AP (The Netherlands) - 14.01.2022
Latest revision as of 17:05, 12 December 2023
AP (The Netherlands) - DPG Media Magazines B.V. | |
---|---|
Authority: | AP (The Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 5(1)(c) GDPR; Article 12(2) GDPR; Article 12(6) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 24.02.2022 |
Published: | 24.02.2022 |
Fine: | 525,000 EUR |
Parties: | DPG Media |
National Case Number/Name: | DPG Media Magazines B.V. |
European Case Law Identifier: | n/a |
Appeal: | Pending appeal |
Original Language(s): | Dutch |
Original Source: | DPA's Fine Decision Letter (in NL) |
Initial Contributor: | Giel Ritzen |
The Dutch DPA issued a €525,000 fine against a media company for a violation of Article 12(2) GDPR by asking data subjects to upload a copy of their ID to verify their identity in order to exercise their rights of access and erasure.
English Summary
Facts
The controller is DPG Media, a Dutch company that exploits books, magazines, and (news)papers. Between May 2018 and January 2019, the Dutch DPA received several complaints from data subjects who did not have an account with DPG Media, and had to provide a copy of their ID, as verification, before they could submit an access request pursuant to Article 15, or an erasure request pursuant to Article 17 GDPR (the same was not requested from users who had an account).
DPG Media argued that the ID request was justified under Article 12(6) GDPR, as there were no other options to correctly verify the data subject’s identity. The DPA then started an investigation into how DPG Media dealt with access and erasure requests from data subjects who did not have an account with DPG Media.
Holding
The DPA noted that, although the controller must verify the data subject’s identity, it may violate Article 12(2) GDPR if it hinders the data subject from exercising their rights. Moreover, as follows from the principle of data minimisation, the identity verification must satisfy the requirements of proportionality and subsidiarity. Hence, the controller must, in principle, try to verify a data subject’s identity based on the information it already has on this data subject. The DPA further noted that, considering the very sensitive information an ID contains, one can only request a copy of the ID if there is a legal basis to do so.
The DPA found that, considering the sensitive information on an ID, and that it is possible to verify the data subject’s identity based on other information (like subscription details, name, and email), it is disproportionate to request, in all cases, a data subject’s ID for verification. Hence, the DPA concluded that DPG Media violated Article 12(2) GDPR for not facilitating the data subject’s rights sufficiently. The DPA imposed a fine of € 525,000 and considered that this was appropriate, due to the sensitivity of the personal data, the systemic nature of the infringement, and the fact that DPG Media did not change the privacy policy on their website until 18 October 2021.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Authority Personal Data
PO Box 93374, 2509 AJ The Hague
Bezuidenhoutseweg 30, 2594 AV The Hague
T 0708888500 - F 0708888501
authority data.nl

Confidential/Registered
DPG Media Magazines B.V.
Attn. the board
PO Box 1900
2130 JH Hoofddorp

Date Unidentified 14 January 2022 [CONFIDENTIAL]
Contact [CONFIDENTIAL]
Subject: Decision to impose a fine

Dear Sir / Madam,

The Data Protection Authority (AP) has decided to impose an administrative fine of €525,000 on DPG Media Magazines B.V. (DPG). The AP has concluded that DPG, with its policy and the active dissemination of it, has hindered the right of access and the right to erasure of data subjects. DPG has raised unnecessary barriers to being able to use these rights. DPG infringed article 12, second paragraph, of the General Data Protection Regulation (GDPR).

The AP explains the decision in more detail. Chapter 1 concerns an introduction and chapter 2 contains the facts. The AP assesses in chapter 3 whether there is processing of personal data, the controller and the violation. In chapter 4 the (height of the) administrative fine is elaborated and chapter 5 contains the operative part and the remedies clause.

1. Introduction

1.1 Involved organization

This decision relates to DPG Media Magazines B.V. (DPG), located at 65 Capellalaan, Hoofddorp. DPG is a media house that publishes and exploits magazines, magazines and books. On April 20, 2020, the statutory name of Sanoma Media Netherlands B.V. changed to DPG Media Magazines B.V. [2] DPG's activities have remained unchanged.

In the period from May 2018 to January 2019, the AP received complaints about the conduct of DPG with requests for information and requests for the erasure of data of data subjects (hereinafter: 'complainants'). According to the plaintiffs, DPG asked for a copy of an identity card of the complainants for verification of their identity, as a condition for (further) processing their request for information or deletion.
The AP then investigated DPG's policy on querying and processing of a copy of the identity card with submitted requests for inspection or deletion of personal data. The AP focused the investigation exclusively on the policy and conduct of DPG with regard to access and erasure requests that were submitted outside the secure login environment of an account with DPG. This concerns requests that data subjects submitted by letter, e-mail or via a web form. DPG's policy and behavior with regard to requests that were submitted within an account's digital login environment were beyond the scope of the research.

