GHDHA - 200.291.947/01: Difference between revisions
No edit summary |
No edit summary |
||
Line 59: | Line 59: | ||
=== Facts === | === Facts === | ||
The claimant requested the defendant to remove certain special codes, that link to his creditworthiness, from the Central Credit Information System (CKI) of the Bureau for Credit Registration. The registration of these special codes had resulted from the claimant's inability to repay his mortgage debt to the defendant. | The claimant requested the defendant to remove certain special codes, that link to his creditworthiness, from the Central Credit Information System (CKI) of the Bureau for Credit Registration. The registration of these special codes had resulted from the claimant's inability to repay his mortgage debt to the defendant. The registration was dated September 2018 and remained in effect for a period of five years. Hence, the claimant would not be removed from the BKI until September 2023. Since the registration had the effect of preventing the claimant from taking out a new loan, the claimant requested the defendant to remove his personal data from the CKI. | ||
However, claimant made some procedural mistakes. He first requested his personal to be removed on 22 August 2019. Defendant rejected to this request on 10 September 2019. Afterwards, claimant lodged an appeal to this decision, but erroneously brought defendant's sister company to Court. Claimant submitted the his second request to deletion, which was identical to the first one, on 28 April 2020. After defendant rejected the request again, claimant submitted appeal to the decision. However, this time, he brought the right party to Court. | |||
In the first instance, the claimant demanded the removal of the registration accompanied by a daily penalty payment. The Court ordered the defendant to remove the registration on 1 January 2023 instead of September 2023. However the demanded penalty payment was rejected. The applicant did not agree with the ruling and brought the case for appeal. | |||
The claimant put forward three grounds of appeal against the contested decision. First of all, the claimant points to the wrongful absence of relevant facts. Secondly, the claimant argued that the Court should have first assessed whether the registration was still necessary before weighing up the interests. Finally, the claimant challenges the Court's finding that the registration should not be removed until 1 January 2023. | |||
The | |||
The defendant, in turn, put forward four grounds for appeal. Firstly, it also concerns the establishment of facts and, secondly, the admissibility of the application. Thirdly, the defendant complains that the Court wrongly gave weight to the time lapse factor in the weighing of interests. Finally, the defendant argues that there is no ground for removal on 1 January 2023. | |||
=== Holding === | |||
The Court of Appeal of The Hague tested two elements in its judgment, namely the admissibility of the application and whether the request for removal of the registration should be granted. | |||
With regard to the admissibility of the claimant's application of 28 April 2020, the Court of Appeal considered Article 35(2) of the Implementing Act of the GDPR (UAVG), which follows from the right to object, [[Article 21 GDPR]]. Article 35(2) UAVG stipulates that the appeal must be submitted to Court within six weeks after receipt of the response from the data controller. Defendant claimed that claimant exceeded the (initial) deadline. First, they claimed that claimant did not submit any new facts and circumstances in his request of 28 April 2020. Second, they stated that claimant could circumvent Article 35(2) UAVG at any moment by submitting a new deletion request. | |||
The Court, however, considered that the appeal was admissible. First, they considered that it was clear that claimant made a procedural mistake by addressing the first application to the wrong party, and that the new request dated 28 April 2020 is motivated by the wish to rectify this mistake by still obtaining judicial review. Hence, the Court noted that a reasonable interpretation of Article 35(2) UAVG implies that claimant could still appeal to the rejection of 26 May 2020. Furthermore, respondent, in its response of 26 May 2020 to the second deletion request of 28 April 2020, assessed the content of the request again, and did not emphasis that it would no longer consider the request since this request was identical to the first one. Therefore, the Court concluded that claimant's right to object pursuant to [[Article 21 GDPR]], weighs more than defendant's interest in legal certainty that after six weeks it no longer had to expect that it would be involved in legal proceedings. | |||
