The Dutch supervisory authority (AP) has imposed a fine on media company DPG Media Magazines B.V. for violating Article 12(2) of the GDPR. The fine was imposed following complaints from customers and subscribers. According to the complainants, the company unnecessarily requested redundant identification data from them.
Between May 2018 and January 2019 AP received five complaints about DPG Media Magazines’ handling of data subject access and deletion requests. According to the complainants, DPG Media Magazines requested a copy of the complainants’ identity document to verify their identity as a condition for further processing of the access or deletion request.
AP investigated the corporation’s policy on the collection and processing of copies of identity documents together with requests for access to or deletion of personal data. The scope of the supervisory authority’s investigation included requests made by complainants outside the secure account login environment (DPG Media Magazines provided such a service to its customers and subscribers). Requests were made by letter, email or web form.
When receiving a request for access to or deletion of personal data submitted outside the secure account login environment, the company always requested a copy of the data subject’s proof of identity. This was without regard to exactly what information about that person was being processed by the corporation. The company did not take into account in its practice the nature and amount of the data requested to be accessed or deleted. The Dutch supervisory authority in this context pointed out that the exercise of rights under the RODO must be organised in the least intrusive way possible for the data subject.
AP considered that a fine of €525,000 was appropriate for DPG Media Magazines given the scale of the breach. DPG Media Magazines has filed its opposition to this decision.