1.2 Process flow

During the investigation, the AP requested information from DPG and the complainants. The AP also requested DPG to respond separately to the relevant complaints. DPG complied with these requests.

By letter dated 7 October 2021, the AP sent DPG an intention to enforce, together with the underlying report with findings. DPG submitted a written statement on 16 November 2021. Finally, at the request of the AP, DPG provided additional information on December 16, 2021.

[1] Chamber of Commerce number: 33133064.
[2] Where necessary, we will still speak of Sanoma Media Netherlands B.V.

2. Facts

2.1 Customer data

DPG published magazines that customers could subscribe to. DPG sent magazines to its customers by reason of these subscriptions. For this it had the name, address and place of residence of its subscribers. [3] DPG also had available financial data (bank details) of its subscribers. Of persons who had themselves subscribed to a newsletter or who had applied for a Schoolbank account, DPG had available at least some of this information, such as a name and email address.
In the issues of the complainants, it appears that DPG approached the complainants in different ways:
- Some of the complainants had/have a subscription to DPG;
- One complainant also had/has an account at Schoolbank.nl; and
- One complainant stated not to have been a subscriber, but only to have received advertising (for, among others, Dragonfly) at her home address, presumably after leaving contact details with a DPG website or magazine.

2.2 Digital customer database

DPG supplies its products to its customers in particular by sending (among other things) magazines. In this context, DPG uses the aforementioned data to ship these products by post or by e-mail. The same was true for the advertising works that DPG sent. [5]

DPG has stated to the AP that it stores data in a digital customer database. This also turns out from the fact that an online profile of the person concerned could be created using this data. See above print from the DPG website. [6]

[3] Research report AP of September 29, 2021, p. 5.
[4] The online platform www.schoolbank.nl was owned by DPG up to and including 2020.
[5] AP research report of September 29, 2021, p. 4 and 6.
[6] AP research report of September 29, 2021, p. 5.

2.3 Privacy Policy DPG

The privacy policy stated that the privacy policy applied to data processing by, among others, Sanoma Media Netherlands B.V. (now: DPG) and that Sanoma Media Netherlands B.V. was the controller for the processing of personal data for its Dutch brands (which included the Belgian activities of VTWonen). [7]

2.4 Access and Removal Request Policy

2.4.1 DPG's general working method during the research period

Data subjects can request access and erasure from DPG as referred to in articles 15 and 17 of the GDPR. Data subjects can submit these requests in two ways:

1) The most common way was by making such a request within the digital login environment of a DPG account of the data subject.
As stated in paragraph 1.1 of this decision, this fell outside the scope of the investigation, since with this way of submitting no copy of an ID was requested.

2) Another way, which this decision does look at, was to submit a request for access or deletion of data outside the login environment of the account. This could be done via an online form on the DPG website (then www.sanoma.nl), by e-mail or by letter. [8]

In processing requests for access to and deletion of personal data submitted outside the login environment of an account, DPG used the following standard method. Upon receipt of a request for information or deletion of personal data, DPG always asked the data subject for a copy of an identity document. If the data subject had submitted a request via the online form, a copy of an identity document was then automatically asked for. If the request was submitted by e-mail, DPG sent an e-mail with the request to provide a copy of the identity document. DPG indicated that a request was only taken into treatment after a copy of an ID was provided. [9]

[7] Research report AP of September 29, 2021, p. 6-7.
[8] Research report AP of September 29, 2021, p. 7.
[9] Ditto.

When asked, DPG described this standard way of working towards the AP as follows.

"When someone asks via our online contact form to see and/or delete the data that we have processed of that person, then the request to send a copy of identification with the request appears in the contact form automatically. Awaiting the copy of the identity document, the request remains open. As soon as we have received a copy of the identity document and the data of the applicant correspond with the details of the customer registered with us, then we will carry out the request for deletion. Requester then also receives confirmation of the processing of the request submitted by him."

DPG also admitted in its privacy statement that it always asked for a copy of a (valid) identity document to identify the applicant.
DPG listed in its privacy statement [11] and on the website section that contained Q&As about, among others, privacy:

In the communication DPG had with the complainants after receipt of the digital requests for access and deletion, this was also not indicated as a possibility by DPG. [12] This unlike requests that were made by post, where DPG stated in its privacy statement that a shielded copy (in which the citizen service number and photo are made unrecognizable) is sufficient. [13]

DPG has stated that on the basis of article 12, sixth paragraph, of the GDPR it felt entitled to establish the identity of the persons involved by means of a copy of an identity document, before DPG proceeded to give insight into or erase the data present with it of the person concerned. [14] Only when it was established on the basis of a copy of an identity document that the person concerned was the one who had submitted the request, this request was executed. So DPG established, in the event that a request was submitted outside the login environment, the identity of the person concerned only on the basis of a copy of the identity document to be provided.

