Bureau Krediet Registratie (BKR) has seriously violated the AVG by insufficiently facilitating data subjects' right of inspection. This is the conclusion of the Personal Data Authority (AP) after a two-year investigation. On the one hand, the violation consists of raising a threshold for data subjects by only being able to submit a request for inspection by mail once a year free of charge. On the other hand, the AVG was violated because free electronic inspection was not possible at all. This resulted in BKR being fined EUR 830,000. In this blog you can read more about the penalty decision of the AP.
Affected persons had two options at BKR for access, either through an electronic customer environment or by mail. Electronic access required payment of a fee in the form of a subscription. Once a subscription was purchased, a year's worth of personal data could be accessed. Thus, electronic access was never free.
By mail, data subjects could request access once a year free of charge. According to BKR, multiple requests per year would be excessive and repetitive. A reasonable fee can be charged under the AVG. According to BKR, once a year inspection fits well with the information needs of consumers.
Since the introduction of the AVG, in principle, costs may no longer be charged for access requests from data subjects, unless the requests are manifestly unfounded or excessive, such as in the case of access requests of a repetitive nature. The AP ruled in the penalty decision that repetitive nature must be assessed on a case-by-case basis. According to the AP, BKR cannot therefore rule in advance that more than one inspection request per year is excessive and charge costs.
BKR argued that in practice it often did not charge for multiple requests per year. However, the AP considers this irrelevant because BKR made it known to the outside world that the inspection request can only be made once a year free of charge, thus creating a threshold for making an inspection request. This therefore still constitutes a violation of the AVG.
More from BANNING
The basic fine for not providing access free of charge by electronic means is EUR 310,000 (according to the AP's fining policy). For raising a threshold by making it known that a maximum of one free inspection request per mail per year can be made, there is a basic fine of EUR 525,000. Both penalty amounts were increased by the AP by EUR 75,000 and EUR 125,000, respectively, due to the seriousness of the violations. This is because BKR processes personal data regarding credit registrations. Although these data do not qualify as 'special personal data', they are personal data that by their nature are more sensitive than, for example, a name or age. In addition, the duration of the violation (approximately nine to eleven months), the large number of data subjects affected and the income obtained for these inspection requests makes this a serious privacy violation.
Finally, the total fine was mitigated because of the connection between the two violations. Indeed, both violations were about transparency so that data subjects can maintain control over their personal data.
Costs cannot simply be charged for requests for inspection. After all, the basic principle is that data subjects can do this free of charge. If you do want to charge for a review request, document why it is justified in that specific case.
It should also be avoided that data subjects are discouraged from requesting access. Proper provision of information is important here. This can be done, for example, through a privacy statement on the website. Clearly state how an inspection request can be made.
Incidentally, this fine decision by the AP will have a tailspin. In fact, BKR has indicated it will appeal this decision in court.
View the AP's fine decision here
