Hoge Raad - 21/00241: Difference between revisions
No edit summary |
No edit summary |
||
(4 intermediate revisions by 3 users not shown) | |||
Line 53: | Line 53: | ||
|}} | |}} | ||
The Dutch Supreme Court held that a registration in the | The Dutch Supreme Court held that a registration in the Central Credit Information System ('CKI') is not based on a legal obligation per [[Article 6 GDPR#1|Article 6(1)(c)]], but on a legitimate interest per [[Article 6 GDPR#1|Article 6(1)(f) GDPR]]. Consequently, the data subject could exercise their right to object and erasure. | ||
== English Summary == | == English Summary == | ||
Line 60: | Line 60: | ||
This case concerns an interlocutory judgment in the case [https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBAMS:2021:174&showbutton=true&keyword=C%2f13%2f694440%2fKG C/13/694440/KG ZA-20-1118 MvW/JE dated 21 January 2021], in which the interim relief judge of the District Court of Amsterdam referred questions to the Dutch Supreme Court for a preliminary ruling pursuant to Section 392 RV. | This case concerns an interlocutory judgment in the case [https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBAMS:2021:174&showbutton=true&keyword=C%2f13%2f694440%2fKG C/13/694440/KG ZA-20-1118 MvW/JE dated 21 January 2021], in which the interim relief judge of the District Court of Amsterdam referred questions to the Dutch Supreme Court for a preliminary ruling pursuant to Section 392 RV. | ||
Controller is Hoist Finance. The data subject had taken out a loan with the controller. The controller claimed this credit after payment arrears had occurred. | Controller is Hoist Finance. The data subject had taken out a loan with the controller. The controller claimed this credit after payment arrears had occurred. Because payment arrears had occurred, the data subject was registered in the Central Credit Information System (CKI) of the Credit Registration Office (BKR) with a special code "A". This special code was then adjusted in the following months do display that the claim had been claimed, and that the amount exceeded a certain threshold. | ||
After the debt had been settled, and the processor notified the controller of this, the controller ensured the data subject that it would have the entry removed from the BKR registration, which indicated that the amount of the claim exceeded a certain threshold. Because the controller did not comply with the request, the data subject submitted another request, which was rejected by the controller. | |||
The District Court of Amsterdam referred the following preliminary questions were put to the Supreme Court: | The District Court of Amsterdam referred the following preliminary questions were put to the Supreme Court: | ||
Line 79: | Line 81: | ||
''The first question'' | ''The first question'' | ||
To answer the first preliminary question, the Supreme Court first assessed whether there was a legal obligation to process the personal data, and examined Article 4:32 (1) of the Financial Supervision Act (Wft) creates this legal obligation. This provision prescribes that a creditor, in this case the controller, participates in the credit registration system. Article 4:34 of the same Act contains the duty of care to prevent excessive lending and the investigation of the financial position of the data subject. In the Netherlands, the performance of these duties by lenders is translated into registration in the BKR's CKI. The CKI has no legal basis. It is based on self-regulation by the financial sector, which is accepted by the legislator. Article 3(4) of the CKI General Regulation states that the processing of personal data in the CKI | To answer the first preliminary question, the Supreme Court first assessed whether there was a legal obligation to process the personal data, and examined Article 4:32 (1) of the Financial Supervision Act (Wft) which creates this legal obligation. This provision prescribes that a creditor, in this case the controller, participates in the credit registration system. Article 4:34 of the same Act contains the duty of care to prevent excessive lending and the investigation of the financial position of the data subject. In the Netherlands, the performance of these duties by lenders is translated into registration in the BKR's CKI. The CKI, however, has no legal basis. It is based on self-regulation by the financial sector, which is accepted by the legislator. Article 3(4) of the CKI General Regulation states that the processing of personal data in the CKI is based on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], because the processing is necessary to serve the legitimate interests of the BKR and its business customers. | ||