Regarding the deletion request, the Court examined [[Article 6 GDPR#1f|Article 6(1)(f)]], [[Article 17 GDPR|Article 17]], and [[Article 21 GDPR]]. The second sentence of [[Article 21 GDPR#1|Article 21(1)]] stipulates that the controller (the defendant) shall no longer personal data unless it has compelling legitimate grounds for the processing which override the interests or the fundamental rights and freedoms of the data subject. Hence, the Court assessed whether the infringement of the data subject's interests is not disproportionate in relation to the purpose that is served by the processing (proportionality test) and whether that purpose cannot reasonably be achieved in a different manner that is less detrimental to the data subject (subsidiarity test). | |||
The | Pursuant to Article 4:32 of the Financial Supervision Act, credit providers are obliged to participate in a credit registration system. The purpose of credit registration is to promote socially responsible financial services, as (also) follows from the General Regulations of the CKI (CKI-regulations). On the one hand, it is in the interest of consumers to protect them excessive lending and other financial problems (i.e., problematic debt situations). On the other hand, it is in the interest of credit providers to limit financial risks when granting credit and to prevent, and combat abuse and fraud. The credit registration system serves these interests, for example by informing credit providers about relevant details that have occurred in the (recent) past. To this end a credit provider is obliged (pursuant to the CKI-regulations) to register certain payment arrears and other irregularities in the CKI. Hence, in principle, such a special codes (that link to bad creditworthiness) remain in place for up to five years after the arrears have been repaid or the credit agreement has been terminated. | ||
The | The Court acknowledged defendant's arguments that stated that claimant was late with payments for a long period, defendant was left with a large residual debt which it had to write of to a large extend, and claimant had not done everything in his power to pay his debts. Considering the fact that claimant also had other debts (that were largely written off), the Court considered that this indicated a risk of excessive lending. This legitimated the importance of registration in the CKI, so that other lenders can assess their credit risks. The claimant was not able to sufficiently demonstrate that its interests outweighed above-mentioned interest. Hence, the Court concluded that the defendant's interest in maintaining the registration outweighed the claimant's interest in having his personal data removed. The request for removal was therefore dismissed. | ||
== Comment == | == Comment == |
Revision as of 15:49, 11 November 2021
GHDHA - 200.291.947/01 | |
---|---|
Court: | GHDHA (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 6(1)(f) GDPR Article 17 GDPR Article 21 GDPR art. 35 (2) UAVG |
Decided: | 05.10.2021 |
Published: | 03.11.2021 |
Parties: | Aegon |
National Case Number/Name: | 200.291.947/01 |
European Case Law Identifier: | ECLI:NL:GHDHA:2021:1924 |
Appeal from: | Rb. Den Haag (Netherlands) C/09/595546 / HA RK 20-314 |
Appeal to: | |
Original Language(s): | Dutch |
Original Source: | Rechtspraak.nl (in Dutch) |
Initial Contributor: | n/a |
The Court of Appeal of The Hague expressed the opinion that the balancing of interests from Article 21(1) GDPR succeeds in favour of the controller, since the data subject does not make it plausible that the individual interests exceed the interests of the sector as set out in Art. 4:32 Financial Supervision Act.
English Summary
Facts
The claimant requested the defendant to remove certain special codes, that link to his creditworthiness, from the Central Credit Information System (CKI) of the Bureau for Credit Registration. The registration of these special codes had resulted from the claimant's inability to repay his mortgage debt to the defendant. The registration was dated September 2018 and remained in effect for a period of five years. Hence, the claimant would not be removed from the BKI until September 2023. Since the registration had the effect of preventing the claimant from taking out a new loan, the claimant requested the defendant to remove his personal data from the CKI.
However, claimant made some procedural mistakes. He first requested his personal to be removed on 22 August 2019. Defendant rejected to this request on 10 September 2019. Afterwards, claimant lodged an appeal to this decision, but erroneously brought defendant's sister company to Court. Claimant submitted the his second request to deletion, which was identical to the first one, on 28 April 2020. After defendant rejected the request again, claimant submitted appeal to the decision. However, this time, he brought the right party to Court.
In the first instance, the claimant demanded the removal of the registration accompanied by a daily penalty payment. The Court ordered the defendant to remove the registration on 1 January 2023 instead of September 2023. However the demanded penalty payment was rejected. The applicant did not agree with the ruling and brought the case for appeal.
