Out-Law News
02 Mar 2022, 10:52 am
The Dutch Data Protection Authority (DDPA) has fined a Benelux advertising company for failing to implement its process for the exercise of data subject rights in an appropriate manner.
The DDPA fined DPG Media, a company headquartered in Belgium, €525,000 for a disproportionate identification process when dealing with requests to access and delete personal data.
An investigation found that DPG always asked data subjects for a copy of an identity document, such as a passport, when it received a data subject rights (DSR) request. The company said it only processed DSR requests after the identity document had been provided.
According to its report (19 page / 663KB PDF, in Dutch) the DDPA said the company did not inform the data subject they should redact sensitive data such as a national identification number in their identity documents.
The regulator also found that where no identity document was provided, DPG did not comply with the request to delete data.
The DDPA said a data controller should not create barriers for data subjects to exercise their rights to access their personal information. While it was important to verify the identity of applicants wishing to exercise DSR requests, any further information required should be proportionate.
According to the DDPA, it was disproportionate to require a copy of an identity document if someone’s identity could be verified in another way. For instance, identity documents show, among other things, the very sensitive and strictly regulated citizen service number of Dutch citizens. It noted DPG had, since December 2020, begun verifying identities through verification e-mails, which was appropriate.
The DDPA said the policy to ask for identity documents had been systematic and would have affected “several hundred” data subjects, who were hindered in exercising their rights under the Dutch implementation of the EU’s General Data Protection Regulation.
Amsterdam-based data protection expert Andre Walter of Pinsent Masons said the ruling confirms that enforcing data subject rights is one of the priority areas of the DDPA.
“Mentioning the existence of data subject rights in your website privacy notice, and expressing the willingness to grant those rights, is not sufficient anymore four years after the GDPR came into force,” Walter said. “Companies must make sure their DSR procedures are detailed enough and properly implemented.”
Nienke Kingma, data protection expert at Pinsent Masons, said this is not the first time that the DDPA has imposed a GDPR fine for non-compliance with the rules on data access requests. In 2020, the DDPA fined a credit registration agency €830,000 for imposing thresholds that were too high for data subjects requesting access to their data by, among other things, charging a fee to data subjects.