BKR fined for violating the right of free access to personal data
On 6 July, the Dutch DPA (Autoriteit Persoonsgegevens) imposed a fine of € 830,000 on the Dutch Credit Registration Office (Stichting Bureau Krediet Registratie, BKR) for violating data subject rights.
BKR maintains the central credit information system in the Netherlands, which holds information about all Dutch credit registrations and payment records. BKR provides lenders with information on consumers' current loans and their payment history.
The Dutch DPA received numerous complaints about BKR's excessive and unreasonably complicated procedures for accessing personal data and therefore opened an investigation.
BKR charges fees to individuals who want to access their personal data. It provides free access only once a year, and only via regular post. The Dutch DPA found that this violates the requirement of transparent information, communication and modalities for the exercise of data subject rights (GDPR Article 12).
To obtain that free copy, individuals have to send a written request by regular post, enclosing a copy of their passport. For every additional request, or for immediate digital access, individuals are asked to agree to a payment of up to € 12.50 a year.
BKR justified its practice by relying on GDPR Article 12(5)(a), which allows a controller, where a data subject's requests are manifestly unfounded or excessive, to charge a reasonable fee that takes into account the administrative costs of providing the information, or to refuse to act on the request altogether.
BKR could not convince the Dutch DPA that limiting free access to once a year is reasonable, as it had no proper assessment or documentation in place to support that position.
Taking into account the seriousness of the violations, the period of nine months over which they took place and the number of data subjects involved, the Dutch DPA, applying its own fine policy, classified the violation of Article 12(2) as a category III violation, for which it set a € 650,000 fine, and the violation of Article 12(5) as a category II violation, for which it set a € 385,000 fine. Those amounts add up to € 1,035,000; the total fine imposed was € 830,000, well within the statutory maximum of € 20,000,000 or 4% of total worldwide annual turnover in the preceding financial year, whichever is higher. BKR has lodged an appeal against the decision of the Dutch DPA.
It is interesting to see that the Dutch DPA consistently applies its own fine policy. The fines so far have not been extremely high: no € 50 million fines like the one the French CNIL imposed on Google in January 2019. The Spanish DPA has already imposed about seventy fines, generally for lower amounts than in the Netherlands. I understand that the financial funding of the Spanish DPA is based on GDPR fine revenues.