Rb. Rotterdam - ROT 22/2125: Difference between revisions
No edit summary |
No edit summary |
||
(5 intermediate revisions by 3 users not shown) | |||
Line 70: | Line 70: | ||
}} | }} | ||
When the Dutch Tax Administration answers a data subject's access request, it should search beyond the general system it uses and provide specific information as to the purpose of the processing, the potential recipients and the source of the data. | |||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
A data subject made an access request with the Dutch Tax Administration (the controller). The controller decided to deny the | A data subject made an access request with the Dutch Tax Administration (the controller). The controller decided to deny the request. The data subject raised several objections against this decision, but the controller declared it unfounded. The data subject appealed this decision. | ||
The Court | The Court considered the appeal grounded and ordered the controller to fulfill the access request. Following this first decision, the controller answered the request with a general indication of the personal data it processed and for what purpose (information usually available in privacy policies). It also provided the data subject with their most commonly processed personal data. Last, the controller generally referred to [[Article 13 GDPR#4|Article 13(4)]], [[Article 14 GDPR#5|Article 14(5)]] and [[Article 23 GDPR]] for possible non-disclosure. | ||
The | The data subject found the answer incomplete and lodged a further appeal to the Court. | ||
In an attempt to explain why some information had not been included in the response, the controller argued that the response was based on what it could find on its general system. The other IT systems had not been searched, because there were too many and this would therefore constitute a disproportionate burden. | |||
=== Holding === | === Holding === | ||
The District Court of Rotterdam held that searching a general system was not sufficient | The District Court of Rotterdam held that searching a general system was not sufficient. The Court found that the controller's view that there were too many systems was not supported by evidence, unsubstantiated, and insufficient reasoning to suffice with the limited search it conducted and that the controller's general reference to grounds for exemption in the GDPR was insufficient. The controller had therefore not complied with the data subject's request. | ||
Furthermore, the Court held that the controller should have specified | Furthermore, the Court held that the controller should have specified purposes, recipients and sources per [[Article 15 GDPR|Article 15(1)]]. The mere listing of the personal data found, followed with a general explanation of how the Tax Administration handles personal data was not enough. The Court held that this did not allow the data subject to verify the lawfulness of processing under [[Article 15 GDPR]]. | ||
The Court declared the appeal well-founded, annulled the contested decision and ordered the controller to make a new decision, taking this judgement into account. | The Court declared the appeal well-founded, annulled the contested decision and ordered the controller to make a new decision, taking this judgement into account. | ||
== Comment == | == Comment == | ||
The Dutch Tax Administration is a part of the Ministry of Finance. Therefore, when a decision of the Tax Administration is appealed, the party in the proceedings is the Minister of Finance. | The Dutch Tax Administration is a part of the Ministry of Finance. Therefore, when a decision of the Tax Administration is appealed, the party in the proceedings is the Minister of Finance. As an administrative Court, the District Court of Rotterdam is competent to annul administrative decisions. | ||
== Further Resources == | == Further Resources == |
Latest revision as of 15:20, 21 March 2023
Rb. Rotterdam - ROT 22/2125 | |
---|---|
Court: | Rb. Rotterdam (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 13(4) GDPR Article 14(5)(a) GDPR Article 15(1) GDPR Article 23(1)(d) GDPR Article 23(1)(i) GDPR |
Decided: | 17.02.2023 |
Published: | 20.02.2023 |
Parties: | Minister of Finance (Dutch Tax Administration) |
National Case Number/Name: | ROT 22/2125 |
European Case Law Identifier: | ECLI:NL:RBROT:2023:1189 |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | Dutch |
Original Source: | rechtspraak.nl (in Dutch) |
Initial Contributor: | elsjegold |
When the Dutch Tax Administration answers a data subject's access request, it should search beyond the general system it uses and provide specific information as to the purpose of the processing, the potential recipients and the source of the data.
English Summary
Facts
A data subject made an access request with the Dutch Tax Administration (the controller). The controller decided to deny the request. The data subject raised several objections against this decision, but the controller declared it unfounded. The data subject appealed this decision.
The Court considered the appeal grounded and ordered the controller to fulfill the access request. Following this first decision, the controller answered the request with a general indication of the personal data it processed and for what purpose (information usually available in privacy policies). It also provided the data subject with their most commonly processed personal data. Last, the controller generally referred to Article 13(4), Article 14(5) and Article 23 GDPR for possible non-disclosure.
The data subject found the answer incomplete and lodged a further appeal to the Court.
In an attempt to explain why some information had not been included in the response, the controller argued that the response was based on what it could find on its general system. The other IT systems had not been searched, because there were too many and this would therefore constitute a disproportionate burden.
Holding
The District Court of Rotterdam held that searching a general system was not sufficient. The Court found that the controller's view that there were too many systems was not supported by evidence, unsubstantiated, and insufficient reasoning to suffice with the limited search it conducted and that the controller's general reference to grounds for exemption in the GDPR was insufficient. The controller had therefore not complied with the data subject's request.
