Rb. Den Haag - AWB - 20 5680
Rb. Den Haag - AWB - 20 _ 5680 | |
---|---|
Court: | Rb. Den Haag (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 13(1) GDPR Article 15(1) GDPR Article 15(4) GDPR Article 23(1)(i) GDPR |
Decided: | 08.12.2021 |
Published: | 22.12.2021 |
Parties: | Regional Public Health Service (RDOG) Hollands Midden |
National Case Number/Name: | AWB - 20 _ 5680 |
European Case Law Identifier: | ECLI:NL:RBDHA:2021:13435 |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | Dutch |
Original Source: | Rechtspraak.nl (in Dutch) |
Initial Contributor: | Giel Ritzen |
The District Court Den Haag held that data subject’s right to access can be restricted by omitting the identity of third parties who reported them, because of the privacy of these third parties, Article 23(1)(i).
English Summary
Facts
Controller is the managing board of the Regional Public Health Service (RDOG) Hollands Midden. Data subject is a person who was reported anonymously to the Care and Nuisance Reporting Centre of the Municipal Health Service (GGD) Hollands Midden. This Reporting Centre discussed the report in their meeting, and decided that this was not a task for them, so they closed the file. However, controller also received a notification of this report, and registered this notification in their system by mistake. Moreover, controller did not inform data subject about this notification.
After data subject became aware of the existence of the notification at the beginning of 2020, they wanted to find out who reported them. Hence, they filed an access request pursuant to Article 15 GDPR, after which they received a copy of the report that was made. However, because the report was anonymous, a passage containing personal data of the person who reported them, was omitted. Data subject wanted to know the identity of this person, so they could pursue further legal claims against this person, and brought the action before court.
Holding
The Court rejected the appeal.
First, it stated that the controller wrongfully did not inform the data subject regarding the notification, violating Article 13(1) GDPR. The controller, however, had already acknowledged this, had apologised to the data subject and adjusted the work process to avoid a similar situation in the future.
Second, the Court considered data subject’s claim to know the identity of the person who reported them. It stipulated that the GDPR is not intended for this purpose, since the purpose of the right to access is to enable the data subject to inform themselves of the processing of their personal data and to check the lawfulness thereof. According to the Court, it is not the controller’s task to enable the data subject to improve their legal claim against another entity, via the GDPR.
Moreover, the Court stated that, pursuant to Article 15(4) GDPR, the right of access cannot infringe the rights and freedoms of others, and, pursuant to Article 23(1)(i) GDPR, this right may be restricted (in brief) on account of the rights and freedoms of others. Hence, the Court found that the removal of personal data of the third parties was justified for the sake of their privacy. It even stated that the controller supplied more information than needed under the GDPR, since the mere notification that data subject’s personal data was processed, would have been sufficient.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Body Court of The Hague Date of judgment 08-12-2021 Date of publication 22-12-2021 Case number AWB - 20 _ 5680 Jurisdictions Administrative law Special characteristics First instance - single Content indication proceedings on the merits, GDPR Locations Rechtspraak.nl Enhanced pronunciation Share pronunciation print Save as PDF Copy link Pronunciation COURT OF THE HAGUEAdministrative case number: SGR 20/5680ruling of the single chamber of 8 December 2021 in the case between [plaintiff], at [place of residence], claimant and the executive board of the Regional Public Health Service (RDOG) Hollands Midden, defendant (agent: mr. KJJW Smedts). Plaintiff has been granted access to her personal data. By decision of 22 July 2020 (the contested decision), the defendant declared the objection of the plaintiff unfounded. Plaintiff appealed against the contested decision. Defendant filed a statement of defence. The hearing was held on November 4, 2021. Plaintiff was present. The defendant was represented by its authorized representative, mr. K.J.J.W. smedts. [A] and Mr. [B] were also present for the defendant. ConsiderationsWhat is this case about?1. On November 16, 2018, an (anonymous) report was received about the plaintiff at the Hotline for Care and Nuisance of the GGD Hollands Midden. Defendant has processed this notification in the system without informing Plaintiff about this. Plaintiff became aware of the existence of the report at the beginning of 2020. Plaintiff wants to obtain all the documents that are available about her with the help of the AVG1 in order to find out who made this report about her. What are the rules ? 2. The request is subject to the GDPR. Article 15 of the GDPR regulates the data subject's right of access to the personal data concerning him. Article 23 of the GDPR and Article 41 of the UAVG specify the restrictions on the right of access. What do the parties on appeal think? 