Publisher DPG Media was fined €525,000 by the GDPR for asking customers to prove their identity if they wanted to access their data. Thus, the DPG “raised unnecessary barriers to implementing GDPR rights”.
DPG Media, the parent company of the Talkers and publisher of major newspapers and magazines such as de Volkskrant and Otwick, will bear the fine. The Dutch Data Protection Authority informs the publisher A fine of €525,000 for For violating the General Data Protection Regulation. The breaches occurred at DPG magazines, which was known as Sanoma until it was acquired by DPG in April 2020. Customers who wanted to know what information the publisher had collected about them at Sanoma and later DPG had to submit digital proof of their identity. Customers also had to do this if they wanted to cancel or change their subscription. The DPG also did not inform them that their data could be protected.
Between May 2018 and January 2019, a privacy supervisor received complaints about the way what was then Sanoma handled identity documents. That was when the GDPR Privacy Act came into effect. Customers without an account with magazines or websites had to upload their ID to verify their identity. If customers submitted a request for access via an online form, DPG did not show them the option to hide information such as a citizen service number or the photo on the copy. This was indicated by the publisher when communicating by mail. Most customers who made changes or applied for access did so through an online account. Verification is not requested.
According to DPG, this was the only way to identify users. In the period considered by the AP, 11,000 accesses and other customer requests were submitted, 1,600 of which were made via form or mail. In 60 cases related to a request to delete data. The German Dubai group says it no longer requires proof of identity since December 2020.
AP . Recordings Accurate Resolution that DPG Article 12 of the General Data Protection Regulation violated. This article outlines what data customers can request and delete and under what conditions. According to the Privacy Act, customers should be “able to exercise their rights more easily and simply.” “The console may not create unnecessary barriers for data subjects to exercise the above rights,” the Netherlands Data Protection Authority wrote. On the other hand, the party collecting the data must be able to verify the identity of the person making such a request.
The Dutch Data Protection Authority has concluded that it is “disproportionate” to request a copy of the identity document “if the data subject’s claim can be verified in another way”. In the case of the DPG, this was possible by creating an account. The publisher can also identify customers based on other personal information the company already has, including the subscriber’s number along with their username, address, and email address. “Now that the DPG has standardly requested a copy of an identity document from data subjects without first checking whether the DPG (actually) has (identify) another (contact) information and without taking into account the nature and amount of personal data, the AP believes that the data subjects cannot easily Simply claim their rights under the General Data Protection Regulation.”
So the publisher’s policy was “disabled” and requesting a copy of the identity document was “disproportionate to the nature and amount of personal data” collected. So the Associated Press is talking about a “serious violation”. “You shouldn’t think copies are in the wrong hands through a ransomware attack or other data breach. This can lead to identity fraud and have serious consequences for the people behind this personal data,” said Monique Verdier, Associate Vice President of the Associated Press.