Rb. Rotterdam - ROT 22/3576: Difference between revisions
No edit summary |
No edit summary |
||
(One intermediate revision by one other user not shown) | |||
Line 66: | Line 66: | ||
}} | }} | ||
A court ruled that the Tax | A court ruled that the Tax Administration could not restrict the data subject's right to access by simply referring to the national implementation of [[Article 23 GDPR|Article 23 GDPR]]. Indeed, the controller should have provided more information on why the exception at hand would apply. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The data subject lives in the Netherlands and was a victim of the so-called "benefit scandal" (see [[AP (The Netherlands) - 25.11.2021|AP (The Netherlands) - 25.11.2021)]]. | The data subject lives in the Netherlands and was a victim of the so-called "benefit scandal". The latter involved the usage of a discriminatory algorithm by the Dutch Tax Administration in order to detect frauds by families claiming childcare benefits (see [[AP (The Netherlands) - 25.11.2021|AP (The Netherlands) - 25.11.2021)]]. | ||
Since she wanted to know what personal data of her the Tax Administration (''Belastingdienst'') was processing, she filed an access request with the | Since she wanted to know what personal data of her the Tax Administration (''Belastingdienst'', the controller) was processing, she filed an access request with the Tax Administration. More specifically, she requested the respective minister to access and list her personal data contained in the Fraud Alert Facility (''Fraude Signalering Voorziening - FSV''), a system used to detect possible frauds in an automatic way. | ||
The controller rejected the access request. It argued that the processing at hand fell within the scope of [[Article 23 GDPR|Article 23 GDPR]]. More specifically, the controller referred to [https://wetten.overheid.nl/jci1.3:c:BWBR0040940&hoofdstuk=4&artikel=41&z=2021-07-01&g=2021-07-01 Article 41(1)(i) of the Dutch GDPR Implementation Act] (''Uitvoeringswet Algemene verordening gegevensbescherming - UAVG''), stating that the controller can limit data subjects' rights (in this case, the right of access) in view of the protection of the rights and freedoms of others. | The controller rejected the access request. It argued that the processing at hand fell within the scope of [[Article 23 GDPR|Article 23 GDPR]]. More specifically, the controller referred to [https://wetten.overheid.nl/jci1.3:c:BWBR0040940&hoofdstuk=4&artikel=41&z=2021-07-01&g=2021-07-01 Article 41(1)(i) of the Dutch GDPR Implementation Act] (''Uitvoeringswet Algemene verordening gegevensbescherming - UAVG''), stating that the controller can limit data subjects' rights (in this case, the right of access) in view of the protection of the rights and freedoms of others. |
Latest revision as of 12:58, 19 November 2024
Rb. Rotterdam - ROT 22/3576 | |
---|---|
Court: | Rb. Rotterdam (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 15 GDPR Article 23(1)(i) GDPR Artikel 41 UAVG |
Decided: | 06.11.2024 |
Published: | 11.11.2024 |
Parties: | Minister van Financiën |
National Case Number/Name: | ROT 22/3576 |
European Case Law Identifier: | ECLI:NL:RBROT:2024:10919 |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | Dutch |
Original Source: | De Rechtspraak (in Dutch) |
Initial Contributor: | fb |
A court ruled that the Tax Administration could not restrict the data subject's right to access by simply referring to the national implementation of Article 23 GDPR. Indeed, the controller should have provided more information on why the exception at hand would apply.
English Summary
Facts
The data subject lives in the Netherlands and was a victim of the so-called "benefit scandal". The latter involved the usage of a discriminatory algorithm by the Dutch Tax Administration in order to detect frauds by families claiming childcare benefits (see AP (The Netherlands) - 25.11.2021).
Since she wanted to know what personal data of her the Tax Administration (Belastingdienst, the controller) was processing, she filed an access request with the Tax Administration. More specifically, she requested the respective minister to access and list her personal data contained in the Fraud Alert Facility (Fraude Signalering Voorziening - FSV), a system used to detect possible frauds in an automatic way.