[10] Research report AP of September 29, 2021, p. 8.
[11] Ditto.
[12] Research report AP of September 29, 2021, appendix 1 always under A and E.
[13] AP research report of September 29, 2021, appendix 4 'Website Sanoma'.
[14] Research report AP of September 29, 2021, p. 8.

DPG did not have other ways of establishing the identity, she stated. In all cases, after receipt of the request, a copy of the identity document was requested. According to DPG, this was necessary to prevent, with requests for access, a person from gaining access to data that should not be available to this person. [15]

When asked, DPG stated that in the period from January 1, 2019 to June 1, 2019 it received about 11,000 customer requests related to the subject of privacy, and that the majority of these requests concerned deletion.
According to DPG, about 9,400 of these were requests within the secure login environment of an account (in which case no copy of the identity document was required to be provided) and only a small number of requests for erasure was submitted outside the login environment, i.e. about 60 requests. [16]

2.4.2 DPG's general working method after the statutory name change as of April 20, 2020

In its investigation, the AP has concluded that the method of asking a copy of proof of identity with a request for access or deletion of personal data, submitted outside the login environment of an account, continued since the statutory name change on April 20, 2020. [17] On June 18, 2021, the AP also determined that in DPG's privacy and cookie policy it is indicated that DPG will ask for a valid ID from the person who wants to exercise his rights. [18]

As a result of DPG's view, the AP has determined that as of December 17, 2020, DPG no longer asks for a copy of an ID with a request for access to or deletion of personal data outside the login environment of an account. DPG then sends a verification email to establish the identity of an applicant. DPG has adapted its privacy statement in accordance with this new method and published it on October 18, 2021. [20]

2.4.3 Complaints

The AP received five complaints about the way in which DPG fulfilled requests for access to and erasure of personal data. These five complainants had only made a request for access to or deletion of personal data at DPG by means of the online contact form or by e-mail. One complainant requested DPG for access to personal data and four complainants requested the erasure of their personal data. [21]

[15] Research report AP of September 29, 2021, p. 8.
[16] AP research report of September 29, 2021, p. 9.
[17] Ditto.
[18] AP research report of September 29, 2021, p. 9 and appendix 7.
[19] Letter dated December 16, 2021 from DPG to the AP, response to information request AP dated November 25, 2021.
[20] Opinion DPG of 16 November 2021, p. 11; Letter of 16 December 2021 from DPG to the AP, response to information request AP from November 25, 2021; https://privacy.dpgmedia.nl/document/privacystatement.
[21] Research report AP of September 29, 2021, p. 9.

In all cases DPG requested complainants, immediately after submission of the request by complainants, to provide a copy of an identity document as a condition for (further) handling the submitted requests. [22]

Four complainants did not comply with the request of DPG to provide an identity document. DPG subsequently did not consider these erasure requests. These complainants indicated that they were not prepared to provide a copy of their ID because they found this to be a 'heavy duty'.

One complainant sent a copy of an identity document to DPG. However, this complainant did not receive any insight from DPG after sending a copy of the identity document. DPG confirmed that the copy of the ID was by mistake not linked to the account of the complainant. The complainant was again asked for a copy of ID. After this, the complainant lodged a complaint with the AP. [24]

2.4.4 DPG's working method with regard to complaints during the investigation period

At least four of the complaints submitted showed that DPG, in the cases where no copy of the proof of identity was provided, did not respond to the submitted requests for access to and erasure of personal data. DPG subsequently did not (further) process the requests.
This method also finds support in the statement of DPG at the time of the investigation:

"At the moment that you request through our online contact form to see and/or remove the data that we have processed about that person, then the request to send a copy of identification evidence with the request will automatically appear in the contact form. (…) If a request for access and/or deletion is sent without a copy of ID, the customer service in the reaction to the applicant anymore. (…) Awaiting the copy of the identity document, the request remains open. As soon as we have received a copy of the identity document and the data of the applicant correspond with the details of the customer registered with us, then we will carry out the request for deletion. Requester then also receives confirmation of the processing of the request submitted by him. (…)" [26]

[22] See also paragraphs 2.4.1 and 2.4.2.
[23] Research report AP of September 29, 2021, p. 10.
[24] Research report AP of 29 September 2021, p. 10.
[25] Idem.
[26] Idem.

3. Rating

3.1 Personal data and the controller

DPG processed, among other things, the name, address, residence and/or e-mail address of customers/subscribers of one of the Dutch brands of DPG, or of persons who had an account on Schoolbank.nl. With this data, DPG could identify natural persons. DPG thus processed personal data within the meaning of article 4, part 1, of the GDPR.

