Kristof Van Quathem of Covington and Burling writes:
In December 2023, the Dutch SA fined a credit card company €150,000 for failure to perform a proper data protection impact assessment (“DPIA”) in accordance with Art. 35 GDPR for its “identification and verification process”.
First, the Dutch SA decided that the company was required to perform a DPIA because the processing met two of the nine conditions set out in the EDPB Guidelines on DPIAs. In particular, the processing was large scale (1.5 million customers) and involved personal data that was sensitive or of a “very personal nature” (name, date of birth, place of birth, e-mail address, telephone number, gender, Netherlands government ID Number, number of the ID document and photo).
Read more at Inside Privacy.