Furthermore, the Court held that the controller should have specified purposes, recipients and sources per Article 15(1). The mere listing of the personal data found, followed with a general explanation of how the Tax Administration handles personal data was not enough. The Court held that this did not allow the data subject to verify the lawfulness of processing under Article 15 GDPR.
The Court declared the appeal well-founded, annulled the contested decision and ordered the controller to make a new decision, taking this judgement into account.
Comment
The Dutch Tax Administration is a part of the Ministry of Finance. Therefore, when a decision of the Tax Administration is appealed, the party in the proceedings is the Minister of Finance. As an administrative Court, the District Court of Rotterdam is competent to annul administrative decisions.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Authority Rotterdam District Court Date of decision 17-02-2023 Date of publication 20-02-2023 Case number ROT 22/2125 Fields of law Administrative law Special features First instance - single-member Content indication Request for inspection under the AVG, defendant could not suffice with a mere search in the general system, action well founded for breach of the principle that reasons must be given. Findings Rechtspraak.nl Enriched judgment Judgment ROTTERDAM COURT Administrative law Case number: ROT 22/2125 judgment of the single chamber of 17 February 2023 in the case between [name of plaintiff] , from [place] , plaintiff, (Agent: Mr G.A. Soebhag) and The Minister of Finance, defendant, (Agent: [name of agent] ). Proceedings By decision dated 23 August 2019 (primary decision), the defendant rejected a request by the claimant for access under the General Data Processing Regulation (GDPR). By decision of 4 February 2020, the defendant rejected the claimant's objection to the primary decision as unfounded. Against this decision, the claimant filed the appeal with case number 20/1419, which was heard at a hearing on 23 December 2021. By judgment of 3 February 2022 (20/1419), the court upheld the appeal, set aside the decision of 4 February 2020 and ordered the defendant to make a new decision on the objection in compliance with that judgment. By decision of 24 March 2022 (contested decision), the defendant made a new decision on the objection. In doing so, the defendant provided an overview of the personal data processed. The claimant appealed against the contested decision. The defendant submitted a statement of defence. The claimant submitted further documents. The court heard the appeal at a hearing on 13 January 2023. The claimant appeared, assisted by his authorised representative. The defendant was represented by its authorised representative and by E.J.P. Nevens. Considerations 1. For the history of this case, the court refers to its decision of 3 February 2022. 2. The defendant considered that with regard to the period up to and including 2 January 2018, the request had already been complied with by a decision dated 2 March 2018 by providing access to the data processing. With regard to the period from 2 January 2018 to 14 March 2022, the defendant generally indicated which personal data are processed by the Tax Administration, referred to belastingdienst.nl/privacy, "My Tax Service" and "My Benefits" for an overview of the personal data processed, indicated why personal data are processed, indicated how personal data are obtained, indicated with whom the personal data are shared, indicated how long the personal data are kept and provided information on automated decision-making. The Respondent generally referred to Article 13(4), Article 14(5) and Article 23 of the AVG (and the equivalent Article 41 of the AVG Implementation Act (UAVG)), for possible non-disclosure. The defendant provided a representation of the claimant's most commonly processed personal data as it appears in the most general system 'BRF'. 3. For the laws and regulations, please refer to the annex, which forms part of this ruling. 4. The claimant argues that the defendant has not fully complied with its AVG request. The defendant must provide an overview of all its personal data, stating why, when and on what legal basis personal data was processed and with whom it was shared. The claimant requests the court to impose a periodic penalty of €1,000 per day up to a maximum of €1,000,000 on the defendant to comply with its request. 4.1. The defendant explained at the hearing that its search consisted of searching for the claimant's personal data in the most common tax system, the BRF. Other systems were not searched because, according to the defendant, there are too many systems and this would therefore be disproportionately burdensome. The defendant also presented at the hearing an inventory list known to the plaintiff of documents submitted to the court under secrecy in another of the plaintiff's appeal proceedings. This list shows that these documents consist of: bank statements of the claimant, bank statements of third parties in which the claimant's personal data appear, agreements and official reports for the purpose of criminal investigations in which the claimant's personal data appear and internal and external e-mail exchanges in which strategic information regarding the claimant's criminal and tax treatment and personal data of the claimant are mentioned. 4.2. The court finds that by the contested decision, in conjunction with the explanation given at the hearing, the defendant has not complied with the claimant's request. It is not sufficient for the defendant to merely conduct a search in the most general system. The unsubstantiated view that there are too many systems is insufficient reasoning to suffice with this limited search. The defendant did not make it clear that a broader search than the one carried out would require a disproportionate effort. Moreover, with regard to the extent of that effort, it is relevant that the defendant has already limited the claimant's request to a specific period, namely 2 January 2018 to 14 March 2022. Furthermore, it appears from the inventory list submitted at the hearing that there are documents outside the system searched at the defendant that contain the claimant's personal data. These documents were not considered by the defendant in the decision-making process. The defendant's general reference to grounds for exemption in the AVG is insufficient, without a reasoning focused on these documents, to refuse access to the personal data contained in those documents. Moreover, the defendant did not bring those documents into these proceedings by relying on Article 8:29 of the General Administrative Law Act, so that the court cannot examine whether the grounds for exceptions were rightly invoked either. Furthermore, the defendant cannot suffice with an enumeration of personal data found without addressing the questions raised by the claimant in its request as to the purpose of the use, to whom the data may have been provided and the origin of the data, if known. Indeed, the inspection should allow the claimant to verify the lawfulness of the data processing under Article 15 of the AVG. A mere listing of the personal data found does not enable the claimant to do so. The defendant's explanation of how personal data are generally handled at the Tax Administration is not sufficient because it does not provide any insight into how the claimant's specific personal data were handled. 