Fine from the Dutch DPA for requesting ID for erasure requests

A company received a fine from the Dutch DPA for the collection of excessive data.


The Dutch Data Protection Authority has imposed a fine of €525,000 on DPG Media according to this EDPB report. The media company was fined for requesting a copy of subjects’ identification to confirm their identity before honoring their right of access and erasure. That is not necessary in this situation and therefore goes against the principle of data minimisation. As a result, the media company was fined for these requests for excessive data in order to allow data subjects to 


When DPG Media acquired Sanoma, there were several changes which greatly affected former customers of Sanoma. 


After having received several complaints about the way Sanoma Media Netherlands BV dealt with these requests, the Dutch DPA has imposed a fine. The data subjects who submitted a complaint may have had a subscription to a magazine or received advertising from Sanoma. Sanoma was subsequently acquired by DPG Media in April 2020. Data subjects who wanted access to their personal data being kept by Sanoma and DPG Media, or who wanted to have that data deleted, were required to first upload or send proof of identity. In addition, the data subjects were not informed by Sanoma and DPG Media that they were allowed to protect their data in cases where the proof of identity was sent digitally.


It was concluded that the request for identity documents was a step too far and led to the collection of excessive data.


Both Sanoma and DPG Media requested too much data by demanding a copy of the identity document, going against the principle of data minimisation, and therefore made it much too complicated for customers to view or delete data. With regard to customers of DPG Media who had not created an online account with DPG Media, it was more difficult for them to access or change their data. DPG Media changed its working method after the acquisition of Sanoma. Now, DPG Media establishes the identity of a requester by sending a verification email, which should definitely suffice. Monique Verdier, Vice-President of the Dutch Data Protection Authority, said: “You should never just request an identity document. It contains a lot of personal data. Even if parts of an identity document are protected, a copy often remains too heavy a means to determine whether someone is who they say they are. Copies of IDs should also be kept with great care.”

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Data subject right of access: Guidelines by the EDPB

The EDPB recently released guidelines on data subject right of access in the context of the GDPR.


The right of access aims to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data. This is expected to make it easier for data subjects to exercise their rights to erasure and rectification, although it is not a condition for exercising those rights. The data subject right of access is enshrined in both the GDPR (Article 15) and the Charter of Fundamental Rights of the EU. Under the GDPR, this right consists of three components: confirmation of whether or not an individual’s personal data is being processed, access to it, and information about the processing of this personal data. Essentially, this summarizes a data subject’s ability to question, access, and verify any personal data being held by a controller. The EDPB has released its official guidelines on data subject right of access.


Data subject right of access includes the right of confirmation as to whether or not data is being processed, access to the personal data being processed as well as information on the processing of the data.


The right of access can only be exercised regarding personal data which falls within the material and territorial scope of the GDPR. Therefore, an integral part of the assessment carried out by the controller is the differentiation between personal data and other data, identifying the scope of the data which the data subject is entitled to access. Under the GDPR, personal data is “any information relating to an identified or identifiable natural person”. The CJEU ruled that the right of access covers personal data contained in minutes, like “name, date of birth, nationality, gender, ethnicity, religion and language of the applicant” “and, where relevant, the data in the legal analysis contained in the minute”. This right of access can be exercised exclusively by the data subject (and in select cases by an authorized person or proxy). It is also important to note that at times personal data may include data relating to another individual at the same time. However, this does not automatically mean that personal data of another individual can and should be shared by a controller. The controller must ensure compliance with Article 15(4) of the GDPR, which states: “The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.”

Access requests must be handled within the required time frame, but that time frame may be extended by two months if necessary, depending on the complexity and number of requests.


Under Article 12 of the GDPR, a controller is required to take action, and provide information on action taken regarding the access request to the data subject, without undue delay and within one month of receipt of the request. This deadline can be extended by a controller by a maximum of two months, depending on the number of requests received and the complexity of the requests. However, in the event the initial one month deadline needs to be extended, the data subject must be informed of the extension, and the reason why it is necessary, without delay and within the one month period after the request was received. The EDPB maintains, however, that access requests should be handled without undue delay, meaning the information should be given as soon as possible. This time limit starts when the controller has received an access request. However, in cases where the controller needs to communicate with the data subject in order to confirm the identity of the person making the request, there may be a suspension in time, with the time limit starting when the controller has obtained all the information needed from the data subject, provided that the controller has requested the information without undue delay.


The EDPB has outlined how access should be provided, depending on the amount of data and the complexity of the processing.


According to the EDPB, unless explicitly stated otherwise, requests should be understood as referring to all personal data concerning the data subject. A controller may ask the data subject to specify the request if the controller processes a very large amount of data. Otherwise, the controller will have to search for personal data throughout all IT systems, as well as all non-IT filing systems, based on search criteria that mirror the structure of the stored information. For example, the controller would search for information relating to a specific data subject name or customer number. Communication relating to the processing must be provided in a concise, intelligible, transparent and easily accessible form, making use of clear and plain language. This data, particularly if it contains “raw data”, has to be explained in a manner which would make sense to the data subject. Generally speaking, this data must be sent in a permanent form such as written text, and can be sent via email. The EDPB suggests taking a layered approach to presenting the information in cases where the amount of data is vast, in order to facilitate the data subject’s understanding of the data presented. In this case all layers should be provided at the same time if the data subject requests it.


The EDPB, in this recent release of its official guidelines on data subject right of access, has provided several specific examples of scenarios, and how they each should be handled, to enable data controllers to understand their role and responsibilities in fulfilling access requests and maintaining compliance. For more information, including visual flow charts demonstrating when and how access requests should be handled, controllers may refer to the guidelines.
