
AP (The Netherlands) - Boete ICS

From GDPRhub
Revision as of 14:14, 9 March 2025 by Cibitmap
AP - Boete ICS
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 35(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 18.12.2023
Published:
Fine: 150000 EUR
Parties: n/a
National Case Number/Name: Boete ICS
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Dutch DPA (in NL)
Initial Contributor: CBMPN

The Dutch DPA fined ICS (a debit and credit card provider) €150,000 for failing to conduct a mandatory DPIA before processing sensitive customer data within the customer re-identification process, which was implemented in 2019.

English Summary

Facts

International Card Services B.V. (ICS) failed to conduct a Data Protection Impact Assessment (DPIA) before implementing a customer re-identification process (ID&V) in 2019. The process involved the large-scale processing of sensitive personal data, including names, birthdates, addresses, BSN (Dutch citizen service number), and ID document details, for approximately 1.5 million customers in the Netherlands.

ICS is a 100% subsidiary of ABN AMRO. Since 2015, ABN AMRO has been using an application from Mitek Systems B.V. (Mitek app) to determine the identity of its customers.

Holding

The Dutch DPA held that ICS violated Article 35(1) GDPR by failing to conduct a DPIA for its ID&V process. The processing involved sensitive personal data on a large scale, which posed a high risk to individuals' rights and freedoms.

Although ICS had implemented a risk assessment process (CRA), it did not meet the GDPR's requirements for a DPIA, as it primarily focused on fraud prevention and compliance with anti-money laundering laws rather than data protection risks. It lacked a systematic evaluation of data protection risks and failed to involve key stakeholders, such as the Data Protection Officer (DPO). In performing the CRA process, ICS did take into account the risks to the rights and freedoms of data subjects in the processing of personal data, but did not sufficiently recognise that this should have led to the execution of a DPIA.

According to the Dutch DPA Guidelines, processing that is likely to entail a high risk for the rights and freedoms of natural persons is generally the case when two (of the nine) criteria listed in the Guidelines are met. In this case, two criteria listed in the Guidelines apply. These are: 1) sensitive data or data of a very personal nature; and 2) data processed on a large scale. For ID&V, the following data of a data subject are processed: the first and last name, date of birth, place of birth, address details, e-mail address, telephone number, gender, BSN, number of the ID document as well as the photo therein and a (liveness) photo. These personal data are, as follows from the Guidelines, to be regarded together as sensitive data and data of a very personal nature.

The Dutch DPA, upon closer examination of the facts, held the opinion that in this case there were no vulnerable data subjects whose personal data were processed. According to the Dutch DPA guidelines, vulnerable data subjects can be children, but also employees or a part of the population that requires special protection. The point is that there is an unbalanced relationship between data subjects and the controller. In this context, ICS has rightly argued that a credit card is not an essential financial product for the daily life of a data subject. A credit card does not have the function of a bank account and cannot be equated with one. This means that there is no unbalanced relationship between ICS and its customers and therefore ICS customers cannot be regarded as vulnerable data subjects as described in the Guidelines. Furthermore, it is not excluded that other credit card providers use a different method for identifying their customers. As a result, data subjects who are interested in a credit card have the choice to use the services of other providers.

In determining the seriousness of the violation, it was also found relevant that ICS processes personal data of a large number of data subjects, namely 1.5 million customers.

Comment

Credit card clients were not considered vulnerable data subjects because a credit card was not considered an essential financial product for daily life.


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Date: December 18, 2023
Our reference: [CONFIDENTIAL]
Contact person: [CONFIDENTIAL]
Subject: Decision to impose an administrative fine for violating the General Data Protection Regulation
Dear members of the board,
The Dutch Data Protection Authority (AP) has decided to impose an administrative fine of € 150,000 (in words: one hundred and fifty thousand euros) on International Card Services B.V. (ICS) for violating Article 35, first paragraph, of the General Data Protection Regulation (GDPR). This is because ICS failed to carry out a Data Protection Impact Assessment (hereinafter: DPIA).
This decision explains the administrative fine. To this end, the reason and the course of the proceedings, the established facts, the violation and the amount of the fine are discussed in turn. Finally, the operative part follows.
Dutch Data Protection Authority
Postbus 93374, 2509 AJ Den Haag Bezuidenhoutseweg 30, 2594 AV Den Haag T 070 8888 500 - F 088-0712140 autoriteitpersoonsgegevens.nl

