AP (The Netherlands) - Decision of 18 December 2023
From GDPRhub
| AP - Decision of 18 December 2023 | |
|---|---|
 | |
| Authority: | AP (The Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 35 GDPR Article 35(1) GDPR Article 35(7) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 23.06.2022 |
| Decided: | 18.12.2023 |
| Published: | 15.01.2024 |
| Fine: | 150,000 EUR |
| Parties: | ICS |
| National Case Number/Name: | Decision of 18 December 2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | autoriteitpersoonsgegevens.nl (in NL) |
| Initial Contributor: | co |
The Dutch DPA imposed a fine in the amount of €150,000 on ICS, a credit card company, for failure to carry out a DPIA under Article 35(1) GDPR.
English Summary
Facts
Following a series of reports and complaints against ICS, a subsidiary of ABN AMRO, as a controller, the Dutch DPA (Autoriteit Persoonsgegevens, AP) decided to start an ex officio investigation into the processing operations carried out by the controller. The AP mainly received complaints concerning the controller's process of re-identifying its customers online by means of a new identification and verification tool, ID&V. The AP found that the controller never conducted a DPIA in 2018, prior to the introduction of its identification system, and asked the controller to provide its submissions on this.
The controller claimed in this respect that it did not need to carry out a DPIA, since the same identification system was used by ABN AMRO before, and ABN AMRO had previously carried out a risk assessment of its own authentication app. Moreover, the controller argued that when ID&V was introduced, there were no risks of potential misuse of personal data, and strict security measures were in place. Also, the controller argued that the only criterion that suggested the need to carry out a DPIA, according to Article 35 GDPR, was the fact that the processing was large-scale, but no other criteria were given that would make its processing activities "high risk". Lastly, the controller claimed that it does not process any special categories of personal data within the meaning of Article 9 GDPR.
Holding
The AP first of all assessed whether the controller’s processing operations presented a high risk to the rights and freedoms of natural persons. The AP made this assessment in light of Article 29 Working Party Guidelines 248 rev.01 on “Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679” and Article 35 GDPR and it stated that in order for processing operations to be considered “high risk”, at least two of the criteria set out in Article 35(3) GDPR must be met. In the case at hand, the AP considered that the processing operations carried out by the controller meet two of these criteria, namely, processing of sensitive data and large-scale processing. As a matter of fact, the controller processes several data about its customers, including ID number and photograph and the controller has around 1,5 million customers, who have all been required to re-identify using ID&V.
In light of this, the AP considered that the controller should have carried out a DPIA. With respect to the claim of the controller that its parent company, ABN AMRO, already assessed the risk of its authentication app and this exempted the controller to carry out its own DPIA, the AP again referred to the Article 29 WP Guidelines. The Guidelines foresee that a DPIA needs to comply with the minimum requirements of Article 35(7) GDPR. The AP evaluated the assessment carried out by ABN AMRO and found that it mainly concerned risks related to fraud and money laundering and only three data protection related risks were included. However, the assessment did not contain any description of processing, nor a proportionality and necessity assessment, nor did it refer to the measures adopted to address the risks. Hence, the AP concluded that the controller’s evaluation of data protection risks in conjunction with ABN AMRO’s assessment cannot be considered to be equivalent to a DPIA under Article 35 GDPR. For this reason, the AP held that the controller violated Article 35(1) GDPR.
In this, the AP considered it appropriate to impose a fine on the controller, in accordance with Article 83 GDPR. The AP made reference to the National Fine Policy of 2019 and to EDPB Guidelines 04/22 when calculating the amount of the fine to be imposed. In its considerations, the AP gave importance to the fact that not conducting a DPIA constitutes a GDPR violation in itself, but it also increases the likelihood of further GDPR violations, as there is no understanding of the risks. Last, taking into account the annual global turnover of the whole ABN AMRO group, the AP decided to impose a fine in the amount of €150,000 on the controller.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Dutch Data Protection Authority
PO Box93374,2509AJ The Hague
Bezuidenhoutseweg30, 2594AV The Hague
T0708888500-F088-0712140
autoriteitpersoonsgegevens.nl
Confidential/Registered
InternationalCardServicesB.V.
PO Box23225
1100DS DIEMEN
Attn: the management
Date Unmarked
December 18, 2023 [CONFIDENTIAL]
Contact
[CONFIDENTIAL]
Subject
Decides to impose an administrative fine for violating the General Regulation
Data protection
Dear members of the management,
The Dutch Data Protection Authority (AP) has decided to appoint InternationalCardServicesB.V. (ICS)
to impose an administrative fine of €150,000 (in words: one hundred and fifty thousand euros) for violation of
Article 35, first paragraph, of the General Data Protection Regulation (GDPR). This is because ICS has
completed a data protection impact assessment (DataProtectionImpactAssessment; hereinafter:
DPIA).
This decision explains the administrative fine. This will be discussed in turn
reasons, the course of the proceedings, the facts established, the violation and the amount of the fine. Finally
follows the dictum.
