AP (The Netherlands) - 14.01.2022

From GDPRhub
Revision as of 11:44, 2 March 2022 by Cms (talk | contribs)
AP (The Netherlands) - DPG Media fined for unnecessarily requesting proof of identity
LogoNL.png
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 5(1)(c) GDPR
Article 12(2) GDPR
Article 12(6) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 24.02.2022
Published: 24.02.2022
Fine: 525,000 EUR
Parties: DPG Media
National Case Number/Name: DPG Media fined for unnecessarily requesting proof of identity
European Case Law Identifier: n/a
Appeal: Pending appeal
Original Language(s): Dutch
Original Source: DPA's Fine Decision Letter (in NL)
Initial Contributor: Giel Ritzen

The Dutch DPA issued a €525,000 fine against a media company for a violation of Article 12(2) GDPR by asking data subjects to upload a copy of their ID to verify their identity in order to exercise their rights of access and erasure.

English Summary

Facts

The controller is DPG Media, a Dutch company that exploits books, magazines, and (news)papers. Between May 2018 and January 2019, the Dutch DPA received several complaints of data subjects. These data subjects did not have an account with DPG Media, and had to provide a copy of their ID, as verification, before they could submit an access request pursuant to Article 15, or an erasure request pursuant to Article 17 GDPR (contrary to users that did have an account). According to the DPG Media, it should request a copy of the data subject’s ID pursuant to Article 12(6) GDPR, as there were no other options to verify the data subject’s identity properly.

The DPA then started an investigation into how DPG Media dealt with access- and erasure requests of data subjects that did not have an account with DPG Media.

Holding

The DPA noted that, although the controller must verify the data subject’s identity, it possibly violates Article 12(2) GDPR if it hinders the data subject from exercising their rights. Moreover, as follows from the principle of data minimisation, the identity verification must suffice the requirements of proportionality and subsidiarity. Hence, the controller must, in principle try to verify a data subject’s identity based on the information it already has on this data subject. The DPA further noted that, considering the very sensitive information an ID contains, one can only request a copy if there is a legal basis to do so.

The DPA found that, considering the sensitive information on an ID, and that it is possible to verify the data subject’s identity based on other information (like subscription details, name, and email), it is disproportionate to request, in all cases, a data subject’s ID for verification. Hence, the DPA concluded that DPG Media violated Article 12(2) GDPR for not facilitating the data subject’s rights sufficiently. The DPA imposed a fine of € 525,000 and considered that this was appropriate, due to the sensitivity of the personal data, the systemic nature of the infringement, and the fact that DPG Media did not change the privacy policy on their website until 18 October 2021.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                          AuthorityPersonal Data
                                                          PO Box93374,2509AJ The Hague
                                                          Bezuidenhoutseweg30,2594AV The Hague

                                                          T0708888500-F0708888501
                                                          authority data.nl

Confidential/Registered
DPGMediaMagazinesB.V.
Attn.the board
PO Box1900
2130JHHoofddorp








Date Unidentified
14 January 2022 [CONFIDENTIAL]


                          Contact
                          [CONFIDENTIAL]




Subject
Decisiontoimposeafine



Dear Sir / Madam,

The Data Protection Authority (AP) has decided to join DPGMediaMagazinesB.V.(DPG)a
to impose an administrative fine of €525,000.TheAPisconcludedthatDPGwithitspolicy
and has hindered the active dissemination of the right to see a data erasure of data subjects.

DPG has raised unnecessary barriers to being able to use these rights
DPG infringed article 12, second paragraph, of the General Data Protection Regulation
(GDPR).

The AP explains the decision in more detail. Chapter 1 concerns an introduction chapter 2 contains the facts.

TheAPassessesinchapter3oferreferencetoprocessingofpersonaldata,the
controller of the violation. Chapter 4 discusses the (height of) administrative
fine elaborated and chapter 5 contains the operative part and the remedies clause.










                                                                                          1,Date Unidentified
14 January 2022 [CONFIDENTIAL]





1 Introduction


1.1Involved organization

This decision relates to DPGMediaMagazinesB.V. (DPG), located at 65 Capellalaan
main village. DPG is a media house that publishes and exploits magazines, magazines and books. on April 20
                                                                                             2
2020, the statutory name of SanomaMediaNetherlandsB.V.has changed to DPGMediaMagazinesB.V.
DPG's activities have remained unchanged.


In the period from May 2018 to January 2019, the AP received complaints about the conduct of
DPG with requests for information and requests for the erasure of data of data subjects (hereinafter:
‘complainants’).According totheplaintiffs,DPGasaskedforacopyofanidentitycardofthe complainantstarverification
of their identity, as a condition for (further) processing their request for information or deletion.


The AP then investigated DPG's policy on querying and processing
ofacopyoftheidentitycardwithsubmittedrequestswithinspectingordeletionof
personal data. The AP focused the investigation exclusively on the policy and conduct of DPG with

regarding access and erasure requests that are outside the secure login environment of an account with
DPG were submitted. This concerns requests that data subjects receive by letter, e-mail or via a
web form.DPG's policy and behavior with regard to requests that
were submitted within an account's digital login environment, were beyond the scope of the

research.

