Rb. Noord-Holland - AWB-20 4638: Difference between revisions
(→Facts) |
No edit summary |
||
(3 intermediate revisions by the same user not shown) | |||
Line 52: | Line 52: | ||
}} | }} | ||
The District Court of Northern Holland held that a data controller | The District Court of Northern Holland held that where a data subject makes a non-specific access request to a data controller processing a large quantity of personal data, it is reasonable to expect the data controller to perform a search for the "most common" personal data (such as name, address, and social security number), in its "most common" data files and/or computer systems or applications. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The claimant's request for access to his personal data was rejected by the Minister of Finance (the defendant). | The claimant's request for access to his personal data was rejected by the Minister of Finance (the defendant), and the claimant appealed this decision. | ||
The Minister of Finance considered the request to be too general, comparing it to a 'fishing expedition.' It argued that where a controller processes a large amount of data about a data subject (such as in this case), the data subject must specify to which information or which processing activity the request relates. | The Minister of Finance considered the request to be too general, comparing it to a 'fishing expedition.' It argued that where a controller processes a large amount of data about a data subject (such as in this case), the data subject must specify to which information or which processing activity the request relates. | ||
Line 71: | Line 62: | ||
The defendant draws on case law, as well as Recital 63 GDPR, which at sentence seven states: "Where the controller processes a large quantity of information concerning a data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates." | The defendant draws on case law, as well as Recital 63 GDPR, which at sentence seven states: "Where the controller processes a large quantity of information concerning a data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates." | ||
With regard to the statutory tasks of the tax authorities, the defendant | With regard to the statutory tasks of the tax authorities, the defendant argued that the claimant can largely view and change his personal data himself by logging in to 'my tax authority' or 'my benefits' (web portals). | ||
The claimant argues that the defendant is wrong to ask him to specify his request, because this would make it impossible for him to verify what personal data is being processed. According to the claimant, there is a possibility that personal data may be processed incorrectly, incompletely and/or unlawfully without the ability to verify and rectify. | The claimant argues that the defendant is wrong to ask him to specify his request, because this would make it impossible for him to verify what personal data is being processed. According to the claimant, there is a possibility that personal data may be processed incorrectly, incompletely and/or unlawfully without the ability to verify and rectify. |
Latest revision as of 11:58, 11 August 2021
Rb. Noord-Holland - AWB-20_4638 | |
---|---|
Court: | Rb. Noord-Holland (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 15(1) GDPR |
Decided: | 18.06.2021 |
Published: | 20.07.2021 |
Parties: | Minister of Finance |
National Case Number/Name: | AWB-20_4638 |
European Case Law Identifier: | ECLI:NL:RBNHO:2021:6040 |
Appeal from: | |
Appeal to: | |
Original Language(s): | Dutch Dutch |
Original Source: | Rechtspraak.nl (in Dutch) |
Initial Contributor: | n/a |
The District Court of Northern Holland held that where a data subject makes a non-specific access request to a data controller processing a large quantity of personal data, it is reasonable to expect the data controller to perform a search for the "most common" personal data (such as name, address, and social security number), in its "most common" data files and/or computer systems or applications.
English Summary
Facts
The claimant's request for access to his personal data was rejected by the Minister of Finance (the defendant), and the claimant appealed this decision.
The Minister of Finance considered the request to be too general, comparing it to a 'fishing expedition.' It argued that where a controller processes a large amount of data about a data subject (such as in this case), the data subject must specify to which information or which processing activity the request relates.
The defendant draws on case law, as well as Recital 63 GDPR, which at sentence seven states: "Where the controller processes a large quantity of information concerning a data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates."
With regard to the statutory tasks of the tax authorities, the defendant argued that the claimant can largely view and change his personal data himself by logging in to 'my tax authority' or 'my benefits' (web portals).
The claimant argues that the defendant is wrong to ask him to specify his request, because this would make it impossible for him to verify what personal data is being processed. According to the claimant, there is a possibility that personal data may be processed incorrectly, incompletely and/or unlawfully without the ability to verify and rectify.
Holding
The Court declared the claimant's appeal well-founded, and annulled the Minister of Finance's decision.
It held that, in general, a controller may request clarification from a data subject on an access request if it processes a large amount of data. However, this does not mean that a controller can in all cases demand clarification before performing a search.
