Stichting Bureau Krediet Registratie (BKR) – Court Ruling (Netherlands, 2023)

In May 2018, Stichting Bureau Krediet Registratie (BKR, the controller) began charging a fee to data subjects for requesting access to their data in a digital format. Data subjects could obtain a paper copy of their data for free, but only once a year. Following the DPA’s investigation, the controller has modified its processes. Since April 2019 data subjects have been able to access their data for free. In addition, in March 2019 the controller changed the number of times a year data subjects can receive a paper copy of their data by post. The Dutch DPA found that this practice was an infringement of privacy legislation, and imposed a fine of €830,000. controller then appealed in court. The court ruled that controller violated both Article 12(2) and Article 12(5) GDPR. The court found that controller's policy of limiting free access to once a year and charging for electronic access was inconsistent with the GDPR's requirements. The court emphasized that the GDPR requires data controllers to facilitate individuals' rights to access their data easily and free of charge, especially when data is processed electronically. The court rejected controller's argument that the GDPR's rules were unclear, stating that controller, as a professional organization, should have been aware of its obligations. The court acknowledged that the violations were related and reduced the fine by 20% due to the interconnected nature of the breaches. However, the court also found that the original fine of €830,000 was disproportionate and further reduced it to €668,000.