1.2Process flow


During the investigation, the AP requested information from DPG and the bearing. The AP also has DPG
requested to respond separately to the relevant complaints. DPG complied with these requests.


By letter dated 7 October 2021, the AP has sent no intention to enforcement and it has been sent to DP
basisreportwithfindings.DPG has a written statement on 16 November 2021
Finally, at the request of the AP, DPG provided additional information on December 16, 2021
provided.







1
2 Chamber of Commerce number: 33133064.
 Where necessary, we will still speak of SanomaMediaNetherlandsB.V.
                                                                                           2/19,Date Unidentified
14 January 2022 [CONFIDENTIAL]





2.Facts


2.1 Customer data


DPGpublishedmagazinesthatcustomerscouldsubscribe to.DPGsentto
reason for thissubscriptions, magazines to its customers

did she have the name, address and place of residence of her ab3nnees
DPG about financial data (bank details) of its subscribers. Of persons who had themselves
subscribed to a newsletter or who had applied for a School Bank account, DPG available

about at least some of this information, such as a name and email address.

In the issues of the bearings, it appears that DPG approached the bearings in different ways:

    - Some of the complainants had/had a subscription to DPG;
    - One complainant also had/had an account at Schoolbank.nlen;
    - One complainant stated not to have been a subscriber, but only to advertise (for, among others, Dragonfly)

        received at her home address, presumably after leaving contact details with a
        DPG website or magazine.


2.2 Digital customer database

DPG supplies its products to its customers in particular by sending (among other things) magazines.

In this context, DPG uses the aforementioned data to ship these products by post or by
e-mail. The same was true for the advertising works that DPG sent.

                                                                                     5
DPG has stated to the AP that it stores data in a digital customer database. This also turns out
from the fact that an online profile of the person concerned could be created using this data. See
aboveprint from the DPG website. 6












3
 Research reportAP of September 29, 2021, p.5.
4Hetonlineplatformwww.schoolbank.nlwastootmet2020ineigendomvanDPG.
5AP research report of September 29, 2021, p. 4 and 6.
6AP research report of September 29, 2021, p.5.
                                                                                               3/19,Date Unidentified
14 January 2022 [CONFIDENTIAL]




2.3 Privacy PolicyDPG


The privacy policy stated that the privacy policy applied to data processing
by, among others,SanomaMediaNetherlandsB.V.(now: DPG)andthatSanomaMediaNetherlandsB.V.

controller was for the processing of personal data for her Dutch
brands (including the Belgian activities of VTWonen fell). 7


2.4 Access and Removal Request Policy

2.4.1.DPG's general working method during the research period

Data subjects can request DPG to see an erasure as referred to in article 15 and 17 of the GDPR
data subjects can submit these requests in two ways:


    1) The most common way was by making such a request within the digital
        login environment of a DPG account of the data subject. As stated in paragraph 1.1 of this
        this decision fell outside the scope of the investigation, since in this way of

        submit no copy of an ID was requested.


    2) Another way, in which this decision does look, was to submit a request without seeing
        deletion of data outside the login environment of the account. This could be done via
        an online form on the DPG website (then www.sanoma.nl), by e-mail or by letter. 8


DPGinprocessingrequestsusedtonotseeanddelete
personal datasubmittedoutsidetheloginenvironmentofanaccountthefollowingstandard

method.

Upon receipt of a request for information or deletion of personal data, DPG asked the data subject

always a copy of an identity document. If the data subject had a request via the online form
submitted, was then automatically asked for a copy of an identity document
If the request was submitted by e-mail, DP did not send an e-mail with the

requesttoprovideacopyoftheidentitydocument.DPGindicatedthatarequestonlyin
treatment was taken after a copy of an ID was provided. 9







7
 Research reportAP of September 29, 2021, p.6-7.
8Research reportAP of September 29, 2021, p.7.
9 Ditto.
                                                                                              4/19,Date Unidentified
14 January 2022 [CONFIDENTIAL]





When asked, DPG described this standard way of working towards the AP as follows. "When

ask someone via our online contact form to see and/or delete the data that we of
personhaveprocessed,thentherequestforaappearsinthecontactformautomatically
Send a copy of identification with the request.

Awaiting the copy of the identity document, the request remains open. As soon as we receive a
have a copy of the identity document received and the data of the applicant correspond with the

details of the customer registered with us, then we will carry out the request for deletion. Requester
then also receives confirmation of the processing of the request submitted by him.”


DPGalsoadmittedtoitsprivacystatementthatwhenevertheywerealwaysaskedforacopyof
a (valid) identity document to identify the applicant. DPGlistedinitsprivacy
                                                                                                     11
statement and on the website section that contained Q&As about–among others–privacy:









In the communication DPG had with the bearings after receipt of the digital requests and no
deletion was also not indicated as a possibility by DPG. This in 12
unlike requests, deeper post were made, where DPG stated in its privacy statement

that a shielded copy (including the citizen service number and photo become unrecognizable
made) is sufficient. 13


DPG has stated that on the basis of article 12, sixth paragraph, of the AVG it felt entitled to
to establish the identity of the persons involved by means of a copy of an identity document, before DPG

proceeded to give insight into or erase the data of the present with her
person concerned. 14


Only when it was established on the basis of a copy of an identity document that the person concerned was the one it was

submitted a request, this request was executed. So DPG suggested–in the event that a
request was submitted outside the login environment – the identity of the person concerned only on
basis of a copy of the identity document to be provided.





