BKR fine for violation of free access of personal data

 in Privacy

On 6 July, the Dutch DPA imposed a fine amounting to € 830,000 on the Dutch Credit Registration Office (Stichting Bureau Krediet Registratie (BKR) for violation of data subject rights.

BKR maintains the central credit information system in the Netherlands and which has information about all Dutch credit registrations and payment records. BKR provides lenders with information on current loans of consumers and their payment history.

The Dutch DPA has received numerous complaints about BKR’s excessive and unreasonably complicated procedures for accessing personal data and has therefore initiated an investigation.

BKR charges fees to individuals who want to access their personal data. It only provides free of charge access to personal data once a year, via regular post. Thus BKR violates the requirement for transparent information, communication, and modalities for the exercise of the rights of the data subject (GDPR Article 12).

Individuals are required to send a written request via regular post, with a copy of their passport in order to be allowed to access their personal data. For every additional request or immediate digital access, individuals are requested to agree to a payment up to € 12.50 a year.

BKR justifies their practice by relying on GDPR Article 12(5a), which states if the data subject’s requests are unfounded or excessive, the organization or company is allowed to charge a reasonable fee, taking into account the administrative costs of providing the information, or can even refuse to act on the request.

BKR could not convince the Dutch DPA that free access to personal data once a year is reasonable, without proper assessments and documentation in place.

Taking into account the seriousness of the violation, the time period of nine months in which the violations took place, the number of data subjects involved, the Dutch DPA, applying its own fine policy, classified the violation of Article 12(2), as a category III violation, which resulted in a €650,000 fine, and the violation of Article 12(5), as a category II violation, for which a € 385,000 fine was set. The total fine could not exceed the maximum of €20,000,000 or up to 4% of total global annual revenue in the previous fiscal year, resulting in a € 830,000 fine in total. BKR lodged an appeal against the decision of the Dutch DPA.

It is interesting to see that the Dutch DPA consistently uses its own fine policy. The fines so far have not been extremely high. No 50 million fines, as the French CNIL imposed on Google in January 2019. The Spanish DPA has already imposed about seventy fines, in general lower amounts than in the Netherlands. I understand that the financial funding of the Spanish DPA is based on the GDPR fine revenues.

Recente berichten
  • 5 januari 2022

    Massa is kassa!

    Sil Kingma
    Dat is niet alleen de goudenregel voor de succesvolle exploitatie van Mark Gilles’ vakantieparken, maar ook voor de exploitatie van de Wet afwikkeling massaschade door investeringsfondsen. Eerst even kort terug in de tijd. Op 4 december 2019 zijn in het Staatsblad twee Koninklijke Besluiten gepubliceerd op het gebied van collectieve acties. Deze Besluiten bevestigen de
    Lees verder
  • 22 december 2021

    Interview in Advocatenblad 2021 | 10 ‘Teamspelers in de IT’

    Hanneke Slager
    Lees hier het gehele artikel dat recent is gepubliceerd in het Advocatenblad over ons IT-kantoor. Teamspelers in de IT, door Erik Jan Bolsius, Beeld Jean-Pierre Jans  
    Lees verder
  • 16 december 2021

    Het verbetertraject voor een HR-professional en de waarde van achteraf opgestelde verklaringen. 

    Marion Hagenaars
    Een verbetertraject is onder andere afhankelijk van het niveau en de kennis van de werknemer. Maar  wat betekent dit voor een (HR-)professional? En kan het ontbreken van een verbetertraject worden gerepareerd met achteraf opgestelde verklaringen?
    Lees verder

Plaats een reactie