1 Date Unmarked
December 18, 2023 [CONFIDENTIAL]
1. BackgroundResearch
1. ICS is a company based in Amsterdam and active in offering financial products in
in particular the issuance of so-called debit and credit cards. 1
2. The Customer Contact and Monitoring Investigation department of the AP has received signals and complaints about this
consumers about ICS have started an investigation into a possible violation of the GDPR by ICS.Die
complaints and signals were received by the AP after ICS started again (online) in 2019
identifying its customers with the 'identification and verification process' (ID&V).
3. The purpose of the investigation was to determine whether ICS complied with the rules laid down in Article 35 GDPR, when
she did not carry out DPIA in preparation for the ID&V process.
2. Findings research reports process flow
4. The findings of the investigation have been recorded in a report. It follows that upon the introduction of
ID&Vspeaked of a processing of data that probably entails a high risk
for the rights and freedoms of natural persons. ICSC also preceded the processing
had to carry out a DPIA. The report concluded that ICS failed to carry out a DPIA
In doing so, she acted in violation of Article 35, first paragraph, GDPR, according to the report.
3
5. The report was signed on 23 June 2022 and sent to ICS on 7 July 2022. ICSheeftop
September 14, 2022 gave an opinion on the report. On October 20, 2022, ICS gave its opinion
explained verbally.
6. The AP asked ICS further written questions on 2 December 2022 and 13 February 2023, to which
ICS responded on 21 December 2022 and 24 March 2023 respectively.
3. Legal framework
7. To improve the readability of this decision, the relevant legal framework is included in Appendix 1.
legal framework is part of this decision.
1 Appendix 21 to the research report:.
2Research report of 23 June 2022.
3File document1.
2/20 Date Unmarked
December 18, 2023 [CONFIDENTIAL]
4. ICS view
8. ICS has given the following view on the report.
9. IC has set up an extensive risk process, called ChangeRiskAssessment (CRA process).
In the CRA process, risks are identified, mitigated and monitored. A Privacy Impact
Assessment is part of the CRA process and, when appropriate, becomes a DPIA
executed.
10. ICS is a 100% subsidiary of ABNAMRO. ABNAMRO has been using a
application from MitekSystemsB.V. (Mitek app), to determine the identity of its customers.
ABN AMRO also uses the CRA process to analyze and use risks
Mitek app, ABNAMRO has done an extensive analysis of the use of the Mitek app. IC has
the same technique was used to re-identify its customers. There was none for ICS
reason to carry out another analysis, because ABNAMRO has already had an analysis
executed.
11. ICS further states that it has investigated whether additional measures have been included in the CRA process
should be for ID&V. A Privacy Officer was involved in this at an early stage
the nature and purpose of ID&V are determined. It has also been determined which data are processed, who
has access to these data, which retention periods apply or are not applicable
transfer outside the EU and measures taken for this transfer.
12. Moreover, ICS states, when ID&V was introduced, there was no high risk of misuse of
personal data. The personally identifiable data used at ID&V are not inherent
sensitiveandnecessarytocomplywiththelegalrequirements.Whenprocessingthe
citizen service number applies to the strictest security level, which is partly based on legislation
financial sector. Furthermore, when collaborating with third parties, strict requirements are imposed on encryption
using secure connections, carrying out penetration testing and meeting audit requirements
controlofpersonaldata.
13. ICShe has acknowledged that the PIA triage of August 28, 2018 incorrectly concluded that
there was no large-scale processing of data. The PIA form has been available since 2020
adjusted so that such an error will not occur again.
14. According to ICS, there is no inequality of power between its customers and ICS, because ICS is legal
obliged to identify its customers, the customers have the option to become non-digital
identifyandacreditcardisnotanessentialpaymentservice.
3/20 Date Unmarked
December 18, 2023 [CONFIDENTIAL]
15. The Data Protection Officer (FG) of ICS has been directly involved via the Privacy Office
data protection risks.ICS has not clearly communicated this circumstance before.
16. The Decree on the list of processing and processing of personal data for which a DPIA is mandatory provides a
number of criteria and of only one criterion, namely large-scale processing, is this case according to ICS
in order to be able to draw the conclusion that processing probably poses a high risk to the
involved, there must be two elements that are mentioned in the Decree. Now
this was not the case, and ICS was also not obliged to carry out a DPIA
the said decision was published after the start of the introduction of ID&V.
5. Assessment
5.1 Controller and authorityAP
17. It is established and not in dispute that ICS is responsible for the processing (Article 4, opening paragraph 7, GDPR).
and that the AP is the competent supervisory authority (Article 56, first paragraph, GDPR).
5.2 Obligation to implement DPIA
18. In summary, it follows from the GDPR that a DPIA must be carried out before any processing
where such processing is likely to involve a high risk to the rights and freedoms of
natural persons (Article 35, first paragraph, GDPR).
19. The Guidelines WP248rev.01 (hereinafter: the Guidelines) describe which criteria apply to
question whether a DPIA should be carried out. The AP has taken into account the provisions in the GDPR (Article 35) and
5
in view of the aforementioned Guidelines and the Decree on the list of processing of personal data
established (the Decree). That Decree stipulates, among other things, that for the processing of biometric data
data aDPIA is mandatory.