Furthermore, the Supreme Court assessed whether the processing could be based on [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]], because Articles 4:32 and 4:34 Wft oblige credit providers to participate in, and consult a credit registration system. The Court noted that [[Article 6 GDPR#3|Article 6(3) GDPR]] read in conjunction with Recital 41, requires that the Member State legislation, in such a case, "should be clear and precise and its application should be foreseeable to persons subject to it". The provisions do not suffice this requirement, since it is not specified which personal data must or may be registered in the CKI, what the conditions for such registration are, and under what conditions and within what time limits, personal data must be deleted. This is all regulated in the CKI regulations, but these regulations have no legal basis. Therefore, these provisions do not create a legal obligation within the meaning of [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]]. | |||
''The second and third question'' | ''The second and third question'' |
Latest revision as of 17:00, 15 December 2021
Hoge Raad - 21/00241 | |
---|---|
Court: | Hoge Raad (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 6(1)(c) GDPR Article 6(1)(f) GDPR Article 17 GDPR Article 21 GDPR |
Decided: | 03.12.2021 |
Published: | 03.12.2021 |
Parties: | HOIST FINANCE AB |
National Case Number/Name: | 21/00241 |
European Case Law Identifier: | ECLI:NL:HR:2021:1814 |
Appeal from: | Rb. Amsterdam (Netherlands) C/13/694440 / KG ZA 20-1118 |
Appeal to: | |
Original Language(s): | Dutch |
Original Source: | Rechtspraak.nl (in Dutch) |
Initial Contributor: | Jonathan Crabbe |
The Dutch Supreme Court held that a registration in the Central Credit Information System ('CKI') is not based on a legal obligation per Article 6(1)(c), but on a legitimate interest per Article 6(1)(f) GDPR. Consequently, the data subject could exercise their right to object and erasure.
English Summary
Facts
This case concerns an interlocutory judgment in the case C/13/694440/KG ZA-20-1118 MvW/JE dated 21 January 2021, in which the interim relief judge of the District Court of Amsterdam referred questions to the Dutch Supreme Court for a preliminary ruling pursuant to Section 392 RV.
Controller is Hoist Finance. The data subject had taken out a loan with the controller. The controller claimed this credit after payment arrears had occurred. Because payment arrears had occurred, the data subject was registered in the Central Credit Information System (CKI) of the Credit Registration Office (BKR) with a special code "A". This special code was then adjusted in the following months do display that the claim had been claimed, and that the amount exceeded a certain threshold.
After the debt had been settled, and the processor notified the controller of this, the controller ensured the data subject that it would have the entry removed from the BKR registration, which indicated that the amount of the claim exceeded a certain threshold. Because the controller did not comply with the request, the data subject submitted another request, which was rejected by the controller.
The District Court of Amsterdam referred the following preliminary questions were put to the Supreme Court:
1. Must the processing of specific personal data by a credit institution, by means of an individual registration in the system of BKR, be assessed in accordance with the provisions of Article 6(1)(c), Article 6(1)(f) GDPR, or both provisions?
2. Does the answer to Question 1 mean:
a) that the person whose personal data have been recorded is not entitled to invoke the right to erasure provided for in Article 17 GDPR?
b) that person is not entitled to a right of objection as referred to in Article 21 GDPR?
3. If the answer to Question 2b means that, in the case of a BKR registration, there is no right of objection within the meaning of Article 21 GDPR, does that mean that Article 35 of the Implementing Act General Data Protection Regulation (UAVG) plays no role in the legal proceedings to have that registration removed?
Holding
The Supreme Court decided that Article 6(1)(c) GDPR cannot serve as a legal basis for the processing of personal data in the CKI of the BKR, and that such processing must be examined in accordance with Article 6(1)(f) GDPR. The answer to the second question was therefore that the data subject whose personal data have been registered with the BKR, is entitled (a) to erasure as referred to in Article 17 GDPR and (b) to the right of objection as referred to in Article 21 GDPR.