10Research reportAP of September 29, 2021, p..8
1 Ditto.
1Research reportAP of September 29, 2021, appendix 1 always under AandE.
1AP research report of September 29, 2021, appendix 4 'Website Sanoma'.
14Research reportAP of September 29, 2021, p.8.

                                                                                                      5/19,Date Unidentified

14 January 2022 [CONFIDENTIAL]





DPG did not have other ways of establishing the identity, she stated. In all cases, after
receipt of the request requested a copy of the identity document. According to DPG, this was necessary

to prevent access to a person who does not know about this information when viewing requests
data should be available. 15


When asked, DPG gave about 11,000 customer questions in the period from January 1, 2019 to June 1, 2019
received customer requests related to the subject privacy, and that the majority of these

requests were deletion. According to DPG, about 9,400 of these were requests within the secure
login environment of an account (in which case no copy of the identity document was required

are provided) and was only a small number of requests for erasure outside the login environment
submitted, i.e. about 60 requests. 16


2.4.2DPG's general working method after the statutory name change as of April 20, 2020
In its investigation, the AP has concluded that the method of asking a

copy of proof of identity with a request for access or deletion of personal data - submitted
outside the login environment of an account since the statutory name change on April 20, 2020
           17
continued. On June 18, 2021, the AP also determined that in DPG's privacy and cookie policy
it is indicated that DPGO will ask for a valid ID from the person who wants his rights
            18
exercise.


As a result of the DPG's view, the AP has determined that as of December 17, 2020, DPG has not
longer ask for a copy of an ID on a request to see or to delete
personal data outside the login environment of an account. DPG then sends a verification email to

to establish the identity of an applicant. DPGhasitsprivacystatementin accordance
this new method adapted and published on October 18, 2021. 20


2.4.3 Complaints

The APreceivesfivecomplaintsaboutthe way in which DPG fulfilled its requests and lack of access to information
of personal data. These five complainants only had a request to see or delete

personal data done at DPG by means of the online contact form or by e-mail
requested DPGo to see personal details and four complainants requested the erasure of their
personal data. 21



1Research reportAP of September 29, 2021, p.8.
16AP research report of September 29, 2021, p.9.
1 Ditto.
18
19AP research report of September 29, 2021, p. 9 and appendix 7.
  Letter dated December 16, 2021 from DPG to the AP, response to information request AP dated November 25, 2021.
20OpinionDPGof16November2021,p.11;Letter of16December2021fromDPG to the AP,response to information requestAP
from November 25, 2021; https://privacy.dpgmedia.nl/document/privacystatement.
2Research reportAP of September 29, 2021, p.9.

                                                                                                       6/19,Date Unidentified
14 January 2022 [CONFIDENTIAL]





In all cases DPG–immediately after submissionoftherequestforprosecutors–prosecutors

requested to provide a copy of an identity document as a condition for (further) in
handling the submitted requests. 22


Four complainants did not comply with the request of DPG to provide an identity document. DPG
subsequently did not consider these erasure requests

DPG indicated that they were not prepared to provide a copy of their ID because they
found this to be a 'heavy duty'. One complainant sent a copy of an identity document to DPG.
However, this complainant did not receive any insight from DPG after sending a copy of the identity document.

DPG confirmed that the copy of the ID was by mistake not linked to the account of the
The complainant again asked for a copy of ID. After this, the complainant lodged a complaint with the AP. 24


2.4.4DPG's working method with regard to complaints during the investigation period

At least four of the complaints submitted showed that DPG, in the cases where a copy of the
proof of identity was provided, did not respond to the requests submitted and for the erasure of
personal data. DPG subsequently did not (further) process the requests. This method

also finds support in the statement of DPG at the time of the investigation:


“At the moment that you request through our online contact form to see and/or remove the
data that we have processed about that person, then the will automatically appear in the contact form
request to send a copy of identification evidence with the request.(…)

If a request for access and/or deletion is sent without a copy of ID, the
customer serviceinthereactiontotheapplicantanymore.(…)

Awaiting the copy of the identity document, the request remains open. As soon as we receive a
have a copy of the identity document received and the data of the applicant correspond with the

details of the customer registered with us, then we will carry out the request for deletion. Requester
then also receives confirmation of the processing of the request submitted by him.(…)” 26













22See also paragraphs 2.4.1 and 2.4.2.
2Research reportAP of September 29, 2021, p.10.
24Research reportAPof29September2021,p.10.
25Idem.
26Idem.

