The Dutch Data Protection Authority (DPA) has issued a record subject access request fine to BKR. The fine, totalling €830,000, was for charging fees and discouraging individuals who wanted to access their personal data.
Under the GDPR, individuals have the right to access personal data collected about them. The Dutch DPA received complaints about the restrictions BKR had set for accessing personal data:
- To get free access individuals had to send a written request via post, together with a copy of a passport.
- BKR indicated that submitting an access request via post could “only be requested once a year.”
- For immediate digital access to their personal data or multiple access requests per year, individuals would have to subscribe with BKR for a minimum annual payment of €4.95.
The Dutch DPA, unsurprisingly, concluded that these practices violated the GDPR. It stated that access requests may only be denied where requests from an individual are manifestly unfounded or excessive, in particular because of their repetitive character (something that should be assessed on a case-by-case basis). The organisation bears the burden of demonstrating the manifestly unfounded or excessive character of the request.
Requests by individuals to access their personal information are often challenging for organisations to deal with, and it’s understandable that BKR would want to minimise the number of such requests. However, one of the fundamental intentions of the GDPR was to give individuals more control over their personal information. As this case shows, placing barriers in the way of people wanting to exercise that control runs a risk of incurring a very significant subject access request fine.