The controller rejected the access request. It argued that the processing at hand fell within the scope of Article 23 GDPR. More specifically, the controller referred to Article 41(1)(i) of the Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming - UAVG), stating that the controller can limit data subjects' rights (in this case, the right of access) in view of the protection of the rights and freedoms of others.
The controller took the position that it could not comment further on this, as this would prejudice the purpose of the restriction. The controller, therefore, did not specify how the balancing of interests entailed on the basis of Article 41(2)(h) UAVG was carried out.
On these grounds, the data subject appealed the controller's decision before the District Court of Rotterdam (Rechtbank Rotterdam - Rb. Rotterdam).
Holding
The court ruled that the controller did not give sufficient reasons for reject the data subject's access request.
The court referred to the Explanatory Memorandum of Article 41 UAVG. According to the court, this document states that it is possible not to grant a data subject's right under the GDPR only in individual cases and only if strictly necessary.
Moreover, according to this Memorandum, a categorical limitation of data subjects' rights, when necessary and proportionate in a democratic society, cannot be based on Article 41 UAVG but can only possibly be included in sector-specific legislation. The court found that, in the case at hand, there is no relevant sector-specific legislation.
Furthermore, the court noted that the controller did not specify how the balancing of interests entailed on the basis of Article 41(2)(h) UAVG was carried out. More generally, other than simply referring to the already mentioned articles, the controller did not state any further reason regarding why the exception would apply.
As for the applicability of Article 41(1)(i) UAVG, the court finds that - while it could be true that the relevant registration in the FSV includes personal data of others - still the controller justified the applicability of this exception only by referring to the law. Moreover, it did not explain how the positions of the two data subjects have been balanced.
Therefore, the court annulled the controller's decision and, pursuant to Dutch administrative law, ordered the controller to make a new decision on the matter.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Judgment ROTTERDAM COURT Administrative law case number: ROT 22/3576 judgment of the single-judge chamber of 6 November 2024 in the case between [name of claimant] , from Maassluis, claimant (attorney: Mr. S. Arakelyan), and the Minister of Finance, the Minister (attorney: Mr. A. Cramer) with the State of the Netherlands (the Minister of Justice and Security) as third party, the State. Introduction 1. In this judgment, the court assesses the appeal of the claimant against a rejection of her request for access on the basis of the GDPR1 in the FSV2. 1.1. With the primary decision of 22 January 2022, the Minister rejected the request for access. With the contested decision of 27 June 2022, the Minister declared the claimant's objection well-founded and granted access to part of the claimant's processed personal data. The claimant appealed against this decision. 1.2. The Minister responded to the appeal with a statement of defence. 1.3. On 27 September 2024, the claimant submitted a further document (a screenshot of the FSV diary). 1.4. The Minister submitted documents relating to this case. These are (1) data from the FSV and (2) a cover letter with these documents in which the basis for refusing to provide the documents to the claimant is further substantiated. In addition, on 27 October 2022, the Minister requested that these documents be kept confidential from the claimant.3 A judge-commissioner decided in a decision of 2 October 2024 that, with regard to 1, it is justified that the claimant is not allowed to inspect these documents during the appeal procedure and, with regard to 2, decided that there is insufficient reasoning as to why the claimant is not allowed to inspect them. 1.5. The claimant has given permission to the court to inspect the confidential documents. 1.6. The court heard the appeal at a hearing on 14 October 2024. The following participated: the claimant, the claimant's representative, together with Mr B.J. Warringa and, on behalf of the Minister, the representative and [person A]. Formation of the decision 2. On 2 December 2021, the claimant requested the Minister to inspect and provide an overview of her personal data contained in the FSV. The Minister interpreted this request as a GDPR request. With the primary decision, the Minister rejected the request on the basis of Articles 23 of the GDPR and 41 of the UAVG.4 With the contested decision, the Minister declared the claimant's objection well-founded. In doing so, the Minister took the position that he had consulted which personal data of the claimant were processed in the FSV. In principle, these data must be