ICS – €150,000 Fine (Netherlands, 2023)

Following a series of reports and complaints against ICS, a subsidiary of ABN AMRO, as a controller, the Dutch DPA (Autoriteit Persoonsgegevens, AP) decided to start an ex officio investigation into the processing operations carried out by the controller. The AP mainly received complaints concerning the controller's process of re-identifying its customers online by means of a new identification and verification tool, ID&V. The AP found that the controller never conducted a DPIA in 2018, prior to the introduction of its identification system, and asked the controller to provide its submissions on this. The controller claimed in this respect that it did not need to carry out a DPIA, since the same identification system was used by ABN AMRO before, and ABN AMRO had previously carried out a risk assessment of its own authentication app. Moreover, the controller argued that when ID&V was introduced, there were no risks of potential misuse of personal data, and strict security measures were in place. Also, the controller argued that the only criterion that suggested the need to carry out a DPIA, according to Article 35 GDPR, was the fact that the processing was large-scale, but no other criteria were given that would make its processing activities "high risk". Lastly, the controller claimed that it does not process any special categories of personal data within the meaning of Article 9 GDPR. The AP first of all assessed whether the controller’s processing operations presented a high risk to the rights and freedoms of natural persons. The AP made this assessment in light of [https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwj5rKOm5PODAxUBbvEDHTkrDysQFnoECBAQAQ&url=https%3A%2F%2Fec.europa.eu%2Fnewsroom%2Fdocument.cfm%3Fdoc_id%3D47711&usg=AOvVaw0fHA9krZ_2-wSysNMXoIyB&opi=89978449 Article 29 Working Party Guidelines 248 rev.01 on “Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high