Fine from the Dutch DPA for requesting ID for erasure requests

A company received a fine from the Dutch DPA for the collection of excessive data.

 

The Dutch Data Protection Authority has imposed a fine of €525,000 on DPG Media, according to this EDPB report. The media company was fined for requesting a copy of data subjects’ identification to confirm their identity before honoring their rights of access and erasure. That is not necessary in this situation and therefore goes against the principle of data minimisation. As a result, the media company was fined for these requests for excessive data in order to allow data subjects to

 

When DPG Media acquired Sanoma, there were several changes which greatly affected former customers of Sanoma. 

 

After receiving several complaints about the way Sanoma Media Netherlands BV dealt with these requests, the Dutch DPA has imposed a fine. The data subjects who submitted a complaint may have had a subscription to a magazine or received advertising from Sanoma. Sanoma was subsequently acquired by DPG Media in April 2020. Data subjects who wanted access to their personal data being kept by Sanoma and DPG Media, or who wanted to have that data deleted, were required to first upload or send proof of identity. In addition, the data subjects were not informed by Sanoma and DPG Media that they were allowed to protect their data in cases where the proof of identity was sent digitally.

 

It was concluded that the request for identity documents was a step too far and led to the collection of excessive data.

 

Both Sanoma and DPG Media requested too much data by demanding a copy of the identity document, going against the principle of data minimisation, and therefore made it much too complicated for customers to view or delete data. With regard to customers of DPG Media who had not created an online account with DPG Media, it was more difficult for them to access or change their data. DPG Media changed its working method after the acquisition of Sanoma. Now, DPG Media establishes the identity of a requester by sending a verification email, which should definitely suffice. Monique Verdier, Vice-President of the Dutch Data Protection Authority, said: “You should never just request an identity document. It contains a lot of personal data. Even if parts of an identity document are protected, a copy often remains too heavy a means to determine whether someone is who they say they are. Copies of IDs should also be kept with great care.”

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.