provided with a request for access. Because, according to the Minister, there is an exception, the Minister refrained from doing so. In doing so, the Minister weighed the importance of the right to access the processed personal data of the claimant against the interests mentioned in Articles 23 of the GDPR and 41 of the UAVG. The Minister wrongly failed to provide access to a number of data. The Minister subsequently did so. Assessment by the court 3. With the contested decision, the Minister partially granted the claimant's request for access and provided an overview of processed personal data from the FSV. This overview is not in dispute. The dispute is whether the Minister was right not to provide access to the rest of the processed personal data of the claimant. For the relevant legislation and regulations, the court refers to the appendix to this judgment. 4. The right of access under Article 15 of the GDPR is not absolute. Article 23 of the GDPR stipulates that certain provisions of the GDPR, including the right of access, may be limited under certain circumstances by a legislative measure under EU law or Member State law. In the Netherlands, this has been implemented by the UAVG. The secret documents 5. The court has taken cognizance of the documents for which confidentiality was requested and deemed justified by the examining magistrate. This concerns a registration in the FSV to which the claimant was not given access. Although the court cannot comment on the content of this, the court does note that this registration apparently has no relation to the claimant's disadvantage in benefits. The reason for refusing access (grounds for refusal) 6. The claimant stated at the hearing that her partner had received a letter stating that he was registered in the FSV, but that this registration had had no adverse consequences for him. The claimant did not receive such a letter. Because the claimant is a victim of the benefits scandal, she submitted the request for access partly in response to this in order to gain insight into the personal data processed by the Tax and Customs Administration. In the contested decision, the Minister determined that the claimant would not be granted access to her processed personal data in part, referring to Articles 23 of the GDPR and 41 of the UAVG. This was done on the basis of a balancing of interests by the Minister. The Minister has taken the position that he cannot comment further on this, because this would undermine the purpose of the restriction. The Minister has therefore not specified in more detail what this balancing of interests entailed, based on Article 41, paragraph 2, under h of the UAVG. 7. In response to the decision of the examining magistrate of 2 October 2024, the Minister's representative further specified at the hearing that the claimant is not entitled to access in view of the protection of the rights and freedoms of others (as stated in Articles 23, paragraph 1, under i of the GDPR and 41, paragraph 1, under i of the UAVG). 8. The court is of the opinion that the Minister has insufficiently motivated why the claimant's request for access was refused. The court considers that the Explanatory Memorandum (MvT) to Article 41 of the UAVG indicates that the provision offers an opportunity to deviate from the rights that apply under the GDPR in individual cases and only if this is strictly necessary, with a view to the interests mentioned in Article 23 of the GDPR. According to the Explanatory Memorandum, a categorical restriction of the rights of the data subject, when this is necessary and proportionate in a democratic society, cannot be based on Article 41 of the GDPR, but can only be included in sector-specific legislation.5 In this case, there is no sector-specific legislation. This means that the Minister must consider in the specific case whether an exception is justified. 9. With the contested decision, the Minister refused the claimant access to personal data, with only a general reference to Article 23 of the GDPR and Article 41 of the GDPR as the reasoning. After taking note of the refused data, the court is of the opinion that the situation does not arise in which merely providing a more specific reasoning based on one of the components of Article 41, paragraph 1, GDPR would undermine the purpose of the restriction. To that extent, the Minister could therefore not rely on Article 41, paragraph 2, under h, GDPR. This means that the Minister was required to provide more specific reasons for refusing access to the grounds for refusal referred to in Article 41, paragraph 1. 