Rb. Rotterdam - ROT 22/2125

From GDPRhub
Revision as of 09:59, 21 March 2023 by 10.90.129.158 (talk)
Rb. Rotterdam - ROT 22/2125
Courts logo1.png
Court: Rb. Rotterdam (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 13(4) GDPR
Article 14(5)(a) GDPR
Article 15(1) GDPR
Article 23(1)(d) GDPR
Article 23(1)(i) GDPR
Decided: 17.02.2023
Published: 20.02.2023
Parties: Minister of Finance (Dutch Tax Administration)
National Case Number/Name: ROT 22/2125
European Case Law Identifier: ECLI:NL:RBROT:2023:1189
Appeal from:
Appeal to: Unknown
Original Language(s): Dutch
Original Source: rechtspraak.nl (in Dutch)
Initial Contributor: elsjegold

When the Dutch Tax Administration answers a data subject's access request, it should search beyond the general system and the purpose, whom the data may have been shared with and the origin of the data should be specified.

English Summary

Facts

A data subject made an access request with the Dutch Tax Administration (the controller). The controller decided to deny the data subject's request. The data subject raised objections against this decision, but the controller declared it unfounded. The data subject appealed this decision on the objection to the Court.

The Court declared the appeal well-founded and ordered the controller to take a new decision on the objection (thus, to fulfill the access request).

The controller 'fulfilled' the request with a general indication of the personal data it processes, why, for what purpose, (information usually available in privacy policies). It also provided the data subject with their most commonly processed personal data as it appeared in the controller's general system. Last, the controller generally referred to Article 13(4), Article 14(5) and Article 23 GDPR for possible non-disclosure.

The data subject, not satisfied with this answer, again appealed the decision to the Court.

During the hearing, the controller explained that other systems used by the controller were not searched because there were too many systems and this would therefore be disproportionately burdensome. It also referred to the grounds for exemptions in the GDPR, without further details.

Holding

The District Court of Rotterdam held that searching a general system was not sufficient. The Court found that the controller's view that there were too many systems was unsubstantiated, and insufficient reasoning to suffice with the limited search it conducted. The controller had therefpre not complied with the data subject's request.

Regarding the existing documents containing personal data outside of the system searched, the Court held that the controller's general reference to grounds for exemption in the GDPR was insufficient.

Furthermore, the Court held that the controller should have specified the purpose, whom the data may have been shared with and the origin of the data. The mere listing of the personal data found, followed with a general explanation of how the Tax Administration handles personal data was not enough. The Court held that this did not allow the data subject to verify the lawfulness of processing under Article 15 GDPR.

The Court declared the appeal well-founded, annulled the contested decision and ordered the controller to make a new decision, taking this judgement into account.

Comment

The Dutch Tax Administration is a part of the Ministry of Finance. Therefore, when a decision of the Tax Administration is appealed, the party in the proceedings is the Minister of Finance. As an administrative Court, the District Court of Rotterdam is competent to annul administrative decisions.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Authority
Rotterdam District Court
Date of decision
17-02-2023
Date of publication
20-02-2023
Case number
ROT 22/2125
Fields of law
Administrative law
Special features
First instance - single-member
Content indication

Request for inspection under the AVG, defendant could not suffice with a mere search in the general system, action well founded for breach of the principle that reasons must be given.
Findings
Rechtspraak.nl
Enriched judgment
Judgment
ROTTERDAM COURT

Administrative law

Case number: ROT 22/2125

judgment of the single chamber of 17 February 2023 in the case between
[name of plaintiff] , from [place] , plaintiff,

(Agent: Mr G.A. Soebhag)

and
The Minister of Finance, defendant,

(Agent: [name of agent] ).
Proceedings

By decision dated 23 August 2019 (primary decision), the defendant rejected a request by the claimant for access under the General Data Processing Regulation (GDPR).

By decision of 4 February 2020, the defendant rejected the claimant's objection to the primary decision as unfounded.

Against this decision, the claimant filed the appeal with case number 20/1419, which was heard at a hearing on 23 December 2021.

By judgment of 3 February 2022 (20/1419), the court upheld the appeal, set aside the decision of 4 February 2020 and ordered the defendant to make a new decision on the objection in compliance with that judgment.