1. Reason for the investigation
1. ICS is a company based in Amsterdam and active in offering financial products, in particular issuing so-called debit and credit cards.1
2. The Customer Contact and Control Investigation department of the AP has started an investigation into a possible violation of the GDPR by ICS after signals and complaints from consumers about ICS. These complaints and signals were received by the AP after ICS started re-identifying its customers (online) with the 'identification and verification process' (ID&V) in 2019.
3. The purpose of the investigation was to determine whether ICS complied with the rules laid down in Article 35 GDPR when it failed to carry out a DPIA in preparation for the ID&V process.
2. Findings of the investigation report and course of the proceedings
4. The findings of the investigation are set out in a report.2 This shows that the introduction of ID&V involved the processing of personal data that probably entailed a high risk to the rights and freedoms of natural persons. ICS should therefore have carried out a DPIA prior to the processing. The report concluded that ICS failed to carry out a DPIA. In doing so, it acted in violation of Article 35, paragraph 1, GDPR, according to the report.
5. The report was signed on 23 June 2022 and sent to ICS on 7 July 2022.3 ICS provided its views on the report on 14 September 2022. On 20 October 2022, ICS provided an oral explanation of its point of view.
6. The AP submitted written questions to ICS on 2 December 2022 and 13 February 2023, to which ICS responded on 21 December 2022 and 24 March 2023 respectively.
3. Legal framework
7. For better readability of this decision, the relevant legal framework is included in Appendix 1. The legal framework forms part of this decision.
1 Appendix 21 to the investigation report.
2 Investigation report of 23 June 2022.
3 File document 1.

4. Opinion of ICS
8. ICS provided the following opinion on the report.
9. ICS has set up an extensive risk process, called Change Risk Assessment (CRA process). The CRA process identifies, mitigates and monitors risks. A Privacy Impact Assessment is part of the CRA process and, if necessary, a DPIA is performed.
10. ICS is a 100% subsidiary of ABN AMRO. Since 2015, ABN AMRO has been using an application from Mitek Systems B.V. (Mitek app) to determine the identity of its customers.
ABN AMRO also uses the CRA process to analyse risks and, for the use of the Mitek app, ABN AMRO has conducted an extensive analysis of the use of the Mitek app. ICS used the same technique to re-identify its customers. There was no reason for ICS to conduct a new analysis, because ABN AMRO had already conducted an analysis.
11. ICS also states that it has investigated whether additional measures should be included in the CRA process for ID&V. A Privacy Officer was involved at an early stage and the nature and purpose of ID&V were determined. It was also determined which personal data are processed, who has access to these personal data, which retention periods apply, whether there is any transfer outside the EU and the measures taken for this transfer.
12. Furthermore, ICS states that there was no high risk of misuse of personal data when ID&V was introduced. The personally identifying data used at ID&V are not inherently sensitive and are necessary to meet the legal requirements. When processing the citizen service number, the strictest security level applies, which is partly based on legislation from the financial sector. Furthermore, strict requirements are imposed on encryption, the use of secure connections, the performance of penetration tests and the audit requirements for checking personal data when collaborating with third parties.
13. ICS has acknowledged that the PIA triage of 28 August 2018 wrongly concluded that there was no large-scale processing of personal data. The PIA form has been adjusted since 2020 so that such an error will no longer occur.
14. According to ICS, there is no power imbalance between its customers and ICS. ICS is legally obliged to identify its customers, customers have the option of identifying themselves non-digitally and a credit card is not an essential payment service.

