The Dutch Data Protection Authority (DPA) imposed a fine of €830,000 on the Dutch Credit Registration Bureau (BKR) for making it overly difficult and expensive for data subjects (i.e., people) to gain access to their information and have it deleted. The BKR had required a written request, accompanied by a copy of the person’s passport, allowable only once per year, and even then, the response time would be “within 28 days.” Quicker response times required a paid subscription. The DPA ruled these restrictions unreasonable.

https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/besluit_bkr_30_juli_2019.pdf