By decision of 24 March 2022 (contested decision), the defendant made a new decision on the objection. In doing so, the defendant provided an overview of the personal data processed.

The claimant appealed against the contested decision.

The defendant submitted a statement of defence.

The claimant submitted further documents.

The court heard the appeal at a hearing on 13 January 2023. The claimant appeared, assisted by his authorised representative. The defendant was represented by its authorised representative and by E.J.P. Nevens.
Considerations

1. For the history of this case, the court refers to its decision of 3 February 2022.

2. The defendant considered that with regard to the period up to and including 2 January 2018, the request had already been complied with by a decision dated 2 March 2018 by providing access to the data processing. With regard to the period from 2 January 2018 to 14 March 2022, the defendant generally indicated which personal data are processed by the Tax Administration, referred to belastingdienst.nl/privacy, "My Tax Service" and "My Benefits" for an overview of the personal data processed, indicated why personal data are processed, indicated how personal data are obtained, indicated with whom the personal data are shared, indicated how long the personal data are kept and provided information on automated decision-making. The Respondent generally referred to Article 13(4), Article 14(5) and Article 23 of the AVG (and the equivalent Article 41 of the AVG Implementation Act (UAVG)), for possible non-disclosure. The defendant provided a representation of the claimant's most commonly processed personal data as it appears in the most general system 'BRF'.

3. For the laws and regulations, please refer to the annex, which forms part of this ruling.

4. The claimant argues that the defendant has not fully complied with its AVG request. The defendant must provide an overview of all its personal data, stating why, when and on what legal basis personal data was processed and with whom it was shared. The claimant requests the court to impose a periodic penalty of €1,000 per day up to a maximum of €1,000,000 on the defendant to comply with its request.
4.1.

The defendant explained at the hearing that its search consisted of searching for the claimant's personal data in the most common tax system, the BRF. Other systems were not searched because, according to the defendant, there are too many systems and this would therefore be disproportionately burdensome. The defendant also presented at the hearing an inventory list known to the plaintiff of documents submitted to the court under secrecy in another of the plaintiff's appeal proceedings. This list shows that these documents consist of: bank statements of the claimant, bank statements of third parties in which the claimant's personal data appear, agreements and official reports for the purpose of criminal investigations in which the claimant's personal data appear and internal and external e-mail exchanges in which strategic information regarding the claimant's criminal and tax treatment and personal data of the claimant are mentioned.
4.2.

The court finds that by the contested decision, in conjunction with the explanation given at the hearing, the defendant has not complied with the claimant's request. It is not sufficient for the defendant to merely conduct a search in the most general system. The unsubstantiated view that there are too many systems is insufficient reasoning to suffice with this limited search. The defendant did not make it clear that a broader search than the one carried out would require a disproportionate effort. Moreover, with regard to the extent of that effort, it is relevant that the defendant has already limited the claimant's request to a specific period, namely 2 January 2018 to 14 March 2022. Furthermore, it appears from the inventory list submitted at the hearing that there are documents outside the system searched at the defendant that contain the claimant's personal data. These documents were not considered by the defendant in the decision-making process. The defendant's general reference to grounds for exemption in the AVG is insufficient, without a reasoning focused on these documents, to refuse access to the personal data contained in those documents. Moreover, the defendant did not bring those documents into these proceedings by relying on Article 8:29 of the General Administrative Law Act, so that the court cannot examine whether the grounds for exceptions were rightly invoked either.

Furthermore, the defendant cannot suffice with an enumeration of personal data found without addressing the questions raised by the claimant in its request as to the purpose of the use, to whom the data may have been provided and the origin of the data, if known. Indeed, the inspection should allow the claimant to verify the lawfulness of the data processing under Article 15 of the AVG. A mere listing of the personal data found does not enable the claimant to do so. The defendant's explanation of how personal data are generally handled at the Tax Administration is not sufficient because it does not provide any insight into how the claimant's specific personal data were handled.

