Dutch DPA – Court Ruling (Netherlands, 2023)

The Dutch Data Protection Authority, the defendant in this case, received multiple complaints regarding DPG's (a magazine publisher) practice of requesting ID verification for data erasure requests. DPG clarified that ID verification was solely for erasure requests made outside of its online platform. The defendant subsequently levied a €525,000 fine on the data controller due to a violation of Article 12(2) GDPR. The DPA found that requesting ID verification to facilitate an erasure request was disproportionate, and contrary to the obligation of facilitating the exercise of the right to access and deletion. DPG appealed the DPA's decision, and argued that the DPA's interpretation of Article 12(2) GDPR was wrong. They submitted that their privacy policy outlined their obligation to identify data subjects before facilitating erasure requests, and allowed that parts of the ID, such as the citizen service number and photo, might be hidden. Moreover, DPG argued that imposing the fine contradicted the principle of legal certainty (lex certa), and that the amount was contrary to the principle of proportionality. The Court deliberated whether DPG adequately facilitated the exercise of GDPR rights for the purposes of Article 12(2) GDPR. This provision obliges controllers to "facilitate the exercise of data subject rights under Articles 15 to 22." The Court interpreted "facilitation" in the context of Article 12(2) GDPR, in connection with Recitals 59 to 64 GDPR, concluding that data controllers must provide an accessible system for the exercise of data subjects' rights without introducing unnecessary obstacles. Firstly, though DPG was obligated to validate the identity for data erasure requests, their rigid procedure required an ID copy for every request, irrespective of the data involved. This approach was disproportionate because it did not differentiate between requests concerning sensitive and non-sensitive data, and requested ID verification for all types of r