AP (The Netherlands) - z2020-08787
|AP - z2020-08787
|AP (The Netherlands)
|Article 12(3) GDPR
|National Case Number/Name:
|European Case Law Identifier:
|[ (in )]
The Dutch DPA (AP) reprimanded CAK, a Dutch public body, for violation of Article 12(3) GDPR because CAK did not respond in a timely manner to an access request. The AP concluded a reprimand is a fitting sanction since the breach was small.
English Summary[edit | edit source]
Facts[edit | edit source]
On 3 January 2020 the data subject asked for data access. CAK requested additional information on 15 January 2020, which was provided the same day. The data subject then filed a complaint with the AP on 15 February 2020. On 25 March 2020 CAK sent a formal decision together with an overview of the requested data.
Holding[edit | edit source]
The AP reprimands the CAK for the violation of Article 12, paragraph 3 of the GDPR.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the original. The AP has decided not to publish the decision, which is a violation of article 4(1) of the official publication policy of the AP.
The CAK Attn. the direction PO Box 84030 2508 M S-GRAVENHAGE Date Our reference Dec 16, 2022 z2020-08787 Contact ******** 070 8888 500 Subject Decision reprimand Dear management, In the case mentioned above, the Dutch Data Protection Authority (hereinafter: 'AP') informs you as follows. The AP has decided to reprimand the CAK. The AP is of the opinion that the CAK is culpably late responded to the request for inspection (Article 12, paragraph 3 of the General Regulation data protection (hereinafter: 'GDPR') ) With the reprimand, the AP expresses that the GDPR has been infringed. The AP believes that In this case, a reprimand is appropriate, which also involves the fact that there is a minor infringement. The person concerned has finally been given access to the processing of his personal data. That late unchanged that the AP disapproves of the behavior of the CAK. After all, the CAK adheres to the relevant ones provisions of the GDPR. Should there be a renewed violation (recidivism) in the future, the AP will report to the take into account that a reprimand has already been imposed. The decision to impose a reprimand is further substantiated below. The relevant facts and circumstances on which the reprimand is based are described in paragraph I. Section 2 describes the reprimand. Paragraph 3 shows the assessment and the violation established. Section 4 contains the operative part and the remedies clause. Date Our reference Dec 16, 2022 z2020-08787 1. Facts and Circumstances On 3 January 2020, ******** (hereinafter: 'the person concerned l', submitted a request for access to his submitted personal data to the CAK and explicitly relied on Article 12 and Article 15 of the GDPR.1 On 15 January 2020, the CAK requested the person concerned to provide additional information about the request for inspection.2 On 15 January 2020, the person concerned provided his initials and surname, home address and e-mail address to the CAK.3 On 15 January 2020, the person concerned received an e-mail confirming that the e-mail of the person concerned was received and that the CAK would make every effort to process his message no later than 22 January 2020.4 On February 28, 2020, the person concerned received the answer to the request for inspection of January 3 from the CAK 2020.5 1n the reply to the request for inspection stated that the CAK has retained the name, address, place of residence, date of birth and citizen service number (BSN) and in some cases the account number, income data and data of a partner. I let CAK further indicated that the e-mail address and the telephone number are stored with contact and that the CAK does not have the telephone number of the person concerned. Furthermore, it was explained in general terms which transactions can take place, to which parties personal data can be provided and how long the data can be kept warden. At no time was it indicated which cases specifically apply to the person concerned. In the aforementioned response from the CAK did not indicate what is registered in the systems of the CAK about the person concerned. On 28 February 2020, the person concerned sent a message6 to the CAK in which the person concerned indicated that the response to the request for access was incomplete on five points, namely: 1 what is actually registered in the systems of bet CAK is missing in the answer to it access request; 2 specific processing operations related to the data subject are not mentioned; 3 available information about the source of the personal data is not fully given; 4 a list of recipients to whom personal data have been or will be provided is missing; 5 storage periods per processing are missing. On March 25, 2020, a written decision followed with an objection clause from the CAK in which the CAK screen shots of the computer system.7 In addition, the CAK stated the purpose of the processing, namely for the maximum periodic contribution for support from the Wmo/own determine and collect the contribution for care from the Long-Term Care Act. In addition, the CAK indicated that it is subject to two 1 Acknowledgment of receipt with single file reference '2693703'. The content of the CAK follows in the email of 15 January 2020 from the CAK request. 