Rb. Midden-Nederland - UTR 21/2957: Difference between revisions
No edit summary |
mNo edit summary |
||
(3 intermediate revisions by 2 users not shown) | |||
Line 42: | Line 42: | ||
|National_Law_Link_2= | |National_Law_Link_2= | ||
|Party_Name_1=AP (Netherlands) | |Party_Name_1=AP (The Netherlands) | ||
|Party_Link_1= | |Party_Link_1= | ||
|Party_Name_2= | |Party_Name_2= | ||
Line 49: | Line 49: | ||
|Party_Link_3= | |Party_Link_3= | ||
|Appeal_From_Body=AP (Netherlands) | |Appeal_From_Body=AP (The Netherlands) | ||
|Appeal_From_Case_Number_Name= | |Appeal_From_Case_Number_Name= | ||
|Appeal_From_Status= | |Appeal_From_Status= | ||
Line 62: | Line 62: | ||
}} | }} | ||
The | The District Court of Midden-Nederland held that the Dutch DPA could reject a complaint when there was still a court case pending on the legal question that was the subject of the complaint. | ||
== English Summary == | == English Summary == | ||
Line 72: | Line 72: | ||
'''Complaint 1''': on 4 January 2017, the data subject's father submitted a complaint with the Dutch DPA. He argued that the controller failed to carry out a proportionality test, which was a breach of the Wpb.<ref>'Wet bescherming persoonsgegevens,' the implementation of Directive (EU) 2016/680 (the GDPR predecessor)</ref> He requested the DPA to order the controller to immediately cease the structural provision of data on all children to the Tax Authorities. | '''Complaint 1''': on 4 January 2017, the data subject's father submitted a complaint with the Dutch DPA. He argued that the controller failed to carry out a proportionality test, which was a breach of the Wpb.<ref>'Wet bescherming persoonsgegevens,' the implementation of Directive (EU) 2016/680 (the GDPR predecessor)</ref> He requested the DPA to order the controller to immediately cease the structural provision of data on all children to the Tax Authorities. | ||
'''Complaint 2''': on 17 May 2019, the data subject filed another complaint with the DPA against the controller and the Tax Authority (now based on the GDPR). He argued that the controller violated the principle of proportionality and subsidiarity contained in the GDPR. He | '''Complaint 2''': on 17 May 2019, the data subject filed another complaint with the DPA against the controller and the Tax Authority (now based on the GDPR). He argued that the controller violated the principle of proportionality and subsidiarity contained in the GDPR. He requested the DPA to order the controller and the Tax Authority to remove his daughter's personal data from their systems. (He has now limited this complaint to the controller). On 19 November 2020, the DPA rejected the complaint. | ||
The data subject's father also started legal proceedings against the controller. This resulted in a [https://gdprhub.eu/index.php?title=Rb._Midden-Nederland_-_AWB_-_20_3811 Court ruling on 4 May 2021], where the Court held that the controller had indeed unlawfully invaded the privacy of the data subject by providing her personal data to the Tax Administration. The controller appealed this decision to the Council of State (''RvS''). | The data subject's father also started legal proceedings against the controller. This resulted in a [https://gdprhub.eu/index.php?title=Rb._Midden-Nederland_-_AWB_-_20_3811 Court ruling on 4 May 2021], where the Court held that the controller had indeed unlawfully invaded the privacy of the data subject by providing her personal data to the Tax Administration. The controller appealed this decision to the Council of State (''RvS''). | ||
Line 83: | Line 83: | ||
The Court held, in line with the DPA's argument, that complaint 2 could be seen as an expansion of complaint 1. They both covered the same alleged violation by the controller and an enforcement request. The Court thus agreed with the DPA that the latter decided on both complaints with its decision of 19 November 2020 despite the fact that the decision only mentioned complaint 2. The Court held that the father's appeal against complaint 1 for the failure to make a timely decision was therefore inadmissible. | The Court held, in line with the DPA's argument, that complaint 2 could be seen as an expansion of complaint 1. They both covered the same alleged violation by the controller and an enforcement request. The Court thus agreed with the DPA that the latter decided on both complaints with its decision of 19 November 2020 despite the fact that the decision only mentioned complaint 2. The Court held that the father's appeal against complaint 1 for the failure to make a timely decision was therefore inadmissible. | ||