20. It is not in dispute that ICS did not carry out DPIA in 2018 prior to the introduction of ID&V.
obligation to carry out a DPIA flows directly from Article 35, first paragraph, GDPR read
in connection with the aforementioned Guidelines. The circumstance that it decides to stop
November 27, 2019, established and published by the AP, does not mean that ICs for that reason
DPIA should have been implemented. The Decision contains requirements that are also included in the GDPR Guidelines
mentioned and result from it.
4Guidelinesfordataprotectionimpactassessmentsanddeterminationwhetheraprocessing“islikelytohighrisk
entails” within the meaning of Regulation 2016/679 (WP248rev.01). TheEDPB has endorsed these Guidelines.
5 List of decisions on processing and personal data for which a data protection impact assessment (DPIA) is mandatory, from the
Dutch Data Protection Authority of 19 November 2019, Government Gazette 2019, 64418. This decision is based on the GDPR and the Guidelines WP
248rev.01.
4/20 Date Unattribute
December 18, 2023 [CONFIDENTIAL]
21. The first question that needs to be answered in this case is whether there is a type of processing that
is likely to pose a high risk to the rights and freedoms of natural persons. When
If this is the case, ICS is obliged to carry out a DPIA prior to implementation
fromID&V.
22. From processing likely to result in a high risk to the rights and freedoms of
natural persons are the rules when two (of the nine) criteria are met
the Guidelines are listed. In this case there are three criteria that are the Guidelines
listed. This concerns: 1) sensitive data or data of a very personal nature; 2) on a large scale
processed data; and 3) data relating to vulnerable data subjects.
23. It has been found that for ID&V the first and last name, date of birth, place of birth, address details,
e-mail address, telephone number, gender, BSN, number of the ID document as well as the photo in it
6
and a (liveness) photo of a data subject is processed. These data are, as follows
Guidelines together qualify as sensitive data and data of a highly personal nature.
24. It has also emerged that ICS has approximately 1.5 million customers in the Netherlands who have had to register again
identify and whose data ICS stores for as long as an involved customer remains with ICS. This
in the opinion of the AP, this also means large-scale processing of
personal data.
25. Contrary to what is described in the investigation report, the AP is conducting a further study of the facts of
considers that in this case there is no question of vulnerable data subjects whose personal data are collected
processed. Vulnerable persons involved can be children, but also employees or part of the
9
population that requires special protection, as follows from the Guidelines. It's basically because one
unbalanced relationship between data subjects and controller. ICHS has that
It has been rightly argued that a credit card is not an essential financial product for everyday life
of a data subject. A credit card does not have the function of a bank account
cannot be equated. This means that there is no question of an unbalanced relationship between ICS and her
customers and therefore ICS customers cannot be regarded as vulnerable data subjects such as
described in the Guidelines. Furthermore, it is not excluded that other providers of credit cards
use a different method to identify their customers
who are interested in a credit card over the choice of using services from other providers
to make.
6Appendix3,p.5, research report.
7Guidelines mentioned above, p.11.
8Appendix3,p.4, research report.
9Guidelines mentioned above, p.12.
5/20 Date Unattribute
December 18, 2023 [CONFIDENTIAL]
26. Since in any case two criteria from the Guidelines apply, there is a kind of
processing that is likely to pose a high risk to the rights and freedoms of natural persons
persons. This means that carrying out a DPIA by ICS was mandatory.
27. According to ICS, she did not have to carry out a DPIA because the CRA process risks abuse of
personal data have been analyzed and this process according to ICS to the extent that it can be compared to a DPIA.
In view of this, the next question that needs to be answered is whether to equate the ICS CRA process
isonaDPIA.
28. The AP assessment follows. The Guidelines provide criteria for an acceptable DPIA (not to be confused
with criteria for assessing whether a DPIA should be carried out). It is then together
controller must choose a method by which the set criteria are met.
The controller is obliged to meet the (main and sub) criteria. This must be done:
1. a systematic description of the processing is given;
2. the necessity and proportionality of the processing are assessed;
3. the risks to the rights and freedoms of data subjects are managed;
4. the interested parties (their representatives) and the data protection officer (FG)
be involved. For example, the advice of the FG must be won or must be sent to the
opinions of those involved are asked.
29. ICS has used ABN-AMRO's CRA process. ABN-AMRO's CRA process
consists of 22 risks (threats) with associated code. The vast majority of the described
risks are directly or indirectly related to combating fraud and complying with the Prevention Act
of Money Laundering and Financing of Terrorism (Wwft). Only three risks (riskkeyr007, r011, r025)
relate to the protection of personal data. ICS therefore complies with one of them
main criteria from the Guidelines mentioned above in edge number 28, namely the third
criterion: “management of risks to the rights and freedoms of those involved”. The CRA process of ABN-
AMRO was not sufficiently focused on the protection of personal data on the other three criteria,
so that the CRA process is not complete enough to comply with GDPR.
30. ICS, in addition to ABN-AMRO's CRA process, does not have its own CRA process in April 2020
executed. This CRA process also provides a systematic description of the processing
it has not appeared that the necessity and proportionality of the processing has been assessed, in particular
measures that contribute to the protection of the rights of those involved. That is not in addition
it has become apparent that interested parties, their representatives and not the official
data protection are involved in the processing. The FG of ICS was therefore unable to provide advice
1Guidelinesabovementionedp.28-29.