The first question
To answer the first preliminary question, the Supreme Court first assessed whether there was a legal obligation to process the personal data, and examined Article 4:32 (1) of the Financial Supervision Act (Wft) which creates this legal obligation. This provision prescribes that a creditor, in this case the controller, participates in the credit registration system. Article 4:34 of the same Act contains the duty of care to prevent excessive lending and the investigation of the financial position of the data subject. In the Netherlands, the performance of these duties by lenders is translated into registration in the BKR's CKI. The CKI, however, has no legal basis. It is based on self-regulation by the financial sector, which is accepted by the legislator. Article 3(4) of the CKI General Regulation states that the processing of personal data in the CKI is based on Article 6(1)(f) GDPR, because the processing is necessary to serve the legitimate interests of the BKR and its business customers.
Furthermore, the Supreme Court assessed whether the processing could be based on Article 6(1)(c) GDPR, because Articles 4:32 and 4:34 Wft oblige credit providers to participate in, and consult a credit registration system. The Court noted that Article 6(3) GDPR read in conjunction with Recital 41, requires that the Member State legislation, in such a case, "should be clear and precise and its application should be foreseeable to persons subject to it". The provisions do not suffice this requirement, since it is not specified which personal data must or may be registered in the CKI, what the conditions for such registration are, and under what conditions and within what time limits, personal data must be deleted. This is all regulated in the CKI regulations, but these regulations have no legal basis. Therefore, these provisions do not create a legal obligation within the meaning of Article 6(1)(c) GDPR.
The second and third question
Since Article 6(1)(f) GDPR is the legal basis for the controller's processing of the personal data in the CKI, the answer to the second preliminary question is therefore, that the data subject whose personal data have been registered in the CKI is entitled exercise his right to erasure, Article 17 GDPR, and right to object, Article 21 GDPR. The third question will not be discussed since it is based on the assumption that there is no right of objection.
Comment
The Supreme Court emphasized that the data subject whose personal data have been processed on the basis of Article 6(1)(c) GDPR does not have the rights to erasure and objection contained in Article 17 and Article 21 GDPR respectively. This does not mean that the person concerned is deprived of legal protection in this case. For example, they may be able to oppose the processing of their personal data before the civil courts by invoking Article 6:162 of the Dutch Civil Code, whether or not in conjunction with Article 8 of the ECHR
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Body High Council Date of judgment 03-12-2021 Date of publication 03-12-2021 Case number 21/00241 Formal Relationships Conclusion: ECLI:NL:PHR:2021:831 Jurisdictions Civil rights Special characteristics Preliminary ruling Content indication Preliminary questions (art. 392 DCCP). General Data Protection Regulation (GDPR). Legal basis for the processing of personal data in the credit registration system of the BKR; art. 6 para. 1 lit. c GDPR (legal basis) or Art. 6 para. 1 lit. f GDPR (for the protection of the processor's legitimate interests)? Right to erasure (Art. 17 GDPR); right to object (Art. 21 GDPR)? Locations Rechtspraak.nl Enhanced pronunciation Share pronunciation print Save as PDF Copy link Pronunciation SUPREME COURT OF THE NETHERLANDS CIVIL CHAMBER Number 21/00241 Date December 3, 2021 PRELIMINARY DECISION In the case of [applicant], residing at [residence], Plaintiff at first instance, hereinafter: [applicant], did not appear in the preliminary ruling proceedings, in return for the legal person under Swedish law HOIST FINANCE AB, with its registered office in Amsterdam, DEFENDANT at first instance, hereafter: Hoist, lawyer in the preliminary ruling proceedings: J.W.H. from neighbourhood. 1. The preliminary ruling procedure In the interlocutory judgment in the case C/13/694440 / KG ZA 20-1118 MvW/JE of 21 January 2021, the judge in preliminary relief proceedings in the Amsterdam District Court, on the basis of art. 392 RV referred questions to the Supreme Court for a preliminary ruling. Hoist has written comments as referred to in art. 393 paragraph 1 Rv submitted. The conclusion of the Advocate General E.B. Rank-Berenschot aims to answer the preliminary questions as stated in the conclusion under 3.17, 3.19 and 3.21. Hoist's lawyer responded in writing to that conclusion. 