Incremental penalty payment demanded for failure to comply with request for inspection
The Dutch Data Protection Authority (DDPA) has demanded an incremental penalty payment of €48,000 from a bank for its failure to comply with a customer’s request to review their personal data, thereby violating privacy legislation.
The bank in question is Theodoor Gilissen Bankiers (TGB), currently named InsingerGilissen Bankiers. Two years ago a customer asked the bank to provide a complete overview of the customer’s personal data that the bank had in its possession. When the bank did not give the customer access, the customer filed an enforcement request with the DDPA. The DDPA gave the bank two months to allow the customer to inspect their data, subject to an incremental penalty payment of €12,000 for each week that the request was not complied with. Only one month after expiry of the deadline was the customer given full access. The DDPA has therefore collected €48,000 in total.
The incremental penalty payment was imposed under the Personal Data Protection Act. However, the General Data Protection Regulation (GDPR) also provides for the power to impose an incremental penalty payment.
The fact that the DDPA demands an incremental penalty payment is, however, striking. The DDPA often imposes an incremental penalty payment, but hardly ever actually claims it. The DDPA has been criticised for many years. The privacy watchdog was said to be a toothless paper tiger, partly because the DDPA is a small organisation and has few powers. The DDPA is working hard to improve its reputation by employing more people, starting various investigations under the GDPR and issuing the above publication.
We recommend that you review your internal and external policies regarding access requests and ensure that the internal technical and organisational processes are set up in such a way that a request can be met in a timely manner. While you are at it, do not forget the other requests that data subjects can make under the GDPR, such as the right to removal, rectification and supplementation, data portability, restriction of processing and the right to object.
This is a Legal Update from Elze ’t Hart.