The National Credit Register (BKR) in the Netherlands can no longer charge people who wish to access the personal data it holds on them. In addition, if data subjects wish to receive a copy of their data by post, the procedure must be simple, and they must be able to request a new copy after a reasonable period of time has passed. The BKR had created too many obstacles for people wishing to access their data. Under privacy legislation, this is not permitted. As a result, the Dutch Data Protection Authority (Dutch DPA) issued the BKR with a €830,000 fine.
The Dutch DPA received complaints from data subjects about the difficulties involved in accessing the data the BKR held on them. The Dutch DPA considered these complaints significant enough to warrant an investigation.
Accessing credit registration data
In the words of Dutch DPA chairman Aleid Wolfsen, ‘It is vital that people are able to access their credit registration data. A poor credit score can affect a person’s ability to take out a loan or mortgage. So it is important for people to be able to quickly and easily check what data of theirs is being processed and if this is being done in the proper manner.’
The issue
In May 2018 the BKR began charging a fee to data subjects for requesting access to their data in a digital format. Furthermore, although data subjects could obtain a paper copy of their data for free, this was only possible once a year. This situation was an infringement of privacy legislation, and led to the BKR being fined €830,000.
Following the Dutch DPA’s investigation, the BKR has modified its processes. Since April 2019 data subjects have been able to access their data for free. In addition, in March 2019 the BKR changed the number of times a year data subjects can receive a paper copy of their data by post.
What’s next?
The BKR has appealed the case in court, which means that the Dutch DPA’s decision about the fine is not yet final.
The Dutch version of this press release is available here.