If the bank has denied you a loan and they want to know the reasons, they can quickly pay and recognize them online in a matter of days or often. But I know the idea of paying to have information about you don’t like you, you have to take paper and pen and write a letter of request waiting to receive a response in a month. This is basically the solution adopted by the Bureau Krediet Registratie (BKR) with Dutch citizens, forgetting that the right of access to personal data is essentially free.
The BRK Foundation, which in the Netherlands is responsible for managing the credit information system on consumer creditworthiness, had established its rules and provided substantially two options for processing applications for the exercise of rights that the GDPR recognizes to interested parties, i.e. primarily the ordinary processing, which has to be exploited from the letter that has to be mailed with a photocopy of the identity document and the request to obtain free a copy of your own personal data in letter-order format within 28 days, or alternatively, for the most impatient, by activating an annual subscription to be paid with costs between 5 and 12.50 euros, which instead allowed to receive the documentation more quickly in digital format.
Everyone is easy and quick for the people who paid, but from the other side were the citizens who were not willing to pay money to see the respect of a right, and for this they found a penalty, for greater reason because either it was consented nor pur to repeat the instance of access more once in the year, with the risk of spending all the money and time to send a letter that could also be ignored without get a response.
In the face of another case in which the fact that the protection of privacy is a fundamental right of the person was forgotten, the Dutch Data Protection Authority (Autoriteit Persoonsgegegevens) has not at all consented to this disparity of treatment, and having after having investigated the case has stated that, by replying to the bodies of the interested parties, the BKR did not offer a service but also complied with an obligation of the GDPR , therefore if the controller has the technical possibilities to process them in a short period of time he would have to do so in each case, and not only because they are willing to pay a subscription to see it online while others have to wait a month before receiving them by post.
The Dutch supervisory authority has relieved that, with its procedures, BKR was in breach of Article 12(5) of the GDPR, where the European Regulation specifies that the information provided is free, and that it is possible to “charge a reasonable spese contribution taking into account the sustained administrative costs”, only by quainting the requests of the data subject “are manifestly unfounded or excessive, in particular for their repetitive characteristics”.
Also on the limit imposed from BKR not to accept more than one request for access in the year, the Authoriteit Persoonsgegegevens has stated that it is not the number of applications that determines whether these may be considered manifestly excessive or repetitive in accordance with Article 12(5) of the GDPR, but the controller “cannot refuse to satisfy the data subject’s request” , and regardless of the number of access applications submitted, it is necessary to evaluate on a case-by-case basis to establish whether the budgets for a thick contributor are present, which cannot be established from a price list or by a pre-set tariff.
As is now known, on non-compliance with the requirements relating to the rights of the person concerned, the EU Regulation 2016/679 (GDPR) provides for administrative penalties of up to 20 million euros or up to 4% of the total global annual turnover of the violator, and the Dutch regulator did not go very light, by imposing a fine of 830,000 euros on BKR.
SOURCE: FEDERPRIVACY