On July 6, 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) imposed a €830,000 fine on the Dutch Credit Registration Bureau (Stichting Bureau Krediet Registratie, “BKR”) for non-compliance with Articles 12(2) and 12(5) of the EU General Data Protection Regulation (the “GDPR”) between May 2018 and March 2019.
After receiving multiple complaints from data subjects, the Dutch DPA investigated BKR’s management of data subjects’ access requests. The investigation revealed that BKR had implemented two ways that data subjects could access their data: data subjects could either request digital access to their data by subscribing to an annual paid subscription offered by BKR, or request a copy of their data once a year by post, free of charge.
The Dutch DPA’s Decision
The Dutch DPA found that BKR had infringed the GDPR on the following grounds:
- Free-of-charge access requests: The Dutch DPA found that BKR had infringed Article 12(5) of the GDPR by charging a fee to data subjects wishing to access their personal data in a digital format. Recital 59 of the GDPR clearly states that, where data is processed electronically, controllers should offer the possibility of accessing personal data in an electronic form. The Dutch DPA found that providing one free means of access (in this case, paper access) to personal data does not permit data controllers to charge a fee to data subjects for obtaining a copy of their data in another format (in this case, digital access). The Dutch DPA also found that filing a digital access request once a year cannot be considered manifestly excessive or repetitive for the purposes of Article 12(5) of the GDPR, and therefore BKR could not justify a yearly fee charged irrespective of the number of access requests filed. Whether requests are repetitive, and therefore subject to a fee, must be assessed on a case-by-case basis. Accordingly, the Dutch DPA set the fine for this infringement at €385,000.
- Easy access to personal data: The investigation revealed that, by actively communicating in its privacy policy that data subjects only had the right to access their personal data free of charge, once a year and in paper format, BKR was discouraging data subjects from filing access requests and was therefore infringing Article 12(2) of the GDPR, which requires the data controller to facilitate the exercise of data subjects’ rights. Accordingly, the Dutch DPA set the initial fine for this infringement at €650,000.
Fine
Under the GDPR, non-compliance with requirements relating to data subject rights may be sanctioned with an administrative fine of up to €20 million or 4 percent of the company’s total global annual turnover of the preceding financial year, whichever is higher. In determining the amount of the fine, the Dutch DPA followed its policy for calculating administrative fines, published in 2019. Because both infringements relate to the same requirement under the GDPR (i.e., the principle of transparency, which aims to give data subjects control over their data), the Dutch DPA decided to reduce the combined fines by 20 percent (or €205,000) and imposed a €830,000 fine on BKR.
Read the Dutch DPA’s press release and the decision (available only in Dutch).