15. The Data Protection Officer (FG) of ICS has been indirectly involved in data protection risks via the Privacy Officer. ICS has not previously communicated this circumstance clearly.
16. The Decision on the list of processing operations of personal data for which a DPIA is mandatory provides a number of criteria and according to ICS, only one criterion, namely large-scale processing, is involved in this case. In order to be able to conclude that a processing operation is likely to pose a high risk to the data subjects, two elements mentioned in the Decision must be present. Since this was not the case, ICS was also not obliged to carry out a DPIA. In addition, the aforementioned decision was published after the start of the implementation of ID&V.
5. Assessment
5.1 Controller and authority of AP
17. It is established and not disputed that ICS is the controller (Article 4, opening words and under 7, GDPR) and that the AP is the competent supervisory authority (Article 56, first paragraph, GDPR).
5.2 Obligation to carry out DPIA
18. In summary, the GDPR states that a DPIA must be carried out prior to processing when that processing is likely to result in a high risk to the rights and freedoms of natural persons (Article 35, first paragraph, GDPR).
19. The Guidelines WP 248 rev. 01 (hereinafter: the Guidelines)4 describe the criteria that apply when determining whether a DPIA must be carried out. The AP has taken into account the provisions in the GDPR (Article 35) and the aforementioned Guidelines and has adopted the Decision5 on the list of processing operations of personal data (the Decision). This decision stipulates, among other things, that a DPIA is mandatory for the processing of biometric data.
20. It is not disputed that ICS did not carry out a DPIA in 2018 prior to the introduction of ID&V. The obligation to carry out a DPIA arises directly from Article 35, paragraph 1, GDPR, read in conjunction with the aforementioned Guidelines. The fact that the Decision was only adopted and published by the AP on 27 November 2019 does not mean that ICS should not have carried out a DPIA for that reason. The Decision contains requirements that are also mentioned in the GDPR and the Guidelines and that arise from them.
4 Guidelines on data protection impact assessments and determining whether a processing operation is “likely to result in a high risk” within the meaning of Regulation 2016/679 (WP 248 rev. 01). The EDPB has endorsed these Guidelines.
5 Decision on the list of processing operations of personal data for which a data protection impact assessment (DPIA) is mandatory, of the Dutch Data Protection Authority of 19 November 2019, Stcrt. 2019, 64418. This decision is based on the GDPR and on Guidelines WP 248 rev. 01.

21. The first question to be answered in this case is whether there is a type of processing operation that is likely to result in a high risk to the rights and freedoms of natural persons. If this is the case, ICS is obliged to carry out a DPIA prior to the introduction of ID&V.
22. Processing that is likely to entail a high risk for the rights and freedoms of natural persons is generally the case when two (of the nine) criteria listed in the Guidelines are met. In this case, three criteria listed in the Guidelines apply. These are: 1) sensitive data or data of a very personal nature; 2) data processed on a large scale; and 3) data relating to vulnerable data subjects.
23. It has been shown that for ID&V, the first and last name, date of birth, place of birth, address details, e-mail address, telephone number, gender, BSN, number of the ID document as well as the photo therein and a (liveness) photo of a data subject are processed.6 These personal data are, as follows from the Guidelines7, to be regarded together as sensitive data and data of a very personal nature.
24. Furthermore, it has emerged that ICS has approximately 1.5 million customers in the Netherlands who have had to re-identify themselves and whose data ICS retains for as long as a data subject remains a customer of ICS.8 In the opinion of the AP, this also means that large-scale processing of personal data is taking place.
25. Contrary to what is described in the investigation report, the AP, upon closer examination of the facts, is of the opinion that in this case there are no vulnerable data subjects whose personal data are processed. Vulnerable data subjects can be children, but also employees or a part of the population that requires special protection, as follows from the Guidelines.9 The point is that there is an unbalanced relationship between data subjects and the controller. In this context, ICS has rightly argued that a credit card is not an essential financial product for the daily life of a data subject. A credit card does not have the function of a bank account and cannot be equated with one. This means that there is no unbalanced relationship between ICS and its customers and therefore ICS customers cannot be regarded as vulnerable data subjects as described in the Guidelines. Furthermore, it is not excluded that other credit card providers use a different method for identifying their customers. As a result, data subjects who are interested in a credit card have the choice to use the services of other providers.
6 Appendix 3, p. 5, research report.
7 Guidelines mentioned above, p. 11.
8 Appendix 3, p. 4, research report.
9 Guidelines mentioned above, p. 12.

