BKR fine for violation of free access of personal data

On 6 July, the Dutch DPA imposed a fine amounting to € 830,000 on the Dutch Credit Registration Office (Stichting Bureau Krediet Registratie, BKR) for violation of data subject rights.

BKR maintains the central credit information system in the Netherlands, which holds information about all Dutch credit registrations and payment records. BKR provides lenders with information on current loans of consumers and their payment history.

The Dutch DPA has received numerous complaints about BKR’s excessive and unreasonably complicated procedures for accessing personal data and has therefore initiated an investigation.

BKR charges fees to individuals who want to access their personal data. It only provides free-of-charge access to personal data once a year, via regular post. BKR thus violates the requirement for transparent information, communication, and modalities for the exercise of the rights of the data subject (GDPR Article 12).

Individuals are required to send a written request via regular post, with a copy of their passport, in order to be allowed to access their personal data. For every additional request or immediate digital access, individuals are requested to agree to a payment up to € 12.50 a year.

BKR justifies its practice by relying on GDPR Article 12(5a), which states that if the data subject’s requests are unfounded or excessive, the organization or company is allowed to charge a reasonable fee, taking into account the administrative costs of providing the information, or can even refuse to act on the request.

BKR could not convince the Dutch DPA that free access to personal data once a year is reasonable, without proper assessments and documentation in place.

Taking into account the seriousness of the violation, the time period of nine months in which the violations took place, and the number of data subjects involved, the Dutch DPA, applying its own fine policy, classified the violation of Article 12(2) as a category III violation, which resulted in a €650,000 fine, and the violation of Article 12(5) as a category II violation, for which a € 385,000 fine was set. The total fine could not exceed the maximum of €20,000,000 or up to 4% of total global annual revenue in the previous fiscal year, resulting in a € 830,000 fine in total. BKR lodged an appeal against the decision of the Dutch DPA.

It is interesting to see that the Dutch DPA consistently uses its own fine policy. The fines so far have not been extremely high: there have been no 50 million fines, such as the one the French CNIL imposed on Google in January 2019. The Spanish DPA has already imposed about seventy fines, in general for lower amounts than in the Netherlands. I understand that the financial funding of the Spanish DPA is based on the GDPR fine revenues.
