Dutch Data Protection Authority shows it is serious:
New record-breaking fine imposed for inadequate data subject access procedures
22 July 2020
The Dutch data protection authority (DPA) announced, on 6 July 2020, its decision (Decision) to impose a fine of EUR 830.000 on Stichting Bureau Krediet Registration (BKR) for imposing specific thresholds before allowing data subjects to access and inspect their personal data. In particular, BKR required the payment of a fee for individuals to electronically access their personal data as well as only allowing individuals to access their data at no cost once a year via post.
It is interesting to note that the Decision was only announced on 6 July 2020, although the fine had already been imposed by the DPA on 30 July 2019. The delay in publication is explained by BKR having challenged the DPA's decision to publicise the Decision in court, on the grounds, amongst others, that publication would lead to negative media attention, (irreparable) reputational damage and additional administrative costs for BKR. The district court of Gelderland dismissed BKR's challenge on 29 June 2020.
The Decision marks the highest fine imposed by the DPA to date and is the latest in a set of developments shaping the Dutch data protection landscape. In addition to the first string of fines being imposed, the DPA has launched an investigation into TikTok's processing of children's personal data, with its findings expected to be published towards the end of the year. Earlier this month, the Dutch Consumer Association and Dutch Privacy Foundation filed a class-action claim (currently standing at 30,000) for damages against Facebook for its privacy breaches between 2010 and 2020. It is the first of its kind in the Netherlands and could be indicative of a broader trend, not only in the Netherlands but throughout the EU.
In the case at hand, the fine was imposed on BKR, a Dutch (non-profit) foundation that collects and manages the credit registrations (i.e. loans) of every individual in the Netherlands and offers this information in a central credit information overview. Among other things, BKR's chief purpose is to limit the risks for lenders and prevent over-indebtedness among borrowers. In principle, lenders in the Netherlands are required to report every loan they grant to BKR. This information gives BKR an overview of all registered loans and the repayment behaviour of individuals. Based on that information, lenders can decide whether or not to grant (another) loan to a particular individual. BKR has been the complainant in various 'right to erasure' and 'right-to-be-forgotten' claims in which individuals requested that their personal data be deleted from the register.
Under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), individuals have a right of access to the personal data collected about them, which entitles them to obtain a copy of their personal data as well as other supplementary information. This right also imposes a number of obligations on the controller: controllers must allow data subjects access to - and inspection of - their personal data free of charge (Article 12(5) GDPR) and must facilitate the exercise of data subjects' rights (Article 12(2) GDPR). A controller must respond to an access request without undue delay and, in principle, within one month of receipt of the request (Article 12(3) GDPR). The DPA had received various complaints about the high thresholds raised by BKR when individuals wanted to access their personal data. Given these complaints, the DPA considered there to be sufficient grounds to initiate an investigation into how BKR (as controller) facilitates this right of access.
BKR's website offered individuals two ways to obtain access to their personal data. The first option was a paid subscription service that gave the individual access to an electronic customer environment, with a minimum payment of EUR 4.95 per year (depending on the chosen subscription, this amount could be higher). The second, free option was for individuals to download an access form from the website, print it out, fill it in by hand and send it to BKR by post together with a copy of an identification document. Individuals could use the second (free) option only once per year, and access requests made through this option would be handled within 28 days.
The DPA ruled that BKR had violated Articles 12(2) and 12(5) of the GDPR with the procedure it had in place for handling individuals' data access requests. The arguments put forward by BKR against this decision were refuted by the DPA, including BKR's position that it was justified in charging a reasonable fee for its electronic access option because this provided an individual with one year of access to his or her personal data, which BKR considered to have a 'repetitive character' (an exemption that follows from Article 12(5) GDPR). The DPA stated that whether an individual's request has a 'repetitive character' must be assessed on a case-by-case basis and cannot be determined in general terms.
Another argument put forward by BKR was that allowing only a one-time free access request was legitimate on the basis of the report 'ACCIS 2017 Survey of Members, Analysis of Credit Reporting in Europe'. According to this report, 8 out of 32 credit reporting agencies in 2017 provided individuals with one free access request per year to their personal data. The DPA stated that the report is not relevant to BKR's implementation of the individual's right of access to his or her personal data. In addition, the DPA did not consider the findings in the report a (relevant) argument for BKR to adopt a similar practice.
The DPA further stated that BKR may only deny an individual's data access request when such a request is 'manifestly unfounded' or has an 'excessive character', in particular because of the 'repetitive nature' of the request (Article 12(5) GDPR). As noted above, the DPA indicated that this requires an individual assessment on a case-by-case basis, at the time the request is made and prior to any substantive processing of the request. The burden of proof in that respect lies with the data controller (i.e. BKR). In addition, the DPA stated that BKR's procedure for handling data subject requests is also not in line with recital 36 of the GDPR, which states that data subjects should be able to exercise their right of access 'easily' and at 'reasonable intervals'.
Based on the circumstances described in the DPA's ruling, in our view the actions of BKR constitute a clear violation of the GDPR. Given that BKR's business model was in part to generate revenue through a subscription model for access requests, the breach was intentional. It is important that the Dutch DPA takes action to protect consumers against such practices. With this decision, the Dutch DPA has in our view sent a clear signal to the market that it does not take such breaches lightly. The fine eventually imposed by the DPA on BKR for violation of Articles 12(2) and 12(5) of the GDPR amounted to EUR 830.000. The total fine of EUR 1.035.000 (which was reduced by 20%) consisted of EUR 650.000 for violation of Article 12(2) GDPR and EUR 385.000 for violation of Article 12(5). Surprisingly, the DPA did not consider in its ruling a breach of Article 12(3) GDPR. The main rule is that a response to a data subject access request must be provided without undue delay. Given that BKR would reply faster if a fee was paid, a response within 28 days without payment could never be 'without undue delay'.
BKR has appealed the Decision before the court, so the Decision is not yet final. However, now that the Decision has been made public, BKR may be exposed to a further risk under the new act on the settlement of mass damages in collective actions, which entered into force in the Netherlands on 1 January 2020 (Wet afwikkeling massaschade in collectieve actie, 'WAMCA'). The WAMCA allows compensation to be claimed in collective actions, which was not possible before in the Netherlands. It is conceivable that companies will face an increasing number of collective actions in the future. As mentioned, this has already happened to Facebook: the Dutch Consumer Association and Dutch Privacy Association announced on 7 July 2020 that they will initiate a mass claim against Facebook for various privacy violations against its users.
Rechtbank Gelderland 29 June 2020 (ECLI:NL:RBGEL:2020:3159)