26. Since at least two criteria from the Guidelines apply, there is a type of processing that probably entails a high risk for the rights and freedoms of natural persons. This means that ICS was required to carry out a DPIA.
27. According to ICS, it did not have to carry out a DPIA because the CRA process analysed risks of misuse of personal data and, according to ICS, this process is equivalent to a DPIA in that respect. The follow-up question that must be answered in view of this is whether ICS's CRA process is equivalent to a DPIA.
28. The AP rules as follows. The Guidelines provide criteria for an acceptable DPIA (not to be confused with criteria for assessing whether a DPIA should be carried out).10 It is then up to a controller to choose a method that meets the criteria set. The controller is obliged to meet these (main and sub) criteria. For example, the following must be done:
1. a systematic description of the processing;
2. the necessity and proportionality of the processing are assessed;
3. the risks to the rights and freedoms of data subjects are managed;
4. the stakeholders (or their representatives) and the data protection officer (DPO) are involved. For example, the advice of the DPO must be sought or the opinion of data subjects must be sought.
29. ICS has used the ABN-AMRO CRA process.11 The ABN-AMRO CRA process consists of 22 risks (threats) with an associated code. The vast majority of the risks described relate directly or indirectly to combating fraud and compliance with the Money Laundering and Terrorist Financing (Prevention) Act (Wwft). Only three risks (risk key r007, r011, r025) relate to the protection of personal data. ICS thus meets one of the main criteria from the Guidelines mentioned in paragraph 28 above, namely the third criterion: “management of risks to the rights and freedoms of data subjects”. ABN-AMRO’s CRA process was insufficiently focused on the protection of personal data on the other three criteria, so that the CRA process is not complete enough to comply with the GDPR.
30. In addition to ABN-AMRO’s CRA process, ICS carried out its own CRA process in April 2020.12 This CRA process also does not provide a systematic description of the processing. Furthermore, it has not been demonstrated that the necessity and proportionality of the processing have been assessed, in particular the measures that contribute to the protection of the rights of data subjects. In addition, it has not been demonstrated that interested parties, their representatives or the data protection officer were involved in the processing. For example, the FG of ICS was unable to issue advice on carrying out a DPIA. This means that ICS has not assessed three of the four (main) criteria for an acceptable DPIA.
10 Guidelines mentioned above, p. 28-29.
11 Annex 9b, investigation report.
12 Annex 9a, investigation report.
31. It follows from the foregoing that the criteria mentioned in the Guidelines for an acceptable DPIA have not been applied in the CRA process of ICS. In the opinion of the AP, the CRA process of ICS, viewed in conjunction with that of ABN-AMRO, cannot therefore be equated with a DPIA. The CRA processes of ICS and ABN-AMRO were mainly aimed at preventing and combating (identity) fraud and were not (also) specifically aimed at the protection of personal data.13
32. Furthermore, the Privacy Impact Assessment triage of 18 June 2019, as part of the CRA process, did not result in a DPIA being carried out because that triage wrongly failed to recognise that large-scale processing was involved.
33. The AP is of the opinion that ICS should have carried out a DPIA. By failing to do so, ICS violated Article 35, first paragraph, GDPR. The AP sees reason to impose a fine.
6. Administrative fine
34. The AP is authorised to impose an administrative fine on the basis of Article 58, paragraph 2, opening sentence and under i, in conjunction with Article 83 GDPR and read in conjunction with Article 14, paragraph 3, UAVG.
35. In paragraph 33 above, it was concluded that ICS wrongly failed to carry out a DPIA and thus violated Article 35, paragraph 1, GDPR. This means that there is one act for which a fine will be imposed.
6.1 System for determining the amount of the fine
36. When exercising its authority to impose an administrative fine, the AP takes into account both the AP Policy Rules regarding the determination of the amount of administrative fines (Stcrt. 2019, 14 586) (hereinafter: Fine Policy Rules) and the Guidelines on the calculation of administrative fines under the GDPR (hereinafter: Guidelines).14 This is in accordance with the explanatory notes to the Fine Policy Rules on establishing common principles for calculating fines and the temporary nature of the AP's policy on this matter.
13 Appendix 3, p. 12, research report.
14 A Dutch translation of the Guidelines is currently not available. The Guidelines can be consulted at < https://edpb.europa.eu/our-work-tools/general-guidance/guidelines-recommendations-best-practices_en >.

37. The fine amount will be determined as follows:
1. Determining the starting amount of the fine on the basis of the Fine Policy Rules 2019;
2. Considering the circumstances on the basis of the Fine Policy Rules;
3. Consideration of the circumstances based on the Guidelines;
4. Determining the amount of the fine and assessing effectiveness, proportionality, and deterrence.
38. These components are discussed in turn below.
6.2 Determining the starting amount based on the 2019 Fine Policy Rules
39. As stated above, in this case the starting point is the applicable bandwidth of the Fine Policy Rules. When determining the amount of the fine, the AP takes into account the factors mentioned in Article 7 of the Fine Policy Rules, without prejudice to Articles 3:4 and 5:46 of the General Administrative Law Act (Awb). These factors are also mentioned in Article 83, paragraph 2, GDPR and in the Guidelines.
40. For a violation of Article 35, paragraph 1, GDPR, the AP may impose an administrative fine of up to €10,000,000. In the case of a company, a fine of up to 2% of the total worldwide annual turnover in the previous financial year can be imposed, if this figure is higher. The AP has established that the total worldwide annual turnover of the parent company of ICS in 2022 amounted to €7.841 billion,15 and that the statutory maximum fine therefore amounts to €156.8 million.
41. Under the Fine Policy Rules, an infringement is classified in a category based on the provision infringed, ranging from category I to IV. The following applies: the more important the provision is for the protection of personal data, the higher the category of infringement. The Fine Policy Rules state that infringements of Article 35, paragraph 1, GDPR fall into category II.16 The bandwidth of this category runs from €120,000 to €500,000, with a basic fine of €310,000. This amount will be taken as the starting point for the further calculation of the final fine, after consideration of the relevant factors.
6.3 Consideration of the circumstances based on the Fine Policy Rules
42. When determining the amount of the fine, the relevant circumstances in this case are assessed on the basis of the factors stated in Article 7 of the Fine Policy Rules.
15 A calculation based on the worldwide turnover of €7.841 billion of ABN-AMRO, as the parent company of ICS. See the Integrated Annual Report ABN-AMRO 2022, p.237.
16 See Fine Policy Rules 2019, Appendix 1.

