Netherlands: AP fines International Card Services €150,000 for failing to conduct acceptable DPIA

On January 15, 2024, the Dutch data protection authority (AP) announced its decision, as issued on December 18, 2023, to impose a fine of €150,000 on International Card Services B.V. (ICS) for violation of the General Data Protection Regulation (GDPR), following an investigation.

Background to the decision

In particular, the AP highlighted that ICS started digitally identifying customers in 2019, and that personal information used for identification was sensitive in nature. Personal information included names, addresses, telephone numbers, emails, and a photo that customers had to take of themselves, which were then compared with customer IDs. The AP clarified that financial institutions are required to identify their customers.

Findings of the AP

Following its investigation, the AP found that ICS processes the personal data of approximately 1.5 million customers in the Netherlands and that such data is retained by ICS for as long as they remain customers. Further, the AP determined that because the personal data processed by ICS presents a high risk to the rights and freedoms of natural persons, ICS was required to carry out a data protection impact assessment (DPIA). More specifically, the AP held that ICS failed to satisfy the criteria for an acceptable DPIA, not to be confused with the criteria for whether a DPIA should be carried out. The procedure carried out by ICS was determined not to provide a systematic description of the processing, and not to assess the necessity and proportionality of the processing or the measures contributing to the protection of data subject rights. Additionally, the AP noted that it was unclear whether the data protection officer (DPO) was involved in processing. More generally, the AP outlined that ICS failed to recognize that large-scale processing was involved, thereby violating Article 35 of the GDPR.

Outcomes

The AP therefore deemed it appropriate to impose a fine of €150,000 for the aforementioned violation.

You can read the press release here and the decision here, both only available in Dutch.