Rb. Gelderland - ARN 20/2537

From GDPRhub
Revision as of 11:17, 13 March 2025 by Tjk
Court: Rb. Gelderland (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 12(2) GDPR
Article 12(5) GDPR
Decided: 17.07.2023
Published:
Parties: Stichting Bureau Krediet Registratie (BKR)
Dutch DPA
National Case Number/Name: ARN 20/2537
European Case Law Identifier: ECLI:NL:RBGEL:2023:4071
Appeal from: AP (The Netherlands)
BKR fined for hindering and charging fees for access requests
Appeal to: Unknown
Original Language(s): Dutch
Original Source: Uitspraak (in Dutch)
Initial Contributor: CBMPN

A Dutch credit registration agency was fined €830,000 by the Dutch DPA. It appealed this decision. The court upheld the finding of violations but reduced the fine from €830,000 to €668,000.

English Summary

Facts

In May 2018, Stichting Bureau Krediet Registratie (BKR, the controller) began charging a fee to data subjects for requesting access to their data in a digital format. Data subjects could obtain a paper copy of their data for free, but only once a year.

Following the DPA’s investigation, the controller has modified its processes. Since April 2019 data subjects have been able to access their data for free. In addition, in March 2019 the controller changed the number of times a year data subjects can receive a paper copy of their data by post.

The Dutch DPA found that this practice was an infringement of privacy legislation, and imposed a fine of €830,000. The controller then appealed in court.

Holding

The court ruled that the controller violated both Article 12(2) and Article 12(5) GDPR. The court found that the controller's policy of limiting free access to once a year and charging for electronic access was inconsistent with the GDPR's requirements. The court emphasized that the GDPR requires data controllers to facilitate individuals' rights to access their data easily and free of charge, especially when data is processed electronically.

The court rejected the controller's argument that the GDPR's rules were unclear, stating that the controller, as a professional organization, should have been aware of its obligations.

The court acknowledged that the violations were related and reduced the fine by 20% due to the interconnected nature of the breaches. However, the court also found that the original fine of €830,000 was disproportionate and further reduced it to €668,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

ECLI:NL:RBGEL:2023:4071 - Gelderland District Court, 17-07-2023 / AWB - 20 _ 2537
Subtype: Judgment
Institution: Gelderland District Court
Source: Judiciary Council
Location: Rechtspraak.nl
Date: 17-07-2023

Judgment
Content indication
The authority has imposed a fine of €830,000 on BKR for two violations of the GDPR. The authority is of the opinion that BKR violated Article 12, paragraph 5, because it did not provide free electronic access to personal data to data subjects in the context of the right of access. In addition, the authority has concluded that BKR violated Article 12, paragraph 2, of the GDPR, because BKR did not facilitate the right of access pursuant to Article 15 of the GDPR. BKR actively promoted the policy that a data subject could obtain written access to personal data once a year free of charge. The court is of the opinion that the authority was right to conclude that BKR committed these two violations. There is no conflict with the lex certa principle. There is no question of a single act of concurrence. The authority was allowed to impose a fine for two violations. There is, however, a certain connection between the violations. The court therefore considers it reasonable that the authority reduced the fine amount by 20% because of that connection. The Fine Policy Rules of the Dutch Data Protection Authority 2019 are not unreasonable and the authority was allowed to apply them to determine the amount of the fine. The court is of the opinion that the fine is disproportionately high. There were not only aggravating circumstances, but also mitigating circumstances. There was therefore no reason to use higher amounts than the basic fine amounts from the policy, as the authority did. The court therefore further reduces the fine and sets it at € 668,000.

Text
GELDERLAND COURT

Sitting location: Arnhem

Administrative law

case number: ARN 20/2537

judgment of the multi-member chamber of
in the case between

Stichting Bureau Krediet Registratie (BKR), from Tiel,
(attorneys: Mr. E.E. Troll and Mr. H.H. de Vries),

and

the Dutch Data Protection Authority,
(attorneys: Mr. W. van Steenbergen and Mr. E. Nijhof).

Introduction
1. In this judgment, the court assesses BKR's appeal against the administrative fine of €830,000 imposed on it by the authority for violations of Article 12, second and fifth paragraphs, of the General Data Protection Regulation (GDPR). The authority imposed this fine in its decision of 30 July 2019.

1.1.
With the contested decision of 8 April 2020, the authority upheld that decision.

1.2.
The authority responded to the appeal with a statement of defence. BKR responded to the statement of defence with a written response.

1.3.
The court heard the appeals at a hearing on 25 May 2023. The following appeared on behalf of BKR: [name], [name], [name] and [name], assisted by their authorised representatives and Mr S.A.M. Meijer. The following appeared on behalf of the authority: its authorised representative and Mr E. Nijhof.

