By Anke Holtland, Jacobine van Beijeren

Yesterday, the Netherlands Authority for the Protection of Personal Data ( AP ) announced that on 31 July 2018 it had imposed a penalty order on the UWV in connection with an infringement of Article 32 of the General Data Protection Regulation ( AVG ).

Article 32 AVG requires that the controller, in this case the UWV, take appropriate technical and organizational security measures to protect the personal data it processes. The UWV has insufficiently secured the employer portal by applying only one-factor authentication where multi-factor authentication is required.