                                                                                                    7/19,Date Unidentified
14 January 2022 [CONFIDENTIAL]





3.Rating

3.1Personal data andthe controller


DPG processed among other things her name, address, residences/or e-mail address
customers/subscribers for one of the Dutch brands of DPG, or of persons who have an account
hadonSchoolbank.nl.Withthisdata,DPGcouldidentifynaturalpersons.DPGprocessed
thus personal data within the meaning of article 4, part 1, of the AVG.


The AP has further established that the privacy policy stated that SanomaMediaNetherlandsB.V.
the controller was responsible for the processing of the data for the Dutch
notice that the privacy policy applied to all DPG products and services
privacy policy was also included how a data subject could get a view into his data and how a

data subject could have his data removed.

Furthermore, statements from DPG show that they also actually acted as the target of the means
certain for the processing of personal data in relation to requests submitted or to see
erasure of personal data. These statements show that DPG independently determined which

data had to be provided by requesters of i27age erasure requests (resource) and
why that data had to be provided (purpose).

In view of the foregoing, the AP establishes that DPG is the controller within the meaning of article
4, part 7, of the GDPR for the processing of data relating to the submitted
request for information about erasure of personal data.


3.2 Facilitating rights of data subjects

3.2.1Legal framework

Pursuant to Article 12, second paragraph, of the GDPR, the controller must exercise
to facilitate the data subject's rights under articles 15 to 22 of the GDPR.
upright access to personal data (article 15 of the AVG) and the right to erasure of
personal data (article 17 of the AVG) are included below.


Recital 59 of the GDPR further clarifies the standard in Article 12 of the GDPR:
Arrangements should be made available to enable the data subject to exercise his/her rights under this Regulation
easier to exercise, such as requesting and renaming mechanisms to see and rectify or erase
personal data and, if applicable, to obtain it free of charge, as well as to exercise the right to object.[…]



2Research reportAP of September 29, 2021, appendix 1 always under E.
                                                                                        8/19,Date Unidentified

14 January 2022 [CONFIDENTIAL]




Recital 63 of the GDPR mentions, among other things:
A data subject must have the right to inspect the data collected about him, and because that right
simple and at reasonable intervals so that he can become aware of the processing and

can verify its legitimacy.[…]

Pursuant to the above, the controller must have an arrangement in place to

enable data subjects to easily and easily exercise their rights.A
the controller may not thereby create unnecessary barriers for data subjects in order to
to exercise the aforementioned rights. When a controller has a policy that the

hinder the exercise of the aforementioned rights and actively promote this policy, there may be
violation of article 12, second paragraph, of the AVG. 28


Verifying the identity of a natural person who makes a request for access or deletion is
an indispensable paragraph of a regulation within the meaning of article 12, second paragraph, of the AVG
after all, the controller is required to ensure adequate security for the
                                                                                               29
data processed by it, including against unauthorized or unlawful processing.

In addition, when verifying a requester's identity, the controller must
observe the principle of data minimization as referred to in article 5, first paragraph at c, of the GDPR.

It follows that when verifying the identity of the requester in the context of the exercise
of his/her rights, adequate the data requested by a controller
should be relevant and limited to what is necessary for the purposes for which they are

incorporated.The principles of proportionality and subsidiarity should be taken into consideration here.
The data requested to verify the identity of the requester must be in proportion
until it serves its purpose (proportionality) with its processing. And this purpose cannot be any less

disadvantageous, less radical and way are realized (subsidiarity).

It is disproportionate to require a copy of an identity card as the identity of the person concerned

can be verified in another way. In addition, the processing of copies of
proofs of identity are a major risk to the security of personal data. In addition, the
controller do not be sure that the copy is authentic and the owner of the

identity card is actually the applicant, for example by (unauthorised) access to
identity cards by roommates and forged copies of identity cards.


All of the foregoing implies that a controller's policy regarding
until the exercise of data subject rights and must be set up in such a way that a data subject is at least
must identify in a radical manner. And that this policy is geared to (among other things) the risk to the


2See also ECLI:NL:RBGEL:2020:3159, considerations 9.7 and 9.8.
2See article32 of the AVG.
                                                                                              9/19,Date Unidentified
14 January 2022 [CONFIDENTIAL]




rightsandfreedomsofpersons,particularly in view of the nature and amount of data that can be viewed or

deletion is requested in the context within which the request is made. In many cases this will be
mean that as much as possible is primarily based on data that a
controller already processed, the identity of the requester can be established.


Should a controller, despite the initial request, request a data subject
provideddataifstillhavereasonstodoubttheidentityofthenatural
person submitting the request, thanks to the controller under article 12, sixth

member,oftheGDPR,asktheperson concernedforadditionalinformation.Article12,sixth,oftheGDPRsees
therefore mainly in individual cases, where in the concrete case there are reasons to doubt the
identity. In that case, article 12, sixth paragraph, of the GDPR does not allow a controller to
request additional information necessary to establish the applicant's identity, provided he can

demonstrate that he cannot verify the identity of the data subject without additional data. But
here too, the controller may only request (additional) information that
necessary.The above principles of proportionality also apply here

subsidiarity.