1.4.
On 26 May 2023, the court received a further document from BKR, containing a written account of the closing argument held on its behalf, with the request to include this in the documents in the proceedings. The court rejects this request, because the document was received after the investigation at the hearing had been closed.

Assessment by the court
2. The court assesses the legality of the fine imposed. It does this on the basis of BKR's grounds for appeal.

2.1.
The fine was imposed because, according to the authority, BKR committed two violations. The authority is of the opinion that BKR violated Article 12, paragraph 5, of the GDPR from 25 May 2018 to 28 April 2019, because it did not provide free electronic access to personal data to data subjects in the context of the right of access. In addition, the authority concluded that BKR violated Article 12, paragraph 2, of the GDPR from 25 May 2018 to 12 March 2019, because BKR did not facilitate the right of access pursuant to Article 15 of the GDPR. BKR actively promoted the policy that a data subject could obtain written access to the personal data once a year free of charge.

3. The court finds that the authority was allowed to impose a fine on BKR for violations of the GDPR. However, the court sees reason to moderate the fine imposed. The appeal is well-founded to that extent. The court will explain below how it arrived at this conclusion and what the consequences of this conclusion are.

Did BKR violate Article 12, paragraph 5 of the GDPR?

4. The authority based its position that BKR violated Article 12, paragraph 5 of the GDPR on the fact that it charged data subjects for electronic access to their personal data during the relevant period. Data subjects could access their credit information via the paid services BKR Basic, Plus or Premium.

4.1.
BKR argues that it did not violate Article 12, paragraph 5 of the GDPR. It fulfilled the data subjects' right to access information by offering them the opportunity to submit a written request for access via an access form provided by BKR. The requested information was then sent in writing to their home address. In doing so, it has complied with the GDPR, because it does not oblige it to offer free electronic access, certainly not in unlimited form. If data subjects wanted access more than once a year, this could be done electronically, with the paid services. Payment was permitted in that case because in the case of excessive requests it is permitted to request a reasonable fee for administrative costs. BKR's own experience figures show that data subjects do not request access to their personal data more than once a year on average. If data subjects want access more than once a year, this can be regarded as an excessive request for which BKR was allowed to charge a fee. The paid services that BKR offered must therefore be seen as voluntary services, or services for which BKR was allowed to charge a fee.

4.2.
It follows from the GDPR that a data subject has the right to obtain from the controller access to the personal data concerning him that is processed by the controller. The controller is obliged to provide a copy of the personal data that is processed. If the data subject submits his request electronically and does not request another arrangement, the information shall be provided in a common electronic form. On the basis of Article 12, paragraph 5 of the GDPR, this provision shall in principle be free of charge. The controller may charge a reasonable fee if the request is manifestly unfounded or excessive.

4.3.
The ground for appeal fails. It follows from Article 12, paragraph 3, and 15, paragraph 3 of the GDPR that if data subjects submit a request for access electronically, BKR must provide this information in electronic form if possible. Recital 59 of the GDPR shows that a controller such as BKR must provide means to submit requests electronically, “especially when personal data are processed electronically”. Since BKR processes personal data electronically, it should have an electronic access option available. It then follows from Article 12, paragraph 5, of the GDPR that, as a general rule, the provision of access must be free of charge. The system used by BKR, in which a data subject had to take out a subscription for electronic access, is in conflict with this. BKR's argument that requesting a fee in this case is justified, because unlimited access is provided and they may request a fee in the event of excessive requests, fails. After all, in the system used by BKR, the data subject also had to pay the subscription fee for their very first electronic access request, which was clearly not excessive in nature. In doing so, they completely ruled out the possibility of free electronic access, in violation of the GDPR.

Did BKR violate Article 12, paragraph 2 of the GDPR?

5. The authority based the violation of Article 12, paragraph 2 of the GDPR on the fact that BKR actively communicated to data subjects that the possibility of free access to personal data is limited to once a year. In doing so, it refers to BKR's privacy statement. At the time, the following was included:

“Everyone has the right to view all personal and credit data registered in the CKI once a year, free of charge. The access is provided on paper at the specified home address. [...]

If you want to view your data in the PEP registration system, you can use the same form as for viewing your personal data in the Central Credit Information System (CKI). This access is also provided once a year, free of charge. [...]

If you want to view your data in the VIS registration system, you can use the same form as for viewing your personal data in the Central Credit Information System (CKI). This access is also provided once a year, free of charge.”

In addition, the authority points to the information on the BKR website. The following was stated there:

“You can view your data once a year, free of charge. Do you want quick insight or do you need the overview for credit applications? Then choose BKR Basic, Plus or Premium. The GDPR access is provided on paper within 28 days.”

Finally, the authority refers to e-mails that BKR has sent to data subjects. Here too, BKR explicitly states that the right to free access is limited to once a year. According to the authority, this policy actively promoted by BKR means that it has not facilitated the right to access. This constitutes a violation of Article 12, paragraph 2 of the GDPR.