1Appendix9b,research report.
1 Appendix 9a, research report.
6/20 Date Unmarked
December 18, 2023 [CONFIDENTIAL]
about carrying out a DPIA. This means that ICS has three out of four (main) criteria for one
acceptableDPIAhas not been tested.
31. From the foregoing it follows that the criteria mentioned in the Guidelines for an acceptable
DPIAhave not been applied in the CRA process of ICS. The CRA process of ICS, viewed in conjunction with
that of ABN-AMRO, in the opinion of the AP, therefore cannot be equated with a DPIA. The CRA-
processes of ICS and ABN-AMRO were mainly aimed at preventing and combating
(identity) fraud and are not (also) specifically aimed at the protection of data.3
32. Furthermore, the PrivacyImpact Assessment Triage of 18 June 2019, as part of the CRA process
This did not result in a DPIA being carried out because those triages and injustices were not recognised
it concerns large-scale processing.
33. The AP is of the opinion that ICS should have carried out a DPIA. By failing to do so, ICS has Article 35,
first paragraph, GDPR violated. The AP sees reason to impose a fine.
6. Administrative fine
34. The AP is based on Article 58, second paragraph, at the beginning and under i, in conjunction with Article 83 GDPR
read in conjunction with Article 14, third paragraph, UAVG, the authority to impose an administrative fine.
35. It has been concluded in paragraph 33 that ICS has wrongly carried out a DPIA and
has therefore violated Article 35, first paragraph, GDPR. This means that there has been one conduct
for which a fine will be imposed.
6.1 Systematics for determining the amount of the fine
36. When exercising the power to impose an administrative fine, the APight applies to both
Policy rules of the AP regarding determining the amount of administrative fines (Stcrt.2019,
14586)(hereinafter: Fine policy rules) as theGuidelineonthecalculationofadministrativefinesundertheGDPR
(hereinafter: Guidelines). This is in accordance with what is stated in the explanation
Fine policy rules on establishing joint principles regarding the calculation
of fines and temporary nature of the AP's policy on this.
1Appendix3,p.12, research report.
1There is currently no Dutch translation of the Guidelines available. The Guidelines can be consulted at<
https://edpb.europa.eu/our-work-tools/general-guidance/guidelines-recommendations-best-practices_en>.
7/20 Date Unattribute
December 18, 2023 [CONFIDENTIAL]
37. The amount of the fine will be determined as follows:
1. Determining the starting amount of the fine based on the Fine Policy Rules 2019;
2. Consideration of the circumstances based on the Penalty Policy Rules;
3. Consideration of the circumstances based on the Guidelines;
4. Determining the amount of the fine and assessing effectiveness, proportionality and deterrence.
38. These parts are discussed in turn below.
6.2 Determine the starting amount based on Fine Policy Rules 2019
39. As mentioned above, in this case the starting point is the applicable bandwidth
of the Fine policy rules. The AP is responsible for determining the amount of the fine, without prejudice to
Articles 3:4 and 5:46 of the General Administrative Law Act, take into account the factors mentioned in Article 7 of the
Fine policy rules. These factors are also described in Article 83, second paragraph, GDPR in the Guidelines
appointed.
40. For a violation of Article 35, first paragraph, GDPR, the AP may impose an administrative fine up to
amount of €10,000,000. In the case of a company, a fine of up to 2% of
the total worldwide annual turnover in the previous financial year, if this figure is higher. The AP notes that
the total worldwide annual turnover of the parent company of ICS will amount to €7.841 billion in 2022, and that
the maximum legal fine therefore amounts to €156.8 million.
41. Under the Fine Policy Rules, an infringement is classified into a category according to the
violation of the provision, ranging from category I to IV. The following applies: how important the provision is
for the protection of personal data, the higher the category of infringement
Fine policy rules state that violations of Article 35, first paragraph, GDPR fall into category II. The
bandwidth of this category runs from €120,000 to €500,000, with a basic fine of
€ 310,000. This amount will be taken as a starting point for the further calculation of the
final fine, after considering the relevant factors.
6.3 Consideration of the circumstances based on the Penalty Policy Rules
42. When determining the amount of the fine, the relevant circumstances will be discussed in this case
assessed on the basis of the factors mentioned in Article 7 of the Fine Policy Rules.
15
A calculation based on the worldwide turnover of €7.841 billion of ABN-AMRO, as parent company of ICS. See
16ijkenshetIntegratedAnnual ReportABN-AMRO2022, p.237.
See Fine policy rules 2019, appendix 1.
8/20 Date Unattribute
December 18, 2023 [CONFIDENTIAL]
43. One of these factors is the severity of the violation. In determining this, each case is taken into account
taken into account the nature, severity and duration of the infringement. Other circumstances that in any case
is taken into account, are the categories of data concerned and whether there is a
infringement which is inherently intentional or negligent.
