In December 2023, the Dutch SA fined a credit card company €150,000 for failure to perform a proper data protection impact assessment (“DPIA”) in accordance with Art. 35 GDPR for its “identification and verification process”.
First, the Dutch SA decided that the company was required to perform a DPIA because the processing met two of the nine conditions set out in the EDPB Guidelines on DPIAs. In particular, the processing was large scale (1.5 million customers) and involved personal data that was sensitive or of a “very personal nature” (name, date of birth, place of birth, e-mail address, telephone number, gender, Netherlands government ID Number, number of the ID document and photo).
Second, the SA decided that the company’s impact assessment of its identification and verification process (which the company called a “Change Risk Assessment”) was not a valid DPIA because it was too focused on financial services regulations and did not sufficiently take into account data protection requirements, such as the necessity and proportionality of the processing. The DPO was also not sufficiently involved in the assessment.
Covington’s Data Privacy and Cybersecurity team regularly advises companies on all aspects of their privacy compliance programs, including on data protection impact assessments.