Rb. Midden-Nederland - ECLI:NL:RBMNE:2023:6043

From GDPRhub
Revision as of 09:53, 6 December 2023 by Aa (talk | contribs)
Rb. Midden-Nederland - ECLI:NL:RBMNE:2023:6043
Courts logo1.png
Court: Rb. Midden-Nederland (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 12(3) GDPR
Decided: 09.11.2023
Published: 29.11.2023
Parties: University of Utecht
National Case Number/Name: ECLI:NL:RBMNE:2023:6043
European Case Law Identifier: ECLI:NL:RBMNE:2023:6043
Appeal from:
Appeal to:
Original Language(s): Dutch
Original Source: De Rechtspraak (in Dutch)
Initial Contributor: n/a

The Central Netherlands District Court awarded a data subject €707 in damages for a controller's late response to an access request. The controller was in violation of Article 12(3) GDPR, as they had failed to respond to the data subject's access request within the one-month deadline.

English Summary

Facts

On 2 December 2022, the data subject made an access request to the University of Utrecht (the controller), under Article 15 GDPR. In the request, the data subject asked for 'all information about my [their] records'.

On 11 January 2023, the controller responded asking the data subject to clarify their request, as the original request was too general and not specific enough.

On 13 January 2023, the data subject replied, noting that they did not need to provide the controller with any more information.

On 10 February 2023, the controller set aside the data subject's request due to their lack of response and notified them thereof. The data subject subsequently brought a claim against the controller in the Central Netherlands District Court for the lack of response to their access request.

Holding

The Court held that the controller was in violation of Article 12(3) GDPR, as they had failed to respond to the data subject's access request within the one-month deadline.

The Court noted that, while the controller did respond with a request for more information. This response was after the one-month deadline established by Article 12(3) GDPR. Usually, a request for more information would have suspended the one-month deadline. However, in this case it was not suspended, as the response was done after the deadline had passed. The Court further held that there was no infringement of Article 15 GDPR, as the data subject did not respond to the controller's request for more information. As such, the controller was entitled to set aside the access request on 10 February 2023.

As a result, the Court held that the controller was liable for damages for their violation of Article 12(3) GDPR, and awarded the data subject €707 in damages. The amount awarded was calculated on the basis of domestic administrative law, as the controller (the University of Utrecht) is an administrative body.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.