On 6 July 2020, the Dutch DPA (Autoriteit Persoonsgegevens, AP) issued a decision imposing a fine of €830,000 (around 939,000 USD) on the Dutch Credit Registration Bureau (Bureau Krediet Registratie, BKR) for violating data subject rights.
The BKR Foundation maintains the Dutch central credit information system, which holds information about all Dutch credit registrations and payment records. As stated on its website, the BKR maps out the loans of everyone in the Netherlands; when a consumer is about to make an important financial decision, the BKR gives lenders insight into that person's current loans and payment history.
The AP received numerous complaints about the BKR’s excessive and unreasonably complicated procedures for accessing personal data and initiated an investigation.
The investigation revealed that from May 2018 to April 2019 the BKR charged individuals a fee to access their personal data and offered free access only once a year, and only by post. This violated GDPR Article 12 (transparent information, communication and modalities for the exercise of the rights of the data subject).
The GDPR requires that individuals be able to access their personal data easily and at reasonable intervals (Recital 63), and that the information and any communication be provided free of charge, in a “concise, transparent, intelligible and easily accessible form…” (Article 12).
In this case, however, individuals had to send a written request by post, with a copy of their passport, in order to access their personal data. The BKR's access policy stated that free access could be requested only once a year; for any additional request, or for immediate digital access, individuals had to take out a subscription with the BKR costing from €4.95 up to €12.50 a year.
The BKR justified this practice by relying on GDPR Article 12(5)(a), which provides that where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee that takes into account the administrative costs of providing the information, or refuse to act on the request.
However, under Article 12(5) the burden of demonstrating that a request is manifestly unfounded or excessive lies with the controller, in this case the BKR. The BKR did not convince the AP that limiting free access to once a year was reasonable, nor that additional requests within a year were repetitive, because it had not assessed each request on its own merits.
This case shows that GDPR exemptions cannot be relied upon without a case-by-case assessment and the documentation to support it.
Reasons behind the high fine
The AP took into account the seriousness of the violation, the nine-month period over which it took place and the number of data subjects involved, and, following its fining policy for GDPR violations, determined two fines.
The violation of Article 12(2) was classified as category III and resulted in a fine of €650,000; the violation of Article 12(5) was classified as category II and resulted in a fine of €385,000.
Because both violations concern the same conduct and the same transparency obligations, the total fine may not exceed the amount set for the gravest infringement, which for Article 12 is up to €20,000,000 or 4% of total worldwide annual turnover in the preceding financial year, whichever is higher (Article 83(3) and 83(5)). Within that limit, the AP moderated the combined amount and set the total fine at €830,000 rather than the sum of the two individual fines.
The full decision (in Dutch) can be read here.