44. The following is relevant for this purpose. The obligation to carry out a DPIA is intended for the process
to describe the processing of data, so that not only the necessity and proportionality
of the processing are mapped, but also the risks for the rights and freedoms of
those involved in the processing of personal data. Failure to carry out a DPIA is an end to this
itself (therefore) a violation of the GDPR, while it also increases the chance of violation again
violations of the GDPR because risks of possible (other) violations of the GDPR are not identified in time
recognized.
45. It is further relevant to determine the seriousness of the violation that ICS personal data of a
large number of parties involved, namely 1.5 million customers. This fact contributes to the seriousness of
the violation.The AP has marked the data that ICS has processed as sensitive
data and data of a very personal nature. At the same time, the AP takes into account the
circumstance that ICS has started the process of re-identifying its customers based on a
obligations arising from the Wwft. When complying with them, the AP did not find that ICS
the DPIA referred to has not been carried out on purpose. In the opinion of the AP, there is a case of negligence.
The failure to carry out a DPIA was due to an incorrect assessment by ICS
combating fraud and complying with the Wwft as guiding principles, but in that context
ICs also had to independently assess GDPR compliance. The AP weighs the element
negligence in this case as “neutral”, because it cannot be said that ICS by not executing
a DPIA has not been compliant at all, in which context the AP ascribes significance to the
circumstance that ICS does meet one of the main criteria in the application of the CRA process
aforementioned Guidelines for an acceptable DPIA, namely the management of risks for the
rights and freedoms of those involved. To this extent, ICS has paid (some) attention to
the aforementioned risks that may arise when processing data.
46. It has been established that ICS has wrongly carried out a DPIA. To determine the severity of the
violation, the AP does take into account the circumstance that ICs the aforementioned CRA process
carried out at the start of re-identifying its customers. Part of that process is,
as ICS has put forward in its views, a Privacy Impact Assessment, in which
Privacy Officer is involved. During data assessment it is determined which data are processed,
who has access to these data, what retention periods apply and whether they apply
of transfers outside the EU and measures taken for this transfer. IC, like the AP
has also considered this and has taken into account the risks to the rights and freedoms
those involved in the processing of personal data, but have not sufficiently recognized that this
should have led to the execution of a DPIA.
9/20 Date Unmarked
December 18, 2023 [CONFIDENTIAL]
47. The AP has the other circumstances as mentioned in Article 7, underk, Fine Policy Rules
taken into consideration. The AP has taken into account other circumstances during the long period of time in between
publishing the investigation reports and issuing an enforcement decision. This section
has been designated as a mitigating factor with regard to the amount of the fine.
48. Furthermore, no other circumstances mentioned in Article 7 of the Fine Policy Rules have emerged
and views on the infringement by ICS, have occurred.
49. Taking the foregoing circumstances into account, the AP is of the opinion that this case is serious
this infringement must be qualified at a low level.
6.4 Consideration of the circumstances based on the Guidelines
50. The European Data Protection Committee adopted the final text of
the Guidelines. As mentioned above, the EDPB has established common principles
regarding the calculation of fines for violations of the GDPR.
51. The Guidelines describe a methodology in which the following is considered:
1. What and how many acts and infringements are under assessment;
2. Which starting amount is the starting point for calculating the fine for this;
3. Whether mitigating or aggravating circumstances arise, it is open to adjustment
amountexit2;
4. What maximum amounts apply to the violations and any increases from the previous ones
stepnotexceedthisamount;
5. Whether the final amount of the calculated fine meets the requirements of effectiveness,
deterrence and proportionality, and if necessary, adjusted accordingly.
52. The number of actions that resulted in infringements of the GDPR and the starting amount for
penalty calculation are already qualified under paragraph 6.2.
53. As well as the Fine Policy Rules, write the Guidelines before the AP considers whether to soften or
are aggravating circumstances that may lead to an adjustment in the classification of the infringement.
This must be done on the basis of the circumstances stated in Article 83, second paragraph,
salutationsunderatotenwithk,AVG.
10/20 Date Unmarked
December 18, 2023 [CONFIDENTIAL]
54. First of all, attention should be paid to the gravity of the infringement. Here is an account
taken into account the nature, severity and duration of the infringement, as well as the intentional or negligent nature of the infringement
infringements and categories of the processed personal data. These are in marginal numbers 43 to 46
factors have already been discussed. This has led to the fact that in edge number 49, the severity of the infringement is not low
gets qualified.
55. The Guidelines are written before taking into account the size of the company from the point of view of fairness
must be taken into account when calculating the amount of the fine. The size of the company is determined
based on turnover. According to the case law of the Court of Justice of the European Union,
the turnover of the entire group is used to determine the upper limit of the fine. ICSis
a wholly owned subsidiary of ABN-AMRO. Therefore, the size of the company will become
determined on the basis of ABN-AMRO's worldwide turnover. ABN-AMRO has a turnover in 2022
achieved €7.841 billion. Since ABN-AMRO's turnover is higher than €156.8 million20, he writes
AVNo maximum fine of 2% of the total worldwide annual turnover for.
56. Then write the Guidelines for the other circumstances from Article 83 GDPR
are taken.As already mentioned, the partsctoandwithfthepartshtoandwithj
Article 7 of the Fine Policy Rules was not found to be relevant in the case of ICS. These parts
correspond to the prescribed components that must be observed under the
Guidelines and are therefore not relevant in the case of ICS.
