Dutch DPA Issues €830,000 Fine For Subject Access Request Policy

The Dutch Data Protection Authority (DPA) has issued a record €830,000 fine against the Dutch Credit Registration Bureau (BKR). This amount equates to over 900,000 US dollars. The fine was given to the BKR for violating data subject rights by charging fees to individuals wanting to access their personal data. 

This fine was issued under GDPR, the EU’s General Data Protection Regulation. Under this law, individuals have the right to access the personal information that companies collect about them, and they must be able to access this information easily.

The BKR is the Netherlands’ central credit information system and is responsible for maintaining all information regarding Dutch credit and repayments, for example information on insolvency and sanction screening. Many companies use this system to check whether a person is eligible when they apply for things like loans, credit cards and mortgages.

BKR’s Subject Access Request Policy

The Dutch DPA received complaints from individuals who had tried to access their personal data, saying that the BKR had set a high bar for access. In short, BKR made it too difficult for individuals to access their personal information. BKR set out in its terms that, in order to get free access to their personal data, an individual had to send a written request by post together with a copy of their passport. BKR stated that it only allowed these requests to be made once a year and that, once made, they would be handled within 28 days. Should an individual want or need multiple requests as well as immediate access, they would have to subscribe to BKR with a minimum annual payment of €4.95.

A Violation Of Article 12

However, the Dutch DPA believes that these policies contravened article 12 of the GDPR by not providing a sufficiently easy right of access and by charging for this data. BKR stated that its policies were reasonable and that it would see multiple annual data subject access requests as ‘repetitive’ and needless. The Dutch DPA disagrees and states that access requests should only be denied if they are unfounded or excessive, and that this should be decided on a case-by-case basis, not applied as a general rule.

The fine is divided between violations of two different GDPR articles. A fine of €385,000 was given for violating article 12(5) of the GDPR and €650,000 for violating article 12(2) of the GDPR. The two violations are linked, as both concern the transparency principle that gives individuals control of their personal data. Therefore, the fine was mitigated by 20%, giving a total of €830,000.

Your Responsibilities In Responding To A Subject Access Request

  1. Provide the requested information free of charge 
  2. The information must be provided without undue delay (within a month)
  3. If you require an extension, you must let the individual know within a month that you’ve received their request and explain why an extension is necessary.

Get in touch with us for bespoke guidance on drafting a GDPR-compliant Subject Access Request policy.

Kazient Privacy Experts offers bespoke Data Protection, Privacy and GDPR compliance solutions, in a language you understand, to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.