BKR is responsible for maintaining the Dutch central credit information system, which holds information on all Dutch credit registrations and on the repayment behaviour of individuals, including information on insolvency, sanction screening, and politically exposed persons registrations. The system is routinely consulted by a range of companies, including financial institutions, municipalities, payment service providers, and car lease companies, for example to verify whether a person is eligible for a loan, mortgage, or credit card.
Under the European Union’s General Data Protection Regulation (GDPR), individuals have the right to access the personal data collected about them, and to exercise that right easily and at reasonable intervals. It follows from article 12 GDPR that the controller “shall facilitate the exercise of [these rights],” and that the information should be “provided free of charge.” Where possible, the controller should be able to provide remote access to a secure system that gives the individual direct access to his or her personal data (recital 63 GDPR).
The Dutch Data Protection Authority received complaints about the high threshold BKR had set for accessing personal data. In brief, to obtain free access to their personal data, individuals had to send a written request by post, together with a copy of a passport. In its “GDPR Access” procedure, BKR indicated that an access request submitted by post “would be handled within 28 days” and that it could “only be requested once a year.” For immediate digital access to their personal data, or for more than one access request per year, individuals had to take out a subscription with BKR at a minimum annual fee of EUR 4.95 (or more, depending on the subscription type). BKR treated multiple access requests per year as repetitive in character and therefore claimed that it could charge a reasonable fee (relying on article 12(5)(a) GDPR).
The Dutch DPA finds that these practices violate article 12 GDPR, both for failing to facilitate the right of access (article 12(2) GDPR) and for failing to provide personal data free of charge (article 12(5) GDPR).
The Dutch DPA rejects BKR’s arguments that free access to personal data once a year is reasonable, and that multiple access requests per year may be treated as “repetitive” without an individual assessment. It also rejects BKR’s argument that a single free access per year was legitimate on the basis of the report “ACCIS 2017 Survey of Members, Analysis of Credit Reporting in Europe,” which found that 8 of the 32 responding credit bureaus provided free access to personal data only once a year. The Dutch DPA states that this report is not relevant to the implementation of the right of access and cannot be used as an argument in favour of BKR’s practices.
The Dutch DPA states that access requests may be refused, or a fee charged, only where the requests of an individual are manifestly unfounded or excessive, in particular because of their repetitive character. This must be assessed on a case-by-case basis, at the moment the request is submitted and before it is handled. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.
Under the Dutch DPA’s fining policy, the fine is built up from a fine of EUR 385,000 for the violation of article 12(5) GDPR and a fine of EUR 650,000 for the violation of article 12(2) GDPR. Because both violations relate to the same transparency principle, which is aimed at giving individuals control over their personal data, the combined amount is reduced by 20% to a total fine of EUR 830,000.
Authored by Joke Bodewits and Benjamino Blok.