The Dutch Data Protection Authority (DPA) issued a EUR 830,000 (approximately USD 937,000) fine against the Dutch Credit Registration Bureau (BKR) for violating data subject rights. The fine stems from BKR’s practice of charging fees and discouraging individuals who wanted to access their personal data.

BKR is responsible for maintaining the Dutch central credit information system, which holds information about all Dutch credit registrations and repayment behaviour by individuals, including information on insolvency, sanction screening, and publicly exposed persons registrations. The system is generally checked by various companies, including financial institutions, municipalities, payment service providers, and car lease companies (e.g., to verify whether the person is eligible for a loan, mortgage, or credit card).

Under the European Union’s General Data Protection Regulation (GDPR), individuals have the right to access personal data collected about them, and to exercise that right easily and at reasonable intervals. It follows from article 12 GDPR that the controller “shall facilitate the exercise of [these rights],” and that such information should be “provided free of charge.” Where possible the controller should be able to provide remote access to a secure system which would provide the individual with direct access to his or her personal data (recital 63 GDPR).

The Dutch Data Protection Authority received complaints about the high standard BKR had set for accessing personal data. In brief, to get free access to their personal data, individuals had to send a written request via post, together with a copy of a passport. In its “GDPR Access” procedure, the BKR indicated that submitting an access request via post “would be handled within 28 days” and that it could “only be requested once a year.” For immediate digital access to their personal data or multiple access requests per year, individuals would have to subscribe with BKR for a minimum annual payment of EUR 4.95 (or higher depending on the subscription form). Multiple access requests per year were considered to have a repetitive character and therefore BKR claimed that it could charge a reasonable fee (based on article 12(5)(a) GDPR).

The Dutch DPA takes the view that these practices violate article 12 GDPR by not facilitating the right of access (article 12(2) GDPR) and by not providing personal data free of charge (article 12(5) GDPR).

The Dutch DPA denies the arguments put forward by BKR…