5.1.
BKR argues that by offering a free written inspection opportunity once a year, it complied with the obligations under the GDPR. By informing data subjects of this right and offering an inspection form on its website, BKR facilitated the right of inspection. The authority's position that BKR uses an incorrect interpretation of the term "excessive nature" and that there is no question of "facilitation" does not follow from the GDPR. To the extent that there is a violation, BKR argues that imposing a fine would be in conflict with the lex certa principle. The GDPR contains a number of open standards and vague concepts that had not yet been further defined by case law at the time the fine was imposed. BKR could therefore not have known what was expected of it.

5.2.
According to settled case law, the lex certa principle, which is enshrined in Article 7 of the ECHR, requires the legislator to define the prohibited conduct as clearly as possible, with a view to legal certainty. It should not be forgotten that the legislator sometimes describes prohibited conduct with a certain vagueness, consisting of the use of general terms, in order to prevent conduct that is punishable from falling outside the scope of that description. That vagueness may be unavoidable, because it is not always possible to foresee how the interests to be protected will be violated in the future and because, if this can be foreseen, the descriptions of prohibited conduct would otherwise become too refined, with the result that clarity is lost and thus the interest of the general clarity of legislation suffers.

5.2.1.
On the basis of Article 12, paragraph 2 of the GDPR, the controller must facilitate the exercise of the rights of the data subject under Articles 15 to 22. The GDPR does not define the term “facilitate”. According to the Van Dale Groot Woordenboek, this term can mean both “simplify” and “make possible”. However, it is sufficiently clear what is meant by this term. As the authority rightly states with reference to the Cilfit judgment, support for the interpretation of terms in European law regulations can be found in the comparison of different language versions. It follows unmistakably from the English (facilitate), French (faciliter) and German (erleichtern) language versions that facilitating in this case must be interpreted as “simplify”. This is supported by recital 59 of the GDPR, which states that “arrangements should be in place to enable the data subject to exercise his or her rights under this Regulation more easily”. Finally, the system of Article 12, first and second paragraphs, also points to this interpretation. The first paragraph already describes that the controller must take appropriate measures to provide the data subject with the communication referred to in (among others) Article 15 in a transparent, comprehensible and easily accessible form and in simple language. If the term “facilitate” in the second paragraph were to be understood as meaning only “making possible”, this paragraph would have no added value compared to the first paragraph.

5.2.2.
The foregoing leads to the conclusion that the question of whether BKR has acted in accordance with Article 12, paragraph 2 of the GDPR is determined by whether BKR has simplified the exercise of the rights of data subjects mentioned therein.

5.3.
The answer to that question is then determined by whether the statements made by BKR under 5 are in accordance with the GDPR. The court considers the following in this regard.

5.3.1.
BKR based its position that data subjects were entitled to one free inspection per year on its interpretation of the term “excessive”, within the meaning of Article 12, paragraph 5 of the GDPR. It follows from this article that the repetitive nature of requests in particular means that they can be regarded as excessive. According to BKR, the meaning of this is the same as the phrase in recital 63 of the GDPR, which states that a data subject has the right to exercise the right of inspection “at reasonable intervals”. This means the same as the reasonable intervals referred to in Article 12 of Directive 95/46/EC (the Data Protection Directive) that preceded the GDPR. This article was transposed in the Netherlands into Article 35 of the Personal Data Protection Act (Wbp). The Explanatory Memorandum to that Act stated that as a result of these reasonable intervals, the data subject is not permitted to approach the controller with a request for information more than average and necessary. According to BKR, the average number of requests for access within its sector is once per year.

5.3.2.
With the above, BKR demonstrates an incorrect interpretation of Article 12, paragraph 5 of the GDPR. After all, the article stipulates that it is up to the controller to demonstrate the manifestly unfounded or excessive nature of the request. A single reference to an average number of requests per year does not demonstrate that a second or subsequent specific request is excessive. This also requires an assessment of the facts and circumstances related to the individual request, which BKR's approach does not allow for.

Regardless of whether BKR's assertion is correct that its customers do not request access to their personal data more than once per year on average, this does not mean that this cannot be different for groups of customers. It cannot be ruled out that many BKR customers do not or hardly request access, while others need multiple accesses in quick succession at some point in their lives. It is important to note that BKR processes data that can change in the short term due to their nature. To the extent that the interpretation of the term excessive can be based on what is customary, it cannot be based on the average number of requests for access to the entire BKR customer base, but must instead look at the relevant group to which the applicant in question belongs. The fact that one access per year is not enough for many customers is also evident from BKR's acknowledgement in its appeal and at the hearing that it is not likely that a consumer takes out a subscription and then only uses it once. (At least some of) the customers of its paid service therefore have a need for multiple access per year. A method in which in all cases in which a second request is submitted in the same year, it is assumed in advance that there is 'manifest' excessiveness, is therefore in conflict with Article 12, paragraph 5, of the GDPR. This follows sufficiently clearly from the article itself.

