National Credit Register (BKR) fined for personal data access charges

6 August 2020

The National Credit Register (BKR) in the Netherlands can no longer charge people who wish to access the personal data it holds on them. In addition, if data subjects wish to receive a copy of their data by post, the procedure must be simple, and they must be able to request a new copy after a reasonable period of time has passed. The BKR had created too many obstacles for people wishing to access their data. Under privacy legislation, this is not permitted. As a result, the Dutch Data Protection Authority (Dutch DPA) issued the BKR with a €830,000 fine. 

The Dutch DPA received complaints from data subjects about the difficulties involved in accessing the data the BKR held on them. The Dutch DPA considered these complaints significant enough to warrant an investigation.

Accessing credit registration data
In the words of Dutch DPA chairman Aleid Wolfsen, ‘It is vital that people are able to access their credit registration data. A poor credit score can affect a person’s ability to take out a loan or mortgage. So it is important for people to be able to quickly and easily check what data of theirs is being processed and if this is being done in the proper manner.’ 

The issue
In May 2018 the BKR began charging a fee to data subjects for requesting access to their data in a digital format. Furthermore, although data subjects could obtain a paper copy of their data for free, this was only possible once a year. This situation was an infringement of privacy legislation, and led to the BKR being fined €830,000.

Following the Dutch DPA’s investigation, the BKR has modified its processes. Since April 2019 data subjects have been able to access their data for free. In addition, in March 2019 the BKR changed the number of times a year data subjects can receive a paper copy of their data by post. 

What’s next?
The BKR has appealed the case in court, which means that the Dutch DPA’s decision about the fine is not yet final. 

The Dutch version of this press release is available here

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl​​​​​​​

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.