AP (The Netherlands) - z2020-08787

From GDPRhub
Revision as of 09:16, 19 May 2023 by Jochemd (talk | contribs) (Upated appeal status)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AP - z2020-08787
LogoNL.png
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 12(3) GDPR
Type: Complaint
Outcome: Upheld
Started: 15.02.2020
Decided: 16.12.2022
Published:
Fine: n/a
Parties: CAK
National Case Number/Name: z2020-08787
European Case Law Identifier: n/a
Appeal: no
Original Language(s): [[:Category:|]] [[Category:]]
Original Source: [ (in )]
Initial Contributor: n/a

The Dutch DPA (AP) reprimanded CAK, a Dutch public body, for violation of Article 12(3) GDPR because CAK did not respond in a timely manner to an access request. The AP concluded a reprimand is a fitting sanction since the breach was small.

English Summary

Facts

On 3 January 2020 the data subject asked for data access. CAK requested additional information on 15 January 2020, which was provided the same day. The data subject then filed a complaint with the AP on 15 February 2020. On 25 March 2020 CAK sent a formal decision together with an overview of the requested data.

Holding

The AP reprimands the CAK for the violation of Article 12, paragraph 3 of the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. The AP has decided not to publish the decision, which is a violation of article 4(1) of the official publication policy of the AP.

The CAK
Attn. the direction
PO Box 84030
2508 M S-GRAVENHAGE

Date                   Our reference
Dec 16, 2022           z2020-08787

Contact
********
070 8888 500

Subject
Decision reprimand

Dear management,

In the case mentioned above, the Dutch Data Protection Authority (hereinafter: 'AP') informs you as follows.
The AP has decided to reprimand the CAK. The AP is of the opinion that the CAK is culpably late
responded to the request for inspection (Article 12, paragraph 3 of the General Regulation
data protection (hereinafter: 'GDPR') )

With the reprimand, the AP expresses that the GDPR has been infringed. The AP believes that
In this case, a reprimand is appropriate, which also involves the fact that there is a minor infringement.
The person concerned has finally been given access to the processing of his personal data. That late
unchanged that the AP disapproves of the behavior of the CAK. After all, the CAK adheres to the relevant ones
provisions of the GDPR.

Should there be a renewed violation (recidivism) in the future, the AP will report to the
take into account that a reprimand has already been imposed.

The decision to impose a reprimand is further substantiated below. The relevant facts and
circumstances on which the reprimand is based are described in paragraph I. Section 2
describes the reprimand. Paragraph 3 shows the assessment and the violation
established. Section 4 contains the operative part and the remedies clause.





Date                   Our reference
Dec 16, 2022           z2020-08787

1. Facts and Circumstances
On 3 January 2020, ******** (hereinafter: 'the person concerned l', submitted a request for access to his
submitted personal data to the CAK and explicitly relied on Article 12 and Article 15 of the GDPR.1

On 15 January 2020, the CAK requested the person concerned to provide additional information about the request
for inspection.2

On 15 January 2020, the person concerned provided his initials and surname, home address and e-mail address to the
CAK.3 On 15 January 2020, the person concerned received an e-mail confirming that the e-mail of the person concerned
was received and that the CAK would make every effort to process his message no later than 22 January 2020.4

On February 28, 2020, the person concerned received the answer to the request for inspection of January 3 from the CAK
2020.5 1n the reply to the request for inspection stated that the CAK has retained the name, address,
place of residence, date of birth and citizen service number (BSN) and in some cases the account number,
income data and data of a partner. I let CAK further indicated that the e-mail address and the
telephone number are stored with contact and that the CAK does not have the telephone number
of the person concerned. Furthermore, it was explained in general terms which transactions can take place,
to which parties personal data can be provided and how long the data can be kept
warden. At no time was it indicated which cases specifically apply to the person concerned. In
the aforementioned response from the CAK did not indicate what is registered in the systems of the
CAK about the person concerned.

On 28 February 2020, the person concerned sent a message6 to the CAK in which the person concerned indicated that the
response to the request for access was incomplete on five points, namely:
1 what is actually registered in the systems of bet CAK is missing in the answer to it
access request;
2 specific processing operations related to the data subject are not mentioned;
3 available information about the source of the personal data is not fully given;
4 a list of recipients to whom personal data have been or will be provided is missing;
5 storage periods per processing are missing.

On March 25, 2020, a written decision followed with an objection clause from the CAK in which the CAK
screen shots of the computer system.7 In addition, the CAK stated the purpose of the
processing, namely for the maximum periodic contribution for support from the Wmo/own
determine and collect the contribution for care from the Long-Term Care Act. In addition, the CAK indicated that it is subject to two

1 Acknowledgment of receipt with single file reference '2693703'. The content of the CAK follows in the email of 15 January 2020 from the CAK
request.
2 Email of 15 January 2020 from the CAK to the person concerned, sent from contac-t@cak.helptu.nl.
3 Email dated 15 January 2020 from the person concerned to the CAK.
4 Acknowledgment of receipt of 15 January 2020 of the message from the person concerned, sent from no-reply.helptu.nl.
5 Email of 28 February 2020 from the CAK to the person concerned, sent from contact@cak.helptu.nl.
6 Email dated 28 February 2020 from the person concerned to the CAK.
7 Decision of 25 March 2020 of the CAK.