57. The AP has the other circumstances as mentioned in Article 7, underk, Fine Policy Rules
taken into consideration. This provision corresponds to Article 83, second paragraph, subsection, GDPR
As other circumstances, AP has taken into account the long period of time between publishing it
investigation reports and the issuance of an enforcement decision. This section is under paragraph 6.2
classified as mitigating with regard to the amount of the fine.
6.5 Determining the amount of the fine and assessing effectiveness, proportionality and deterrence
58. In this case, the amount of the fine will, however, be determined by applying the basic fine from the
concerningcategoryoftheFinepolicyrules.Otherwiseandasoutlinedabove,thiswill
specific case, the amount of the fine on the basis of both the Fine Policy Rules and the Guidelines, up to
lead to the same outcome.
59. In this case it concerns an infringement for which category II of the Fine Policy Rules applies.
The fine bandwidth for category II is between €120,000 and €500,000.
1Guidelines,p.17.
1GroupeGascogneSA v European Commission (Case C-58/12P, judgment of 26 November 2013), ECLI:EU:C:2013:770, §52-57.
1A calculation based on the worldwide turnover of €7.841 billion of ABN-AMRO, as parent company of ICS. See
according to the Integrated Annual Report ABN-AMRO 2022, p.237.
2See Article 83(5) of the GDPR.
11/20 Date Unmarked
December 18, 2023 [CONFIDENTIAL]
60. Finally, it must be assessed whether the fine is effective, proportionate and deterrent. Based on
Article 49 of the Charter of Fundamental Rights of the EU may impose an administrative fine, given that
circumstances of the concrete case do not lead to a disproportionate outcome. This has also been stated
in Articles 3:4 and 5:46, second paragraph, General Administrative Law Act.
61. Pursuant to Article 83, fifth paragraph, opening words under b, GDPR, the AP can apply for the above
violations to impose an administrative fine. The purpose of imposing an administrative fine can be
are located on the one hand in punishing unlawful behavior and on the other hand in promoting it
compliance with applicable regulations.
62. Considering the nature, severity and duration of the infringement, as well as other factors from Article 83, second paragraph,
GDPR, as assessed in this chapter, includes the imposition of an administrative fine under this
circumstances have an effective and deterrent effect. Furthermore, it has not been established that the violation ICS
cannot be blamed.
63. In view of all the above circumstances, the AP concludes that a fine of €150,000
for a violation of failure to execute a DPIA (Article 35, first, GDPR), in which case appropriate
andcommandment.
7. Dictum
64. DeAPlies to InternationalCardServicesB.V. due to violation of Article 35, first paragraph, GDPRNo
administrative fine in an amount of €150,000 (in words: one hundred and fifty thousand euros). 21
Yours faithfully,
Dutch Data Protection Authority,
w.g.
mr.A.Wolfsen
Chair
2The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB).
12/20Date Unmarked
December 18, 2023 [CONFIDENTIAL]
Remedies clause
If you do not agree with this decision, you can do so within six weeks after the date of dispatch of the letter
decides to submit an objection digitally or on paper to the Dutch Data Protection Authority.
Article 38 of the UGDPR suspends the submission of an objection to the effect of the decision
imposition of the administrative fine. The AP will only proceed to recovery after the decision
has become irrevocable. To submit a digital objection, see
www.autoriteitpersoonsgegevens.nl, below the heading Objection against a decision, below
page under the heading Contact the Dutch Data Protection Authority. The address for submitting and on paper
is: Dutch Data Protection Authority, PO Box 93374, 2509AJTheHague.
Please state 'Awb objection' on the envelope and put 'objection notice' in the title of your letter.
Write in your objection letter at least:
-your name and address;
-the date of your objection;
- attach the reference (case number) mentioned in this letter; or a copy of this decision;
-the reason(s) why you do not agree with this decision;
-your signature.
13/20Date Unmarked
December 18, 2023 [CONFIDENTIAL]
Attachment 1
General Data Protection Regulation
Article4
Definitions
For the application of this Regulation the following definitions apply:
1) 'personal data' means any information relating to an identified or identifiable natural data
person ("the data subject"); is considered identifiable as a natural person who is directly or
can be identified indirectly, in particular by means of an identifier such as a name, a
identification number, location data, an online identifier or one or more elements that
characteristic of the physical, physiological, genetic, psychological, economic, cultural or social
identity of that natural person;
[…]
Article9
Processing of special categories of personal data
1.Processing of data revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs, or membership of a trade union, and processing of
genetic data, biometric data for the purpose of uniquely identifying a person, or
data about health, or data relating to a person's sexual behavior or sex life
targeting are prohibited.