5.3.3.
The reference to the Explanatory Memorandum to the previously applicable Wbp is also unfounded. The mere fact that the preamble to the GDPR also uses the term “reasonable intervals” and that the same preamble states in general terms that the objectives of Directive 95/46/EC are maintained does not mean that this is decisive for the interpretation of the term “manifestly excessive” within the meaning of Article 12, paragraph 5 of the GDPR.

5.3.4.
Contrary to what BKR argues, its interpretation of Article 12, paragraph 5 of the GDPR is not supported by Article 15, paragraph 3 of the GDPR, insofar as it states that the controller may charge a reasonable fee for “additional copies”. This refers to an additional copy in the context of the same request for access. The GDPR does not support the position that a second request is meant here, or that this article should be seen as a special rule that further defines the term ‘excessive’ within the meaning of Article 12, paragraph 5. The judgment of the Court of Justice of 4 May 2023 cited by BKR also does not support this position. In this judgment, the Court emphasises that the term “copy” refers to the personal data and does not refer to a document as such, but it also considers that the right of access under certain circumstances entails that extracts or even entire copies of documents must be provided. This therefore does not preclude the interpretation that it concerns the provision of an additional copy in the context of the same request. The judgment therefore does not support the position that a new request would also constitute an “additional copy”.

5.3.5.
The position expressed by BKR that data subjects were entitled to a one-off free annual access to their personal data is therefore in conflict with Article 12, paragraph 5, of the GDPR. This provision is sufficiently clear in itself, so that BKR should have realised that this interpretation was incorrect and that there can be no conflict with the lex certa principle in this respect. In this context, the authority also rightly states that BKR, as a professional organisation, could be expected to properly inform itself about the obligations that apply to it. BKR's argument that the rules were also unclear to the authority, since the authority itself initially only offered an inspection option by post, fails. After all, this does not alter the fact that the GDPR made it sufficiently clear to BKR what was expected of it. Moreover, BKR's situation is not entirely comparable to that of the authority, since BKR was concerned with personal data that were processed entirely electronically.

5.4.
The authority rightly takes the position that BKR, with the policy it actively promoted, has obstructed the right of inspection of data subjects. By repeatedly and in various places proclaiming a too limited interpretation of the right of inspection, BKR has misled data subjects, as a result of which they may not have exercised this right. In view of the explanation of the term "facilitating" given under 5.2.1., it follows that BKR has violated Article 12, paragraph 2 of the GDPR. Since simply communicating this policy constitutes a violation, BKR's position that in practice it also provided free access in the event of a second request for access in the same year cannot alter this.

5.5.
The ground for appeal fails.

Should the authority impose a fine?

6. BKR argues in the alternative that, even if it had violated the GDPR, the authority was not allowed to impose the fine. Based on its own Policy Rules on Prioritization of Complaints Investigations, the authority should have limited itself to a warning. The imposition of the fine is based on a limited number of complaints and the findings report on which the authority based the decision to impose a fine contains exaggerations. BKR has also cooperated. By imposing a fine despite this, the authority has acted in violation of the principle of due care and the principle of equality. In this context, BKR refers to a number of procedures that it considers comparable, in which the authority did not conduct an investigation, or limited itself to a reprimand or a lower fine. In doing so, it specifically points to the way in which the authority dealt with an alleged violation by the Vehicle Authority (RDW). This also involved a situation in which, according to the authority, an organisation wrongly charged for access to personal data. Finally, the authority damaged BKR's image through its statements in the media at the time the investigation was still ongoing.

6.1.
The authority takes the position that it does not need a compelling fact to initiate an investigation into an alleged violation. It is sufficient that there are concrete signals that the GDPR is not being complied with. Due to its limited supervisory and enforcement capacity, the authority must itself assess in which cases it is appropriate to initiate an investigation. In the case of BKR, the signals that the authority received were sufficient reason to assume that there had been a serious violation of the GDPR. That is why the investigation was initiated. In order to enforce credibly and effectively, it is precisely important that a sanction is imposed following such a process if the investigation does indeed reveal a violation. This was the case in the case of BKR. The authority did not act in violation of the principle of equality in the other cases mentioned by BKR. The facts, circumstances and (alleged) violations are always different, so that there is no legally comparable situation. The authority also does not consider the situation of the RDW to be comparable. In this context, it again points to the limited supervision and enforcement capacity. In the case of the RDW, it saw insufficient reason to initiate an investigation. It was important in this respect that in the case of the RDW, it only concerned access to historical license plate data. The number of parties involved who had an interest in this information was much lower and the social interest involved in (quick) access to this data, as in the case of BKR, did not play a role here. Moreover, in the case of the RDW, there were no indications of strongly controlling information on the website.