2 Principles and facts 2.1 This preliminary ruling concerns the question to which of the persons referred to in art. 6 General Data Protection Regulation1 (hereinafter: AVG) a registration with the Stichting Bureau Kredietregistratie (hereinafter: the BKR) must be checked. Is registration with the BKR in order to fulfill a legal obligation within the meaning of art. 6 para. 1 lit. c GDPR, or to defend the legitimate interests of the controller or a third party within the meaning of Art. 6 para. 1 lit. f GDPR? The answer to this question is important, among other things, for the borrower's claim to erasure of his personal data pursuant to Art. 17 GDPR, and for the option of the borrower to object to the processing of his personal data pursuant to Art. 21 GDPR. 2.2 In answering the questions referred for a preliminary ruling, the Supreme Court starts from the following facts: (i) The BKR has a Central Credit Information System (hereinafter: the CKI). In this system, payment arrears or other irregularities that arise during the term of a credit agreement are stated with special codes (hereinafter: the BKR registration). (ii) [applicant] has taken out a credit with (a legal predecessor of) Hoist. After payment arrears had arisen, Hoist claimed the credit in July 2006. (iii) In May 2006, the special code 'A' was noted in the CKI in connection with the credit granted under the name of [applicant]. This coding means that there is a backlog. Shortly afterwards, a '2-coding' was added to [applicant]'s BKR registration, which means that there is a claimed claim. (iv) On June 1, 2017, a '3-code' was added to the BKR registration of [applicant], which means that an amount greater than €250 had to be debited from the credit. (v) On June 27, 2017, NDA Incasso, to whom Hoist had handed over the claim and who had agreed a payment arrangement with [applicant], notified [applicant] that the entire claim had been paid. (vi) In July 2020, Hoist notified [applicant], following a request made by [applicant], that she would have the 3 coding in [applicant]'s BKR registration removed. (vii) On September 10, 2020, [applicant] again submitted a request for removal of the BKR registration to Hoist. Hoist rejected this request by email dated September 21, 2020. 2.3 In these preliminary relief proceedings, [applicant] claims that Hoist be ordered to have the BKR registration changed, in the sense that the codes 2 and A are removed after his name. Hoist defended himself against that claim, inter alia by appealing to inadmissibility on the ground that [applicant] did not appeal within six weeks against the rejection decision of 21 September 2020 on his second removal request (see above in 2.2 under (vii)), as prescribed in art. 35 paragraph 2 of the Implementation Act General Data Protection Regulation (hereinafter: UAVG). 2.4 In an interlocutory judgment2 on the basis of art. 392 et seq. Rv submitted the following preliminary questions to the Supreme Court. 1. Should the processing of specific personal data by a credit institution, by means of an individual registration in the BKR system, be tested against the provisions of art. 6 para. 1, preamble and under c GDPR, or to Art. 6 para. 1, preamble and under f GDPR, or to both provisions? 2. Does the answer to question 1 mean a. that the person whose personal data has been registered cannot invoke the right to erasure as referred to in art. 17 GDPR? b. that the person has no right of objection as referred to in art. 21 GDPR? 3. If the answer to question 2b means that with a BKR registration no right of objection as referred to in art. 21 GDPR, does this mean that Art. 35 UAVG does not play a role in the legal proceedings for the removal of that registration? 3 Answer to the questions referred for a preliminary ruling 3.1.1 The first question for a preliminary ruling raises whether the processing of personal data by a credit institution by means of an individual registration in the system of the BKR must be tested against the provisions of art. 6 para. 1, preamble and under c GDPR, or to Art. 6 para. 1, preamble and under f GDPR, or to both provisions. 