Rb. Den Haag - SGR 23/6174

From GDPRhub
Revision as of 09:02, 20 August 2024 by Ec (talk | contribs)
Rb. Den Haag - SGR 23/6174
Courts logo1.png
Court: Rb. Den Haag (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 57(1)(f) GDPR
Decided: 23.07.2024
Published: 06.08.2024
Parties: Autoriteit Persoonsgegevens
National Case Number/Name: SGR 23/6174
European Case Law Identifier: ECLI:NL:RBDHA:2024:12074
Appeal from:
Appeal to:
Original Language(s): Dutch
Original Source: Rechtspraak.nl (in Dutch)
Initial Contributor: ec

A court held that under Article 57(1)(f) GDPR, the DPA has discretion to decide to not investigate a complaint further and take any corrective measures.

English Summary

Facts

The data subject had a bankruptcy trustee. The data subject was discharged from bankruptcy on 7 July 2022. However, on 19 July 2022, an employee of a Dutch bank, ABN AMRO Bank (the controller), shared the data subject’s personal data with the former bankruptcy trustee of the data subject on the phone.

The data subject lodged a complaint at the Dutch DPA (“Autoriteit Persoonsgegevens) for an unreported data breach by the controller for sharing his personal data with his former bankruptcy trustee.

The controller sent an e-mail to the DPA, stating that the bankruptcy trustee of the data subject should have been informed that they were no longer appointed due to the discharge from bankruptcy of the data subject, and that therefore information of the data subject would not be shared anymore with them.

According to the DPA, the data subject was not complaining about a data breach, but about unlawful processing of sensitive personal data. To determine whether unlawful processing took place, further investigation was required. However, in this case, the DPA refrained from conducting further investigation.

The DPA explained why it was not investigating the data subject’s complaint, referring to the criteria on their website. On their website the DPA states that to be efficient and effective, they have to make choices and therefore use the following criteria to determine whether the complaint qualifies for further investigation: the complaint is about a violation that is still ongoing, has a broader societal interest, there are no other proceedings pending on the complaint, is specifically about a GDPR issue and the subject of the complaint has not previously been investigated by the DPA.

Taking into account the data subject's complaint, the DPA held that the alleged violation did not last long and the phone call took place quite some time ago. There was also no broader social significance and only affected the data subject and the subject of the complaint did not fall within any of the DPA’s central themes of 2024. Lastly, the DPA held that the dispute between the data subject and the former bankruptcy trustee was not primarily a GDPR violation.

The data subject appealed the DPA’s decision to not further investigate at the District Court of The Hague (“Rechtbank Den Haag”).

The DPA argued that further investigation was not needed to establish wrongdoing. The controller’s sharing of the data subject’s personal data with the former bankruptcy trustee was unlawful. However, the DPA stated that the controller acknowledged the violation and mistakenly did not report the breach to the data subject.

Holding

The court found that the DPA could refrain from conducting further investigation. According to Article 57(1)(f) GDPR, the DPA must deal with complaints to the extent appropriate. The court therefore held that the DPA has discretion to determine case by case whether to take corrective measures.

The court found that based on the available information, the DPA could not yet determine whether there was a violation as for example it was not clear what personal data was shared during the phone call. The fact that the controller should have informed the former bankruptcy trustee that they were no longer appointed and that information should not be shared with them anymore, does not mean that there was a GDPR violation. Therefore, further investigation was required.

However, the court stated it could follow the DPA’s reasoning for not further investigating the complaint based on the DPA's criteria. Therefore, the court held that the DPA could refrain from further investigating and thus dismissed the appeal.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

THE HAGUE DISTRICT COURT

Administrative law

case number: SGR 23/6174
judgment of the single-judge chamber of 23 July 2024 in the case between
[plaintiff] , from [place of residence] , plaintiff

and

the Dutch Data Protection Authority, defendant

(authorized representative: Mr. O.S. Nijveld and Mr. A. Karimi).

Introduction

1. In this judgment, the court assesses the plaintiff's appeal against the defendant's decision not to investigate his complaint further.

1.1.

The defendant dismissed this complaint by decision of 15 March 2023. By decision of 17 August 2023, the plaintiff's objection to this was declared manifestly unfounded. By the contested decision of 28 March 2024, the decision of 17 August 2023 was withdrawn, and the objection (again) declared manifestly unfounded.

1.2.

The court heard the appeal on 19 June 2024. The following persons participated: the claimant and the defendant's representatives.

Assessment by the court

What is this case about?

2. The claimant has filed a GDPR complaint with the defendant. According to the claimant, there was an unreported data breach from his former trustee and ABN AMRO Bank (the Bank). An employee of the Bank allegedly shared personal data of the claimant with the claimant's former trustee in a telephone conversation on 19 July 2022. At that time, the trustee was no longer authorised, because the claimant's bankruptcy had been lifted on 7 July 2022.

2.1.

