Netherlands: AP fines BKR €830,000 for inadequate data subject access procedures
The Dutch data protection authority ('AP') announced, on 6 July 2020, its decision ('the Decision') to fine Bureau Krediet Registration ('BKR') €830,000 for imposing specific thresholds before allowing data subjects to access and inspect their data. In particular, the BKR had asked for the payment of a fee when individuals requested access to data as well as only allowing individuals to access their data at no cost once a year via post. Specifically, the AP decided that the data subjects request for inspection of their data was not excessive and that the BKR had violated Article 12(5) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') which provides that data controllers should allow data subjects access to and inspection of their personal data free of charge. In addition, AP noted that its decision on the fine is not final as BKR has appealed its decision before the judge.