Rb. Amsterdam - 20/1908
Rb. Amsterdam - 20/1908 | |
---|---|
Court: | Rb. Amsterdam (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 6(1)(c) GDPR Article 6(3) GDPR Article 36(1) GDPR Article 52(2) GDPR UAVG Spanish royal decree 1070/2017 |
Decided: | 08.03.2021 |
Published: | 29.04.2021 |
Parties: | Autoriteit Persoonsgegevens Booking.com |
National Case Number/Name: | 20/1908 |
European Case Law Identifier: | ECLI:NL:RBAMS:2021:926 |
Appeal from: | Autoriteit Persoonsgegevens |
Appeal to: | Unknown |
Original Language(s): | Dutch |
Original Source: | uitspraken.rechtspraak.nl (in Dutch) |
Initial Contributor: | Kave Noori |
The Amsterdam District Court upheld the Dutch DPA's decision to deny Booking.com's request for prior consultation. The court ruled that the Spanish DPA is the competent supervisory authority, as the personal data would be collected to comply with a Spanish tax law.
Facts
Booking.com is an online accommodation platform headquartered in Netherlands. Booking.com was planning to collect additional information about customers for accommodation in Spain. The additional information on 'accommodation partners' and 'bookers' would be collected in order to comply with Booking.com's tax reporting obligations arising from Article 1.11 of the Spanish Royal Decree 'Real Decreto 1070/2017' of 29 December 2017.
Before Booking.com started collecting this data, it requested prior consultation under Article 36(1) GDPR from the Dutch DPA Autoriteit Persoonsgegevens ("AP"). Article 36(1) GDPR requires a data controller to consult a DPA when a data processing activity is likely to result in a high risk of harm to data subjects. Booking.com submitted the request to the AP under the one-stop-shop mechanism of the GDPR, which makes the AP its lead supervisory authority.
The AP denied the request for prior consultation for lack of jurisdiction to enforce Spanish law. The AP pointed out that Article 55(2) GDPR excludes the one-stop-shop mechanism from data processing activities whose legal basis is the performance of a legal obligation Article 6(1)(c) GDPR. The AP referred Booking.com to the Spanish DPA, Agencia Española de Protección de Datos (AEPD), to resolve the case. Booking.com appealed the decision, claiming that the AP was competent to advise on the matter.
Dispute
1. Does the one-stop-shop mechanism apply to this processing?
Booking.com considered that the AP interpreted Article 55(2) GDPR too narrowly. Booking.com considered that Article 55(2) GDPR did not apply to all private sector entities, but only to certain private sector entities who are acting in the public interest. Booking.com considered that it did not perform a task in the public interest. Furthermore, Booking.com considered that recitals 122 and 128 supported its view that the wording of Article 55(2) GDPR should not be interpreted as the AP had done.
2. Is Spanish royal decree 1070/2017 a law under the GDPR?
Booking.com further asked whether Royal Decree 1070/2017 is a law within the meaning of Article 6(1)(c) GDPR. Article 6(1)(c) GDPR provides a legal basis for processing personal data on the basis of a legal obligation. Booking.com found it questionable that the AP accepted Decree 1070/2017 as a law. Booking.com also claimed that there is a conflict of law between the Spanish decree and the Dutch law implementing the GDPR (UAVG), which prohibits the company from collecting national identification numbers.
Holding
1. Does the one-stop-shop mechanism apply to this processing?
First, the court analyzed the wording of Article 55(2) GDPR. The court noted that Article 55(2) GDPR refers quite clearly to "private entities", which means that it can be applied to any private entity. The provision should not be interpreted as applying exclusively to certain private entities entrusted with a public interest task.
Secondly, the Court referred to recitals 122 and 128 to further support its interpretation:
Recital 122 states that any data protection authority should have the power to carry out a task conferred on it by the GDPR on the territory of its Member State. This power should include, inter alia, 'the processing of personal data carried out by private bodies acting in the public interest'. The Court found that the wording of the recital did not emphasize that private bodies not performing tasks in the public interest should be excluded.