In the opinion of the Court, even where a controller processes a large amount of data, it is reasonable to expect the data controller to perform a search for the "most common" personal data in the case of a generally formulated request (e.g., on the basis of a name, address, or social security number), in the "most common" data files and/or computer systems or applications.
During the hearing, the defendant had argued that to search the many systems in which the Minister of Finance processes personal data, employees must log-in separately and that only a limited number of employees are authorized for some systems, such as the Fraud Signaling Facility (FSV) system. In this regard, the Court found that the defendant had insufficiently substantiated that it would not be possible to perform a search for the most common personal data in a number of the larger applications or systems. The fact that an employee must log in per system or application, or that not every tax employee has access to a system or an application, does not justify the conclusion that this requires a disproportionate effort from the Minister of Finance, without further substantiation. Accordingly, the contested decision lacks a proper statement of reasons.
The Court ordered the defendant to reach a new decision in line with its ruling. The defendant therefore now either has to: further substantiate that a search for the most common personal data is not possible; or, will have to perform a search and respond to the data subject's access request accordingly.
The Court denied the claimant's request to impose a penalty on the defendant, because there is no reason to assume that the defendant will not comply with the decision.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Body Court of North Holland Date of judgment 18-06-2021 Date of publication 20-07-2021 Case number AWB - 20 _ 4638 Jurisdictions Administrative law Special characteristics First instance - single Content indication AVG - The Tax and Customs Administration has provided insufficient reasons that a search for the most common personal data is not possible without further specification. Locations Rechtspraak.nl Viditax (FutD), 6/22/2021 FutD 2021-1970 with annotation from Fiscal up to Date U-N Today 2021/1795 NLF 2021/1527 Enhanced pronunciation Share pronunciation print Save as PDF Copy link Pronunciation NORTH HOLLAND COURT Seating location Haarlem Administrative law case number: HAA 20/4638 judgment of the single chamber of 18 June 2021 in the case between [claimant] , at [place of residence] , claimant (Agent: J.H.P.M. Raaijmakers), and the Minister of Finance, defendant (Agents: J.L. Lam MSc LL.M. and I.H.H.L. Kolthof). Process sequence In the decision of 7 April 2020 (primary decision), the respondent rejected the request for access to his personal data on the basis of the General Data Protection Regulation (GDPR). In the decision of 23 July 2020 (contested decision), the respondent upheld the claimant's objection against the primary decision, in so far as the application was completely rejected and the rest declared unfounded. Plaintiff appealed against the contested decision. Defendant has filed a statement of defence. The examination at the hearing took place on 17 May 2021 using video bubbles. Plaintiff is represented by his authorized representative. Defendant was represented by his attorneys. Considerations 1. In a letter dated January 23, 2020, the plaintiff submitted a request to the defendant for access to his personal data. The defendant rejected the request, referring the plaintiff to 'my tax authorities' and 'my allowances' for his personal data. 2. The defendant has declared the objection of the plaintiff well-founded in the sense that the request is not wholly rejected, but that the reference to 'my allowances' and 'my tax authorities' provides sufficient access to the personal data. 3. As discussed at the hearing, the core of the dispute between the parties is the answer to the question whether the defendant could have sufficed to refer to my tax authorities and my allowances and otherwise require the claimant to specify his request. 4. The defendant takes the position that the request for access by the plaintiff is so general that it has the character of a 'fishing expedition'. Where a controller processes a large amount of data about a data subject (such as a defendant), the data subject may be requested to specify in his request to which information or which processing activity the request relates. The defendant bases its position on recital 631 of the GDPR and the relevant case law. With regard to the statutory duties of the tax authorities (levying/collecting taxes, paying surcharges, supervising goods and detecting related offenses), the defendant states that the plaintiff can largely view his personal data and change it (or have it changed) by logging in to ' my tax authorities' or 'my allowances'. 5. The Claimant argues that the Respondent wrongly asks him to specify his request, because this prevents him from checking all his personal data. Such an obligation also does not follow from the GDPR (and/or recital 63). Plaintiff states that more information is available than is currently provided by the tax authorities. For example, the Tax and Customs Administration states that the claimant is the Ultimate Benificial Owner (UBO) of a number of foreign companies. According to the claimant, it is not an excessive effort for the tax authorities to obtain the personal data. By not being given full access, because a request should be specified, there is a chance that personal data may be incorrectly and/or incompletely and/or unlawfully processed without there being any possibility of checking and correction. 