5. The contested decision must therefore be annulled for breach of the principle that reasons must be given. The defendant must still carry out a search for the presence of the claimant's personal data in the applications and systems used by the Tax and Customs Administration or provide sufficient reasons as to why this would require a disproportionate effort. In doing so, the defendant must also explicitly include the documents as mentioned in the inventory list submitted at the hearing and any other documents containing the claimant's personal data, and, if applicable, explain why these documents are covered by the grounds for refusal. Furthermore, with regard to personal data provided or to be provided, the defendant will have to enable the claimant to verify the lawfulness of the data processing by answering the questions what is the purpose of the use, to whom the data have been provided, if any, and the origin of the data, if known. 6. The claimant informed the court prior to the hearing that it would call witnesses. Of those witnesses, only the defendant's agent, [name of agent] , appeared. The claimant did not request the court to summon the other witnesses. The court saw no reason to hear the defendant's authorised representative, , as a witness, as this could not reasonably contribute to the assessment of the case. For the same reason, the court also sees no reason to summon the other witnesses called by the plaintiff. 7. The appeal is well-founded and the court annuls the contested decision. The defendant will have to make a new decision taking this judgment into account. The court considers the application of an administrative loop ineffective, as this is not expected to speed up the decision-making process. The court will set a six-week deadline for the new decision to be taken by the defendant. The court sees no reason to attach to it the penalty payment requested by the plaintiff, as there is no reason to assume that the defendant will not comply with the order. Moreover, the plaintiff has the option of giving the defendant notice of default in the event of late decision-making. 8. As the court declares the appeal well-founded, the court orders the defendant to reimburse the plaintiff for the court fee paid by him. 9. The court orders the defendant to pay the legal costs incurred by the claimant. Pursuant to the Administrative Costs Decree, the court fixes these costs at € 1,674 (one point for lodging the notice of appeal and one point for attending the hearing, with a value per point of € 837 and a weighting factor of 1) for the legal assistance provided by a third party in a professional capacity. Decision The court: - Declares the appeal well-founded; - sets aside the contested decision - orders the defendant to take a new decision within six weeks of the date of dispatch of this ruling, taking this ruling into account; - orders the defendant to reimburse the claimant for the court fee of € 184; - orders the defendant to pay the claimant €1,674 in legal costs. This decision has been delivered by A.C. Rop, judge, in the presence of F. van Ommeren, Registrar. The judgment was pronounced in public on 17 February 2023. Registrar judge A copy of this judgment has been sent to the parties on: Do you disagree with this ruling? If you disagree with this ruling, you can send a letter to the Administrative Law Division of the Council of State explaining why you disagree. This is called a notice of appeal. You must submit this notice of appeal within 6 weeks of the day this ruling was sent. You can see this date above. Annex: laws and regulations The General Data Protection Regulation - as far as relevant here - reads as follows: Article 13 Information to be provided when personal data are collected from the data subject (...) 4. Paragraphs 1, 2 and 3 shall not apply when and insofar as the data subject already has the information. Article 14 Information to be provided when personal data have not been obtained from the data subject (...) 5. Paragraphs 1 to 4 shall not apply when and insofar as: (a) the data subject already has the information; (...) Article 15 Right of inspection of the data subject 1. The data subject shall have the right to obtain from the controller a confirmation as to whether or not personal data relating to him/her are being processed and, if so, to obtain access to those personal data and to the following information: (a) the purposes of processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) if possible, the period for which the personal data are expected to be stored, or if that is not possible, the criteria for determining that period; (e) that the data subject has the right to request the controller to rectify or erase personal data or to restrict the processing of personal data concerning him, as well as the right to object to such processing (f) that the data subject has the right to lodge a complaint with a supervisory authority; (g) where personal data are not collected from the data subject, any available information as to the source of those data; (h) the existence of automated decision-making, including the profiling referred to in Article 22(1) and (4), and, at least in those cases, useful information on the underlying logic as well as the significance and expected consequences of such processing for the data subject. (...) Article 23 Restrictions 1. The scope of the obligations and rights set out in Articles 12 to 22 and Article 34 as well as in Article 5 may, to the extent that the provisions of those Articles correspond to the rights and obligations set out in Articles 12 to 20, be limited by provisions of Union or Member State law applicable to the controller or processor, provided that such limitation does not affect the essence of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard: (...) (d) the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including the protection against and prevention of threats to public security; (...) (i) the protection of the data subject or of the rights and freedoms of others; (...)