10. The Minister did this by stating at the hearing that access was refused in order to safeguard the protection of the rights or freedoms of others (Article 41, paragraph 1, under i, of the GDPR). According to the Minister, the relevant registration in the FSV includes personal data of others. This means that the reasoning for refusing access still consists only of a reference to part of a statutory article. The court considers this to be insufficient reasoning in this case. After taking cognisance of the data, the court considers it conceivable that the Minister cannot provide this data on the basis of the GDPR, but does not see that this cannot be further substantiated by the Minister given the nature of the registered data. The Minister has not provided any or insufficient insight into the interests at stake on his side in the context of the refusal on the i-ground. In this regard, the court further notes that the claimant does not dispute the non-sharing of data of others on the grounds of the privacy of others. The claimant's ground for appeal, that the contested decision was taken in violation of the principle of motivation, is successful. Conclusion and consequences 11. The appeal will be declared well-founded because the contested decision is in violation of article 7:12 of the General Administrative Law Act.6 The contested decision will be annulled. In this case, the court sees no reason to make its own provision in the case because information would then possibly be released against which the Minister would no longer be able to use an effective legal remedy. The court therefore determines, applying article 8:72, fourth paragraph, of the General Administrative Law Act, that the Minister must take a new decision on the objection in accordance with this ruling. The court gives the Minister six weeks to do so. 12. Because the appeal is well-founded, the Minister must reimburse the claimant for the court fee and the claimant will also receive compensation for the costs incurred in the appeal. The compensation for this is calculated as follows, applying the Administrative Law Costs Decree. For legal assistance by an authorised representative, the claimant receives a fixed amount (a lump sum compensation) per procedural act (point). In appeal, each procedural act has a value of €875. The authorised representative has filed an appeal (1 point) and has attended the court hearing (1 point). The compensation then amounts to a total of €1,750. Request for compensation for exceeding the reasonable term 13. The claimant has also requested compensation for exceeding the reasonable term. In principle, the reasonable term has not been exceeded for a procedure in two instances (as here, in objection and then in appeal) if that procedure has not lasted longer than two years in total.7 The handling of the objection may take a maximum of six months and the handling of the appeal a maximum of one and a half years. In principle, compensation of €500 is awarded for each half year (or part thereof) by which the reasonable term has been exceeded.8 In principle, the reasonable term commences at the moment that the administrative body receives an objection. 14. The Minister received the claimant's notice of objection on 25 February 2022, after which a decision on the objection followed on 27 June 2022. In this case, there is a period of 2 years and 9 months between receipt of the notice of objection and the ruling in the first instance. This is an excess of the reasonable term by 9 months. The excess of 9 months results in an amount of non-material damages of € 1,000 (twice € 500). Because the handling of the objection did not last longer than six months, the excess of the reasonable term is attributable to the court. The payment of this compensation is therefore at the expense of the State. 15. Now that an additional appeal has been filed for compensation for non-material damages, there is reason to award costs. The court has set these costs at €418.50 on the basis of the Administrative Law Costs Decree (1 point for submitting the request for compensation for damages with a value per point of €837 and a weighting factor of 0.5). The court has assumed a weighting factor of 0.5 because the cost compensation is only awarded due to the exceeding of the reasonable term. The payment of these costs is also borne by the State. Decision The court: - declares the appeal well-founded; - annuls the decision of 27 June 2022; - orders the Minister to take a new decision on the objection within six weeks after the date of dispatch of this ruling, taking into account this ruling; - determines that the Minister must reimburse the plaintiff for the court fee of €184; - orders the Minister to pay €1,750 in legal costs to the plaintiff; - orders the State (the Minister of Justice and Security) to pay compensation for non-material damage to the plaintiff in the amount of €1,000 and the legal costs up to an amount of €418.50. This ruling was made by Mr. A. Dingemanse, judge, in the presence of Mr. H. Sabanovic, registrar. The ruling was pronounced in public on 6 November 2024. registrar judge A copy of this ruling was sent to the parties on: Information about appeal A party that disagrees with this ruling may send an appeal to the Administrative Jurisdiction Division of the Council of State explaining why this party disagrees with this ruling. The appeal must be submitted within six weeks after the date on which this ruling was sent. If the applicant cannot await the appeal hearing