Latest revision as of 06:23, 21 August 2024
Rb. Den Haag - SGR 23/6174 | |
---|---|
Court: | Rb. Den Haag (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 57(1)(f) GDPR |
Decided: | 23.07.2024 |
Published: | 06.08.2024 |
Parties: | Autoriteit Persoonsgegevens |
National Case Number/Name: | SGR 23/6174 |
European Case Law Identifier: | ECLI:NL:RBDHA:2024:12074 |
Appeal from: | |
Appeal to: | |
Original Language(s): | Dutch |
Original Source: | Rechtspraak.nl (in Dutch) |
Initial Contributor: | ec |
A court held that under Article 57(1)(f) GDPR, the DPA has discretion to decide not to investigate a complaint further and to refrain from taking any corrective measures.
English Summary
Facts
Due to a bankruptcy the data subject was represented by a bankruptcy trustee. The bankruptcy was lifted on 7 July 2022, ending the trustee’s authorization to represent the data subject. However, on 19 July 2022, an employee of a Dutch bank, ABN AMRO Bank (the controller), shared the data subject’s personal data with the former bankruptcy trustee of the data subject on the phone.
The data subject lodged a complaint with the Dutch DPA (“Autoriteit Persoonsgegevens”) for an unreported data breach by the controller (i.e. sharing his personal data with his former bankruptcy trustee).
The controller admitted to the DPA that the bankruptcy trustee of the data subject should only have been informed that they were no longer appointed due to the discharge from bankruptcy of the data subject, and that therefore information of the data subject would not be shared anymore with them.
The DPA interpreted the data subject's complaint as not directly referring to the data breach, but to the unlawful processing of sensitive personal data. To determine whether unlawful processing took place, further investigation would have been required. However, in this case, the DPA refrained from conducting further investigation.
The DPA explained why it was not investigating the data subject’s complaint, referring to the criteria on their website. On their website the DPA states that to be efficient and effective, they have to make choices and therefore use the following criteria to determine whether the complaint qualifies for further investigation: the complaint is about a violation that is still ongoing, has a broader societal interest, there are no other proceedings pending, the complaint is specifically about a GDPR issue, and the subject of the complaint has not previously been investigated by the DPA.
Taking into account the data subject's complaint, the DPA held that the alleged violation did not last long and that the phone call took place quite some time ago. There was also no broader social significance, only the data subject was affected, and the subject of the complaint did not fall within any of the DPA’s central themes of 2024. Lastly, the DPA held that the dispute between the data subject and the former bankruptcy trustee was not primarily a GDPR violation.
The data subject appealed the DPA’s decision to not further investigate at the District Court of The Hague (“Rechtbank Den Haag”).
The DPA argued that further investigation was not needed to establish wrongdoing. The controller’s sharing of the data subject’s personal data with the former bankruptcy trustee was unlawful. However, the DPA stated that the controller acknowledged the violation and mistakenly did not report the breach to the data subject.
Holding
The court found that the DPA could refrain from conducting further investigation. According to Article 57(1)(f) GDPR, the DPA must deal with complaints to the extent appropriate. The court therefore held that the DPA has discretion to determine case by case whether to take corrective measures.
The court found that, based on the available information, the DPA could not yet determine whether there was a violation because, for example, it was not clear what personal data was shared during the phone call. The fact that the controller should have informed the former bankruptcy trustee that they were no longer appointed, and that information should not be shared with them anymore, does not mean that there was a GDPR violation. Therefore, further investigation was required.
However, the court stated it could follow the DPA’s reasoning for not further investigating the complaint based on the DPA's criteria. Therefore, the court held that the DPA could refrain from further investigating and thus dismissed the appeal.
Comment
In its judgment in the Schufa case, the CJEU stated that the DPA has a margin of discretion as to the choice of the appropriate means under Article 58(2) GDPR (see paras 57 and 68). Nothing in the GDPR or in CJEU case law states that the DPA has the discretion to assess the extent to which a complaint should be investigated.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
THE HAGUE DISTRICT COURT
Administrative law
case number: SGR 23/6174
judgment of the single-judge chamber of 23 July 2024 in the case between
[plaintiff], from [place of residence], plaintiff
and
the Dutch Data Protection Authority, defendant (authorized representative: Mr. O.S. Nijveld and Mr. A. Karimi).
Introduction
1. In this judgment, the court assesses the plaintiff's appeal against the defendant's decision not to investigate his complaint further.
1.1. The defendant dismissed this complaint by decision of 15 March 2023. By decision of 17 August 2023, the plaintiff's objection to this was declared manifestly unfounded. By the contested decision of 28 March 2024, the decision of 17 August 2023 was withdrawn, and the objection (again) declared manifestly unfounded.
1.2. The court heard the appeal on 19 June 2024. The following persons participated: the claimant and the defendant's representatives.
Assessment by the court
What is this case about?
2. The claimant has filed a GDPR complaint with the defendant. According to the claimant, there was an unreported data breach from his former trustee and ABN AMRO Bank (the Bank). An employee of the Bank allegedly shared personal data of the claimant with the claimant's former trustee in a telephone conversation on 19 July 2022. At that time, the trustee was no longer authorised, because the claimant's bankruptcy had been lifted on 7 July 2022.