The AP has further established that the privacy policy stated that Sanoma Media Netherlands B.V. was the controller responsible for the processing of the data for the Dutch brands, and that the privacy policy applied to all DPG products and services. The privacy policy also included how a data subject could get a view into his data and how a data subject could have his data removed.
Furthermore, statements from DPG show that it also actually determined the purpose and the means for the processing of personal data in relation to submitted requests for access to or erasure of personal data. These statements show that DPG independently determined which data had to be provided by requesters of access and erasure requests (resource) and why that data had to be provided (purpose). [27]

In view of the foregoing, the AP establishes that DPG is the controller within the meaning of article 4, part 7, of the GDPR for the processing of data relating to the submitted requests for information or erasure of personal data.

3.2 Facilitating rights of data subjects

3.2.1 Legal framework

Pursuant to Article 12, second paragraph, of the GDPR, the controller must facilitate the exercise of the data subject's rights under articles 15 to 22 of the GDPR. The right of access to personal data (article 15 of the GDPR) and the right to erasure of personal data (article 17 of the GDPR) are included among these.

Recital 59 of the GDPR further clarifies the standard in Article 12 of the GDPR:

Arrangements should be made available to enable the data subject to exercise his/her rights under this Regulation more easily, such as mechanisms for requesting and, if applicable, obtaining free of charge access to and rectification or erasure of personal data, as well as to exercise the right to object. […]

[27] Research report AP of September 29, 2021, appendix 1 always under E.
Recital 63 of the GDPR mentions, among other things:

A data subject must have the right to inspect the data collected about him, and to exercise that right simply and at reasonable intervals, so that he can become aware of the processing and can verify its legitimacy. […]

Pursuant to the above, the controller must have an arrangement in place to enable data subjects to easily and simply exercise their rights. The controller may not thereby create unnecessary barriers for data subjects to exercise the aforementioned rights. When a controller has a policy that hinders the exercise of the aforementioned rights and actively promotes this policy, there may be a violation of article 12, second paragraph, of the GDPR. [28]

Verifying the identity of a natural person who makes a request for access or deletion is an indispensable part of an arrangement within the meaning of article 12, second paragraph, of the GDPR. After all, the controller is required to ensure adequate security for the data processed by it, including against unauthorized or unlawful processing. [29]

In addition, when verifying a requester's identity, the controller must observe the principle of data minimization as referred to in article 5, first paragraph at c, of the GDPR. It follows that when verifying the identity of the requester in the context of the exercise of his/her rights, the data requested by a controller should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. The principles of proportionality and subsidiarity should be taken into consideration here. The data requested to verify the identity of the requester must be in proportion to the purpose served by its processing (proportionality). And this purpose cannot be realized in a less disadvantageous, less radical way (subsidiarity).
It is disproportionate to require a copy of an identity card if the identity of the person concerned can be verified in another way. In addition, the processing of copies of proofs of identity is a major risk to the security of personal data. In addition, the controller cannot be sure that the copy is authentic and that the owner of the identity card is actually the applicant, for example by (unauthorised) access to identity cards by roommates and forged copies of identity cards.

All of the foregoing implies that a controller's policy regarding the exercise of data subject rights must be set up in such a way that a data subject can identify himself in the least radical manner. And that this policy is geared to (among other things) the risk to the rights and freedoms of persons, particularly in view of the nature and amount of data of which access or deletion is requested and the context within which the request is made. In many cases this will mean that, as much as possible, the identity of the requester is established primarily on the basis of data that a controller already processes.

[28] See also ECLI:NL:RBGEL:2020:3159, considerations 9.7 and 9.8.
[29] See article 32 of the GDPR.

Should a controller, despite the data provided by a data subject with the initial request, still have reasons to doubt the identity of the natural person submitting the request, the controller may, under article 12, sixth paragraph, of the GDPR, ask the person concerned for additional information. Article 12, sixth paragraph, of the GDPR therefore relates mainly to individual cases, where in the concrete case there are reasons to doubt the identity. In that case, article 12, sixth paragraph, of the GDPR allows a controller to request additional information necessary to establish the applicant's identity, provided he can demonstrate that he cannot verify the identity of the data subject without additional data.
But here too, the controller may only request (additional) information that is necessary. The above principles of proportionality and subsidiarity also apply here.

3.2.2 Assessment

The AP established in chapter 2 that DPG, outside the login environment of an account, always requested a copy of an ID. [30] DPG made this request regardless of which (contact) information was available at DPG about the person concerned and without taking into account the nature and quantity of personal data of which access or erasure was requested. DPG's working method was also arranged such that if a copy of the identity document was not provided by the person concerned, the request for access or erasure was not (further) taken into consideration for this reason. One complainant provided a copy of the ID, which resulted in DPG needlessly processing sensitive data (such as the Citizen Service Number).

