DDPA imposes fine for fees charged for accessing personal data
The Dutch Data Protection Authority ('DDPA') has imposed an administrative fine of EUR 830,000 on the Dutch Credit Registration Office ('BKR') for the limited opportunities it provided to data subjects to access their personal data. Data subjects were only able to access their personal data free of charge once a year (by post) and, if they wanted to access their personal data electronically, they had to pay a fee. According to the DDPA, this is inconsistent with the GDPR. The full text of the decision to impose an administrative fine can be found here (Dutch only).
Article 12(5) GDPR provides that, in principle, data subjects are entitled to access their personal data that has been processed by the controller free of charge. If requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: a) charge a reasonable fee; or b) refuse to act on the request. Article 15(3) GDPR provides that, where a data subject requests personal data by electronic means, and unless otherwise requested by the data subject, the information must be provided in a commonly used electronic form. With respect to the principle of transparency and pursuant to Article 12(2) GDPR, the controller must facilitate the exercise of data subject rights.
According to the DDPA, BKR infringed Article 12(5) GDPR by failing to provide data subjects with electronic access to their personal data free of charge. The DDPA's position is that Article 12(2) GDPR was also infringed, because BKR allowed data subjects to access their personal data free of charge just once a year and therefore failed to sufficiently facilitate the right of access. The DDPA states that BKR's policy discouraged data subjects in advance from exercising their right of access.
The DDPA applied a remarkable construction in determining the amount of the fine. In light of the gravity of the infringements, it increased the standard fines (as laid down in its policy with respect to imposing administrative fines (Dutch only)) by roughly 20%. The DDPA then lowered the total fine by 20%, ending up with the sum of EUR 830,000. Its reasoning was that it did not think it was proportionate to cumulate the fines, because they both pertain to the same principle, namely transparency for data subjects.
We recommend reviewing your internal and external privacy policies on access requests and ensuring that the processes are structured in a way that you can respond to data subject requests free of charge, provided that they are not manifestly unfounded or excessive. Do not forget to consider other requests data subjects may make under the GDPR, including the rights to erasure, rectification and completion of incomplete personal data, data portability, data minimisation and the right to object.
This is a Legal Update by Elze ’t Hart and Frank Heijne.