A lot went wrong when the Municipality of Eindhoven introduced a new sports pass for residents a few years ago. Privacy checks were skipped and nothing was done with the warnings. This is evident from an investigation that the municipality had carried out.
According to Eindhovens Dagblad (newspaper), which saw the investigation results, the new sports pass was introduced in 2021 for regular visitors to municipal swimming pools. This happened before a legal privacy assessment had been carried out. The sports pass was supposed to succeed the city pass. That pass was abolished because of problems with the privacy of Eindhoven residents.
Risks
When introducing the sports pass, the municipality did not ask the internal Functionaris Gegevensbescherming (data protection officer, FG) for advice. ‘Without the assessment of the FG, there is a risk that critical privacy issues will go unnoticed and not be addressed, which can lead to violations of privacy legislation, data leaks and reputational damage’, according to the external researchers. Furthermore, in the researchers' judgment, the risks were not properly assessed and nothing was done with the warnings from the FG. According to the newspaper, the Eindhoven city council therefore relied on incomplete information.
Hack
The municipality had the investigation carried out after an ethical hacker pointed out, among other things, the problems with the QR code to the municipality last year. When the hacker contacted the municipality, the digital gates of Ottenbad and swimming centre Tongelreep were immediately closed. The hack and the data leak were reported to the privacy watchdog Autoriteit Persoonsgegevens (Dutch Data Protection Authority) a day later.
Source: Studio040
Translated by: Bob