Hoge Raad - 22/03293
Hoge Raad - 22/03293 | |
---|---|
Court: | Hoge Raad (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 15 GDPR Article 35 Uitvoeringswet Algemene Verordening Gegevensbescherming |
Decided: | 15.09.2023 |
Published: | 15.09.2023 |
Parties: | |
National Case Number/Name: | 22/03293 |
European Case Law Identifier: | ECLI:NL:HR:2023:1216 |
Appeal from: | GHAMS ECLI:NL:GHAMS:2019:3966 |
Appeal to: | |
Original Language(s): | Dutch |
Original Source: | Hoge Raad (in Dutch) |
Initial Contributor: | Enzo Marquet |
The Dutch High Court held that when a data subject seeks to have their access rights enforced, they can also request preliminary injunction, even though the legal deadline for such enforcement has officially passed. The High Court also noted that making additional access requests without new information does not mean those requests are automatically manifestly unfounded or excessive.
English Summary
Facts
The case concerned an action for cassation brought before the Dutch Supreme Court on 15 September 2023, following an appeal against the Amsterdam Court of Appeal's judgment of 5 November 2019.
The main question brought before the Court was whether it was possible to raise an objection to the procesing of personal data in summary proceedings following the six-week time limit set out by Article 35(2) of the UAVG (Uitvoeringswet Algemene Verordening Gegevensbescherming). The UAVG is the Dutch national transposition of the GDPR. Article 35 UAVG implements Article 79 GDPR, and provides:
"1. If the decision on a request as referred to in Article 34 has been taken by a body other than an administrative body, the interested party may apply to the court with a written request to order the controller to comply with the request referred to in Articles 15 to 22 of the Regulation.
2. The application shall be made within six weeks of receipt of the answer from the controller. If the controller has not replied within the time limits referred to in Article 12, paragraph 3 of the Regulation, the submission of the application shall not be subject to a period."
In the present case, the data subject had made an application after the six-week time limit laid down in Article 35(2) UAVG. The facts are as follows. The data subject had taken out a student loan in 2002, and consequently, the details of it were registered in the Dutch Central Credit Registration Office (BKR). This body keeps records of private parties that have taken out credit. In early 2018, the data subject had applied for a loan and was denied due to the financial records on their credit history kept by the BKR.
On 27 June 2018, the data subject submitted an objection to processing (Article 21 GDPR) to BKR. By a letter dated 23 July 2018, BKR responded in the negative, refusing to comply with the objection.
On 30 October 2018, the data subject made a request to the court to order the controller to comply with the request made under Article 21 GDPR. The Court at first instance dismissed the application because it fell outwith the 6-week time limit under Article 35 UAVG. The data subject appealed this decision.
On 5 November 2019, the appeal was before the Amsterdam Court of Appeal. The Court upheld the First Instance ruling and dismissed the appeal. The Court of Appeal noted that:
"In a case like the present one, the claimant will have to substantiate his urgent interests against the background of Article 21 GDPR and 35 UAVG. That system is based on the idea that the parties first try to reach an agreement themselves and that, in the vent of a negative response under the penalty of inadmissability, the interested party has only a limited time to submit its objections to the Court." [1]
Moreover, the Court held that repeated requests to the controller made under Articles 15-22 GDPR are considered manifestly unfounded or excessive on the ground that it is an appeal of a previously denied request where there has been no change in circumstances or facts.
The data subject appealed the decision and on 15 September 2023, the Hoge Raad (Dutch Supreme Court) ruled on the case.
Holding
The Supreme Court upheld the appeal and overtuned the Court of Appeal's ruling. In reaching its conclusion, the Court placed emphasis on the fundamental rights nature of the GDPR, pointing to Recitals 10 and 59 GDPR. Recital 10 establishes that Member States should provide for a high level of protection of the rights and freedoms of natural persons, and Recital 59 establishes that modalities should be provided for by the controller for facilitating the exercise of data subject's rights under the GDPR.
Following from this, the Court noted that Article 21 GDPR confers the right upon data subjects to confer to processing at any time. The Court also pointed to Article 12 GDPR, which establishes that the burden falls upon the controller to demonstrate that a data subject's request is manifestly unfounded or excessive, not the data subject. The Court relied upon these provisions for its reading of Article 35(2) UAVG. The Court held that an objection made under Article 21 GDPR, must be read in-line with the principles under Article 12 GDPR,
"In the light of the foregoing, Article 35(2) UAVG should be interpreted as meaning that in a case such as the one at issue here, where the controller has rejected the data subject's request within the time limits referred to in Article 12(3) UAVG and the data subject has not filed a petition as referred to in Article 35(1) UAVG against it within the six-week period mentioned in Article 35(2) UAVG, the data subject may choose to make a renewed request to the controller. If this repeated request is again rejected by the controller, the data subject may, under Article 35(1) UAVG, request the court to order the controller to still grant the request. If the controller has not responded to the repeated request within the time limits specified in Art. 12(3) UAVG, the submission of the petition is not subject to a time limit."
Following from this, the Supreme Court held that the Court of Appeal had erred in the application of the law. The Supreme Court held that it was wrong to interpret Article 35 UAVG to mean that a data subject must base a repeated request under Articles 15-22 GDPR to acontroller or a claim in summary proceedings on new facts and circumstances compared to the earlier (rejected) request to the controller.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
- ↑ ECLI:NL:GHAMS:2019:3966, para 3.4.5