The Raad van State has halved the previously imposed fine on DPG Media for violation of the AVG to 262,500 euros. The Autoriteit Persoonsgegevens (AP) had imposed another fine of 525,000 euros on the media company in 2022, because customers who wanted to view or have their personal data deleted were required to show or send a copy of their ID - without being informed that they were allowed to shield their BSN and passport photo.
According to the regulator, with this policy, DPG Media imposed an unnecessary and too far-reaching threshold on people who wanted to exercise their privacy rights. The AP stated at the time that this collected too much personal data, and that the method "unnecessarily limited" the right to access and erase.
The Amsterdam District Court ruled in 2023 that while the AP was correct to find that DPG Media had violated the AVG, it found that imposing a fine was too harsh. On appeal, the Raad van State partially reversed this. According to the highest administrative court, DPG Media had indeed acted negligently and enforcement action by the AP was justified, although the Raad van State considered the amount of the fine disproportionate.
The fine was therefore cut in half, in part because the cases were limited and identity documents were not kept for more than a month. DPG Media had also changed its procedures even before the AP proceeded with enforcement. The company, which previously received a Big Brother Award for the biggest privacy violation in the Netherlands, has indicated that it is now taking a more careful approach to identity verification in requests for access.
