It’s unlikely the regulated community wants to learn the consequences of GDPR noncompliance the hard way. But to avoid significant fines and attention from enforcement authorities, these organizations will likely need to go beyond de minimis compliance with the data protection law’s requirements.
The Dutch Data Protection Authority’s July 2020 action is a noteworthy reminder of just how costly GDPR rule-breaking can be. The authority issued a fine of €830,000 to the Dutch Credit Registration Bureau for noncompliance with data access request elements of the European Union’s privacy laws.
The issue here was the management of data access requests by the Dutch Credit Registration Bureau, also known as the Stichting Bureau Krediet Registratie or BKR. A number of people — also referred to as data subjects — complained to the Dutch Data Protection Authority about BKR’s handling of requests to access data. Under GDPR, people generally have the right to learn what personal information is being collected about them.
The investigation by the Dutch Data Protection Authority revealed that BKR only allowed people to request copies of their data once a year by mail without charge. Otherwise, they had to purchase an annual paid subscription to access this information.
Why Did This Violate GDPR?
These practices didn’t fly with the Dutch Data Protection Authority. It determined that BKR violated GDPR Article 12(5), a provision specifying that when people request data that’s collected about themselves, it’s to be provided free of charge unless the requests are unfounded or excessive. What qualifies as an excessive number of requests should be determined on a case-by-case basis, according to the Dutch Data Protection Authority.
The authority also deemed BKR in violation of GDPR Article 12(2). Under this provision, data controllers are to “facilitate the exercise of data subject rights.” The Dutch Data Protection Authority found that by limiting the number of free personal data inquiries to once-a-year paper requests, BKR actually discouraged people from seeking access to their data.
Costly Consequences of GDPR Noncompliance
Under GDPR Article 83, organizations deemed noncompliant with the law’s data subject rights requirements may be fined up to €20 million or 4% of their total worldwide annual turnover from the previous financial year, whichever is higher. When determining the amount to fine an entity, GDPR enforcement authorities consider a number of factors, such as:
- The duration and gravity of the violation.
- Cooperation by data controllers or processors in the investigation.
- Actions taken by data controllers to mitigate damages to data subjects.
In BKR’s case, the Dutch Data Protection Authority opted to reduce the overall fine by 20% because while deemed in violation of GDPR, its data request procedure was transparent — a requirement of Article 12.
Key GDPR Noncompliance Takeaways
For entities subject to GDPR, bare-minimum adherence to the law’s requirements likely won’t pass muster with enforcement authorities. As much as lawyers like to discuss gray areas of the law, enforcement authorities seem to be seeking robust GDPR compliance.
So to avoid attracting unwanted attention and penalties, organizations will want to practice due diligence in ensuring they’re fully compliant with the European privacy law.