3.1. Plaintiff believes that a passage containing a third party's personal data has been incorrectly painted off in the notification form that she has received. She thinks this is censorship. According to her, it was the intention from the start to hide the report from her. The minutes of the care network meeting are too brief. In order to find out what was said there, she wants the contact details of the participants in the consultation, especially those of the employees of the municipality of Oegstgeest and the police. Plaintiff also wants to be provided with the advice issued by the Meldpunt. Plaintiff finds it incorrect that Defendant has interpreted and treated some parts of her objection as a complaint. According to her, these are indeed objections. 3.2. Defendant states that on 15 November 2018 a signal about Plaintiff was submitted to Meldpunt Zorg en Nuisance by the local police officer. Nothing was done with this report because it was not a matter for Meldpunt. The report received the day after, on November 16, 2018, was registered in the system by mistake. This was incorrect. Plaintiff should have been informed about this. The information requested by the claimant has been provided to her, with the exception of data from third parties. Their privacy opposes this. The signal that was submitted about the claimant was discussed once in the care network meeting of the Meldpunt. The minutes show that it was not a task for Meldpunt. The file is therefore closed. There has been no more or other communication about the claimant with other authorities. The minutes of the care network meeting are by definition brief. There is no question of a (substantive) response or advice to the report. What is the court's opinion? 4.1 The court states first and foremost that the defendant should have notified the plaintiff that her personal data has been processed. The defendant acknowledged this, apologized to the plaintiff and adjusted the work process to prevent a similar situation in the future. 4.2 As became apparent during the hearing, the claimant wants to find out through the respondent who made the (anonymous) report about her at the time. Plaintiff suspects that it is an official of the municipality of Oegstgeest and wants to take legal action against the municipality, such as submitting a complaint to the National Ombudsman. The court finds that the GDPR is not intended for that. The right of access under the GDPR aims to enable the data subject to be informed of the processing of his personal data and to check its lawfulness. It is not the defendant's task to enable the plaintiff to submit a complaint against the municipality that is as concrete as possible via the AVG. 4.3 In these proceedings it must be assessed whether the defendant has correctly handled the request for access by the plaintiff. The court finds that the defendant has provided to the plaintiff everything that was about the report, with the exception of the data of third parties. This concerns the data of the reporter and the data of the members of the care network consultation in which the report was discussed. In doing so, the defendant acted in accordance with the GDPR. Pursuant to Article 15(4) of the GDPR, the right of access does not affect the rights and freedoms of others. According to Article 23, first paragraph, preamble and under i, of the GDPR2, the right of access can be limited (in short) because of the rights and freedoms of others. It is therefore justified to omit the personal data of third parties for the sake of their privacy. Incidentally, the Respondent could have sufficed by inspecting or stating the Plaintiff's personal data and has therefore, strictly speaking, done more than he was obliged to do under the GDPR. 4.4 Plaintiff's argument that there should be more documents about her than she received is not successful. According to settled case law of the highest administrative court3, if the administrative authority does not deny that there are documents without credibility, it is up to the person concerned to demonstrate that the information is there. Defendant stated that Plaintiff received everything that was there and that there is no more. The court has no reason to doubt that. After all, the report was also inappropriate because the claimant does not belong to the target group of Meldpunt. Plaintiff has not made it plausible that there would be more or different documents.4.5 Finally, Defendant has correctly established that a number of parts of the objection relate to treatment and working method and can therefore be regarded as complaints. After all, this does not concern the right of inspection as such or the care with which the contested decision was taken. Conclusion5. The appeal is unfounded.6. The defendant does not have to pay any legal costs. Decision The court declares the appeal unfounded. This decision was made by mr. D. Biever, judge, in the presence of mr. B.M. van der Meide, clerk of the court. The verdict was pronounced in public on December 8, 2021.Registrar JudgeCopy sent to parties at:Do you disagree with this verdict? If you do not agree with this ruling, you can send a letter to the Administrative Jurisdiction Division of the Council of State explaining why you do not agree with it. This is called an appeal. You must submit this notice of appeal within 6 weeks of the day on which this decision was sent. You can see this date above. 1 General Data Protection Regulation2And the equivalent article 41 of the UAVG3 Decision of the Administrative Jurisdiction Division of the Council of State of 16 June 2021, ECLI:NL:RVS:2021:1278