In view of the above legal framework, arrangements for the exercise of rights of data subjects must be set up in such a way that a data subject can identify himself in the least intrusive way. In the opinion of the AP, this means that DPG must identify a data subject as much as possible primarily using data that DPG already processes. An example of this can be a subscriber/customer number in combination with a name and address and/or e-mail address of a requester.

Now that a copy of an identity document was required by DPG of data subjects in advance and by default, without first checking whether DPG (already) had other (identifying) (contact) information and without taking into account the nature and amount of data, the AP is of the opinion that data subjects could not claim their rights under the GDPR in an easy and simple way. In other words, DPG did not ask for a copy of the ID based on a concrete assessment per individual case as referred to in article 12, sixth paragraph, of the GDPR. But DPG asked in advance for a copy of the identity document, because this was the policy in force.

[30] For example, via an automatic request that appeared in the contact form or a follow-up e-mail.

This policy of DPG and the active promotion of it on the website and through DPG customer service, among other things, also ensured that an unnecessary threshold was raised around the submission of requests for access to and deletion of personal data.

DPG's policy has also acted as a barrier in practice, with regard to complainants, at the requests for access and deletion. It appears from the complaints submitted that this method of DPG provoked resistance, which resulted in the complainants (in some cases) not being prepared to provide a copy of their identity card. The refusal to provide a copy of the identity card had the consequence that DPG, for this reason, did not (further) take the requests of a number of complainants into treatment. The policy and implementation of DPG also effectively threw up an obstacle, with regard to the complainants, to the exercise of the right to access or erasure.

The AP would particularly like to note that the condition used by DPG of submitting a copy of an identity document with a request from a data subject was disproportionate to the nature and amount of data of which access was requested. In addition, organizations may only process the Citizen Service Number if this is determined by a specific law. This is all the more important when requesting a copy of the identity document, because it is recommended by the central government to be careful with providing (protected) copies of the identity document. This document contains sensitive data. The combination of data listed on the proof of identity moreover makes identity fraud possible. The AP also points out on its website that providing a copy of an identity document entails a risk.
[32]

3.3 Opinion DPG and response AP

DPG has put forward a point of view on the research findings of the AP. The AP sets out DPG's view, briefly summarized, below, with a response from the AP.

3.3.1 Necessary copy of ID

DPG argues in its view that the identity of a small group of people involved cannot be determined by personal security data, as the information they provide is not verified/linked to information in DPG's systems (because they are not logged in). A requester who submits a request for access or erasure outside the secure environment must therefore provide additional information. In this way, DPG can check and show that this person has a right to access or deletion of the personal data (i.e. qualifies as a data subject) and that DPG has a legal basis to delete any data that it processes about this requester or to provide it to this requester (i.e. determine whether the requester involved is who they say they are).

[31] See section 2.4.3.
[32] https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/identification/identity proof.

As long as DPG cannot establish the identity of the requester, DPG believes that the GDPR is not applicable. [33] For the handling of the GDPR request, it is sufficient that DPG indicates that it is not able to determine the identity of the applicant and asks for additional information in compliance with article 12, second paragraph, second sentence, of the GDPR.

DPG furthermore deems it necessary to request a copy of proof of identification. This way effectively limits the risk that DPG provides a copy of the data to, or removes personal data of, the 'wrong' data subject, which would entail a violation of article 6 of the GDPR. The use of a copy of ID is the least intrusive way to establish identity properly and is moreover attuned to the real risk for the rights and freedoms of persons. [34]
Without a copy of proof of identity, the identity of an applicant cannot, according to DPG, be (properly) established and DPG may, by virtue of articles 5 and 6 of the GDPR, refuse to follow up on such requests as desired by the requester.

The AP does not follow DPG's view. The AP emphasizes that in this decision it has assessed how DPG has facilitated or determined the rights of data subjects and in the end whether or not they were identifiable. The case law cited by DPG in which judgment was made about the identification of an individual within the framework of article 15 of the GDPR and 35 of the Personal Data Protection Act (Wbp) is therefore not considered relevant by the AP in this case. That a copy of a proof of identity may be necessary in an individual case between a citizen and government does not yet mean that asking for this in advance is necessary in all cases.