According to the defendant, the claimant is not complaining about a (supposed) data breach, but about an (supposed) unlawful processing of sensitive personal data. According to the defendant, further investigation is required in order to determine whether there has been unlawful processing of sensitive personal data. In this case, the defendant has refrained from conducting further investigation. This case concerns the question of whether the defendant was allowed to refrain from further investigation.

What does the plaintiff think?

3. No further investigation is required to establish the violation. The exchange of the plaintiff's data between the Bank and the former trustee was unlawful. The Bank has acknowledged the violation. The Bank and the former trustee wrongly failed to report the data breach to the defendant.

What is the court's judgment?

Appeal against the decision of 17 August 2023

4. The defendant has withdrawn the decision of 17 August 2023. The plaintiff has not stated that he has suffered damage as a result of the decision of 17 August 2023. In view of this, the plaintiff no longer has an interest in a substantive assessment of his appeal against the decision of 17 August 2023. The court therefore declares the plaintiff's appeal inadmissible insofar as it is directed against the withdrawn decision due to the loss of procedural interest.

Appeal against the decision of 28 March 2024

5. The court finds that the defendant could refrain from conducting further investigation. The court explains below how it reached this conclusion.

5.1.

According to the law, the defendant must handle complaints to the extent that this is appropriate. This means that the defendant has discretion to determine in which cases it will take enforcement action and in which cases it will not. The defendant uses a fixed procedure in this regard. The fixed procedure entails that the defendant makes an initial substantive assessment of a complaint that meets the formal requirements. This initial substantive assessment can have three outcomes: there is a violation, there is no violation or it is (not yet) clear whether there is a violation. If it is (not yet) clear whether there is a violation, the defendant will determine whether it will investigate the complaint further. The defendant will determine this on the basis of criteria that it has stated on its website.
5.2.

Given the available information, the defendant could conclude that a violation could not (yet) be established. It is namely not clear which data was exchanged during the telephone conversation. The defendant could therefore not determine whether the processing was necessary to serve a legitimate interest, for example on the basis of the Bankruptcy Act after the settlement of a bankruptcy. The e-mail message of 15 September 2022 from the Bank does not change this. In it, the Bank writes that the former trustee should have communicated that the guardianship had ended, and that the information would then not have been provided to him, but that does not mean that the GDPR has been violated. After all, in order to be able to determine whether there has been a violation, it must be clear (among other things) which data has been exchanged. Further investigation is required for this.
5.3.

The defendant has explained, using the criteria on its website, why it is not investigating the plaintiff's complaint further. The alleged violation did not last long and the telephone conversation took place quite some time ago. Furthermore, compared to other (alleged) violations, there is no broader social significance and the violation only affects the plaintiff himself. In addition, the subject of the violation does not fall within one of the themes that the defendant has centralized in 2024. The extent to which the defendant can act effectively and efficiently is also limited, because the core of the underlying dispute with the plaintiff's former curator does not primarily lie in a violation of the GDPR. The court can follow the defendant in this. The defendant was therefore allowed to refrain from conducting further investigation.

Conclusion and consequences

6. The court declares the appeal against the replacement decision of 28 March 2024 unfounded. This means that the defendant did not have to further investigate the plaintiff's GDPR complaint.
6.1.

The appeal against the withdrawn decision of 17 August 2023 is inadmissible due to a lack of procedural interest. However, the defendant must repay the court fee of € 184 to the plaintiff.
6.2.

There is no reason to award costs.

Decision

The court: - declares the appeal against the contested decision of 17 August 2023 inadmissible;- declares the appeal against the contested decision of 28 March 2024 unfounded;- orders the defendant to reimburse the paid court fee of € 184 to the plaintiff.

This decision was made by Mr. E.K.S. Mollen, judge, in the presence of Mr. B.D.A. Mantingh, clerk. The decision was pronounced in public on 23 July 2024.

clerk

judge

A copy of this decision was sent to the parties on:

Information about appeal

A party that disagrees with this decision may send an appeal to the Administrative Jurisdiction Division of the Council of State explaining why this party disagrees with this decision. The appeal must be submitted within six weeks after the date on which this decision was sent. If the submitter cannot await the hearing of the appeal because the case is urgent, the submitter can request the provisional relief judge of the Administrative Jurisdiction Division of the Council of State to make an interim provision (a temporary measure).

Based on article 6:19 of the General Administrative Law Act (Awb), the appeal automatically also relates to the contested decision.

General Data Protection Regulation.

Article 4, opening words and under 12, of the GDPR.

Article 6, first paragraph, of the GDPR read in conjunction with article 5 of the GDPR.

Article 57, first paragraph, opening words and under f, of the GDPR.

See: www.autoriteitpersoonsgegevens.nl/een-tip-of-klacht-indienen-bij-de-ap/behandeling-van-klachten-door-de-ap.

Unlawful data processing, article 6 of the GDPR.