3.2.2.Assessment
The AP established in chapter 2 that DPG always has a copy outside the account login environment
                               30
of an ID requested. DPG made this request regardless of any (contact) information at DPG
was available about the person concerned without taking into account the earth and quantity
personal data of which information or erasure was requested. DPG's working method was also

arranged that if a copy of the identity document was not provided by the person concerned, the request
to see whether erasure was not (further) taken into consideration for this reason.
provided a copy of the ID, which resulted in DPG being needlessly sensitive
data was in the process of processing (such as the Citizen Service Number).


In view of the above legal framework, arrangements must be made for the exercise of
rights of data subjects are set up in such a way that a data subject must act in the less intrusive way

can identify. In the opinion of the AP, this means that DP is not involved as much as possible
primarilyusingdatathatDPGmustidentifyalreadyprocessed.An example
this can be a subscriber/customer number in combination with a name and address and/or e-mail address of
a requester.


Now a copy of an identity document was required by DPG of data subjects and by default without first after
against whether DPG (already) had other (identifying) (contact) information and without account
taking into account the nature and amount of data, the AP is of the opinion that data subjects do not

easy and simple way to claim their rights under the GDPR. With other

3For example, via an automatic request that appeared in the contact form or a follow-up e-mail.

                                                                                          10/19,Date Unidentified
14 January 2022 [CONFIDENTIAL]





words, DPG did not ask for a copy of the ID based on a concrete assessment
per individual case as referred to in article 12, sixth paragraph, of the AVG. But DPG asked in advance about
copy of the identity document, because this was the policy in force. This policy of DPG and actively promote it
of it on the website and through DPG customer service, among other things, also ensured that a

unnecessary threshold was raised around the submission of requests and no access to and deletion of
personal data.


DPG's policy has also acted as a barrier in practice – with regard to complainants – at the
requestnoseedeletion. It appears from the complaints submitted that this method of DPG
provoked resistance, which resulted in the bearings (in some cases) not being prepared for a

to provide a copy of their identity card. The refusal to provide a copy of the identity card
providing had the consequence that DPG did not (further) accept the requests of a number of complainants for these reasons
treatment took. The policy and implementation of DPG also threw the view of the lower bearings
effectively an obstacle to the exercise of the right to access or erasure.


The AP would particularly like to note that the condition used by DPG until the submission of a
copy of an identity document in a request from a data subject was disproportionate to the earths

amount of data on which interest was requested. In addition, organizations may
only process the Citizen Service Number if this is determined by a specific law. When requesting
a copy of the identity document is more important, because it is recommended by the central government to

be careful with providing (protected) copies of the identity document. This
documentcontainssensitivedata.Thecombinationofdatalistedon
moreover, the proof of identity makes identity fraud possible.The AP also points out to its website that it
providing a copy of an identity document entails a risk. 32


3.3OpinionDPGenresponseAP


DPG has put forward a point of view on the research findings of the AP. The AP puts the
DPG's view, briefly summarized below, with a response from the AP.


3.3.1Necessary copy of ID
DPG argues in its view that the identity of a small group of people involved cannot be
determined by personal security data, as the information they provide
not verified/linked to information in DPG's systems (because they are not logged in). One

the requester who submits a request for access or erasure outside the secure environment must therefore
provide additional information. In this way, DPG can check and show that this person is a
appeal belongs to access or deletion of the personal data (i.e. qualifies as a


3See section 2.4.3.
3https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/identification/identity proof.

                                                                                           11/19,Date Unidentified

14 January 2022 [CONFIDENTIAL]




data subject) and DP has no legal basis for any data that they process on
delete or provide this requester to this requester (i.e. determine whether the requester

involved is whothey say they are).

As long as DPG cannot establish the identity of the requester, DPG believes that the AVG is not of
           33
application. For the handling of the AVG request, it is sufficient that DPG indicates that it is not able to
determine the identity of the applicant and ask for additional information
compliance with article 12, second paragraph, second sentence, of the AVG.


DPG furthermore deems it necessary to request a copy of proof of identification
wayeffectivelylimitstheriskthatDPDoesnotprovideacopyofthedataor

removes personal data from the 'wrong' data subject, which would entail a violation of
article 6 of the GDPR. The use of a copy of ID is the least intrusive way to
to establish identity properly and is moreover attuned to the real risk for the rights and
                       34
freedoms of persons. Without a copy of proof of identity, the identity of an applicant cannot be identified according to
DPG cannot be (properly) established and DPG may be determined by virtue of article 5 and 6 of the
AVG refuse to follow up on such requests as desired by the requester.


The AP does not follow DPG's view. The AP emphasizes that in this decision it has assessed
how DPG has facilitated or determined the rights of data subjects and in the end

whether or not they were identifiable. The case law cited by DPG in which judgment was made
about the identification of an individual within the framework of article 15 of the AVG and 35 of the Protection Act
personal data (Wbp) is therefore not considered relevant by the AP in this case. Dateacopyofa

proof of identitymaybenecessaryinanindividualcasebetweenacitizengovernment,makes
not yet that asking about this in advance is necessary in all cases.