2 Email of 15 January 2020 from the CAK to the person concerned, sent from email@example.com. 3 Email dated 15 January 2020 from the person concerned to the CAK. 4 Acknowledgment of receipt of 15 January 2020 of the message from the person concerned, sent from no-reply.helptu.nl. 5 Email of 28 February 2020 from the CAK to the person concerned, sent from firstname.lastname@example.org. 6 Email dated 28 February 2020 from the person concerned to the CAK. 7 Decision of 25 March 2020 of the CAK. Date Our reference Dec 16, 2022 z2020-08787 categories of organizations must provide personal data, namely 1) chain partners ("UVVV, Tax and Customs Administration, Municipalities, Healthcare Offices and Healthcare Institutions") and 2) processors. It was also indicated that the data will be kept as long as the person concerned uses support from the Social Support Act. Ten with regard to the retention period, the CAK stated that it is obliged, on the basis of the Archiefivet 1995, to store personal data of the person concerned for 7 years. The screenshots showed the data that the CAK has in the computer system of the person concerned, including name, address, date of birth, client number. On 29 March 2020, the data subject sent a message to the data protection officer (hereinafter: 'FG') of the CAK, in which the person concerned shared his experiences regarding the request for inspection to the CAK.8 In addition, the person concerned asked for payment details that were missing in the sent decision of 25 March 2020. On April 9, 2020, the DPO replied that payment details are available and will be provided to the data subject sent.9 On 9 April 2020, the person concerned replied that sending the payment details is not necessary.10 On 15 February 2020, the person concerned submitted a complaint against the CAK under Article 77 of the GDPR to the AP. On 25 May 2020, the person concerned supplemented his complaint and also requested corrective measures against the CAK, because, in the opinion of the data subject, the CAK had violated the GDPR by not comply with his request for inspection. On October 28, 2020, the AP announced an investigation into the complaint and sent the AP a request for information to the CAK. On November 5, 2020, the CAK provided written answers to the AP's questions. The CAK indicated the target and determine the means of the processing of personal data. Furthermore, the CAK indicated that it request for inspection from the person concerned was received on January 3, 2020 and that the CAK on March 25, 2020 has taken a decision on the request for inspection by the person concerned. Finally, the CAK indicated that there was no (legal) procedures of the person concerned are known to the CAK. By letter dated October 19, 2022, the AP informed you of its intention to impose a reprimand made. The AP has given you the opportunity to express your view on the intention to impose a reprimand. You expressed your views in a letter dated 8 July 2022 made to the AP. 8 Email of 29 March 2020 from the person concerned to the DPO of the CAK. 9 Email of 9 April 2020 from the DPO of the CAI< to the person concerned. 10 Email of 9 April 2020 from the person concerned to the DPO of the CAK Date Our reference Dec 16, 2022 z2020-08787 2. Reprimand The AP has the power to impose a reprimand if a controller breaches it makes on provisions of the AVG (article 58, second paragraph, sub b, of the AVG). Annex I to this decision contains the relevant legislation and regulations pertaining to the reprimand. That appendix forms an integral part of this decision. A reprimand - instead of a fine - can be imposed if there is a minor infringement. The DPA also considers whether the infringement poses a significant risk to the rights of those involved and does not detract from the essence of the obligation. In paragraph 3 of this decision, the AP explains why there has been a violation and why the AP reason to impose a reprimand on that basis. 3. Assessment Pursuant to Article I2, paragraph 3 of the GDPR, the controller provides the data subject without delay and in any event within one month of receipt of the request pursuant to Article 15 to with 22 information on the follow-up to the request. Depending on the complexity of the requests and of the number of requests, that period may be extended by a further two months if necessary extended. The controller shall inform the data subject within one month of receipt of the request of such extension. The AP establishes that the data subject had submitted a request for inspection to the CAK on 3 January 2020. This means that the CAK had until 3 February 2020 at the latest to provide information about the consequences has been given to the request or should have indicated that the period will be increased by two months extended. On February 28, 2020, supplemented on March 25, 2020 by the CAK and supplemented by the FG on 9 April 2020, the person concerned received the decision on his request for inspection from the CAK. The reaction follows one and a half months after the CAK received the request for inspection from the person concerned. The CA had did not make use of the power to extend the term by two months. This means that the CAK has responded too late to the request for inspection by the person concerned and is therefore in has violated Article 12, paragraph 3 of the GDPR by deciding on it later than one month request of the person concerned. The AP sees reason to impose a reprimand for the aforementioned violation. The AP finds the reprimand is an appropriate measure. The AP has taken into account that there is a small infringement. The breach does not pose a significant risk to the rights of the data subject. person concerned has ultimately obtained access to the processing of his personal data. Date Our reference Dec 16, 2022 z2020-08787 4. Operative part Reprimand The AP reprimands the CAK for the violation of Article 12, paragraph 3 of the AVG. Yours faithfully, Authority for Personal Data On their behalf ******** Director of Customer Contact and Controlling Investigation Remedies Clause If you do not agree with this decision, you can within six weeks from the date of sending it decides to submit a notice of objection to the Dutch Data Protection Authority digitally or on paper. Submitting a notice of objection does not suspend the effect of this decision. To submit a digital objection, see www.autoriteitpersoonsgegevens.nl, under the heading 'Objection at the bottom of the page under the heading 'Contact with the Dutch Data Protection Authority'. The address for submission on paper is: Dutch Data Protection Authority, PO Box 93374, 2509 AJ The Hague. Mention 'Awb objection' on the envelope and put objection in the title of your letter. Write in your notice of objection at least: • Your name and address • The date of your objection • The reference mentioned in this letter (case number); you can also get a copy of this decision attach • The reason(s) why you disagree with this decision • Your signature For more information, see: https://autoriteitpersoonsgegevens.nl/bezwaar-maken