6.2.
What BKR has stated does not provide any starting points for the conclusion that the authority was not allowed to impose the fine. The Policy Rules Prioritising Complaints Investigations do not stand in the way of this. First of all, these policy rules only apply to the manner in which the authority deals with complaints it receives from data subjects about the processing of their personal data. This does not mean that the authority may only initiate an investigation based on complaints, or that a minimum number of complaints must have been received. BKR's argument that the findings report contains an incorrect representation of the reason for the investigation, because in fact there were only four complaints and two tips, therefore fails. BKR's argument that the authority acted in violation of Article 5:13 of the General Administrative Law Act (Awb) in this context cannot succeed, if only because this article concerns the action of a supervisor within the meaning of Article 5:11 of the Awb, and that situation is not at issue here.

6.2.1.
The fact that the authority may, in appropriate cases, as also described in this policy rule, suffice with a less far-reaching measure, such as a warning, does not mean that it should have done so in this situation. In light of the principle of proportionality, the authority is obliged to assess whether imposing a fine is necessary in the appropriate case, or whether a less far-reaching measure would have sufficed. The authority has properly substantiated that the nature and seriousness of the violations in this case gave reason to impose a fine. The court follows the authority in its position that in that situation, certainly in view of the limited supervisory capacity of the authority, effective enforcement justifies the imposition of a fine. In doing so, it also takes into account that the authority, also in light of Article 83 of the GDPR, is obliged to exercise its authority to impose fines in an effective, proportionate and efficient manner.

6.3.
Furthermore, the court is of the opinion that BKR has not made it plausible that the authority violated the principle of equality by imposing the fine. For a successful appeal to the principle of equality, there must be an equal situation that the authority has treated unequally. As the authority states, the facts, circumstances and alleged violations in the cases cited by BKR were not comparable, so that for that reason there is no conflict with the principle of equality. With regard to the RDW, the authority has sufficiently substantiated with the explanation given under 6.1 why it did not initiate an investigation and impose a fine in that case, despite some similarities with the BKR case.

6.4.
BKR's argument that the authority exaggerated the investigation results in its findings report also fails. BKR refers to the fact that the authority has repeatedly given the impression that BKR would have stated that data subjects have free access "only" once a year, while the word "only" was not used by BKR in its statements on the website and in its privacy statement. The parties do not dispute the literal texts used by BKR. In this respect, it has not been demonstrated that the authority based the imposition of the fine on incorrect facts. The court therefore sees nothing in BKR's argument that would mean that the fine should not be imposed.

6.5.
Finally, the court also sees no reason in the circumstance that the authority made statements in the media about the ongoing investigation against BKR to conclude that the fine should not be imposed. Regardless of whether or not the authority's statements were in line with its disclosure policy, BKR has not made it plausible that it has been disadvantaged by this and that this disadvantage is of such a nature that, in the context of proportionality, the fine should not have been imposed.

6.6.
This ground for appeal fails.

The amount of the fine

7. BKR argues more subsidiarily that the fine imposed is too high. This is a case of a single act of concurrence, which means that the authority should only have imposed a fine for one violation. The authority then wrongly applied the 2019 policy rule. Furthermore, the authority wrongly considered aggravating aspects to be present and failed to take into account relevant facts and circumstances that should have led to a lower fine.

The assessment framework

7.1.
The amount of an administrative fine based on Article 12, paragraphs 2 and 5, of the GDPR has not been established by law. Based on Article 5:46, paragraph 2, of the General Administrative Law Act, the authority must in that case adjust the amount to the seriousness of the violation and the extent to which it can be attributed to the offender. In doing so, the authority must, if necessary, take into account the circumstances under which the violation was committed. It may use a policy rule for this purpose. Even if the policy as such has not been found to be unreasonable by the court, the authority must, when applying it, assess in each case whether that application is consistent with the aforementioned assessment of proportionality. If this is not the case, the authority must set the fine in addition to or in deviation from the policy at an amount that is appropriate and necessary. The judge will assess without restraint whether the fine decision meets these requirements and therefore leads to a proportionate sanction.

The coherence of the violations

7.2.
It is settled case law that the legislative history of Article 5:8 of the General Administrative Law Act (Awb) shows that the principle of proportionality opposes the accumulation of sanctions if there is a single act of concurrence. This situation occurs if two or more provisions are violated by one act that are so closely related in their scope that in essence only one violation occurs.

7.3.
In this case, there is no single act of concurrence. The violation of Article 12, paragraph 5 of the GDPR concerns the failure to provide personal data free of charge when data subjects requested this electronically, while the violation of Article 12, paragraph 2 of the GDPR concerns the repeated communication of the message that data subjects were entitled to free access once a year. This concerns acts that could have been committed separately and that, with regard to the scope of the provisions and the facts, are not so related that BKR can only be blamed for one thing. As the Authority also rightly states, the independent nature of these conducts is further supported by the fact that they ended at different times (28 April 2019 and 12 March 2019 respectively).

