Breach of GDPR Data Subject Rights Leads to Record Fine

The Dutch Credit Registration Bureau (BKR) has been hit with a €830,000 ($937,000) fine in the Netherlands in relation to a General Data Protection Regulation breach affecting data subjects' rights.

The fine is a result of BKR charging fees for, and generally discouraging data subjects from, accessing their personal data. GDPR legislation states that data subjects are entitled to access all personal data collected about them.

A number of complaints were submitted to the Dutch Data Protection Authority in relation to the stringent conditions that BKR established for providing personal data to data subjects. These conditions included a written request to be submitted via post with an accompanying copy of a passport, 28 days required to complete the process, and a limit of one request per data subject per year. If a data subject wished to have quicker access or to make more than one request per annum, they were asked to subscribe with BKR by paying a minimum annual payment of €4.95.

BKR is the body that manages the Netherlands’ central credit information system and, in this role, manages data regarding Dutch credit registrations and repayment behaviour by individuals, including information on insolvency, sanction screening, and publicly exposed persons registrations. This system is used by groups such as financial institutions, municipalities, payment service providers, and car lease companies (e.g., to verify whether a person is eligible for a loan, mortgage, or credit card).

The Dutch DPA ruled that BKR is in breach of article for not processing personal data free of charge and for making access to the data more difficult for data subjects. The argument made by BKR that free access to data once annually is more than reasonable was not accepted by the authority. In its ruling, the DPA said that access requests may only be refused in the event of requests being ‘manifestly unfounded or excessive’. Even in such a scenario, each case has to be examined on its own merits when a request is received, and the onus is on the data controller to show the ‘manifestly unfounded’ or excessive character of the request.

In response to the DPA decision Peter van den Bosch, chairman of the BKR Foundation board, said: “Privacy and reliability of data are at the top for the BKR Foundation. The privacy of consumer data has always been guaranteed. The fine is not about that. We believe that legislation has always been followed by us.

“Since the introduction of the GDPR, consumers have always had free access to their own data within the legal term. Initially, only written access was given, to ensure that personal data came to the right person. As soon as the AP’s position became clear, the BKR Foundation also provided digital free access to consumers. The BKR Foundation is now submitting the fine decision to the court to request clarity on this.”