5. The contested decision must therefore be annulled for breach of the principle that reasons must be given. The defendant must still carry out a search for the presence of the claimant's personal data in the applications and systems used by the Tax and Customs Administration or provide sufficient reasons as to why this would require a disproportionate effort. In doing so, the defendant must also explicitly include the documents as mentioned in the inventory list submitted at the hearing and any other documents containing the claimant's personal data, and, if applicable, explain why these documents are covered by the grounds for refusal. Furthermore, with regard to personal data provided or to be provided, the defendant will have to enable the claimant to verify the lawfulness of the data processing by answering the questions what is the purpose of the use, to whom the data have been provided, if any, and the origin of the data, if known.

6. The claimant informed the court prior to the hearing that it would call witnesses. Of those witnesses, only the defendant's agent, [name of agent] , appeared. The claimant did not request the court to summon the other witnesses. The court saw no reason to hear the defendant's authorised representative,
, as a witness, as this could not reasonably contribute to the assessment of the case. For the same reason, the court also sees no reason to summon the other witnesses called by the plaintiff.

7. The appeal is well-founded and the court annuls the contested decision. The defendant will have to make a new decision taking this judgment into account. The court considers the application of an administrative loop ineffective, as this is not expected to speed up the decision-making process. The court will set a six-week deadline for the new decision to be taken by the defendant. The court sees no reason to attach to it the penalty payment requested by the plaintiff, as there is no reason to assume that the defendant will not comply with the order. Moreover, the plaintiff has the option of giving the defendant notice of default in the event of late decision-making.

8. As the court declares the appeal well-founded, the court orders the defendant to reimburse the plaintiff for the court fee paid by him.

9. The court orders the defendant to pay the legal costs incurred by the claimant. Pursuant to the Administrative Costs Decree, the court fixes these costs at € 1,674 (one point for lodging the notice of appeal and one point for attending the hearing, with a value per point of € 837 and a weighting factor of 1) for the legal assistance provided by a third party in a professional capacity.
Decision

The court:

- Declares the appeal well-founded;

- sets aside the contested decision

- orders the defendant to take a new decision within six weeks of the date of dispatch of this ruling, taking this ruling into account;

- orders the defendant to reimburse the claimant for the court fee of € 184;

- orders the defendant to pay the claimant €1,674 in legal costs.

This decision has been delivered by A.C. Rop, judge, in the presence of
F. van Ommeren, Registrar. The judgment was pronounced in public on
17 February 2023.

Registrar
	

judge

A copy of this judgment has been sent to the parties on:
Do you disagree with this ruling?

If you disagree with this ruling, you can send a letter to the Administrative Law Division of the Council of State explaining why you disagree. This is called a notice of appeal. You must submit this notice of appeal within 6 weeks of the day this ruling was sent. You can see this date above.
Annex: laws and regulations

The General Data Protection Regulation - as far as relevant here - reads as follows:

Article 13

Information to be provided when personal data are collected from the data subject

(...)

4. Paragraphs 1, 2 and 3 shall not apply when and insofar as the data subject already has the information.

Article 14

Information to be provided when personal data have not been obtained from the data subject

(...)

5. Paragraphs 1 to 4 shall not apply when and insofar as:

(a) the data subject already has the information;

(...)

Article 15

Right of inspection of the data subject

1. The data subject shall have the right to obtain from the controller a confirmation as to whether or not personal data relating to him/her are being processed and, if so, to obtain access to those personal data and to the following information:

(a) the purposes of processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

d) if possible, the period for which the personal data are expected to be stored, or if that is not possible, the criteria for determining that period;

(e) that the data subject has the right to request the controller to rectify or erase personal data or to restrict the processing of personal data concerning him, as well as the right to object to such processing

(f) that the data subject has the right to lodge a complaint with a supervisory authority;

(g) where personal data are not collected from the data subject, any available information as to the source of those data;

(h) the existence of automated decision-making, including the profiling referred to in Article 22(1) and (4), and, at least in those cases, useful information on the underlying logic as well as the significance and expected consequences of such processing for the data subject.

(...)

Article 23

Restrictions

1. The scope of the obligations and rights set out in Articles 12 to 22 and Article 34 as well as in Article 5 may, to the extent that the provisions of those Articles correspond to the rights and obligations set out in Articles 12 to 20, be limited by provisions of Union or Member State law applicable to the controller or processor, provided that such limitation does not affect the essence of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(...)

(d) the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including the protection against and prevention of threats to public security;

(...)

(i) the protection of the data subject or of the rights and freedoms of others;

(...)