because the case is urgent, the applicant can request the provisional relief judge of the Administrative Jurisdiction Division of the Council of State to take an interim measure (a temporary measure). Appendix: relevant legislation and regulations GDPR Article 15 Right of access of the data subject 1. The data subject has the right to obtain confirmation from the controller as to whether or not personal data concerning him are being processed and, where that is the case, to access those personal data and the following information: a. a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) where possible, the period for which the personal data are expected to be stored, or if that is not possible, the criteria for determining that period; e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning him or her, or to object to such processing; f) the existence of the right to lodge a complaint with a supervisory authority; g) where the personal data are not collected from the data subject, any available information as to their source; h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. Article 23 Restrictions 1. The scope of the obligations and rights referred to in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations referred to in Articles 12 to 22, may be restricted by a Union or Member State legislative measure to which the controller or processor is subject, provided that such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard: a. (a) national security; (b) defence; (c) public security; (d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; (e) other important objectives of general interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security; (f) the protection of judicial independence and judicial proceedings; (g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions; (h) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in the cases referred to in points (a) to (e) and (g); (i) the protection of the data subject or of the rights and freedoms of others; (j) the enforcement of civil law claims. 2. The legislative measure referred to in paragraph 1 shall in particular contain specific provisions as regards, where appropriate, at least: a. (a) the purposes of the processing or the categories of processing, b) the categories of personal data, c) the scope of the restrictions introduced, d) the safeguards to prevent misuse or unlawful access or transfer, e) the specification of the controller or categories of controllers, f) the storage periods and the applicable safeguards, taking into account the nature, scope and purposes of the processing or categories of processing, g) the risks to the rights and freedoms of data subjects, and h) the right of data subjects to be informed of the restriction, unless this could jeopardise the purpose of the restriction. GDPR Article 41. Exceptions to the rights of the data subject and the obligations of the controller 1. The controller may disapply the obligations and rights referred to in Articles 12 to 21 and Article 34 of the Regulation to the extent that this is necessary and proportionate to safeguard: a. National security; b. national defence; c. public security; d. the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; e. other important objectives of general interest of the European Union or of the Netherlands, in particular an important economic or financial interest of the European Union or of the Netherlands, including monetary, budgetary and tax matters, public health and social security; f. the protection of the independence of the judiciary and judicial proceedings; g. the prevention, investigation, detection and prosecution of breaches of professional codes of conduct for regulated professions; h. a monitoring, inspection or regulatory task connected, even occasionally, with the exercise of official authority in the cases referred to in points (a), (b), (c), (d), (e) and (g); i. the protection of the data subject or of the rights and freedoms of others; or j. the recovery of civil claims. 2. When applying the first paragraph, the controller shall take into account at least, where applicable: a. the purposes of the processing or the categories of processing; b. the categories of personal data; c. the scope of the restrictions introduced; d. the safeguards to prevent misuse or unlawful access or transfer; e. the specification of the controller or categories of controllers; f. the storage periods and the applicable safeguards, taking into account the nature, scope and purposes of the processing or categories of processing; g. the risks to the rights and freedoms of data subjects; and h. the right of data subjects to be informed of the restriction, unless this would undermine the purpose of the restriction. 1 General Data Protection Regulation 2 Fraud reporting facility 3 Based on article 8:29 of the General Administrative Law Act (Awb). 4 Implementation Act GDPR 5 Parliamentary Papers II 2017/18, 34851, 3, p. 47-49. 6 General Administrative Law Act 7 ECLI:NL:RVS:2023:3846 8 ECLI:NL:HR:2016:252 and ECLI:NL:HR:2024:853