7.3.1.
Even if there is no single act of concurrence, the degree to which the violations are related can still be a relevant factor in mitigating the fine. In this case, the authority saw reason to mitigate the total fine by 20%, because although there were separate violations, both violations took place in the context of the same underlying principle from the GDPR, namely transparency with the aim of allowing data subjects to retain control over their personal data. The court agrees with the authority that the connection between the violations gave reason for mitigation. In doing so, it takes into account that both violations arise from the same incorrect view of BKR about how the right of access under the GDPR should be shaped. The court considers a mitigation of 20% of the total fine, as applied by the authority, reasonable in this context.

Did the moment of entry into force of the policy prevent its application?

7.4.
BKR argues that the authority should not have based the amount of the fine on the Fine Policy Rules of the Dutch Data Protection Authority 2019 (fine policy rules 2019), because this is contrary to the principle of legal certainty. The fine policy rules 2019 were only established shortly before the conduct underlying the violation of Article 12, paragraph 2 of the GDPR was terminated by BKR and even after the conduct underlying the violation of Article 12, paragraph 5 was terminated. BKR could therefore not take the existence of the policy rule into account. The authority should have followed its policy from 2016.

7.5.
The fine policy rules 2019 apply from 15 March 2019 and were therefore in force at the time the fine decision was made. Before these policy rules were established, the authority had no fine policy for the application of its powers under the GDPR.

7.6.
The court is of the opinion that the principle of legal certainty does not oppose the application of the 2019 fine policy rules. Article 83 of the GDPR stipulates the maximum fine that may be imposed for violation(s) of the GDPR and which circumstances must be taken into account when determining that fine. The essential characteristics of the power to impose sanctions were therefore known to BKR. The policy largely corresponds to the purport of Article 83 of the GDPR and in particular constitutes a further elaboration of the basic amount and range of fines to be imposed. Even without a policy framework, the authority was authorised to impose a fine within the bandwidth of the GDPR and the principle of proportionality, as follows from Article 5:46, paragraph 2, of the General Administrative Law Act. The circumstance that the authority first included the elaboration of this proportionality assessment in a policy rule at the time when the violations by BKR had already (almost) ended, does not therefore mean that the authority was not allowed to apply the 2019 fine policy rules. In this context, the authority also rightly takes the position that it was not obliged to base the fine decision on the Fine Policy Rules of the Dutch Data Protection Authority 2016. These policy rules were based on the Wbp and the violations that could be committed on the basis of that law. This policy can therefore not apply to the situation of BKR. BKR's reference to the judgment of the Rotterdam District Court of 26 November 2002 is also unfounded. That case concerned the situation in which a more favourable policy rule is established after an administrative fine has been imposed. That situation does not apply here.

Determining the amount of the fine

7.7.
Based on the Fine Policy Rules 2019, a basic fine of €310,000 applies to a violation of Article 12, paragraph 5 of the GDPR. A basic fine of €525,000 applies to a violation of Article 12, paragraph 2 of the GDPR. The authority has seen reason to increase the basic fines by €75,000 and €125,000 respectively. It bases this on the fact that, given the seriousness of the violation and the relatively long period of time that has elapsed, there are aggravating circumstances. In such a case, Article 7 of the 2019 Fine Policy Rules provides the option to increase the fine.

7.8.
The court assesses the amount of the fine according to the framework set out in 7.1. In the court's opinion, the 2019 Fine Policy Rules are not unreasonable in themselves, also in light of the principles of effective, proportionate and deterrent fines as set out in Article 83 of the GDPR. However, it is of the opinion that the authority arrived at an excessively high fine amount when applying them in the individual case of BKR. In this regard, it considers the following.

7.8.1.
The authority may take the nature and seriousness of the violations into account as aggravating elements. BKR manages credit registrations of approximately 12 million people. These registrations can have a major impact on those people, for example on whether or not they can obtain a (mortgage) loan. It is therefore very important that those involved can check the registrations relating to them. The violations of Article 12, paragraphs 2 and 5 of the GDPR committed by BKR undermine this right of inspection. The violations therefore affect BKR's core task and can have far-reaching consequences for those involved. This means that there are serious violations. An aggravating factor is that BKR stated on its website that those involved who wish to invoke their right of inspection can do so once a year free of charge, but that if there is a need for haste, inspection is only possible by means of electronic inspection, i.e. for a fee. The authority rightly notes that data subjects generally need access to their data at short notice to apply for a mortgage or other loan, for example, so that this notification effectively forced them to request electronic access via the paid version and they could not claim free access, while the GDPR does offer them this right. The more than 30,000 paid subscriptions that BKR had in the period from 25 May 2018 to 28 April 2019 also show that, as a result of violating Article 12, paragraph 5, of the GDPR, it has wrongly generated income and has thereby also financially disadvantaged the data subjects. In this respect, the question of whether this service was profitable for BKR itself is not relevant. The point is that BKR has charged a fee for access that should have been completely free of charge.

