Monday, March 16, 2026

No Contract, Weak Passwords: Dutch Court Confirms Major GDPR Fine, Setting a Stark Warning for Businesses

The Bottom Line

  • Your Vendor Contracts Are Not Optional: A verbal agreement or an incomplete contract with a data processor is legally worthless under the GDPR. This ruling confirms that a formal, written Data Processing Agreement (DPA) is a non-negotiable requirement, and failing to have one is a fineable offense on its own.
  • Basic Security Is No Longer Enough: The court has effectively set a new baseline for “appropriate” security. For systems containing personal data, a simple username and password combination is now considered insufficient. Regulators and courts expect modern standards like two-factor authentication (2FA) to be the norm.
  • “We Didn’t Know” Is Not a Defense: The court dismissed arguments that compliance was too complex or standards were unclear. The responsibility to understand and implement fundamental GDPR requirements—both contractual and technical—lies squarely with the company acting as the data controller.

The Details

This case provides a crucial lesson in GDPR compliance, centering on a company’s appeal against a significant fine from the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). The court’s decision to uphold the fine was based on two fundamental, and entirely avoidable, failures. The ruling sends a clear signal that regulators and judicial bodies are losing patience with companies that neglect the foundational pillars of data protection law, regardless of their size or industry.

The first violation concerned the absence of a compliant Data Processing Agreement (DPA) as mandated by Article 28 of the GDPR. The company had engaged a software supplier to process personal data on its behalf but had failed to put a formal, written contract in place that detailed the specific obligations required by the regulation. The court flatly rejected the company’s claim that an informal understanding was sufficient. It affirmed that the requirements listed in Article 28(3) are not a checklist of suggestions but a set of mandatory contractual clauses. This decision underscores that for any third-party vendor handling your data, a robust, compliant DPA is the essential legal bedrock of the relationship.

The second, and perhaps more impactful, violation involved a breach of Article 32 of the GDPR, which demands “appropriate technical and organizational measures” to ensure data security. The company’s system was protected only by a username and password. The court agreed with the regulator that this level of security was inadequate for the nature of the data being processed. In a critical statement on modern security standards, the ruling established that in today’s threat landscape, measures like two-factor authentication (2FA) are no longer a “nice-to-have” but a required component of “appropriate” security. This puts all businesses on notice: your security measures must evolve with technology and the risks you manage.

Source

Source: Rechtbank Zeeland-West-Brabant

Kya (https://lawyours.ai)
Hello! I'm Kya, the writer, creator, and curious mind behind "Lawyours.news"