The Personal Data Authority (AP) is fining DPG Media 525,000 euros. The media company gets the fine because people who wanted to view their data or have it deleted had to upload proof of identity first. That is not required in this situation. As a result, the media company requested too much personal data.
The AP received several complaints about how Sanoma Media Netherlands B.V. (before Sanoma was acquired by DPG Media in April 2020) handled such requests. For example, the people who complained had a subscription to a magazine or they received advertising from Sanoma.
Anyone who wanted to know what personal data Sanoma and DPG Media kept, or wanted to have data erased, first had to upload or send proof of identity. These people were also not informed by Sanoma and DPG Media, when sending the ID digitally, that they were allowed to shield data from it.
It involved customers of DPG Media who had not created an online account with DPG Media. These customers had a harder time accessing their data to view or change it. DPG Media changed its practices after the Sanoma acquisition. DPG Media now sends a verification email to establish an applicant's identity. This ended the violation.
Sanoma and DPG Media requested far too much data by requiring a copy of ID. And thereby made it far too complicated for customers to view data or have it deleted.
Monique Verdier, vice president AP: "An identity card should never be requested just like that. It contains a lot of personal data. Even if parts of an identity document are shielded, a copy often remains too heavy a means to determine whether someone is who they say they are. Copies of identity documents must also be kept with great care.
You shouldn't think about copies getting into the wrong hands through a ransomware attack or another data breach. That could lead to identity fraud and have major consequences for the people behind this personal data."
DPG Media objected to the decision.
