The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has fined International Card Services B.V. (ICS) €150,000 for violating the General Data Protection Regulation (GDPR). ICS, a credit card company, processed customers' personal data on a large scale without first carrying out a Data Protection Impact Assessment (DPIA), which Article 35 of the GDPR requires whenever processing is likely to result in a high risk to individuals. A DPIA is the step at which an organization identifies the privacy risks of a planned processing operation and decides how to mitigate them before the processing starts. ICS did not perform one before rolling out digital customer identification in the Netherlands in 2019, a process that affected approximately 1.5 million customers.
The digital identity check collected sensitive information: customers' names, addresses, phone numbers, email addresses and photos. Customers were required to take a photo of themselves with a mobile phone or webcam and submit it, and ICS then compared that photo against a copy of the customer's identity document. Financial institutions are legally obliged to verify their customers' identities, but the volume and sensitivity of the data collected for that purpose is exactly what makes a DPIA mandatory. The AP's fine underlines that organizations must analyse the risks of such processing in advance and put mitigations in place, especially when handling large volumes of sensitive data.
Katja Mur, a board member of the AP, emphasized that organizations are legally obliged to assess the potential risks before processing individuals' data. Failing to do so can expose individuals to identity fraud if sensitive information, such as a copy of a passport, falls into the wrong hands. Mur stressed the importance of preventive measures, urging organizations to investigate privacy risks thoroughly and take corrective action. The penalty is a reminder that privacy risk assessment has to happen before processing begins, not after a breach, if individuals are to be protected from identity-related fraud.