Regarding the decision to reject complaint 2, the Court noted that the DPA had discretionary power to decided whether or not to take enforcement action pursuant to Article 57(1)(f) GDPR. The Court held that the DPA could reasonably decide to reject the complaint, as an appeal procedure was pending at the Council of State on the legal question relevant for the complaint. Further investigation would result in a parallel administrative procedure. The Court therefore held that the appeal was unfounded. | Regarding the decision to reject complaint 2, the Court noted that the DPA had discretionary power to decided whether or not to take enforcement action pursuant to [[Article 57 GDPR|Article 57(1)(f) GDPR]]. The Court held that the DPA could reasonably decide to reject the complaint, as an appeal procedure was pending at the Council of State on the legal question relevant for the complaint. Further investigation would result in a parallel administrative procedure. The Court therefore held that the appeal was unfounded. | ||
During the hearing, the DPA explained that if a violation is definitively established by the Council of State, it will take the required necessary steps. The Court agreed with this view of the DPA. | During the hearing, the DPA explained that if a violation is definitively established by the Council of State, it will take the required necessary steps. The Court agreed with this view of the DPA. |
Latest revision as of 08:33, 14 September 2022
Rb. Midden-Nederland - UTR 21/2957 | |
---|---|
Court: | Rb. Midden-Nederland (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 57 GDPR |
Decided: | 13.12.2021 |
Published: | 24.08.2022 |
Parties: | AP (The Netherlands) |
National Case Number/Name: | UTR 21/2957 |
European Case Law Identifier: | ECLI:NL:RBMNE:2021:6052 |
Appeal from: | AP (The Netherlands) |
Appeal to: | |
Original Language(s): | Dutch |
Original Source: | Rechtspraak.nl (in Dutch) |
Initial Contributor: | Jette |
The District Court of Midden-Nederland held that the Dutch DPA could reject a complaint when there was still a court case pending on the legal question that was the subject of the complaint.
English Summary
Facts
The SVB (controller), a social security administrator in the Netherlands, structurally send personal data of newly born children to the Tax Administration. The controller has this data, as it is responsible for paying out the general child allowance. The tax office is responsible for paying out the child-related budget (an extra allowance for low-income families). The data subject's father believed that the controller wrongfully shared his daughter's information with the Tax Administration in connection with the child-related budget. He never submitted an application for this allowance and, in view of his income, he was not eligible for it.
Complaint 1: on 4 January 2017, the data subject's father submitted a complaint with the Dutch DPA. He argued that the controller failed to carry out a proportionality test, which was a breach of the Wpb.[1] He requested the DPA to order the controller to immediately cease the structural provision of data on all children to the Tax Authorities.
Complaint 2: on 17 May 2019, the data subject filed another complaint with the DPA against the controller and the Tax Authority (now based on the GDPR). He argued that the controller violated the principle of proportionality and subsidiarity contained in the GDPR. He requested the DPA to order the controller and the Tax Authority to remove his daughter's personal data from their systems. (He has now limited this complaint to the controller). On 19 November 2020, the DPA rejected the complaint.
The data subject's father also started legal proceedings against the controller. This resulted in a Court ruling on 4 May 2021, where the Court held that the controller had indeed unlawfully invaded the privacy of the data subject by providing her personal data to the Tax Administration. The controller appealed this decision to the Council of State (RvS).
In the case at hand, the data subject's father loged two appeals at the District Court. One against the failure to decide in due time on complaint 1 and one on the DPA's decision to reject complaint 2.