7.8.2.
Unlike the authority, the court does not see the duration of the violation as an aggravating circumstance and sees the extent to which BKR has made efforts to remedy the violations as a mitigating circumstance. In doing so, the court takes into account that the authority's investigation into BKR's compliance started at a time when the GDPR had only just come into effect and that the authority did not express a preliminary conclusion during the investigation as to whether BKR's actions were in conflict with the GDPR. The authority only made this position known for the first time when it sent the "draft report on final findings" of 25 February 2019. BKR announced almost immediately after receiving this report that it would adjust its working methods and that it wanted to discuss this with the authority. It then actually implemented these changes in the short term. The court regards this as a relevant, mitigating factor as referred to in Article 7, opening words and under f of the 2019 fine policy rules.

7.8.3.
Weighing these aggravating and mitigating circumstances against each other, the court concludes that there was no reason to deviate from the basic fine amounts to BKR's advantage or disadvantage. Since the authority wrongly increased the basic fine amounts, there is reason to reduce the fine imposed.

7.8.4.
The other circumstances put forward by BKR do not provide grounds for further reduction of the fine. Although BKR rightly states that its ability to pay, in view of, among other things, article 5:46, paragraph 2, of the General Administrative Law Act and article 9 of the 2019 fine policy rules, must be taken into account when assessing the amount of the fine, it has not made it plausible with the documents it submitted that its financial circumstances would prevent it from paying the fine. The documents in the case show that the authority took this circumstance into account when taking the contested decision, so that the decision on this point was also taken carefully. The appeal to Article 2a of the General Data Protection Regulation Implementation Act is also unsuccessful. This article states that the authority must take into account the needs of, among others, medium-sized enterprises, such as BKR, when applying the regulation. According to the legislative history, this article is a codification of the objective of recital 13 of the GDPR to prevent unnecessary administrative burdens for smaller enterprises. The court sees no reason for further mitigation of the fine in this regard.

7.8.5.
Finally, the circumstance put forward by BKR that at the time of the fine decision an administrative fine of this amount had not previously been imposed for violating the GDPR does not provide grounds for further mitigation. The amount of the fine must be tailored to the circumstances of the individual case. The fact that the authority had not previously imposed a fine of this amount at the time of the fine is not in itself an indication that there is disproportionality. In doing so, the court also takes into account that the GDPR had only recently come into effect and that for that reason few other fine procedures had been conducted. The authority has sufficiently explained that in the cases known up to that point in which it imposed a fine under the GDPR, there were other violations, based on other facts and circumstances, so that these cases were not comparable to its situation in that respect. Another factor is that in the case of BKR, unlike in those earlier fine decisions, there were two violations.

7.9.
In view of what the court considered under 7.8 to 7.8.3, the fine imposed is disproportionately high. The contested decision must be annulled in this respect due to a conflict with the principle of proportionality. The court itself provides for the case by taking a decision on the amount of the fine. In doing so, it follows the basic fine amounts from the 2019 fine policy of €310,000 for the violation of Article 12, fifth paragraph of the GDPR and €525,000 for the violation of Article 12, second paragraph of the GDPR. Subsequently, in view of what was considered under 7.3.1, it applies a moderation of 20% to the total amount due to the coherence of the violations. This results in a fine amount of €668,000. The court considers this fine appropriate and necessary.

7.10.
This ground for appeal is successful.

Conclusion and consequences
8. The appeal is well-founded because the contested decision is in conflict with article 5:46, paragraph 2 of the General Administrative Law Act. The court therefore annuls the contested decision.

8.1.
The court, applying article 8:72a of the General Administrative Law Act, provides for the case itself and sets the fine at €668,000.

8.2.
Because the appeal is well-founded, the authority must reimburse the court fee to BKR and BKR will also receive compensation for its legal costs. The authority must pay this compensation. The court sets these costs on the basis of the Administrative Law Costs Decree for legal assistance provided professionally by a third party at €2,868 (1 point for filing the notice of objection, 1 point for appearing at the hearing, 1 point for filing the notice of appeal, 1 point for appearing at the hearing, with a value per point of €597 in objection and €837 in appeal and a weighting factor of 1).

Decision
The court:

- declares the appeal well-founded;
- annuls the decision of 8 April 2020;
- revokes the decision of 30 July 2019 insofar as the administrative fine is set at €830,000;
- determines that the administrative fine is set at €668,000;
- determines that this ruling replaces the contested decision in that respect;
- determines that the authority must reimburse the court fee of €354 to BKR;
- orders the authority to pay €2,868 in legal costs to BKR.