3.1.2 Protection of personal data is a fundamental right protected by Art. 8 ECHR, which provides for the right to respect for private and family life, Art. 16 paragraph 1 of the Treaty on the Functioning of the European Union and art. 8 paragraph 1 of the Charter of Fundamental Rights of the European Union, which provides that everyone has the right to the protection of his personal data. In its decision of 9 September 2011, the Supreme Court ruled under the now expired Personal Data Protection Act (hereinafter: Wbp) and the now repealed Personal Data Protection Directive3 that, partly in the light of art. 8 ECHR, all data processing must comply with the principles of proportionality and subsidiarity and that this entails that the infringement of the interests of the data subject may not be disproportionate in relation to the purpose to be served with the processing and that this purpose cannot reasonably be can be reached in a different way, which is less detrimental to the data subject.4 This also applies under the GDPR, which has replaced the Personal Data Protection Directive and the Wbp. 3.1.3 art. 6 para. 1 GDPR provides that the processing of personal data is only lawful if and insofar as at least one of the following conditions is met: a) the data subject has consented to the processing of his/her personal data for one or more specific purposes; b) the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract; c) the processing is necessary for compliance with a legal obligation to which the controller is subject; d) the processing is necessary to protect the vital interests of the data subject or of another natural person; e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority conferred on the controller; f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where the interests or fundamental rights and freedoms of the data subject which require the protection of personal data outweigh those interests, in particular when the person concerned is a child. The provisions under f do not apply to processing by government authorities in the performance of their duties. These bases for the processing of personal data are not mutually exclusive, as follows from the words "at least" in Art. 6 para. 1 GDPR, so that it is possible that a processing of personal data falls under more than one processing basis. 3.1.4 Pursuant to art. 6 para. 1, preamble and under c GDPR, the controller is entitled to process personal data if this is necessary to comply with a legal obligation to which he is subject. It appears from the explanatory memorandum to the UAVG that the Dutch legislator has interpreted the requirement of necessity to be met if it is not reasonably possible to perform a legal obligation that rests on the controller without processing the personal data.5 3.1.5 art. 6 para. 3 GDPR provides, insofar as it is relevant to answer the questions referred for a preliminary ruling, that the legal obligation referred to in Art. 6(1)(c) of the GDPR must be determined by Union or Member State law to which the controller is subject, whichever Union or Member State law must determine the purpose of the processing. Recital 41 of the GDPR states that when the GDPR refers to a legal basis or a legislative measure, it does not necessarily require a legislative act adopted by a parliament. However, the legal basis or legislative measure must be clear and precise, and its application must be predictable for those to whom it applies, as required by the case law of the Court of Justice of the European Union and the European Court of the Rights of the Man, according to the preamble. Furthermore, recital 45 in the preamble to the GDPR states that the GDPR does not require specific legislation for each individual data processing, but that it is sufficient to provide legislation that serves as the basis for several data processing operations on the basis of a legal obligation incumbent on the controller. 3.1.6 art. 4:32(1) of the Financial Supervision Act (hereinafter: Wft) prescribes that a credit provider participates in a credit registration system. art. 4:34(1) of the Wft contains a duty of care to prevent excessive lending and obliges a credit provider to obtain information in the interest of the consumer about its financial position and to assess whether the lending is justified. The duty of care arising from this article is further elaborated in art. 114 of the Decree on the Supervision of the Conduct of Financial Undertakings Wft (hereinafter: BGfo). This stipulates that a credit provider must, prior to granting a credit of more than €250, consult the credit registration system about credits already granted to the consumer. art. In short, 4:34 paragraph 2 Wft provides that a credit provider will not grant credit if this is irresponsible with a view to excessive lending to the consumer. This refusal obligation is further elaborated in art. 113 paragraph 1 BGfo. This stipulates that a credit provider will not grant a consumer credit of more than €1,000 if the provider does not have sufficient information about the consumer's financial position to be able to assess, in order to prevent excessive lending, whether of the agreement is responsible. 