alderman responsible were invited by the AP for a meeting.

What shortcomings were there?

The AP found the following deficiencies.

  1. Retention periods: Due in part to technical limitations and capacity problems, the municipality has been failing to meet retention periods for years. The AP concluded that this problem would continue at least until 2025, and notes that it also affects processing involving special categories of personal data of residents.
  2. DPIAs (Data Protection Impact Assessments): The processing register is not up to date, so it is not clear which processing operations require a DPIA. The intention to use "umbrella DPIAs", in which processing operations are categorised and a single DPIA is carried out for a group of similar operations, is also not consistent with the AVG. Moreover, it is unclear when measures must be completed before high-risk processing operations are allowed to start.
  3. Data breaches: The investigation shows incomplete and inconsistent recording in the registers. Data subjects are often not informed properly or in time, and notifications to the AP are regularly late or inconsistent with the register.
  4. Position of the FG: The improvement plan assigns tasks and powers to the FG that do not fit the FG's independent role, which the AP finds unacceptable. The letter mentions, among others, the following two tasks. First, the FG is to direct the overall improvement programme and ensure that it remains 'viable' and within any preconditions that are set. Second, the FG is given decision-making authority over any deviation from the scope of the plan and over escalated issues. The AP considers both contrary to the independence of the FG's position.
  5. Governance and organisational culture: The AP considers the so-called culture scan, a baseline measurement, of limited use because of low participation and a focus on information security rather than privacy. Additional research shows, among other things, that the sectors have insufficient privacy knowledge, that privacy officers do not get around to their core tasks enough, and that the FG has insufficient room for supervision.

Improvement process and termination of intensified supervision

During the roughly two years that followed, the municipality took significant steps in the area of privacy and data protection. This resulted in the AP informing the municipality by letter on October 13, 2025, that the intensified supervision was being terminated. The AP wrote that the Municipality of Eindhoven had met all the conditions set for ending the intensified supervision. For example, the municipal executive has adopted the privacy policy, of which privacy governance is a part, and shared it with the AP. The municipality has also had an external maturity measurement carried out, which shows a clear improvement: the municipality's overall maturity score rose from 2.1 at the start of the supervision to 3.6.

In addition, the municipality has adopted an establishment decree for the FG that strengthens the position of the FG. Privacy ambassadors are also active and a data breach protocol has been implemented.

The municipal executive has also indicated that it wants to professionalise further and has, among other things, appointed a Chief Privacy Officer in a 'kwartiermaker' (start-up) role to continue the implementation of the privacy policy.

Conclusion

The AP's intensified supervision of the Municipality of Eindhoven makes it clear that public organisations, too, are judged strictly on their compliance with the AVG. The case shows that shortcomings in privacy processes, such as incomplete data breach notifications or missing risk analyses, weigh heavily. It also shows that it is crucial for the Data Protection Officer to be firmly and independently positioned and for a clear privacy policy with an appropriate governance structure to be in place. Finally, a maturity measurement provides valuable insight into the level of privacy maturity within the organisation.