6. The court considers as follows. 7. In general, a controller may request clarification if it processes a large amount of data. However, this does not mean that a controller can in all cases demand clarification before performing a search. The more concrete a request is, the more effort may be expected from the controller, but in the opinion of the court, the controller may also be expected to perform a search for the most common personal data in the case of a generally formulated request (for example, on the basis of the Name and address details and BSN number) in the most common data files and/or computer systems/applications. This would only be different if the controller provides clear reasons that such a limited search also requires a disproportionate amount of effort. 8. It is not disputed that the Tax and Customs Administration processes a large amount of data. At the hearing, the defendant explained that to search the many systems in which the Tax and Customs Administration processes personal data, employees must log in separately and that only a limited number of employees are authorized for some systems, such as the Fraud Signaling Facility (FSV) system. In this explanation, however, the respondent has provided insufficient reasons that it would not be possible to perform a search for the most common personal data (name and address details and the citizen service number) in a number of the larger applications or systems. The circumstance that login is required per system or application or that not every tax employee has access to a system or application does not justify the conclusion without further motivation that this requires a disproportionate effort from the Tax and Customs Administration. The contested decision therefore lacks a proper statement of reasons and will therefore be annulled. 9. The court will therefore declare the appeal well-founded and annul the contested decision. The court itself does not provide in this case, because the defendant either has to provide further reasons that a search for the most common personal data is not possible, or will have to perform that search. Defendant will therefore have to make a new decision with due observance of this ruling. 10. The court will deny the claimant's request to impose a penalty on the defendant, because there is no reason to assume that the defendant will not comply with this decision. 11. Because the District Court declares the appeal well-founded, the District Court determines that the defendant reimburses the applicant for the court fee paid by him. 12. The court orders the defendant to pay the costs incurred by the plaintiff. Based on the Administrative Costs Decree, the court sets these costs for legal assistance provided professionally by a third party at €1,068 (1 point for submitting the notice of appeal, 1 point for appearing at the hearing, with a value per point of € 534 and weighting factor 1). Furthermore, the defendant must reimburse the court fee paid by the plaintiff. Decision The court: - declares the appeal well-founded; - annul the contested decision; - instructs the defendant to take a new decision on the objection within six weeks of the date on which this decision was sent, taking into account the considerations in this decision; - rejects the request to impose a penalty; - orders the defendant to reimburse the plaintiff for the court fee paid of € 178; - orders the defendant to pay the plaintiff's legal costs to an amount of € 1,068. This statement was made by mr. M.P. de Valk, judge, in the presence of mr. J.H. Bosveld, clerk. The verdict was handed down in public on June 18, 2021. clerk Right A copy of this ruling has been sent to the parties at: Do you disagree with this statement? If you do not agree with this ruling, you can send a letter to the Administrative Jurisdiction Division of the Council of State explaining why you do not agree with it. This is called an appeal. You must submit this notice of appeal within 6 weeks after the day on which this statement was sent. You can see this date above. Appendix Recital 63: “A data subject should have the right to access the personal data collected about them and to exercise that right easily and at reasonable intervals so that they can obtain information about the processing and verify its lawfulness . This also means that data subjects should have the right to access their personal data regarding their health, such as the data in their medical file, which contains information about, for example, diagnoses, research results, assessments by treating physicians and treatments or interventions performed. Each data subject must therefore have the right to know and be informed for what purposes the personal data are processed, if possible how long they are stored, who receives the personal data, what logic is underlying any automatic processing of the data. personal data and, at least where the processing is based on profiling, what the consequences of such processing are. If possible, the controller should be able to provide remote access to a secure system on which the data subject can directly view his personal data. That right should not affect the rights or freedoms of others, including business secrets or intellectual property and, in particular, the copyright protecting the software. However, those considerations should not lead to the data subject being withheld all information. Where the controller processes a large amount of data concerning the data subject, it should be able to request the data subject, prior to providing the information, to specify the information or processing activities to which the request relates.” 1 See annex for the text of recital 63