DPG Media – €525,000 Fine (Netherlands, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
DPG Media was fined €525,000 for making it too hard for people without accounts to access or delete their data. They required a copy of an ID, which was unnecessary and excessive. This case shows that companies must make it easy for everyone to exercise their data rights.
What happened
DPG Media required non-account holders to provide a copy of their ID to access or delete their data, which was deemed excessive.
Who was affected
Individuals without DPG Media accounts who wanted to access or erase their personal data.
What the authority found
The Dutch DPA found DPG Media violated GDPR by making it disproportionately difficult for individuals to exercise their data rights.
Why this matters
This case emphasizes the need for companies to facilitate easy access to data rights for all users, not just account holders. It highlights the importance of proportionality in identity verification processes.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller is DPG Media, a Dutch company that exploits books, magazines, and (news)papers. Between May 2018 and January 2019, the Dutch DPA received several complaints from data subjects who did not have an account with DPG Media, and had to provide a copy of their ID, as verification, before they could submit an access request pursuant to Article 15, or an erasure request pursuant to Article 17 GDPR (the same was not requested from users who had an account). DPG Media argued that the ID request was justified under Article 12(6) GDPR, as there were no other options to correctly verify the data subject’s identity. The DPA then started an investigation into how DPG Media dealt with access- and erasure requests of data subjects that did not have an account with DPG Media. The DPA noted that, although the controller must verify the data subject’s identity, it possibly violates Article 12(2) GDPR if it hinders the data subject from exercising their rights. Moreover, as follows from the principle of data minimisation, the identity verification must suffice the requirements of proportionality and subsidiarity. Hence, the controller must, in principle try to verify a data subject’s identity based on the information it already has on this data subject. The DPA further noted that, considering the very sensitive information an ID contains, one can only request a copy of the ID if there is a legal basis to do so. The DPA found that, considering the sensitive information on an ID, and that it is possible to verify the data subject’s identity based on other information (like subscription details, name, and email), it is disproportionate to request, in all cases, a data subject’s ID for verification. Hence, the DPA concluded that DPG Media violated Article 12(2) GDPR for not facilitating the data subject’s rights sufficiently. The DPA imposed a fine of € 525,000 and considered that this was appropriate, due to the sensitivity of the personal data, the systemic nature of
Related Enforcement Actions (0)
No other enforcement actions found for DPG Media in NL
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
24 February 2022
Authority
Autoriteit Persoonsgegevens
Fine Amount
€525,000
GDPRhub ID
gdprhub-4662About this data
Cite as: Cookie Fines. DPG Media - Netherlands (2022). Retrieved from cookiefines.eu
Last updated: