The Credit Registration Bureau (BKR) in the Netherlands has been ordered to pay a €830,000 ($937,000) General Data Protection Regulation (GDPR) fine after being found guilty of infringing data subjects’ rights.
BKR was found to be charging fees and making it difficult for data subjects to access their personal data, a right which is given to data subjects in GDPR legislation.
Official complaints had been filed with the Dutch Data Protection Authority over the stringent conditions that BKR required to be met before it would hand over personal data to data subjects. Included among those conditions were the submission of a written request by post with an accompanying copy of a passport. BKR then needed 28 days to process the request and limited the data subject to one request per year. BKR also had a provision where a data subject could pay €4.95 to submit more than one request per year and have a quicker turnaround time for processing.
After reviewing the evidence at hand, the Dutch DPA came to the conclusion that BKR was in breach of GDPR due to not processing personal data free of charge and for making access to the data difficult for data subjects. BKR had argued that it was reasonable to allow one free request per year; however, the DPA did not accept this defense. The DPA said entities are only entitled to refuse access requests if they are deemed ‘manifestly unfounded or excessive’.
BKR is the authority that manages the Netherlands’ central credit information system. Its duties include overseeing Dutch credit registrations and repayment behavior by individuals, including details on insolvency, sanction screening, and publicly exposed persons’ registrations. This system is accessed by groups such as financial institutions, municipalities, payment service providers, and car lease firms (e.g. to verify whether the person is eligible for finance such as a loan, mortgage, or credit card).
Reacting to this ruling, Peter van den Bosch, chairman of the BKR Foundation board, said: “Privacy and reliability of data are at the top for the BKR Foundation. The privacy of consumer data has always been guaranteed. The fine is not about that. We believe that legislation has always been followed by us.”
“Since the introduction of the GDPR, consumers have always had free access to their own data within the legal term. Initially, only written access was given, to ensure that personal data came to the right person. As soon as the AP’s position became clear, the BKR Foundation also provided digital free access to consumers. The BKR foundation is now submitting the fine decision to the court to request clarity on this.”