Furthermore, the AP disagrees with DPG's statement that it is necessary in all cases to obtain a copy of the identity card from the requester what data she already possesses about the requester identification is possible, thanks to a controller, requests and shielded to show proof of identity. DPG has also stated itself during the investigation that in some cases a customer can already be identified by name and address; sometimes additional data such as subscriber number or email address are necessary. [35] In addition, DPG currently uses the adapted method by which a verification email is sent to determine the identity of a requester. Processing copies of identity cards containing sensitive data such as the citizen service number, photo, height and nationality is in this case in conflict with the principle of data minimization and lawfulness (article 5, paragraph 1 at sub and article 6 of the GDPR). That DPG in advance requires a copy of the (moreover, unscreened) identity document at all in processing a request does not facilitate the exercise of the rights of those involved.

[33] DPG refers to ECLI:NL:RBOVE:2021:1296, r.o. 8.
[34] DPG refers to ECLI:NL:RVS:2020:2833, r.o. 5.2.
[35] Research report AP of September 29, 2021, appendix 1 always under E.

3.3.2 Facilitate the concept

DPG indicates that the AP states in its research report that article 12, second paragraph, of the GDPR means that the controller should facilitate the exercise of data subjects' rights. However, DPG is of the opinion that the AP is not proved right in this explanation by the judgment of a preliminary relief judge cited by the AP. According to DPG, 'facilitating' entails that a controller must not (unnecessarily) hinder the exercise of these rights, or must make it 'possible'.

DPG further states that the Belgian regulator, in its Dutch-language sample letter for GDPR requests, included by default that the person concerned can enclose a copy of the identity card. Finally, DPG holds against the AP that it earlier (explicitly) expressed a different position in a letter from a 2003 case from its legal predecessor, the College bescherming persoonsgegevens (CBP). [37]