Furthermore, the AP disagrees with DPG's statement that it is necessary in all cases to have a copy
to obtain the identity card from the requester
what data she already possesses about the requester

identification is possible, thanks to a controller, requests and shielded
to show proof of identity.DPG has also stated itself during the investigation that in some
casesacustomercanalreadyidentifybynameandaddress,sometimesadditionaldataareas
                                           35
subscriber number or email address necessary. In addition, DPG currently uses the custom
method by which a verification email is sent to verify the identity of a requester
to determine.Processing copies of identity cards containing sensitive data such as

the citizen service number, photo, length and nationality in this case conflict with the principle of


3DPG refers to ECLI:NL:RBOVE:2021:1296,r.o.8.
3DPG refers to ECLI:NL:RVS:2020:2833,r.o.5.2.
3Research reportAP of September 29, 2021, appendix 1 always under E.
                                                                                              12/19,Date Unidentified
14 January 2022 [CONFIDENTIAL]





data minimization and lawfulness (article 5, paragraph 1 at sub and article 6 of the AVG).Dat DPGat
in advancerequires a copy of the – moreover, unscreened-identity – at all

processing a request does not facilitate the exercise of the rights of
involved.


3.3.2 Facilitate the concept
DPG indicates that the AP states in its research report that article 12, second paragraph, of the AVG means

that the controller should facilitate the exercise of data subjects' rights
However, DPG is of the opinion that the AP has not been proved right in this explanation and by the AP

cited judgment of a preliminary relief judge. According to DPG, 'facilitating' entails a
controller does not (unnecessarily) hinder the exercise of these rights 'possibly'
have to make'. DPG further states that the Belgian regulator of the AVG in its Dutch-speaking

sample letter for AVG requests by default included that the person concerned has a copy of the
can enclose an identity card. Finally, DPG accuses the AP that they are rather (explicitly) distant

has expressed a position in a letter from a 2003 case from her right predecessor the College
protection data (CBP). 37


The AP is not going with DPG's view. First, in its research report, the AP has the
relevant judgment of the Court of Gelderland cited as an example in another statement.

Namely, in the event that a controller has a policy that the exercise of said
hinder rights and also actively promote this policy, there is a violation of article 12, second paragraph,
from the AVG. Secondly, the relevant injunction judge also has the discussion or 'facilitation'

it includes 'easier' in which case is not considered relevant, because in any case impediment cannot
are regarded as facilitating the right of access. So the AP is based on article 12,
second paragraph,oftheGDPR,recital59and63oftheGDPR, of the opinion that 'facilitation' should be understood as such

be that the controller must have an arrangement to enable the data subjects
make their rights unimpeded, easy and simple to exercise.


Furthermore, the AP is of the opinion that the quotes from a CBP letter from 2003, cited by DPG, are one-sided
calling up images of the contents of that letter. In this letter, the CBP refers to a request for mediation between

two parties. The DPA has considered that in establishing the identity, the nature of the data


36DPG refers to ECLI:NL:RBGEL:2020:3159,r.o.9.8.
3DPG quoted the following from this letter: “In the opinion of the CBP, the importance of properly establishing the
the applicant's identity not to be set aside too quickly in favor of a faster or easier treatment of a
request for access.[…]In certain cases (such as in this case) the person concerned does not want to send a copy of the identity document because there
personal data. If the data subject does not want to send a copy of an identity document, there is always the possibility that
the person concerned or his authorized representative shows the identity document on site to the responsible person and obtains insight in this way.
[…]It is also conceivable that [the controller] will be satisfied with a copy of a passport on which, for example
the social security number has been made illegible.”
38ECLI:NL:RBGEL:2020:3159,r.o.9.7.
39
  ECLI:NL:RBGEL:2020:3159,r.o.9.8.
                                                                                                  13/19,Date Unidentified
14 January 2022 [CONFIDENTIAL]





and of the processing are important. The CPB has also stated that upon a written request for inspection by
alawyeracopyofthelawyer'sidentityinprincipleisnotnecessaryinthe scope ofarticle
37, second paragraph, of the Personal Data Protection Act. For the person concerned or his authorized representative there is also a possibility to
show proof of identity on the spot to the person in charge, according to the CPB. Finally, in view of the

long time that has passed since 2003, located on the road of DPG for the coming into force of the
AVGper May 24, 2016 and come into force of May 25, 2018 (again) of the applicable law
and to ascertain and act in accordance with regulations; all the way now

going on digitized society (fifteen years later) unfortunately brought with it that it
providing data is not without risk. The AP already provides on its website for quite some time
comprehensive information about the rules for identification. A Belgian model letter, of which one

shield the copy if an option is given next to, for example, an assigned customer number, does that
not after.


3.3.3How to identify
DPG does not agree with the statement of the AP included in the investigation report that DPG is outside a
copy of the identity document had no other way of establishing the identity. Those involved
could, according to DPG, choose to submit a request through his/her account

according to DPG's procedure, if the applicant refused to provide a copy of the identity document,
the privacy officer was consulted and a copy of ID was not found necessary when
verification of identity could be done in another way.DPG finally states that it is through its

formerprivacystatementactivepromotedthepolicytousea
shielded copy ID.