Recital 128 indicates that the one-stop shop and lead supervisory authority rules should not apply "where the processing is carried out by private bodies in the public interest". The Court noted that the wording of this recital focuses on the data processing activity itself and not on who the actor is.
The Court concluded that both Recital 122 and Recital 128 focus on the data processing activity per se, which is carried out in the public interest. The court underlined that this is consistent with the notion of "legal obligation" under Article 6(1)(c) GDPR. The court clarified that a company processing personal data to comply with a legal obligation is acting in the public interest and not in its own interest.
Booking.com had cited the Dutch government's Explanatory Memorandum for the GDPR Implementation Act (UAVG) to support its interpretation of Article 55(2) GDPR. The court commented by clarifying that a justification of a national law cannot change a mandatory provision of an EU regulation.
The court held that the Spanish DPA, and not the Dutch DPA, is the competent supervisory authority in relation to the processing activities at issue in this case, where the legal basis is a "legal obligation" under Article 6(1)(c) GDPR.
2. Is Spanish royal decree 1070/2017 a law under the GDPR?
The court first examined the concept of "legal obligation" in the GDPR. The court noted that a "legal obligation" should not be understood only as a law in the formal sense. Further, the court clarified that Article 6(3) GDPR makes clear that a legal obligation must have its legal basis either in an EU law or in a Member State law applicable to the controller. The court concluded that the Decree can be considered as a legal obligation within the meaning of Article 6 GDPR.
Secondly, the court found that the absence of a law in the Dutch sense was not a problem. The court clarified that the GDPR Implementation Act (UAVG) does not prohibit Booking.com from collecting personal data based on a Spanish tax law. The court emphasized that the GDPR has direct effect in all member states and must be interpreted autonomously (regardless of member state law) and uniformly across the EU. Further, the court clarified that the issue must be viewed solely through the lens of the GDPR. The court therefore concluded that Booking.com's fear that prior consultation by the AEPD would lead to a result that conflicted with the provisions of the GDPR Implementation Act (UAVG) was unfounded.
The court upheld the AP’s decision, upholding that AP lacked jurisdiction to provide prior advice to Booking.com. The appeal was therefore dismissed.
Comment
Article 87 GDPR gives member states room to prescribe under which conditions national identification numbers may be used by controllers. The case does not explicitly mention which paragraph in the Dutch GDPR Implementation Act (UAVG) would prohibit the collection of national identification numbers. The initial contributor to this wiki article believes that Article 46(1) of the UAVG is that provision. In fact, this provision limits the use of national identification numbers to situations where a law requires the processing of national identification numbers. It also prohibits the further processing of collected national identification numbers for new purposes not authorized by a law.
AirBnB has written a FAQ about Spanish royal decree 1070/2017: https://www.airbnb.com/help/article/2470/tax-data-sharing-in-spain-frequently-asked-questions#9
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Authority Court of Amsterdam Date of judgment 08-03-2021 Date of publication 29-04-2021 Case number 20/1908 Jurisdictions Administrative law Special characteristics First instance - multiple Content indication Article 55, second paragraph, of the GDPR. Article 6, first paragraph, opening lines and under c, of the GDPR. Power of the Dutch Data Protection Authority for prior consultation with regard to data processing on the basis of Spanish law. The Dutch Data Protection Authority takes the position that it is not it, but the Spanish supervisory authority that is competent to process the request for a prior consultation. Appeal unfounded. Locations Rechtspraak.nl Enriched pronunciation Share pronunciation Print Save as PDF Copy link Statement COURT AMSTERDAM Administrative lawsuit number: AMS 20/1908 judgment of the multiple judge in the case between Booking.com BV, Amsterdam, plaintiff (attorney: mr. J. Bodewits), and the Dutch Data Protection Authority, defendant (attorneys: mr. W. van Steenbergen and mr. E Nijhof). Procedure By decision of 23 September 2019 (the primary decision), the respondent did not consider the claimant's request for prior consultation on the basis of Article 36, first paragraph, of the General Data Protection Regulation (GDPR). On February 18, 2020 (the contested decision), the defendant declared the plaintiff's objection