Netherlands: AP fines DPG Media €525,000 for unnecessarily requesting ID
The Dutch data protection authority ('AP') announced, on 24 February 2022, its decision, issued on 14 January 2022, to impose a fine of €525,000 on DPG Media Magazines B.V. (formerly known as Sanoma Media Netherlands B.V.) for unnecessarily requesting ID, in violation of Article 12(2) of the General Data Protection Regulation (Regulation (EU) 2016/679), following complaints submitted by its customers and subscribers.
Background to the case
In particular, the AP provided that, in the period of May 2018 to January 2019, it received five complaints about DPG Media's conduct with regard to requests for access to and erasure of personal data of data subjects. Moreover, the AP noted that, according to the complainants, DPG Media asked them for a copy of an identity document to verify their identity, as a condition for further processing their request for access or deletion.
Findings of the AP
Subsequently, the AP investigated DPG Media's policy regarding retrieval and processing of a copy of proof of identity with submitted requests for access to or erasure of personal data. Furthermore, the AP highlighted that the scope of the investigation was requests made by complainants outside the secure login environment of an account with DPG Media, which included submissions made via letter, email or web form for access to or erasure of personal data.
In its finding, the AP detailed, among other things, that DPG Media as a data controller processed personal data, including the name, address, place of residence and/or email address of its customers or subscribers for one of DPG Media's Dutch brands, or of persons who had an account on Schoolbank.nl.
In addition, the AP confirmed that, when receiving a request for access to or erasure of personal data made outside the secure login environment of an account with DPG Media, DPG Media always requested a copy of proof of the data subject's identity, including sensitive data, regardless of what contact information about the data subject was available at DPG Media, and without taking into account the nature and amount of personal data that was requested to be viewed or deleted. Further to this, the AP emphasised, disagreeing with DPG Media's view, that the exercise of data subjects' rights must be set up in such a way that a data subject is able to identify themselves in the least intrusive manner pursuant to Article 12 of the GDPR. As a result, the AP pointed out that the condition applied by DPG Media, namely submitting a copy of an identity document with a data subject's request, was disproportionate to the nature and amount of personal data about which a request was made.
Outcomes
In conclusion, the AP deemed it appropriate in view of the seriousness of the violation to impose a fine of €525,000 on DPG Media for acting in violation of Article 12(2) of the GDPR. Moreover, the AP notes that DPG Media has objected to the decision.
You can read the press release here and the decision here, both only available in Dutch.
UPDATE (30 March 2022)
EDPB publishes English summary of AP's decision to fine DPG Media €525,000 for unnecessarily requesting ID
The European Data Protection Board ('EDPB') published, on 28 March 2022, an English summary of the AP's decision to fine DPG Media €525,000 for unnecessarily requesting ID.
You can read the summary here.