Regarding the failure to decide on complaint 1, the DPA stated that both complaints relate to the same alleged violation. Therefore, it decided on both complaints in its decision from 19 November 2020. The DPA stated that it rejected complaint 2, as related to a legal question thas was the subject of ongoing administrative proceedings (the controller's appeal at the Coucil of State). The data subject's father argued that was an invalid argument, as there already was a court ruling on the subject from 4 May 2021. He stated that not only a court, but also the controller itself has the power to decide on the interpretation of privacy law.
Holding
The Court held, in line with the DPA's argument, that complaint 2 could be seen as an expansion of complaint 1. They both covered the same alleged violation by the controller and an enforcement request. The Court thus agreed with the DPA that the latter decided on both complaints with its decision of 19 November 2020 despite the fact that the decision only mentioned complaint 2. The Court held that the father's appeal against complaint 1 for the failure to make a timely decision was therefore inadmissible.
Regarding the decision to reject complaint 2, the Court noted that the DPA had discretionary power to decided whether or not to take enforcement action pursuant to Article 57(1)(f) GDPR. The Court held that the DPA could reasonably decide to reject the complaint, as an appeal procedure was pending at the Council of State on the legal question relevant for the complaint. Further investigation would result in a parallel administrative procedure. The Court therefore held that the appeal was unfounded.
During the hearing, the DPA explained that if a violation is definitively established by the Council of State, it will take the required necessary steps. The Court agreed with this view of the DPA.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
CENTRAL NETHERLANDS COURT Seating location Utrecht Administrative law case number: UTR 21/2957 decision of the single chamber of 13 December 2021 in the case between [claimant] , at [place of residence] , claimant, and Dutch Data Protection Authority, defendant (agents: mr. J.M.A. Koster and mr. T.G.H. Spruyt). Process sequence By decision of 19 November 2020 (the primary decision), the respondent rejected the claimant's request of 17 May 2019 to the respondent to take enforcement action against the Social Insurance Bank (SVB). By decision of 10 June 2021 (the contested decision), the respondent declared the claimant's objection unfounded. Plaintiff appealed against the contested decision. Plaintiff also filed an appeal against failing to make a timely decision on a previously submitted enforcement request dated 4 January 2017. Defendant has filed a statement of defence. The hearing took place on October 5, 2021 via a Skype video connection. Plaintiff appeared. Defendant was represented by his attorneys. Considerations Introduction 1. On the basis of a covenant from 2007, the SVB provides structural data to the Tax Authorities/Supplementary Benefits (the Tax Authorities) of all children who are entitled to child benefit. The claimant believes that the SVB should not have shared any information about his minor daughter, born in 2016, with the tax authorities in the context of the child budget. An application for this was never submitted for his daughter and the claimant is not eligible for this in view of his income. Prior to and simultaneously with these proceedings, the claimant conducted several legal proceedings against the SVB. The complaint about the provision of data to the tax authorities is directed against the SVB, because it sends the data to the tax authorities. 2. Plaintiff submitted a first enforcement request to Defendant on January 4, 2017. In addition, the SVB was requested to demand that the structural data provision of all children to the Tax Authorities cease immediately due to violation of the Personal Data Protection Act (Wbp). According to the claimant, the SVB has not performed a proportionality test. 3. On February 10, 2019, the claimant requested the SVB to delete his subsidiary's personal data, in particular the start message, as provided by the SVB to the Tax Authorities. The start message is a digital notification stating that a child is entitled to child benefit from a certain date, containing the citizen service number, date of birth and country of residence of the child. The SVB rejected this request by decision of 1 April 2019 and upheld in objection by decision of 14 August 2020. This court upheld the claim of 21 September 2020 against the latter decision by decision of 4 May 20211 and ruled that the SVB has unlawfully infringed on the privacy of the plaintiff's daughter by providing her personal data to the tax authorities. The SVB has lodged an appeal against this decision with the Administrative Jurisdiction Division of the Council of State (ABRvS). 