DPA fines DPG Media for unnecessarily requesting copies of identity documents
The Dutch Data Protection Authority (DPA) has imposed a fine of € 525,000 on DPG Media. The media company had required people wanting to view their data or have their data deleted to first upload a copy of an identity document. The situation did not necessitate this. DPG Media therefore collected too much personal data.
The DPA received various complaints regarding how Sanoma Media Netherlands B.V. (before Sanoma was taken over by DPG Media in April 2020) handled requests from people to view their data or have their data deleted. These complaints were submitted by people who, for example, had a magazine subscription or had received advertisements from Sanoma.
Anyone who wanted to know what personal data of theirs Sanoma and DPG Media kept or who wanted their data deleted, was required to first upload or send in a copy of their identity document. What’s more, when sending such a copy electronically, they were not informed by Sanoma and DPG Media that they could redact certain data.
These were DPG Media customers who did not have an online account with DPG Media. It was difficult for them to access their data. After taking over Sanoma, DPG Media changed its practices. DPG Media now confirms the identity of a person requesting access to their data or deletion of their data by sending a verification email. The violation is therefore no longer being committed.
In requiring people to provide a copy of their identity document, Sanoma and DPG Media requested too much data. The company thus made it overly complicated for customers to access their data or have their data deleted.
In the words of DPA deputy chair Monique Verdier, ‘You cannot require a copy of an identity document without good reason for doing so. Identity documents include a lot of personal data. Even if parts are redacted, it will often be disproportionate to require a copy of an identity document in order to confirm that a person really is who they claim to be.'
'Copies of identity documents must also be stored with the utmost care. It’s frightening to imagine what would happen if there was a ransomware attack or data breach and copies of people’s identity documents were to fall into the wrong hands. This could lead to identity fraud and have far-reaching consequences for the people whose personal data is concerned.’
What happens next?
DPG Media has lodged an objection to this fine.
Update August 2023
On August 10th, 2023 the District Court of Amsterdam ruled that DPG Media has violated the GDPR, but given the circumstances, the DPA should not have imposed the fine. The DPA is currently studying the verdict.