2.Paragraph 1 shall not apply where any of the following conditions is met:
a) the data subject has given explicit consent to the processing
personal data for one or more specific purposes, except where provided for in Union or Member State law
the law stipulates that the ban referred to in paragraph 1 cannot be lifted by the person concerned;
b) the processing is necessary for the performance of obligations and exercise
of specific rights of the controller or data subject in the field of
labor rights, social security and social protection law, insofar as this is permitted
Union law or Member State law or a collective agreement based on Member State law
provides appropriate guarantees for the fundamental rights and interests of the data subject;
c) the processing is necessary to protect the vital interests of the data subject
another natural person if the data subject is not physically or legally capable of giving his consent
to give;
14/20Date Unmarked
December 18, 2023 [CONFIDENTIAL]
d) the processing is carried out by a foundation, association or other body without
profit motive that is active in the political, philosophical, religious or trade union field
within the framework of its legitimate activities and with appropriate guarantees, provided that the processing is exclusive
relates to the members or former members of the body or to persons associated with
her purposes to maintain regular contact with her, and not without data
permission from those involved is provided outside that agency;
e) the processing relates to personal data that is apparently made public by the data subject
are made;
f) the processing relates to personal data that is apparently made public by the data subject
are made;
g) the processing is necessary for reasons of substantial public interest, on the basis of
Union or Member State law, ensuring proportionality to the aim pursued, the
The essential content of the right to the protection of data is respected and appropriate
and specific measures are taken to protect fundamental and fundamental rights
interests of the data subject;
h) the processing is necessary for preventive or occupational medicine purposes
assessment of the employee's fitness for work, medical diagnoses and the provision of
health care or social services or treatments or the management of health care systems
-services or social systems and services, under Union or Member State law, or under a
agreementwithahealthcareworkersubjecttotheconditionsmentionedinparagraph3
safeguards;
i) the processing is necessary for reasons of general interest in the field of
public health, such as protection against serious cross-border dangers to health or
ensuring high standards of quality and safety of health care
medicines or medical devices, on the basis of Union or Member State law where appropriate
and specific measures have been taken to protect the rights and freedoms of the
person concerned, in particular with regard to professional secrecy;
j) the processing is necessary for the purpose of archiving in the public interest,
scientific or historical research or statistical purposes in accordance with Article 89(1)op
on the basis of Union or Member State law, whereby proportionality with the aim pursued is ensured
is guaranteed, the essential content of the right to protection of data is guaranteed
respected and appropriate and specific measures are taken to protect the
fundamental rights and interests of the data subject.
3. The data referred to in paragraph 1 may be processed for the purposes of paragraph 2(h)
purposes when those data are processed by or under the responsibility of one
professional who is authorized under Union or Member State law or under national law
rules governing professional secrecy laid down by authorities, or by another person who
also under Union or Member State law or under national competent authorities
established rules of confidentiality are kept.
15/20Date Unmarked
December 18, 2023 [CONFIDENTIAL]
4. Member States may impose additional conditions, including restrictions, regarding the
processing genetic data, biometric data or health maintenance data or
enter.
Article35
Data Protection Impact Assessment
1. Whena type of processing, in particular a processing that involves new technologies
used, given its nature, size, context and purposes, is probably a high risk
the rights and freedoms of natural persons are carried out by the controller
before processing, an assessment of the effect of the intended processing activities on the
protectionofpersonaldata.Oneassessmentcancoveraseriesofcomparableprocesses
that entail similarly high risks.
2. When a data protection officer is appointed, the
controller when carrying out a data protection impact assessment
advicein.
3. A data protection impact assessment referred to in paragraph 1 shall be required in particular in the following
fallen:
a) a systematic and comprehensive assessment of personal aspects of natural persons,
which is based on automated processing, including profiling, and on which decisions are made
based on which legal consequences are attached to the natural person or that natural person
to achieve in a similar way;
b) large-scale processing of special categories of personal data as referred to in
Article 9(1) or of data relating to criminal convictions and offenses such as
referred to in Article 10; or
c) systematic and large-scale monitoring of publicly accessible spaces.
[…]
Article58
Powers
[…]
2.Each supervisory authority shall have all the following powers to take corrective action
measures:
[…]
(i) as appropriate to the circumstances of each case, in addition to or instead of that referred to in this paragraph
measures, imposing an administrative fine on the basis of Article 83;
16/20Date Unmarked
December 18, 2023 [CONFIDENTIAL]
[…]
Article83
General terms and conditions for imposing administrative fines
1. Each supervisory authority shall ensure that any administrative penalties imposed pursuant to this
article are imposed for the end of paragraphs 4, 5 and 6, infringements of this regulation are mentioned in each case
be effective, proportionately deterrent.
2. Administrative fines are imposed, depending on the circumstances of the specific case
in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j).
it decides on whether an administrative fine will be imposed and on its amount
the following shall be duly taken into account in each concrete case:
(a) the nature, severity and duration of the infringement, taking into account the nature, extent or purpose
of the processing in question as well as the number of data subjects affected and the extent of the processing by them
damages suffered;
b) the intentional or negligent nature of the infringement;
c) the measures taken by the controller or processor to
limit damage suffered by those involved;
d) the extent to which the controller or processor responsible is seen
technical and organizational measures he has implemented in accordance with Articles 25 and 32;
e) previous relevant infringements by the controller or processor;
(f) the extent to which you cooperated with the supervisory authority to commit the infringement
to remedy and limit possible negative consequences;
g) the categories of personal data to which the infringement relates;
h) the manner in which the supervisory authority became aware of the infringement, in particular
whether, and if so to what extent, the controller or processor has reported the infringement;
(i) compliance with the measures referred to in Article 58(2), to the extent that they previously concern
of the controller or processor in question in relation to the same
matter have been taken;
j) joining approved codes of conduct in accordance with Article 40 or approved ones
certification mechanism in accordance with Article 42; and
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial gains made, or losses avoided, whether or not directly resulting from the infringement
ensue.