This ruling was made by Mr. G.A. van der Straaten, chairman, and Mr. W.P.C.G. Derksen and Mr. T. Mol, members, in the presence of Mr. F.E.M. Rosmalen, clerk. The judgment was pronounced in public on

clerk

chair

A copy of this judgment was sent to the parties on:

Information about appeal
A party that disagrees with this judgment may send an appeal to the Administrative Jurisdiction Division of the Council of State explaining why this party disagrees with this judgment. The appeal must be filed within six weeks after the date on which this judgment was sent. If the submitter cannot await the hearing of the appeal because the case is urgent, the submitter may request the provisional relief judge of the Administrative Jurisdiction Division of the Council of State to make an interim provision (a temporary measure).

Annex: important laws and regulations for this ruling
General Data Protection Regulation

Article 12

1. The controller shall take appropriate measures to provide the data subject with the information referred to in Articles 13 and 14 and with the communication referred to in Articles 15 to 22 and Article 34 relating to processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. If the data subject so requests, the information may be provided orally, provided that the identity of the data subject is proven by other means.

2. The controller shall facilitate the exercise of the data subject's rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

[...]

5. The provision of the information referred to in Articles 13 and 14 and the provision of the communication and the taking of the measures referred to in Articles 15 to 22 and Article 34 shall be free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

a) charge a reasonable fee taking into account the administrative costs of providing the requested information or communication and taking the measures requested; or

b) refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive nature of the request.

[...]

Article 15

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

[...]

3. The controller shall provide the data subject with a copy of the personal data undergoing processing. If the data subject requests further copies, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested, the information shall be provided in a commonly used electronic form.

Article 83

1. Each supervisory authority shall ensure that the administrative fines imposed pursuant to this Article for the infringements of this Regulation referred to in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive.

[...]

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

[...]

b) the rights of the data subjects in accordance with Articles 12 to 22;

General Administrative Law Act Article 5:46:

1. The law shall determine the maximum administrative fine that may be imposed for a specific infringement.

2. Unless the amount of the administrative fine is laid down by law, the administrative body shall tailor the administrative fine to the seriousness of the infringement and the extent to which it can be attributed to the offender. The administrative body shall, if necessary, take into account the circumstances under which the violation was committed.

[...].

Fine Policy Rules 2019

Article 2

[...]

2.2 The provisions relating to violations for which the Dutch Data Protection Authority may impose an administrative fine of up to €20,000,000 or, for an enterprise, up to 4% of the total worldwide annual turnover in the preceding financial year, if this figure is higher, are classified in Annex 2 into category I, category II, category III or category IV.

2.3 The Dutch Data Protection Authority shall set the basic fine for infringements for which a statutory maximum fine applies of €10,000,000 or, for an undertaking, up to 2% of the total worldwide annual turnover in the preceding financial year, if this figure is higher, or €20,000,000 or, for an undertaking, up to 4% of the total worldwide annual turnover in the preceding financial year, if this figure is higher, within the following fine ranges:

[Picture: table of fine ranges]
[...]

Article 7

Without prejudice to Articles 3:4 and 5:46 of the General Administrative Law Act, the Dutch Data Protection Authority shall take into account the factors referred to under a to k, insofar as applicable in the specific case:

a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing in question as well as the number of data subjects affected and the extent of the damage suffered by them;

b) the intentional or negligent nature of the infringement;

c) the measures taken by the controller or processor to limit the damage suffered by data subjects;

d) the extent to which the controller or processor is responsible in view of the technical and organisational measures implemented in accordance with Articles 25 and 32 of the General Data Protection Regulation;

e) previous relevant breaches by the controller or processor;

f) the extent to which cooperation was obtained with the supervisory authority to remedy the breach and limit its possible negative consequences;

[...]

BKR has also lodged an appeal against the authority's decision to publish the fine decision. BKR has withdrawn this appeal, registered under number ARN 20/2536.

Article 15, paragraph 1 of the GDPR.

This is stipulated in both Article 12, paragraph 3 of the GDPR and in Article 15, paragraph 3 of the GDPR.

See for example ABRvS 26 October 2022, ECLI:NL:RVS:2022:3077.

Court of Justice of the European Communities of 6 October 1982, case 283/81 (Cilfit)

ECJ 4 May 2023, ECLI:EU:C:2023:369.

ABRvS 2 February 2022, ECLI:NL:RVS:2022:285.

See for example ABRvS 26 November 2014, ECLI:NL:RVS:2014:4257.

Explanatory Memorandum, Parliamentary Papers II 2003/04, 29702, no. 3, pp. 90-92.

ABRvS 6 December 2017, ECLI:NL:RVS:2017:3362.

Stcrt. 2019, 14586, 14 March 2019.

Stcrt. 2016, 34960, 6 July 2016.

Rb Rotterdam 26 November 2002, ECLI:NL:RBROT:2002:AR4219.

Amendment by member Van der Staaij, Parliamentary Papers II, 2017-2018, 34851, no. 15.

As follows in this case from article 5:46, second paragraph of the Awb.
