On the 6th of July 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “Dutch DPA”) published its decision to impose a fine of 830,000 EUR on Stichting Bureau Krediet Registratie (BKR). BKR keeps an electronic file of the loans and debts people have in the Netherlands, stored in a central database. Companies like financial institutions and telecom providers use this information, for example, to assess whether new customers can pay a loan. The fine was imposed because BKR’s procedure for data subjects to obtain access to their personal data was not in line with the GDPR. In particular, it appeared that BKR charged a fee for any digital request to access personal data: BKR offered different subscription forms – ranging from 4,95 to 12,50 euros a year – to gain digital access. Alternatively, a cost-free request was offered via post. Such a request via post was, however, limited to one request per year.
Article 12(2) GDPR states that the controller shall facilitate the exercise of, inter alia, the right of access (Article 15 GDPR). In addition, Article 12(5) GDPR states that access to personal data shall be provided free of charge, unless requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character. In that case a reasonable fee may be charged or the request may be refused. The Dutch DPA concluded that the barriers BKR imposed on exercising the right of access were too high and as such constituted a breach of the GDPR. (Digital) access to personal data should be provided free of charge and at reasonable intervals.
Although BKR had already changed its procedure after the investigation of the DPA – data subjects were allowed to access personal data digitally free of charge and the number of times that data subjects can access their personal data via post was also adjusted – the DPA imposed a fine for the infringements that lasted for a period of nine months. According to the DPA, the length of this period, the large number of data subjects involved and the fact that financial data was involved justified the fine imposed. BKR appealed the decision.
You can read the press release here and the full decision here (only available in Dutch).
Demi Rietveld and Stephanie Reinders Folmer