The AP also does not follow this view of DPG. If data subjects do not use the contact form or by email

want to provide a copy of their ID, then they should not be coerced
to create an account on the DPG website. Also this is an (unnecessary) hindrance for
data subjects to be able to exercise their rights under the GDPR

consultation took place with the privacy officer, as DPG states but does not substantiate with evidence, the AP deems
not relevant to the assessment of the policy propagated by DPG to the parties involved in advance
incidentally, this statement is inconsistent with what DPG stated during the investigation

about hair policy.

Finally, the AP cannot follow DPG in the assertion that it has actively propagated the policy to use
making a shielded copy of identification. DPG has stated in its privacy statement that

a shielded copy is only sufficient for requests by post. Via the contact form, the e-mail and in
the case that a person concerned refuses to provide a copy of ID card has DPG not on
pointed out that it is a shielded copy. This also follows from the communication submitted between

DPG complainants.

4https://www.autoriteitpersoonsgegevens.nl/nl/onderwerpen/identification/identity proof.

                                                                                           14/19,Date Unidentified
14 January 2022 [CONFIDENTIAL]




3.3.4Article 12, sixth paragraph, of the GDPR
DPG finds the statement of the APdate included in the investigation report
controllertheidentityoftheapplicant(until knowledgeof erasure)“without reasonable doubt”
wants to determine to prevent a data leak or abuse of rights, an incomplete, incorrect

interpretation of the AVG. The 'doubtful' test of article 12, sixth paragraph, of the AVG comes according to DPG
not addressed if the controller at all cannot identify the requester
determine.


The AP does not follow DPG's argument. If the controller is not able to identify the identity
of a data subject, then he informs the data subject. When the data subject
after that no additional data is provided that makes it possible to identify him, then his article
15to20oftheAVGinthatcasenotapplicable. Although there is another reason also the

AP concluded that article 12, sixth paragraph, of the GDPR in the present assessment of the violation
irrelevant.

3.3.5 Complaints
DPG believes that the AP has wrongly included five complaints in its investigations assessment.

The complaints do not relate or are insufficiently related to the findings of the AP on the basis of which
violation finds that DPG is in violation of article 12, second paragraph, of the AVG. DPG requests the
Therefore, do not include these complaints in an enforcement decision.


The AP will not grant this request. The communication between the bearings and DPG represents a representation of
the way in which DPG has implemented its policy regarding the rights of data subjects
turns out that Sanoma, or parts that fell under Sanoma, the time to start treatment of a
request a copy of the ID require that the complainants have this as a hindrance

to experience.

3.4Conclusion

The AP concludes that DPG is insufficiently exercising its rights at the time of the infringement

of those involved has facilitated. As a result, DPG has acted contrary to article 12, second paragraph, of
the AVG.










                                                                                       15/19,Date Unidentified
14 January 2022 [CONFIDENTIAL]





4.Penance

4.1 Introduction


DPG has acted contrary to article 12, second paragraph, of the AVG. The AP makes for the established
violationuseofitsauthoritytonotfind DP.Consideringtheseriousnessofthe
violation and the extent to which it can be blamed on DPG, the AP considers the imposition of a fine
appropriate. The AP motivates this in the following.


4.2 Fine policy rules of the Dutch Data Protection Authority 2019

Pursuant to article 58, second paragraph, opening words and article 83, fifth paragraph, of the GDPR, read in
in connection with article 14, third paragraph, of the UAVG, the AP is authorized to DPG in the event of a violation

of Article 12 of the GDPR Not to impose an administrative fine up to € 20,000,000 or, for a company,
up to 4% of total worldwide annual sales in the previous financial year, if this figure is higher.

The AP has established Penalty Policy Rules regarding the fulfillment of the above-mentioned authority to the
                                                                        41
imposing an administrative fine, including determining the amount thereof. In the
Penalty policy rules has been chosen for a category classifications bandwidth system.
Violationofarticle12(2)oftheAVGisingpartincategoryIII.CategoryIIIhasa
fine bandwidth between €300,000 and €750,000 and a basic fine of €525,000.


4.3 Fine amount

4.3.1Seriousnessoftheviolation
Under the principle of transparency, the controller must exercise the

facilitate data subject rights. For data protection it is essential that data subjects
an easy way to exercise their rights under the GDPR
able to learn in a simple way which personal data a
controllerprocessed. A proper fulfillment of the right to be inspected is further necessary

to exercise other rights, such as the right to rectification and the right to erasure.

DPG argues in its view that a balancing of the interests in this case should at most lead to a
reprimand. If it concerns a minor breach, thank the AP instead of a gel, choose a fine

reprimand. In view of the present violation, a judge, in the opinion of the AP, spoke of a
serious infringement, in which DPG has insufficiently facilitated the rights of the data subjects. The AP considers it



4Stcrt.2019,14586,March 14,2019.
                                                                                      16/19,Date Unidentified
14 January 2022 [CONFIDENTIAL]




to impose a reprimand therefore insufficiently effective, neither proportionate nor deterrent.
The AP motivates this as follows.