unfounded. The plaintiff filed an appeal against the contested decision. The defendant filed a statement of defense. The hearing took place on 13 January 2021 using a video and audio connection. via Skype for Business. Plaintiff was represented by her authorized representative. [Name 1] and [name 2] also appeared on behalf of plaintiff, assisted by H. Bos, an interpreter in the English language. The defendant was represented by its agents. Considerations 1. With her request of 2 July 2019, the Plaintiff requested the Respondent for a prior consultation as referred to in Article 36, first paragraph, of the GDPR. Plaintiff made this request because it intends to collect and provide personal data of "Accomodation partners" and "Bookers" of accommodations in Spain to the Spanish authorities. This disclosure is made on the basis of Spanish tax reporting obligations arising from Article 1.11 of the Spanish Royal Decree "Real Decreto 1070/2017" of December 29, 2017. Respondent has taken the position that it is not he, but the Spanish regulator that is competent to assess the Claimant's request for a prior consultation. Respondent has acknowledged that Plaintiff has its European headquarters in the Netherlands and that it determines the purpose and means of data processing in the Netherlands. On the basis of the "one-stop-shop mechanism", which is the starting point under the GDPR, the respondent is in principle the plaintiff's leading data protection supervisor. However, the prior consultation requested by the plaintiff is an exception to that principle, because it concerns processing of personal data on the basis of a legal obligation in Spanish tax law (Real Decreto 1070/2017). This is a legal obligation as referred to in Article 6, paragraph 1, opening lines and under c, of the GDPR. Article 55, second paragraph, of the GDPR states that the one-stop-shop mechanism does not apply to processing operations by public organizations or private organizations based on that basis. The respondent therefore takes the position that the plaintiff should apply to the Spanish regulator, the Agencia Española de Protección de Datos (AEPD). Plaintiff's position 3.1. Plaintiff takes the position that the defendant is giving too strict an explanation. Article 55, second paragraph, of the GDPR. This article only applies to private bodies that act in the public interest and Plaintiff does not do that. Plaintiff points to the preamble to the GDPR in substantiation, in particular under numbers 122 and 128.3.2. Plaintiff also doubts whether in this case there is a legal obligation within the meaning of Article 6, first paragraph, opening words and under c, of the GDPR. In his decision, the defendant states that the plaintiff processes personal data on the basis of that provision by accepting the Spanish regulations as law and thereby presuming the lawfulness of the processing activities by the plaintiff. Plaintiff cannot agree with this interpretation, in particular not because UAVG2 prohibits Plaintiff from collecting national identification numbers. 3.3 Based on this, Plaintiff is of the opinion that the Respondent is authorized to consider her request for prior consultation. court 4. The court should answer the question whether the defendant has rightly taken the position that he is not competent to deal with the request for a prior consultation. How should Article 55, second paragraph, of the GDPR be interpreted? 5.1 Article 55, second paragraph, of the GDPR provides, insofar as it is relevant in this procedure, that in the case of processing by public authorities or private bodies acting on the basis of Article 6, paragraph 1, opening words and under c. , of the GDPR the supervisory authority of the Member State in question is competent. In such cases, Article 56 does not apply. 5.2 Article 6, paragraph 1, opening lines and under c, of the GDPR provides that the processing is only lawful if and insofar as the processing is necessary to comply with a legal obligation that applies to 5.3. The preamble to the GDPR states, among other things: (122) Each supervisory authority should be competent in the territory of its Member State to exercise the powers and duties conferred on it in accordance with this Regulation . This should include in particular: (…) the processing of personal data by public authorities or private bodies acting in the public interest (…). (128) The rules on lead supervisory authority and the one-stop-shop mechanism should not apply where the processing is carried out by public authorities or private bodies in the public interest. In such cases, the supervisory authority of the Member State where the public authority or private body is established should be the sole competent supervisory authority in accordance with this Regulation. GDPR is based on 'private bodies' and not only on private bodies that (partly or partially) serve a