Hoge Raad - 22/03293

From GDPRhub
Revision as of 19:52, 1 October 2023 by FeestHoed (talk | contribs) (Created page with "{{COURTdecisionBOX |Jurisdiction=Netherlands |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Hoge Raad |Court_Original_Name=Hoge Raad der Nederlanden |Court_English_Name=Supreme Court of the Netherlands |Court_With_Country=Hoge Raad (Netherlands) |Case_Number_Name=22/03293 |ECLI=ECLI:NL:HR:2023:1216 |Original_Source_Name_1=Hoge Raad |Original_Source_Link_1=https://uitspraken.rechtspraak.nl/#!/details?id=ECLI:NL:HR:2023:1216&showbutton=true&keyword=ECLI...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Hoge Raad - 22/03293
Courts logo1.png
Court: Hoge Raad (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 15 GDPR
Article 35 Uitvoeringswet Algemene Verordening Gegevensbescherming
Decided: 15.09.2023
Published: 15.09.2023
Parties:
National Case Number/Name: 22/03293
European Case Law Identifier: ECLI:NL:HR:2023:1216
Appeal from: GHAMS
ECLI:NL:GHAMS:2019:3966
Appeal to:
Original Language(s): Dutch
Original Source: Hoge Raad (in Dutch)
Initial Contributor: Enzo Marquet

The Dutch High Court held that when a data subject seeks to have their access rights enforced, they can also request preliminary injunction, even though the legal deadline for such enforcement has officially passed. The High Court also noted that making additional access requests without new information does not mean those requests are automatically manifestly unfounded or excessive.

English Summary

Facts

The data subject requested ING (a bank and the controller) the national board of credit registration (controller and a public instance) to delete her data. ING refused this. The data subject then went to court to have her data deleted. The data subject also submitted a claim for preliminary injunction. However, the court in first instance dismissed her preliminary claim since she submitted it more than 6 weeks after the rejection of her request for erasure. The court referred to article 35(1) law implementing the GDPR (UAVG) for this time frame.

Holding

The High Court first held that making additional access requests under Article 15 to Article 22, even though that request includes no new information, does not automatically mean the request is manifestly unfounded of excessive.

The High Court clarified that article 35 of the Dutch UAVG specifies that the petition procedure should be used when a data subject asks the court to instruct the data controller to accept or reject a request based on Articles 15 to 22 of the GDPR. The High Court stated that the regular court cannot be used to challenge a decision of a controller for access request. However, the High Court did hold that for urgent needs, temporary relief can be requested through a preliminary injunction. On top of that missing the deadline under article 35 UAVG does not deprive a data subject of its right from seeking legal action through this preliminary injunction.

Lastly, the High Court held that when a controller denies an access request, it must motivate its decision. It comes to the controller to show why the request is manifestly unfounded or excessive.

As such, the High Court annuled the decision by the regular court.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.