The claimant put forward three grounds of appeal against the contested decision. First of all, the claimant points to the wrongful absence of relevant facts. Secondly, the claimant argued that the Court should have first assessed whether the registration was still necessary before weighing up the interests. Finally, the claimant challenges the Court's finding that the registration should not be removed until 1 January 2023.
The defendant, in turn, put forward four grounds for appeal. Firstly, it also concerns the establishment of facts and, secondly, the admissibility of the application. Thirdly, the defendant complains that the Court wrongly gave weight to the time lapse factor in the weighing of interests. Finally, the defendant argues that there is no ground for removal on 1 January 2023.
Holding
The Court of Appeal of The Hague tested two elements in its judgment, namely the admissibility of the application and whether the request for removal of the registration should be granted.
With regard to the admissibility of the claimant's application of 28 April 2020, the Court of Appeal considered Article 35(2) of the Implementing Act of the GDPR (UAVG), which follows from the right to object, Article 21 GDPR. Article 35(2) UAVG stipulates that the appeal must be submitted to Court within six weeks after receipt of the response from the data controller. Defendant claimed that claimant exceeded the (initial) deadline. First, they claimed that claimant did not submit any new facts and circumstances in his request of 28 April 2020. Second, they stated that claimant could circumvent Article 35(2) UAVG at any moment by submitting a new deletion request.
The Court, however, considered that the appeal was admissible. First, they considered that it was clear that claimant made a procedural mistake by addressing the first application to the wrong party, and that the new request dated 28 April 2020 is motivated by the wish to rectify this mistake by still obtaining judicial review. Hence, the Court noted that a reasonable interpretation of Article 35(2) UAVG implies that claimant could still appeal to the rejection of 26 May 2020. Furthermore, respondent, in its response of 26 May 2020 to the second deletion request of 28 April 2020, assessed the content of the request again, and did not emphasis that it would no longer consider the request since this request was identical to the first one. Therefore, the Court concluded that claimant's right to object pursuant to Article 21 GDPR, weighs more than defendant's interest in legal certainty that after six weeks it no longer had to expect that it would be involved in legal proceedings.
Regarding the deletion request, the Court examined Article 6(1)(f), Article 17, and Article 21 GDPR. The second sentence of Article 21(1) stipulates that the controller (the defendant) shall no longer personal data unless it has compelling legitimate grounds for the processing which override the interests or the fundamental rights and freedoms of the data subject. Hence, the Court assessed whether the infringement of the data subject's interests is not disproportionate in relation to the purpose that is served by the processing (proportionality test) and whether that purpose cannot reasonably be achieved in a different manner that is less detrimental to the data subject (subsidiarity test).
Pursuant to Article 4:32 of the Financial Supervision Act, credit providers are obliged to participate in a credit registration system. The purpose of credit registration is to promote socially responsible financial services, as (also) follows from the General Regulations of the CKI (CKI-regulations). On the one hand, it is in the interest of consumers to protect them excessive lending and other financial problems (i.e., problematic debt situations). On the other hand, it is in the interest of credit providers to limit financial risks when granting credit and to prevent, and combat abuse and fraud. The credit registration system serves these interests, for example by informing credit providers about relevant details that have occurred in the (recent) past. To this end a credit provider is obliged (pursuant to the CKI-regulations) to register certain payment arrears and other irregularities in the CKI. Hence, in principle, such a special codes (that link to bad creditworthiness) remain in place for up to five years after the arrears have been repaid or the credit agreement has been terminated.
The Court acknowledged defendant's arguments that stated that claimant was late with payments for a long period, defendant was left with a large residual debt which it had to write of to a large extend, and claimant had not done everything in his power to pay his debts. Considering the fact that claimant also had other debts (that were largely written off), the Court considered that this indicated a risk of excessive lending. This legitimated the importance of registration in the CKI, so that other lenders can assess their credit risks. The claimant was not able to sufficiently demonstrate that its interests outweighed above-mentioned interest. Hence, the Court concluded that the defendant's interest in maintaining the registration outweighed the claimant's interest in having his personal data removed. The request for removal was therefore dismissed.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.