3.1.7 The duty of care to prevent excessive lending is partly based on Directive 2008/48/EC6 (hereinafter: Consumer Credit Directive). art. 8(1) of the Consumer Credit Directive provides that Member States shall ensure that the creditor assesses the consumer's creditworthiness before concluding the credit agreement on the basis of sufficient information obtained, where appropriate, from the consumer and, where necessary, on the basis of a consultation of the relevant database. art. 9 paragraph 1 Consumer Credit Directive provides that each Member State shall ensure that creditors from other Member States have access to the data files used in the Member State in question to assess the creditworthiness of the consumer and that the access conditions may not be discriminatory. art. 9 paragraph 4 Consumer Credit Directive in connection with art. 94 para. 2 GDPR provides that Art. 9 Consumer Credit Directive does not affect the application of the GDPR. 3.1.8 In the Netherlands, the system of credit registration in which credit providers participate in compliance with the legislation and regulations referred to in 3.1.6 above and which they consult for its implementation is formed by the CKI of the BKR. The CKI has no legal basis. It is based on self-regulation by the financial sector, which the legislator has accepted.7 The BKR has established the General CKI Regulations (hereinafter: CKI Regulations).8 According to art. 2 paragraph 1 CKI regulations, this concerns a contractual arrangement that exclusively regulates the relationship between the BKR and its business customers. art. 3 paragraph 1 CKI regulations state that the objective of the BKR is to promote socially responsible financial services, that the BKR wants to protect consumers from excessive credit and other financial problems and that the BKR wants to contribute to its business customers limiting financial risks in lending and preventing and combating abuse and fraud. This purpose of the registration and consultation of personal data in the CKI of the BKR has also been mentioned in legislative history in the context of the duty of care of credit providers.9 Art. 3 paragraph 2 CKI regulations stipulate that the BKR pursues this goal by, among other things, collecting, recording, organizing and providing its business customers with personal data relevant for this purpose. art. 3 paragraph 4 CKI regulations determine that the processing of personal data in the CKI finds its lawful basis in art. 6 para. 1 lit. f GDPR, because the processing is necessary for the protection of the legitimate interests of the BKR and its business customers. 3.1.9 art. 4:32 paragraph 1 Wft and art. 4:34 paragraph 1 Wft, as further elaborated in art. 114 BGfo, while obliging credit providers to participate in and consult a system of credit registration, these legal provisions are not sufficiently clear and precise and their application is not sufficiently predictable for those to whom these legal provisions apply, such as Art. 6 para. 3 GDPR (see 3.1.5). After all, it is not clear from those legal provisions which personal data must or may be registered in the CKI, what the conditions are for such registration and under what conditions and within what periods the personal data must be deleted. This is regulated in the CKI regulations, but those regulations are not based on a legal basis; the registration of personal data in the CKI takes place on the basis of an agreement between the BKR and credit providers (see 3.1.8). 