2.1. According to the defendant, the claimant is not complaining about a (supposed) data breach, but about an (supposed) unlawful processing of sensitive personal data. According to the defendant, further investigation is required in order to determine whether there has been unlawful processing of sensitive personal data. In this case, the defendant has refrained from conducting further investigation. This case concerns the question of whether the defendant was allowed to refrain from further investigation.
What does the plaintiff think?
3. No further investigation is required to establish the violation. The exchange of the plaintiff's data between the Bank and the former trustee was unlawful. The Bank has acknowledged the violation. The Bank and the former trustee wrongly failed to report the data breach to the defendant.
What is the court's judgment?
Appeal against the decision of 17 August 2023
4. The defendant has withdrawn the decision of 17 August 2023. The plaintiff has not stated that he has suffered damage as a result of the decision of 17 August 2023. In view of this, the plaintiff no longer has an interest in a substantive assessment of his appeal against the decision of 17 August 2023. The court therefore declares the plaintiff's appeal inadmissible insofar as it is directed against the withdrawn decision due to the loss of procedural interest.
Appeal against the decision of 28 March 2024
5. The court finds that the defendant could refrain from conducting further investigation. The court explains below how it reached this conclusion.
5.1. According to the law, the defendant must handle complaints to the extent that this is appropriate. This means that the defendant has discretion to determine in which cases it will take enforcement action and in which cases it will not. The defendant uses a fixed procedure in this regard. The fixed procedure entails that the defendant makes an initial substantive assessment of a complaint that meets the formal requirements. This initial substantive assessment can have three outcomes: there is a violation, there is no violation or it is (not yet) clear whether there is a violation. If it is (not yet) clear whether there is a violation, the defendant will determine whether it will investigate the complaint further. The defendant will determine this on the basis of criteria that it has stated on its website.
5.2. Given the available information, the defendant could conclude that a violation could not (yet) be established. It is namely not clear which data was exchanged during the telephone conversation. The defendant could therefore not determine whether the processing was necessary to serve a legitimate interest, for example on the basis of the Bankruptcy Act after the settlement of a bankruptcy. The e-mail message of 15 September 2022 from the Bank does not change this. In it, the Bank writes that the former trustee should have communicated that the guardianship had ended, and that the information would then not have been provided to him, but that does not mean that the GDPR has been violated. After all, in order to be able to determine whether there has been a violation, it must be clear (among other things) which data has been exchanged. Further investigation is required for this.
5.3. The defendant has explained, using the criteria on its website, why it is not investigating the plaintiff's complaint further. The alleged violation did not last long and the telephone conversation took place quite some time ago. Furthermore, compared to other (alleged) violations, there is no broader social significance and the violation only affects the plaintiff himself. In addition, the subject of the violation does not fall within one of the themes that the defendant has centralized in 2024. The extent to which the defendant can act effectively and efficiently is also limited, because the core of the underlying dispute with the plaintiff's former curator does not primarily lie in a violation of the GDPR. The court can follow the defendant in this. The defendant was therefore allowed to refrain from conducting further investigation.
Conclusion and consequences
6. The court declares the appeal against the replacement decision of 28 March 2024 unfounded. This means that the defendant did not have to further investigate the plaintiff's GDPR complaint.
6.1. The appeal against the withdrawn decision of 17 August 2023 is inadmissible due to a lack of procedural interest. However, the defendant must repay the court fee of € 184 to the plaintiff.
6.2. There is no reason to award costs.
Decision
The court:
- declares the appeal against the contested decision of 17 August 2023 inadmissible;
- declares the appeal against the contested decision of 28 March 2024 unfounded;
- orders the defendant to reimburse the paid court fee of € 184 to the plaintiff.
This decision was made by Mr. E.K.S. Mollen, judge, in the presence of Mr. B.D.A. Mantingh, clerk. The decision was pronounced in public on 23 July 2024.
clerk judge
A copy of this decision was sent to the parties on:
Information about appeal
A party that disagrees with this decision may send an appeal to the Administrative Jurisdiction Division of the Council of State explaining why this party disagrees with this decision. The appeal must be submitted within six weeks after the date on which this decision was sent. If the submitter cannot await the hearing of the appeal because the case is urgent, the submitter can request the provisional relief judge of the Administrative Jurisdiction Division of the Council of State to make an interim provision (a temporary measure).
Based on article 6:19 of the General Administrative Law Act (Awb), the appeal automatically also relates to the contested decision.
General Data Protection Regulation.
Article 4, opening words and under 12, of the GDPR.
Article 6, first paragraph, of the GDPR read in conjunction with article 5 of the GDPR.
Article 57, first paragraph, opening words and under f, of the GDPR.
See: www.autoriteitpersoonsgegevens.nl/een-tip-of-klacht-indienen-bij-de-ap/behandeling-van-klachten-door-de-ap.
Unlawful data processing, article 6 of the GDPR.