43. One of these factors is the seriousness of the violation. In determining this, the nature, seriousness and duration of the violation are taken into account in any case. Other circumstances that are taken into account in any case are the categories of personal data involved and whether the infringement is intentional or negligent in nature.
44. The following is relevant to this. The obligation to carry out a DPIA is intended to describe the process of processing personal data, so that not only the necessity and proportionality of the processing are mapped out, but also the risks to the rights and freedoms of data subjects in the processing of personal data. Failure to carry out a DPIA is therefore in itself a violation of the GDPR, while it also increases the chance of new violations of the GDPR because risks of possible (other) violations of the GDPR are not recognised in a timely manner.
45. In determining the seriousness of the violation, it is also relevant that ICS processes personal data of a large number of data subjects, namely 1.5 million customers. This fact contributes to the seriousness of the violation. The AP has designated the personal data that ICS has processed as sensitive data and data of a very personal nature. At the same time, the AP takes into account the circumstance that ICS has started the process of re-identification of its customers on the basis of an obligation arising from the Wwft. In complying with this, the AP has not found that ICS has deliberately failed to carry out the said DPIA. In the opinion of the AP, there is negligence. The failure to carry out a DPIA is due to an incorrect assessment by ICS. It has used fraud prevention and compliance with the Wwft as leading principles, but in that context ICS should also have independently assessed compliance with the GDPR. The AP considers the element of negligence in this case as “neutral”, because it cannot be said that ICS was not compliant at all by not carrying out a DPIA, in which context the AP attaches significance to the circumstance that ICS does meet one of the main criteria from the aforementioned Guidelines for an acceptable DPIA when applying the CRA process, namely the management of risks to the rights and freedoms of data subjects. In this respect, ICS has therefore paid (some) attention to the aforementioned risks that may arise when processing personal data.
46. It has been established that ICS wrongly failed to carry out a DPIA. In determining the seriousness of the violation, the AP does take into account the circumstance that ICS carried out the aforementioned CRA process at the start of the re-identification of its customers. Part of that process, as ICS stated in its opinion, is a Privacy Impact Assessment, in which a Privacy Officer is involved. This assessment determined which personal data are processed, who has access to these personal data, which retention periods apply and whether there is a transfer outside the EU and the measures that have been taken for this transfer. ICS, as the AP also considered above, did take into account the risks to the rights and freedoms of data subjects in the processing of personal data, but did not sufficiently recognise that this should have led to the execution of a DPIA.

47. The AP has taken into account the other circumstances as mentioned in Article 7, opening sentence and closing part, of the Fine Policy Rules. The AP has taken into account the long period between the publication of the investigation report and the issuance of an enforcement decision as other circumstances. This part has been considered as a mitigating factor with regard to the amount of the fine.
48. Furthermore, no other circumstances mentioned in Article 7 of the Fine Policy Rules have been found to have occurred with regard to the infringement by ICS.
49. Taking the above circumstances into account, the AP is of the opinion that in this case the seriousness of this infringement should be qualified at a low level.
6.4 Consideration of the circumstances based on the Guidelines
50. The European Data Protection Board (EDPB) adopted the final text of the Guidelines on 24 May 2023. As mentioned above, the EDPB has established common principles with regard to the calculation of fines for infringements of the GDPR.
51. The Guidelines describe a methodology that successively considers:
1. Which and how many acts and infringements are subject to assessment;
2. Which starting amount forms the starting point for calculating the fine for these;
3. Whether there are mitigating or aggravating circumstances that require an adjustment of the amount from step 2;
4. What maximum amounts apply to the violations and whether any increases from the previous step exceed this amount;
5. Whether the final amount of the calculated fine meets the requirements of effectiveness, deterrence and proportionality, and is adjusted accordingly if necessary.
52. The number of actions that resulted in violations of the GDPR and the starting amount for calculating the fine have already been qualified under section 6.2.
53. Like the Fine Policy Rules, the Guidelines prescribe that the AP investigates whether there are mitigating or aggravating circumstances that could lead to an adjustment in the qualification of the violation. This must be done on the basis of the circumstances stated in Article 83, paragraph 2, opening sentence and under a to k, GDPR.

