National Credit Register (BKR) fined for personal data access

Summary

The National Credit Register (BKR) in the Netherlands offered two options for complying with a request for access from a data subject:

1. A free option where a data subject could send a manual inquiry by post once per year, or
2. a paid yearly subscription option that gave the data subject unlimited access to their personal data.

BKR argued that they were allowed to charge a fee for electronic access because when a data subject had unlimited access to their personal data, it constituted requests of a repetitive nature.

They also argued that they could set up a maximum of one free access per year because more requests than that would be repetitive. They selected that figure because consumers requested access to their credit status on average once a year.

Our remarks

• Providing the data subject with free postal access to personal data once per year does not entitle data controllers to charge a subsequent fee for providing an electronic copy of the personal data.
• One cannot set up a general cap restricting the number of free requests a data subject can make per year. It must be demonstrated on a case-by-case basis that the given requests are repetitive.
• The ability to view data in a digital portal for a year after payment does not constitute repetitive requests. Therefore, the data controller cannot, on a general basis, charge a fee to provide access to the data subjects.
• A data controller may never discourage data subjects from exercising the right to access their data. The Dutch data protection authority found that the BKR had actively discouraged the exercise of this right when communicating one free access per year in its privacy policy.
The decision of the Dutch DPA

The Dutch DPA imposed a fine of 830,000 EUR on the BKR for the following violations:

• Asking data subjects to pay a fee to provide them with electronic access to their personal data: 385,000* EUR (GDPR, Article 12(5)).
• BKR’s practice discouraged data subjects from filing an access request: 650,000* EUR (GDPR, Article 12(2)).

*The total fine was reduced by 20% due to the similarities between the two violations and so that the DPA did not violate the principle of proportionality.

Published: 20-12-2019
Journal number: N/A
Tags: 01 Legal basis and principles of processing

Published: 30-07-2019
Journal number: N/A
Tags: 02 Right of access and obligation to provide information