general interest. The provision is not unclear in that regard. For reasons of legal certainty alone, a clear provision should be applied as such. 5.5 Nor is the plaintiff supported in its contention that the preamble under numbers 122 and 128 indicates that the literal text is not intended to be and should not be followed. . In the text under number 122, the processing of personal data is mentioned as a competence or task over which a supervisory authority is competent. The emphasis there is not on excluding private bodies that do not act in the public interest. In the text under number 128, the use of the phrase "in the public interest" does not refer to the private body, but to the processing of personal data. In both cases, it therefore concerns the circumstance that the processing of personal data is carried out in the public interest. This is in line with the term "legal obligation" of Article 6, first paragraph, opening lines and under c, of the GDPR. After all, with the processing of personal data on the basis of a legal obligation, a private organization does not necessarily serve its own interest, but it does serve the public interest. 5.6 Contrary to what plaintiff has argued, what it has quoted from the Explanatory Memorandum to the UAVG no argument can be taken for its interpretation of Article 55, second paragraph, of the GDPR. The main thing here is that an explanation of a national law cannot amend a mandatory provision of an EU regulation. Moreover, the quotation concerns a public law and not a private body. 5.7 If processing is based on Article 6, first paragraph, opening words and under c of the GDPR, the AEPD is therefore competent in the present case. . This ground of appeal on the part of the Claimant is not successful. Is the Decreto Royal 1070/2017 a law within the meaning of Article 6, first paragraph, opening lines and under c, of the GDPR? 6.1 It is not disputed that the reporting obligation that the Claimant must comply with in Spain it is based on a Spanish Royal Decree (Decreto Royal 1070/2017). The Royal Decree has been signed by the King and by the responsible Minister of State. 6.2 It does not follow from the GDPR that the term 'legal obligation' should only be understood as a law in a formal sense. In addition, it follows from Article 6 (3) of the GDPR that the legal basis for the processing referred to in Article 6 (1), preamble and under c, of the GDPR must be determined by: a) Union law; or (b) Member State law applicable to the controller. In this case, Member State law is involved, since the plaintiff is subject to Spanish law. The Spanish legislation that has been questioned here by Plaintiff can therefore be regarded as a legal obligation within the meaning of Article 6, first paragraph, opening words and under c, of the GDPR. 6.3. Plaintiff is not followed in her argumentation. that from the UAVG3 - in the absence of a Dutch law in a formal sense - a prohibition arises for the plaintiff to collect the national identification numbers requested on the basis of the Spanish tax legislation. The GDPR is a European regulation that has direct effect in the national legal order of all member states of the European Union (EU). The GDPR should therefore be interpreted autonomously, with a view to its uniform application throughout the EU.4 The assessment framework is the GDPR and not the UAVG as the plaintiff states. The plaintiff's fear that a prior consultation by the Spanish regulator may have a result that contradicts the UAVG is therefore unfounded. 6.4 Finally, the court notes that insofar as Plaintiff has argued that the Spanish regulations may be in conflict with the GDPR, which cannot lead to a well-founded appeal. This circumstance does not affect the question whether the defendant is competent to deal with the request for prior consultation and therefore falls outside the scope of these proceedings. Respondent has rightly ruled that he is not authorized to deal with the claimant's request for prior consultation. 8. The appeal is unfounded. 9. There is no reason for an order for costs to be ordered or reimbursed for the court fees. Decision The court declares the appeal unfounded. This judgment was made by Mr. R. Hirzalla, chairman, Mr. M. Greebe and Mr. TL Fernig-Rocour, members, in the presence of Mr. . L.N. Linzey, Registrar. The decision will be pronounced in public. Clerk of the Court A copy of this decision is sent to the parties on: Legal remedy This decision can be appealed to the Administrative Jurisdiction Division of the Council of State within six weeks of the date on which it was sent. a decommissioning as referred to in Section 4: 5 of the General Administrative Law Act, but the respondent does not consider itself competent to deal with the request. 3 General Data Protection Regulation Implementation Act. 4 This follows from Article 288 of the Treaty on the Functioning of the EU.