4. On 17 May 2019, the claimant submitted a complaint to the respondent under Article 77 of the General Data Protection Regulation (GDPR) with the request to take enforcement action against the SVB and the Tax Authorities. According to the claimant, the SVB is acting in violation of the principle of proportionality and subsidiarity included in the GDPR by providing the tax authorities with personal data of children for whom there is a right to child benefit. The claimant requests the respondent to instruct the SVB and the tax authorities to remove the data about his subsidiary from the systems and to confirm this in writing. Plaintiff has explained that he has now limited his GDPR complaint to the SVB. 5. The court refers to the appendix for the relevant legislation and regulations. This appendix is part of the ruling. The contested decision 6. In the contested decision, the defendant rejected the claimant's request to take enforcement action against the SVB. Respondent takes the position that the claim of the claimant essentially concerns the answer to the question whether or not the provision of personal data by the SVB to the tax authorities with regard to the right to child benefit complies with the principles of proportionality and subsidiarity. . It is stated in the contested decision that this legal question is the subject of administrative proceedings, in which the opinion on the lawfulness of this provision has not yet been definitively established. This concerns the appeal that is still pending before the ABRvS against the aforementioned decision of this court of 4 May 2021. With reference to its prioritization policy, as laid down in Article 57, first paragraph, under f, of the GDPR, the respondent waives the initiation of a further investigation, because it considers the extent to which it can act effectively and efficiently in this case is limited. Failure to make a timely decision on the appeal on the first enforcement request 7. The claimant has submitted on appeal with regard to the first enforcement request that he had given the respondent a notice of default on November 13, 2020. According to the claimant, the primary decision does not relate to this enforcement request, but only to the request of May 17, 2019. For that reason, the claimant is of the opinion that the defendant has not yet taken a decision on its first enforcement request of January 4, 2017. This means that The defendant must still decide on this first request and is liable to pay a penalty for failing to make a timely decision. 8. The respondent has taken the position that the enforcement request of 4 January 2017 and the enforcement request of 17 May 2019 both relate to the same alleged violation by the SVB. For this reason, the respondent takes the position that by decision of 19 November 2020 it has decided on both the enforcement request of 4 January 2017 and the enforcement request of 17 May 2019. Plaintiff's first enforcement request. In view of Article 6:12, second paragraph, preamble and under a, of the General Administrative Law Act, the conditions for submitting an appeal pursuant to Article 8:55b of the General Administrative Law Act (Awb) are therefore not met. 9. The court considers as follows. The court concludes from the two enforcement requests of the claimant that the second request of 17 May 2019 can be seen as an extension of the first request of the claimant of 4 January 2017. Both requests relate to the same alleged violation by the SVB and the request to to take enforcement action in that regard. The court follows the defendant's position that with the decision of 19 November 2020, the defendant has decided on both enforcement requests. The fact that the decision of November 19, 2020 only mentions the enforcement request of May 17, 2019 does not change this, since the content of both requests from the applicant requested enforcement due to the same alleged violation of the SVB. The claimant's appeal against the failure to make a timely decision on the request of 4 January 2017 is therefore inadmissible. On the appeal against the contested decision 10. The claimant has further put forward on appeal that he believes that the respondent must still make a substantive decision about the - according to him - unlawful act of the SVB by providing the personal data of all children for whom there is a right to child benefit to the Tax Authorities. The claimant invokes the aforementioned decision of this court of 4 May 2021. According to the claimant, the fact that the SVB has lodged an appeal against this decision is not a relevant criterion. According to the claimant, the respondent ignores that not only can the administrative court give an opinion on the interpretation and application of privacy legislation, but that this is also the core task of the respondent to give a substantive opinion on this. According to the claimant, the defendant chooses to await the decision of the ABRvS, while in this matter a judgment by the defendant would considerably shorten and simplify the procedure at the ABRvS because a thorough, substantive judgment by the defendant can be crucial for the appeal procedure. . 