The AP is not going with DPG's view. First, in its research report, the AP cited the relevant judgment of the Court of Gelderland as an example with another statement. Namely, that in the event that a controller has a policy that hinders the exercise of said rights and also actively promotes this policy, there is a violation of article 12, second paragraph, of the GDPR. Secondly, the relevant injunction judge also did not consider the discussion of whether 'facilitation' includes 'making easier' relevant in that case, because in any case impediment cannot be regarded as facilitating the right of access.
The AP is therefore, on the basis of Article 12, second paragraph, of the GDPR and recitals 59 and 63 of the GDPR, of the opinion that 'facilitation' should be understood to mean that the controller must have an arrangement that enables data subjects to exercise their rights unimpeded, easily and simply.
Furthermore, the AP is of the opinion that the quotes from a CBP letter from 2003, cited by DPG, give a one-sided picture of the contents of that letter. In this letter, the CBP refers to a request for mediation between two parties. The DPA has considered that in establishing the identity, the nature of the data and of the processing are important. The CBP also stated that, upon a written request for access by a lawyer, a copy of the lawyer's proof of identity is in principle not necessary within the scope of Article 37, second paragraph, of the Personal Data Protection Act.
36 DPG refers to ECLI:NL:RBGEL:2020:3159, r.o. 9.8.
3 DPG quoted the following from this letter: “In the opinion of the CBP, the importance of properly establishing the applicant's identity is not to be set aside too quickly in favor of a faster or easier treatment of a request for access. […] In certain cases (such as in this case) the person concerned does not want to send a copy of the identity document because there personal data. If the data subject does not want to send a copy of an identity document, there is always the possibility that the person concerned or his authorized representative shows the identity document on site to the responsible person and obtains insight in this way. […] It is also conceivable that [the controller] will be satisfied with a copy of a passport on which, for example, the social security number has been made illegible.”
38 ECLI:NL:RBGEL:2020:3159, r.o. 9.7.
39 ECLI:NL:RBGEL:2020:3159, r.o. 9.8.
According to the CBP, the data subject or his authorized representative also has the possibility to show proof of identity on the spot to the controller. Finally, in view of the long time that has passed since 2003, it was up to DPG, for the entry into force of the GDPR on May 24, 2016 and its taking effect on May 25, 2018, to ascertain (again) the applicable laws and regulations and to act in accordance with them; all the more so now that the increasingly digitized society (fifteen years later) has unfortunately brought with it that providing data is not without risk. The AP has for quite some time provided comprehensive information on its website about the rules for identification. A Belgian model letter in which a shielded copy is offered as an option next to, for example, an assigned customer number, does not detract from that.
3.3.3 How to identify
DPG does not agree with the statement of the AP in the investigation report that DPG, apart from a copy of the identity document, had no other way of establishing identity. According to DPG, data subjects could choose to submit a request through their account. According to DPG's procedure, if the applicant refused to provide a copy of the identity document, the privacy officer was consulted, and a copy of ID was not considered necessary when identity could be verified in another way. Finally, DPG states that through its former privacy statement it actively promoted the policy of using a shielded copy of ID.
The AP does not follow this view of DPG either. If data subjects do not want to provide a copy of their ID via the contact form or by email, they should not be forced to create an account on the DPG website.
This too is an (unnecessary) hindrance for data subjects in exercising their rights under the GDPR. That consultation took place with the privacy officer, as DPG states but does not substantiate with evidence, the AP deems not relevant to the assessment of the policy that DPG communicated in advance to data subjects. Incidentally, this statement is inconsistent with what DPG stated during the investigation about its policy. Finally, the AP cannot follow DPG in the assertion that it actively propagated the policy of using a shielded copy of identification. DPG has stated in its privacy statement that a shielded copy is only sufficient for requests by post. For requests via the contact form or by e-mail, and in cases where a data subject refused to provide a copy of an ID card, DPG did not point out the possibility of a shielded copy. This also follows from the submitted communication between DPG and complainants.
4 https://www.autoriteitpersoonsgegevens.nl/nl/onderwerpen/identification/identity proof.
3.3.4 Article 12, sixth paragraph, of the GDPR
DPG considers the AP's statement in the investigation report, that a controller wants to establish the identity of the applicant (for access or erasure) “without reasonable doubt” in order to prevent a data leak or abuse of rights, an incomplete, incorrect interpretation of the GDPR. According to DPG, the 'doubt' test of Article 12, sixth paragraph, of the GDPR does not come into play if the controller cannot establish the identity of the requester at all.
The AP does not follow DPG's argument. If the controller is not able to establish the identity of a data subject, it informs the data subject. If the data subject then provides no additional data that make it possible to identify him, Articles 15 to 20 of the GDPR are in that case not applicable.
Albeit for a different reason, the AP also concludes that Article 12, sixth paragraph, of the GDPR is irrelevant in the present assessment of the violation.
3.3.5 Complaints
DPG believes that the AP wrongly included five complaints in its investigation and assessment. The complaints do not relate, or are insufficiently related, to the findings on the basis of which the AP finds that DPG is in violation of Article 12, second paragraph, of the GDPR. DPG therefore requests the AP not to include these complaints in an enforcement decision.
The AP will not grant this request. The communication between the complainants and DPG gives a picture of the way in which DPG implemented its policy regarding the rights of data subjects. It turns out that Sanoma, or parts that fell under Sanoma, at the time required a copy of the ID before starting to process a request, and that the complainants experienced this as a hindrance.
3.4 Conclusion
The AP concludes that, at the time of the infringement, DPG insufficiently facilitated the exercise of the rights of data subjects. As a result, DPG has acted contrary to Article 12, second paragraph, of the GDPR.
4. Fine
4.1 Introduction
DPG has acted contrary to Article 12, second paragraph, of the GDPR. For the established violation, the AP makes use of its authority to impose a fine on DPG. Considering the seriousness of the violation and the extent to which it can be blamed on DPG, the AP considers the imposition of a fine appropriate. The AP motivates this in the following.
4.2 Fine policy rules of the Dutch Data Protection Authority 2019
