Credit card company ICS fined for failing to monitor privacy


NOS News • today, 12:54

The Dutch Data Protection Authority (AP) has fined credit card company ICS 150,000 euros. The company used a lot of personal data without first conducting a mandatory privacy check. ICS thus violated the privacy law, the AP says.

ICS takes care of the issuance, administration and control of credit cards. Bunq, ABN Amro and American Express, among others, use the company’s services.

In 2019, ICS started digitally checking approximately 1.5 million customers in the Netherlands. The company used sensitive information, such as name, address, telephone number and email, and asked customers to take photos of themselves with a mobile phone or webcam and send them in. ICS compared these photos with copies of IDs.

Very carefully

Financial institutions, such as ICS, must legally establish the identity of customers, but they must also be very careful about the information they use. Because ICS did not build in any additional privacy guarantees, the company violated its duty of care, according to the AP.

“It is not without reason that organizations are legally obliged to check in advance what risks there are. If a copy of a passport falls into the wrong hands, one can become a victim of identity fraud,” says Katja Mur, board member of the AP.

The AP can impose fines between 120,000 and 500,000 euros. Because this involved negligence and not intent, the fine for ICS is relatively mild.

ICS said in a response to NOS that it will not appeal against the sanction. ICS acknowledges that it has made mistakes, but adds that the matter has since been tightened up. “The risk analysis was carried out in 2021 and no safety risks emerged,” says a spokesperson.