11. The defendant refers to Article 57 of the GDPR and takes the position that the plaintiff's situation is subject to administrative legal protection. The lawfulness of the data provision by SVB to the Tax Authorities is currently still subject to dispute in the appeal against the aforementioned decision of this court of 4 May 2021. Because these proceedings have not yet been completed, the defendant sees no reason to conduct further additional investigations. to do. It concerns the answer to the same legal question. Article 57 of the GDPR offers the defendant the option of pursuing a prioritization policy for the handling of GDPR complaints. In this context, the respondent refers to a decision of the Overijssel District Court dated March 22, 20212. In the claimant's situation, this policy was used by deciding not to conduct any further investigation in response to the claimant's request. 12. The court establishes that the defendant has discretion to decide whether or not to take enforcement action. In doing so, the defendant makes use of prioritization criteria. The Respondent has this scope on the basis of Article 57(1)(f) of the GDPR, which stipulates that the content of the complaint will be investigated to the extent that this is appropriate. After a global desk investigation, after checking against the prioritization policy, the respondent failed to conduct further investigation. The court is of the opinion that the defendant could reasonably have decided in a situation such as this, where an appeal procedure is pending and the decision of this court of 4 May 2021 against a decision of the SVB has not yet been established in court, it is not appropriate to to go through a parallel administrative procedure, as it were, via the route of further investigation following a complaint under Article 77 of the GDPR. This route is substantively derived from the primarily designated route of objection to decision-making by the administrative body itself. In doing so, the respondent was allowed to take into account its prioritization policy3 for the handling of GDPR complaints. At the hearing, the defendant explained that if it is definitively established on appeal that the SVB has violated the GDPR, the defendant will then take the necessary steps if desired. The court agrees with the defendant's view and approach. 13. The action brought against the contested decision is unfounded. 14. There is no reason for an order to pay costs. Decision The court declares: - the appeal against the failure to decide in time on the enforcement request of 4 January 2017 is inadmissible; - the appeal against the contested decision is unfounded. This statement was made by mr. L.M. Reijnierse, judge, in the presence of mr. M.M. van Luijk-Salomons, Registrar. The decision was handed down on December 13, 2021 and will be made public by publication onsrecht.nl. Registrar Judge Copy sent to parties on: Remedy An appeal can be lodged against this decision with the Administrative Jurisdiction Division of the Council of State within six weeks of the date on which it was sent. General Data Protection Regulation Article 57 Tasks 1. Without prejudice to other tasks established under this Regulation, each supervisory authority in its territory shall perform the following tasks: f) deal with complaints from data subjects, or from bodies, organizations or associations in accordance with Article 80, examine the content of the complaint to the extent appropriate and inform the complainant within a reasonable time of the progress and outcome of the complaint; investigation, in particular if further investigation or coordination with another supervisory authority is necessary; Article 77 1. Without prejudice to any other administrative or judicial remedy, any data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State where he usually resides, has his place of work or where the alleged infringement was committed , if he believes that the processing of personal data concerning him infringes this Regulation. 2. The supervisory authority to which the complaint has been lodged shall inform the complainant of the progress and outcome of the complaint, as well as of the possible judicial remedy in accordance with Article 78. Policy rules prioritizing complaints investigation AP Article 2 1. The AP investigates the content of a complaint to the extent that this is appropriate. 2. The AP first assesses, based on the content of the complaint, whether it concerns the processing of personal data that concerns the complainant and whether or not there is a violation of the GDPR. 3. If it follows from the initial assessment that there may have been a violation, but it cannot yet be established, the DPA will consider whether there is reason for a further investigation. In doing so, the AP uses the following, non-cumulative, factors: a. a) The extent to which the data subject is affected by the alleged violation; b) The broader social significance of any action by the AP, also viewed from the point of view that the AP announces on a periodic basis; c) The extent to which the AP is able to act effectively and efficiently. 1 ECLI:NL:RBMNE:2021:1865 2 ECLI:NL:RBOVE:2021:1219 3 Policy rules prioritization of complaint investigation AP
- ↑ 'Wet bescherming persoonsgegevens,' the implementation of Directive (EU) 2016/680 (the GDPR predecessor)