3.1.10 In the absence of a legal obligation to process data within the meaning of Art. 6 para. 1, preamble and under c of the GDPR, this provision cannot serve as a basis for the lawful processing of personal data in the CKI of the BKR. Now that data processing is also not based on one of the grounds referred to in Art. 6 para. 1 lit. a, b, d or e GDPR (see above in 3.1.3), the lawfulness of the data processing must be assessed on the basis of the criterion of Art. 6 para. 1, preamble and under f GDPR. 3.1.11 The answer to the first question referred is that Art. 6 paragraph 1, preamble and under c of the GDPR cannot serve as a basis for the processing of personal data in the CKI of the BKR and that this processing must be assessed against the provisions of art. 6 para. 1, preamble and under f GDPR. 3.2.1 The second question referred for a preliminary ruling raises whether the answer to the first question means that the person whose personal data have been registered (a) does not have a right to erasure as referred to in Art. 17 GDPR and (b) that the person has no right of objection within the meaning of Art. 21 GDPR. 3.2.2 art. 21 para. 1 GDPR provides that a data subject has the right to object at any time, on grounds relating to his particular situation, to the processing of personal data concerning him or her on the basis of Art. 6 para. 1, preamble and under e and f of the GDPR and that the controller then ceases the processing of the personal data, unless he invokes compelling legitimate grounds for the processing that outweigh the interests, rights and freedoms of the data subject or that are related with the institution, exercise or substantiation of a legal claim. art. 17 (1) preamble and point c of the GDPR means, insofar as it is relevant to answer the questions referred for a preliminary ruling, that the controller is obliged to delete personal data without undue delay at the request of the data subject, including if the data subject is subject to Art. 21 para. 1 GDPR to the processing, and there are no overriding legitimate grounds for the processing. 3.2.3 from art. 17 and art. 21 GDPR, it follows that the data subject whose personal data has been processed on the basis of Art. 6 para. 1, preamble and under f GDPR, has the right to erasure and the right to object. It follows from the answer to the first question referred that Art. 6 para. 1, preamble and under f GDPR forms the basis for the processing by the controller of the personal data of the data subject in the CKI of the BKR. The answer to the second question for a preliminary ruling is therefore that the data subject whose personal data are registered with the BKR (a) has the right to erasure as referred to in Art. 17 GDPR and (b) that the data subject has the right to object pursuant to Art. 21 GDPR. 3.2.4 It should be noted that the data subject whose personal data have been processed on the basis of Art. 6 para. 1, preamble and under c GDPR does not have the data erasure and objection rights set out in Art. 17 GDPR or Art. 21 GDPR. This does not mean that the data subject is deprived of legal protection in that case. For example, he can appeal to the civil court on the basis of art. 6:162 of the Dutch Civil Code, whether or not in conjunction with art. 8 ECHR, oppose the processing of his personal data (cf. what has been considered above in 3.1.2). 3.3 The third question for a preliminary ruling assumes that with a BKR registration no right of objection as referred to in art. 21 GDPR exists. Because it follows from the answer to the second question that such a right of objection does exist with a BKR registration, the Supreme Court did not answer this question. 3 Decision The high Council: - answers the questions in the manner described above in 3.1.11 and 3.2.3; - estimates the costs of this procedure on the basis of art. 393 paragraph 10 DCCP at €1,800 on the part of Hoist and on nil on the part of [applicant]. This decision was made by Vice President M.V. Polak as chairman and councilors C.E. du Perron, M.J. Kroeze, H. M. Wattendorff and G. C. Makkink, and pronounced in public by Counsel H.M. Wattendorff on December 3, 2021. 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ( General Data Protection Regulation), OJEU 2016, L 119/1. 2 Amsterdam District Court 21 January 2021, ECLI:NL:RBAMS:2021:174. 3 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, PbEG 1995, L 281/31. 4 HR 9 September 2011, ECLI:NL:HR:2011:BQ8097 (Santander), para. 3.3. 5 Parliamentary Papers II 2017/18, 34851, no. 3, p. 35. 6 Directive 2008/48/EC of the European Parliament and of the Council of 23 April 2008 on credit agreements for consumers and repealing Council Directive 87/102/EEC, OJEU 2008, L 133/66. 7 See Parliamentary Papers II 1986/87, 19785, no. 3, p. 14-15; Parliamentary Papers II 1987/88, 19785, no. 7, p. 10-11. 8 Stichting BKR, General Regulations CKI, 1 January 2021, can be consulted via www.bkr.nl. 9 See, for example, Parliamentary Papers II 2003/04, 29507, no. 3, p. 18; Parliamentary Papers II 2009/10, 32339, no. 3, p. 36.