Date                   Our reference
Dec 16, 2022           z2020-08787

categories of organizations must provide personal data, namely 1) chain partners ("UVVV,
Tax and Customs Administration, Municipalities, Healthcare Offices and Healthcare Institutions") and 2) processors. It was also indicated that the
data will be kept as long as the person concerned uses support from the Social Support Act. Ten
with regard to the retention period, the CAK stated that it is obliged, on the basis of the Archiefivet 1995, to
store personal data of the person concerned for 7 years. The screenshots showed the
data that the CAK has in the computer system of the person concerned, including name, address,
date of birth, client number.

On 29 March 2020, the data subject sent a message to the data protection officer (hereinafter:
'FG') of the CAK, in which the person concerned shared his experiences regarding the request for inspection to the CAK.8
In addition, the person concerned asked for payment details that were missing in the sent decision of 25 March
2020.

On April 9, 2020, the DPO replied that payment details are available and will be provided to the data subject
sent.9

On 9 April 2020, the person concerned replied that sending the payment details is not necessary.10

On 15 February 2020, the person concerned submitted a complaint against the CAK under Article 77 of the GDPR to
the AP. On 25 May 2020, the person concerned supplemented his complaint and also requested corrective measures
against the CAK, because, in the opinion of the data subject, the CAK had violated the GDPR by
not comply with his request for inspection.

On October 28, 2020, the AP announced an investigation into the complaint and sent the AP
a request for information to the CAK.

On November 5, 2020, the CAK provided written answers to the AP's questions. The CAK indicated the target
and determine the means of the processing of personal data. Furthermore, the CAK indicated that it
request for inspection from the person concerned was received on January 3, 2020 and that the CAK on March 25, 2020
has taken a decision on the request for inspection by the person concerned. Finally, the CAK indicated that there was no
(legal) procedures of the person concerned are known to the CAK.

By letter dated October 19, 2022, the AP informed you of its intention to impose a reprimand
made. The AP has given you the opportunity to express your view on the
intention to impose a reprimand. You expressed your views in a letter dated 8 July 2022
made to the AP.

8 Email of 29 March 2020 from the person concerned to the DPO of the CAK.
9 Email of 9 April 2020 from the DPO of the CAI< to the person concerned.
10 Email of 9 April 2020 from the person concerned to the DPO of the CAK




Date                   Our reference
Dec 16, 2022           z2020-08787

2. Reprimand
The AP has the power to impose a reprimand if a controller breaches it
makes on provisions of the AVG (article 58, second paragraph, sub b, of the AVG).

Annex I to this decision contains the relevant legislation and regulations pertaining to the reprimand. That
appendix forms an integral part of this decision.

A reprimand - instead of a fine - can be imposed if there is a minor infringement.
The DPA also considers whether the infringement poses a significant risk to the rights of those involved
and does not detract from the essence of the obligation.

In paragraph 3 of this decision, the AP explains why there has been a violation and why the AP
reason to impose a reprimand on that basis.

3. Assessment
Pursuant to Article I2, paragraph 3 of the GDPR, the controller provides the data subject
without delay and in any event within one month of receipt of the request pursuant to Article 15 to
with 22 information on the follow-up to the request. Depending on the complexity of the
requests and of the number of requests, that period may be extended by a further two months if necessary
extended. The controller shall inform the data subject within one month of receipt of the
request of such extension.

The AP establishes that the data subject had submitted a request for inspection to the CAK on 3 January 2020. This
means that the CAK had until 3 February 2020 at the latest to provide information about the consequences
has been given to the request or should have indicated that the period will be increased by two months
extended. On February 28, 2020, supplemented on March 25, 2020 by the CAK and supplemented by the FG on 9
April 2020, the person concerned received the decision on his request for inspection from the CAK. The reaction follows
one and a half months after the CAK received the request for inspection from the person concerned. The CA had
did not make use of the power to extend the term by two months. This
means that the CAK has responded too late to the request for inspection by the person concerned and is therefore in
has violated Article 12, paragraph 3 of the GDPR by deciding on it later than one month
request of the person concerned.

The AP sees reason to impose a reprimand for the aforementioned violation. The AP finds
the reprimand is an appropriate measure. The AP has taken into account that there is a small
infringement. The breach does not pose a significant risk to the rights of the data subject. person concerned has
ultimately obtained access to the processing of his personal data.




Date                   Our reference
Dec 16, 2022           z2020-08787

4. Operative part

Reprimand
The AP reprimands the CAK for the violation of Article 12, paragraph 3 of the AVG.

Yours faithfully,

Authority for Personal Data
On their behalf

********
Director of Customer Contact and Controlling Investigation



Remedies Clause
If you do not agree with this decision, you can within six weeks from the date of sending it
decides to submit a notice of objection to the Dutch Data Protection Authority digitally or on paper.
Submitting a notice of objection does not suspend the effect of this decision.

To submit a digital objection, see www.autoriteitpersoonsgegevens.nl, under the heading 'Objection
at the bottom of the page under the heading 'Contact with the Dutch Data Protection Authority'.
The address for submission on paper is: Dutch Data Protection Authority, PO Box 93374, 2509 AJ The Hague.
Mention 'Awb objection' on the envelope and put objection in the title of your letter.
Write in your notice of objection at least:
• Your name and address
• The date of your objection
• The reference mentioned in this letter (case number); you can also get a copy of this decision
  attach
• The reason(s) why you disagree with this decision
• Your signature
For more information, see: https://autoriteitpersoonsgegevens.nl/bezwaar-maken