Dutch company issued record EUR 830,000 fine... not for refusing a Data Subject Access Request... but for doing it incorrectly.
14th July 2020
This is a big fine, and the company were aware of the GDPR regulation regarding this: they did have procedures to supply individuals with a copy of their data. However, they were applying them incorrectly, and the Dutch DPA came down hard.
Let’s start at the beginning: What is ‘Right of access’?
The GDPR gives individuals the ‘right of access’ to their personal data. This is known as a Subject Access Request (SAR). A person can make a Subject Access Request either in writing or verbally. Organisations have one month to respond to these requests, and they cannot charge a fee to deal with this ‘in most circumstances’. (www.ico.org.uk)
So, what did they do wrong?
The fine was issued against the Dutch Credit Registration Bureau (The BKR) for violating GDPR data subject rights.
In short, where they went wrong was in making it too difficult for people to access their data. To get free access, individuals had to send a written request by post, along with a copy of their passport. Their procedures did state that it would be handled within 28 days, but also that it could only be requested once per year.
The BKR did offer immediate digital access, or allow multiple access requests per year, but this was chargeable, albeit starting from just EUR 4.95.
So they have done two things in direct contravention of the GDPR.
- They required the request to be in writing (for it to be free).
- They charged for the Subject Access Request.
Whilst there is a slight grey area over how often ‘multiple times per year’ is considered reasonable, and when it becomes chargeable (a charge is allowed if it becomes unreasonable), the Dutch DPA was absolutely clear that this decision should be made on a case-by-case basis at the time of the individual request.
How should I manage Subject Access Requests?
As you can tell from the scenario above, this is a minefield and the cost of getting it wrong, even when you have procedures in place, can be huge. So, don’t take any chances and if you are unsure, please do take the advice of a specialist. In the meantime, a few thoughts to get you started:
- Do you know what an SAR is and when it applies?
- Do you have a policy in place for how to deal with them?
- Are you aware that you can refuse a request under certain circumstances?
- Did you know that best practice is for you to provide the information to the data subject electronically?
We have put together a brief video on Data Subject Access Requests as part of our Compliance Elementals Series, and this is free for you to view here. However, if you require specific guidance relating to your organisation, please do get in touch with one of the specialists here at The Griffin House Consultancy, where we provide training, advice and project management on all matters relating to the GDPR and data protection, for corporates, businesses, the civil service and the third sector.