Regarding the nature of the infringement, the AP weighs heavily regardless of what (contact) information
when DPG was available about the data subject, DPG did not process the requests as the
The person concerned did not provide a copy of the identity document
provide a lot of data, but also very sensitive data such as a photo and the

Citizen Service Number. Data subjects should not be urged to provide personal data
that are not necessary for the exercise of their rights under the GDPR.

Also the systematic – and therefore not incidental – nature of the violation in which DPG lasts for a long time

has systematically (actively) propagated its policy, the AP takes into account in determining the seriousness of the
violation.Although as of December 17, 2020, DPG no longer asks for a copy of an ID,
DPG did not adjust its privacy policy on the website until October 18, 2021.
size of the number of affected persons, the AP takes into account that the number of persons involved

was limited in relative sense, but substantial in absolute sense
months it turned out that it concerned 60 people involved.
may2018totinooctober2021istheAPconsideredthatitmustbeseveral hundredthose involved
These stakeholders, as well as other individuals affected by this policy and through various

DPG's means of communication waived their rights, so were unnecessarily impeded in the
exercising their rights under the GDPR. DPG's policy has resulted in data subjects who
did not provide their copy of their identity card, did not have access to their
personal data or have not been able to have their data deleted.


Based on the above, the AP considers that there is a serious violation, on the basis of
of which a basic fine of €525,000 is suitable. In this case, the AP sees no reason to apply the basic fine
to increase or decrease.


4.3.2 Blame and Proportionality
Pursuant to article 5:46, second paragraph, of the Awb, the AP reserves the right to impose an administrative fine
take into account the extent to which this can be blamed on the offender.


DPG states that the violation cannot be blamed on it, because DPG with its actions
GDPR compliance. This argument cannot succeed. From absence of culpability is
no question. Since this concerns a violation, the AP is allowed to impose an administrative fine

in accordance with established case law, presume culpability if the offender status is established. DPG has
actively pursued a policy that conflicted with the AVG. DPG failed to adapt that policy to the
guarantees that the AVG gives, among other things, the right to see and to erase data. The AP considers this
culpable.


                                                                                      17/19,Date Unidentified
14 January 2022 [CONFIDENTIAL]




DPG further argues in its view that it would conflict with the lexcerta principle if the AP

would impose a punitive sanction on the basis of open standards. The AP does not follow DPG's view.
hinder the exercise of the rights referred to in articles 15 to 22 of the GDPR can
no case shall be considered for the facilitation of those rights. The legal text of the AVG, recital 59

and63oftheAVGgivedetailedinformationabouttherulesforidentificationontheAPwebsite
sufficient clarity.A professional market party such as DPG may be expected to
in order to make sure of the norms that apply to her, especially that silk is alive.


Finally, pursuant to Articles 3:4 and 5:46 of the Awb, the AP assesses the application of its policy for
determining the amount of the fine in view of the circumstances of the specific case, not until
disproportionate outcome.

                                                       42
The AP is of the opinion that (the amount of) the fine is proportional. In this judgment, the AP has among other things
the seriousness of the infringement and the extent to which it can be blamed on DPG.
nature of the data, the duration of the violation and the consequences of DPG's policy for
the parties involved, the AP qualifies this infringement of the AVG as serious. Considering the financial size of DPG

the AP finds the amount of the fines appropriate and deterrent.

In view of the foregoing, the AP sees no reason to set the amount of the fine on the basis of the proportionality
endendFinancepolicy rulesmentionedcircumstances,ifapplicableinthesubject

case, either increase or decrease.

4.4 Conclusion


The AP sets the total fine at €525,000.


















4For the justification, see paragraphs 4.3.1 and 4.3.2.

                                                                                       18/19,Date Unidentified
14 January 2022 [CONFIDENTIAL]





5.Dictum

TheAP explains to DPGMediaMagazinesB.V.forviolatingarticle12,second paragraph,oftheGDPRNo

administrative fines up to the amount of:
€525,000 (say five hundred twenty-five thousand euros).3

Yours faithfully,

AuthorityPersonal Data,

w.g.


ir.M.J.Verdier
Vice President








Remedies Clause
If you do not agree with this decision, you can within six weeks of the date of shipment of the
decide to submit an objection digitally or on paper to the Data Protection Authority
article 38 of the UAVG suspends the submission of an objection to the effect of the decision

imposition of the administrative fine. For submitting a digital objection, see
www.autoriteitpersoonsgegevens.nl,onderhetkopjeBezwaarmakentegeneenbesluit,bottom
page under the heading Contact with the Data Authority. The address for submission on paper
is:Authority Personal Data, PO Box93374,2509AJDenHaag.

Mention 'Awb-objection' on the envelope and put 'objection' in the title of your letter.
Write in your letter of objection at least:
- your name and address;
- the date of your notice of objection;

-enclose the reference (case number) mentioned in this letter; or attach a copy of this decision;
- the reason(s) why you do not agree with this decision;
-your signature.



4The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB).
article 4: 87, first paragraph, Awb to be paid within six weeks. For information and/or instructions about the payment can contact

be recorded with the aforementioned contact person at the AP.
                                                                                        19/19