Pursuant to article 58, second paragraph, opening words and article 83, fifth paragraph, of the GDPR, read in connection with article 14, third paragraph, of the UAVG, the AP is authorized, in the event of a violation of Article 12 of the GDPR, to impose on DPG an administrative fine of up to €20,000,000 or, for a company, up to 4% of total worldwide annual turnover in the previous financial year, if this figure is higher.
The AP has established Fine Policy Rules regarding the exercise of the above-mentioned authority to impose an administrative fine, including determining the amount thereof.41 The Fine Policy Rules use a system of categories and bandwidths. Violation of Article 12(2) of the GDPR is classified in category III. Category III has a fine bandwidth between €300,000 and €750,000 and a basic fine of €525,000.
4.3 Fine amount
4.3.1 Seriousness of the violation
Under the principle of transparency, the controller must facilitate the exercise of data subject rights. For data protection it is essential that data subjects can easily exercise their rights under the GDPR and can learn in a simple way which personal data a controller processes. Proper fulfilment of the right of access is furthermore necessary in order to exercise other rights, such as the right to rectification and the right to erasure.
DPG argues in its view that a balancing of the interests in this case should at most lead to a reprimand. If it concerns a minor breach, the AP may, instead of a fine, choose a reprimand. In the present violation, however, the AP is of the opinion that there is a serious infringement, in which DPG has insufficiently facilitated the rights of the data subjects. The AP therefore considers imposing a reprimand insufficiently effective, and neither proportionate nor deterrent.
4 Stcrt. 2019, 14586, March 14, 2019.
The AP motivates this as follows. Regarding the nature of the infringement, the AP weighs heavily that, regardless of what (contact) information was available to DPG about the data subject, DPG did not process the requests if the data subject did not provide a copy of the identity document. A copy of the identity document provides not only a lot of data, but also very sensitive data such as a photo and the Citizen Service Number. Data subjects should not be urged to provide personal data that are not necessary for the exercise of their rights under the GDPR. In determining the seriousness of the violation, the AP also takes into account its systematic (and therefore not incidental) nature, in which DPG (actively) propagated its policy over a long period of time. Although as of December 17, 2020, DPG no longer asks for a copy of an ID, DPG did not adjust its privacy policy on the website until October 18, 2021.
Regarding the size of the number of affected persons, the AP takes into account that the number of data subjects was limited in a relative sense, but substantial in an absolute sense. months it turned out that it concerned 60 data subjects. From May 2018 until into October 2021, the AP considers that it must have concerned several hundred data subjects. These data subjects, as well as other individuals who, because of this policy as communicated through DPG's various means of communication, refrained from exercising their rights, were thus unnecessarily impeded in exercising their rights under the GDPR. DPG's policy has resulted in data subjects who did not provide a copy of their identity card not having access to their personal data or not being able to have their data deleted.
Based on the above, the AP considers that there is a serious violation, for which a basic fine of €525,000 is suitable. In this case, the AP sees no reason to increase or decrease the basic fine.
4.3.2 Blame and Proportionality
Pursuant to Article 5:46, second paragraph, of the Awb, the AP takes into account, when imposing an administrative fine, the extent to which the violation can be blamed on the offender. DPG states that the violation cannot be blamed on it, because DPG's actions were aimed at GDPR compliance. This argument cannot succeed. There is no question of an absence of culpability. Since this concerns a violation, the AP may, when imposing an administrative fine and in accordance with established case law, presume culpability if the status of offender is established. DPG has actively pursued a policy that conflicted with the GDPR. DPG failed to adapt that policy to the guarantees that the GDPR gives to, among other things, the right of access and the right to erasure. The AP considers this culpable.
DPG further argues in its view that it would conflict with the lex certa principle if the AP were to impose a punitive sanction on the basis of open standards. The AP does not follow DPG's view. Hindering the exercise of the rights referred to in Articles 15 to 22 of the GDPR can in no case be considered facilitation of those rights. The legal text of the GDPR, recitals 59 and 63 of the GDPR and the detailed information about the rules for identification on the AP website give sufficient clarity. A professional market party such as DPG may be expected to make thoroughly sure of the norms that apply to it and to comply with them.
Finally, pursuant to Articles 3:4 and 5:46 of the Awb, the AP assesses whether the application of its policy for determining the amount of the fine does not, in view of the circumstances of the specific case, lead to a disproportionate outcome.42 The AP is of the opinion that (the amount of) the fine is proportional. In this assessment, the AP has taken into account, among other things, the seriousness of the infringement and the extent to which it can be blamed on DPG.
Given the nature of the data, the duration of the violation and the consequences of DPG's policy for the data subjects, the AP qualifies this infringement of the GDPR as serious. Considering the financial size of DPG, the AP finds the amount of the fine appropriate and deterrent. In view of the foregoing, the AP sees no reason to either increase or decrease the amount of the fine on the basis of proportionality and the circumstances mentioned in the Fine Policy Rules, insofar as applicable in the present case.
4.4 Conclusion
The AP sets the total fine at €525,000.
4 For the justification, see paragraphs 4.3.1 and 4.3.2.
5. Dictum
The AP imposes on DPG Media Magazines B.V., for violating Article 12, second paragraph, of the GDPR, an administrative fine in the amount of: €525,000 (say five hundred twenty-five thousand euros).3
Yours faithfully,
Autoriteit Persoonsgegevens,
(signed)
ir. M.J. Verdier
Vice President
Remedies Clause
If you do not agree with this decision, you can, within six weeks of the date of dispatch of the decision, submit an objection digitally or on paper to the Data Protection Authority. Pursuant to Article 38 of the UAVG, submitting an objection suspends the effect of the decision imposing the administrative fine. For submitting a digital objection, see www.autoriteitpersoonsgegevens.nl, under the heading Bezwaar maken tegen een besluit (objecting to a decision), at the bottom of the page under the heading Contact with the Data Authority. The address for submission on paper is: Autoriteit Persoonsgegevens, PO Box 93374, 2509 AJ Den Haag. Mention 'Awb-objection' on the envelope and put 'objection' in the title of your letter.
Write in your letter of objection at least:
- your name and address;
- the date of your notice of objection;
- the reference (case number) mentioned in this letter, or attach a copy of this decision;
- the reason(s) why you do not agree with this decision;
- your signature.
4 The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB). Pursuant to Article 4:87, first paragraph, Awb, the fine must be paid within six weeks. For information and/or instructions about the payment, contact can be made with the aforementioned contact person at the AP.