3.If a controller or a processor intentionally or negligently with regard to
to the same or related processing activities, an infringement commits several
provisions of this regulation, the total fine is not higher than that for the serious infringement.
17/20Date Unmarked
December 18, 2023 [CONFIDENTIAL]
4. Infringements of the provisions below shall be subject to administrative action in accordance with paragraph 2
fines up to EUR 10 000 000 or, for an undertaking, up to 2% of the total worldwide annual turnover in
the previous financial year, if this figure is higher:
a) the obligations of the controller and the processor
Articles 8, 11, 25 to 39, 42 and 43;
(b) the obligations of the certification body under Articles 42 and 43;
(c) the obligations of supervision in accordance with Article 41(4).
5. Infringements of the provisions below shall be subject to administrative action in accordance with paragraph 2
fines up to EUR 20 000 000 or, for a company, up to 4% of the total worldwide annual turnover in
the previous financial year, if this figure is higher:
a) the basic principles of processing, including the conditions for consent,
in accordance with Articles 5, 6, 7 and 9;
(b) the rights of the data subject in accordance with Articles 12 to 22;
c) the transfer of personal data to a recipient in a third country or an international country
organization in accordance with articles 44 to 49;
(d) all obligations under law established by the Member States under Chapter IX;
e) non-compliance with an order or a temporary or permanent processing restriction or
suspension of data flows by the supervisory authority in accordance with Article 58(2) or
failure to grant access in violation of Article 58(1).
6. Non-compliance with an order of the supervisory authority referred to in Article 58(2) is
in accordance with paragraph 2 of this article, subject to administrative fines of up to EUR 20 000 000 or,
for a company, up to 4% of the total worldwide annual turnover in the previous financial year, if this
grade higher.
7. Without prejudice to the powers to take corrective measures of the supervisory authority
authority, in accordance with Article 58(2), each Member State may lay down rules concerning the question whether and
to what extent administrative fines can be imposed on persons established in that Member State
government agencies and government bodies.
8. The exercise by the supervisory authority of its powers under this Article is
subject to the appropriate procedural guarantee in accordance with Union and Member State law
law, including an effective remedy and a fair administration of justice.
9. Where the legal system of the Member State does not provide for administrative fines, this Article may
are applied in such a way that fines are initiated by the competent supervisory authority
and imposed by the competent national courts, ensuring that these remedies are available
are effective and have the same effect as those imposed by supervisory authorities
administrative fines. The fines are effective, proportionate and deterrent in every case
Member States shall communicate to the Commission by 25 May 2018 at the latest the legislative provisions it adopts on the basis of
18/20Date Unmarked
December 18, 2023 [CONFIDENTIAL]
adopt this paragraph, as well as all subsequent amendments thereto and all matters affecting it
amending legislation.
Implementation Act of the General Data Protection Regulation
Article14
DutiesandauthoritiesAP
[…]
3. The Data Protection Authority may, in the event of a violation of the provisions of Article 83, fourth,
fifth or sixth paragraph of the regulation imposes an administrative fine on at most these members
mentioned amounts.
General Administrative Law Act
Article3:2
When preparing a decision, the administrative body gathers the necessary knowledge about the relevant issues
factsandweighinginterests.
Article3:4
1. The administrative body shall weigh the interests directly involved in the decision, insofar as not specified
a limitation arises from a legal requirement or from the nature of the authority to be exercised.
2. The adverse consequences of a decision for one or more interested parties may not be disproportionate
relationship to the goals to be served by the decision.
Article4:8
1. Before an administrative body issues a decision against which an interested party takes the decision
has not requested it is expected that he or she will have reservations, it puts the interested party to an end
opportunity to submit his views if:
(a) the decision would be based on information about facts and interests concerning the interested party, and
b) that data has not been provided by the interested party itself.
2.The first paragraph does not apply if the interested party has not fulfilled a legal obligation
to provide data.
Article 5:46
1. The law determines the maximum administrative fine that can be imposed for a specific violation
imposed.
19/20Date Unmarked
December 18, 2023 [CONFIDENTIAL]
2. Unless the amount of the administrative fine has been determined by statutory regulation, it votes
administrative body administrative fine depending on the seriousness of the violation and the extent to which it occurred
offender can be blamed. The administrative body will take this into account if necessary
circumstances under which the violation was committed.
3. If the amount of the administrative fine has been determined by statutory regulation, it shall be imposed
administrative body shall nevertheless impose a lower administrative fine if the offender can demonstrate that this is the case
established administrative fine due to special circumstances is too high.
4. Article 1, second paragraph, of the Criminal Code applies accordingly.
20/20