54. First of all, attention should be paid to the gravity of the infringement.17 This takes into account the nature, seriousness and duration of the infringement, as well as the intentional or negligent nature of the infringement and the categories of personal data processed. These factors have already been discussed in paragraphs 43 to 46. This has led to the seriousness of the infringement being qualified as not low in paragraph 49.
55. The Guidelines stipulate that, for reasons of fairness, the size of the undertaking must be taken into account when calculating the amount of the fine. The size of the undertaking is determined on the basis of the turnover. According to the case law18 of the Court of Justice of the European Union, the turnover of the entire group must be used to determine the upper limit of the fine. ICS is a wholly owned subsidiary of ABN-AMRO. Therefore, the size of the undertaking will be determined on the basis of ABN-AMRO’s global turnover.19 ABN-AMRO achieved a turnover of €7.841 billion in 2022. Since ABN-AMRO’s turnover exceeds €156.8 million, the GDPR prescribes a maximum fine of 2% of the total global annual turnover.20
56. The Guidelines then prescribe that the other circumstances of Article 83 GDPR are taken into account. As already mentioned, parts c to f and parts h to j of Article 7 of the Fine Policy Rules were not found to be relevant in the case of ICS. These parts correspond to the prescribed parts that must be taken into account under the Guidelines and are therefore not relevant in the case of ICS.
57. The AP has taken into consideration the other circumstances as mentioned in the opening and closing paragraphs of Article 7 of the Fine Policy Rules. This provision corresponds to Article 83, paragraph 2, opening sentence and under k, GDPR. The AP has taken into account the long period between the publication of the investigation report and the issuance of an enforcement decision as other circumstances. This component has been designated as mitigating with regard to the amount of the fine under paragraph 6.2.
6.5 Determining the amount of the fine and assessing effectiveness, proportionality and deterrence
58. In this case, however, the amount of the fine will be determined by applying the basic fine from the relevant category of the Fine Policy Rules. Moreover, and as outlined above, in this specific case the amount of the fine based on both the Fine Policy Rules and the Guidelines will lead to the same outcome.
59. This case concerns an infringement for which category II of the Fine Policy Rules applies. The fine range for category II is between €120,000 and €500,000.
17 Guidelines, p. 17.
18 Groupe Gascogne SA v European Commission (Case C-58/12P, judgment of 26 November 2013), ECLI:EU:C:2013:770, § 52-57.
19 A calculation based on the worldwide turnover of €7.841 billion of ABN-AMRO, as the parent company of ICS. See the Integrated Annual Report ABN-AMRO 2022, p.237.
20 See Article 83 paragraph 5 of the GDPR.

60. Finally, it must be assessed whether the fine is effective, proportionate and dissuasive. On the basis of Article 49 of the Charter of Fundamental Rights of the EU, the administrative fine may not, given the circumstances of the specific case, lead to a disproportionate outcome. This is also laid down in Articles 3:4 and 5:46, paragraph 2, Awb.
61. Based on Article 83, paragraph 5, opening sentence and under b, GDPR, the AP can impose an administrative fine for the violations described above. The purpose of imposing an administrative fine may be to punish unlawful conduct on the one hand and to promote compliance with the applicable regulations on the other.
62. Given the nature, seriousness and duration of the violation, as well as the other factors from Article 83, paragraph 2, GDPR as assessed in this chapter, imposing an administrative fine under these circumstances has an effective and deterrent effect. Furthermore, it has not been demonstrated that the violation cannot be attributed to ICS.
63. In view of all the aforementioned circumstances, the AP concludes that a fine of €150,000 for the violation of not carrying out a DPIA (Article 35, first paragraph, GDPR) is appropriate and necessary in this case.
7. Judgment
64. The AP imposes an administrative fine of €150,000 (in words: one hundred and fifty thousand euros) on International Card Services B.V. for violation of Article 35, first paragraph, GDPR.21
Yours sincerely,
Dutch Data Protection Authority,
signed
Mr. A. Wolfsen, Chairman