AP (The Netherlands) - z2020-19687

From GDPRhub
Revision as of 21:07, 19 May 2023 by Jochemd (talk | contribs) (Link to uploaded original)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AP - z2020-19687
LogoNL.png
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 12(3) GDPR
Article 15(1) GDPR
Article 15(3) GDPR
Type: Complaint
Outcome: Upheld
Started: 22.11.2020
Decided: 05.04.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: z2020-19687
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Dutch
Original Source: AP (in NL)
Initial Contributor: n/a

The Autoriteit Persoonsgegevens reprimanded Nuts Topholding BV for not properly responding to a request for access.

English Summary

Facts

A data subject requested access to all his personal data. The controller provided only partial access, even after the data subject asked to provide the missing data. During the investigation by the Autoriteit Persoonsgegevens, the controller did provide the missing data.

Holding

The DPA found a violation of Article 12(3) GDPR in conjunction with Article 15(1) and Article 15(3) GDPR because the controller failed to properly respond to a request for access.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Nuts Topholding B.V.
Attn. the direction
Reguliersdwarsstraat 58 A
1017 BM AMSTERDAM

Date                 Our reference      Contact person
Apr 5, 2023          z2020-19687        ********
                                        0708888500
Subject
Reprimand



Dear management,

In the case mentioned above, the Dutch Data Protection Authority (hereinafter: 'AP') informs you as follows.

The AP has decided to reprimand Nuts Topholding B.V. (hereinafter: 'Nuts Topholding'). The AP notes that
Nuts Topholding has not fully responded to the request for inspection of ******** (hereinafter: 'the data subject')
in a timely manner. The AP concludes that Nuts Topholding article 12, third paragraph in conjunction
read with Article 15, paragraphs 1 and 3 of the General Data Protection Regulation (hereinafter:
'GDPR') has: violated.

With the reprimand, the AP expresses that the GDPR has been infringed. The AP believes that
In this case a reprimand is appropriate, which also involves that there is a minor infringement
leaves unchanged that the AP disapproves of Nuts Topholding's conduct. After all, Nuts Topholding serves itself
comply with the relevant provisions of the GDPR. If there is a repeat violation
(recidivism), the AP will take into account in its assessment that this reprimand has been imposed.

The decision to impose a reprimand is further substantiated below. The relevant facts and
circumstances on which the reprimand is based are described in paragraph 1. In paragraph 2
the assessment is made and the violation is determined. Section 3 contains the operative part and the
remedies clause.

The legal framework applicable to this reprimand is set out in Annex 1. Annex 1 makes
integral part of this decision.

1/6

AUTORITEIT PERSOONSGEGEVENS
Date                 Our reference
Apr 5, 2023          z2020-19687





1. Facts and Circumstances
1.1 Summary of the complaint to the AP
On November 22, 2020, the AP received a complaint from the data subject, as referred to in Article 77 of the GDPR,
against Nuts Groep B.V. (hereinafter: 'Nuts Groep'). According to the person concerned, his right of
insight. The person concerned stated that Nuts Groep had not fully responded to his request for inspection,
because in any case no complete overview of his personal data has been provided and because information
about the source and provision to third parties was missing. The AP has investigated the complaint and has come to a conclusion
determination of the following facts and circumstances.

1.2 Background organizations involved
The person concerned had an agreement for the supply of electricity and gas with Budget Thuis B.V., until 1
January 2022 called NutsServices B.V. (hereinafter: 'Budget Home'). From the trade register of the Chamber
van Koophandel (hereinafter: 'KVK') it follows that Nuts Topholding is the director of Budget Thuis. In the
privacy statement of Budget Thuis, version 31 March 2021 (hereinafter: 'the privacy statement of Budget Thuis')
states that Nuts Topholding is the controller for the processing of personal data
within the Nuts Group. It follows from the trade register of the Chamber of Commerce that the Nuts Topholding is the director
of the Nuts Group.

1.3 The request for inspection by the data subject
By e-mail of 27 September 2020, the data subject requested Nuts Groep to inspect his personal data.
The data subject explicitly invoked Articles 12 and 15 of the GDPR.

On 26 October 2020, the data subject received two emails in response to his access request.

From the e-mail address noreply@budgetenergie.nl it was indicated that the person concerned had received a (different) e-mail
will receive with a file containing his personal data as an attachment. The person concerned was also
refer to the privacy statement of Budget Thuis. The privacy statement of Budget Thuis states about
the source of personal data is included: 'When you become a customer of Budget Thuis, you provide us with a number
necessary personal data. This concerns your (company) name. sex. date of birth. address data.
contact details. and bank account number. For the implementation of your energy contract. All-in-l contract, and/or mobile
In addition to the aforementioned data, we also collect a number of other necessary data.
Such as: your contract data (for example duration and rates), consumption data (for example meter readings or
data usage, connection data (for example the type of connection), and payment data (for example your payment behaviour).
We do not collect some of this data from you, but, for example, from the network operator (when purchasing
electricity and/or gas). KPN (the party WE work with for the supply of All-in-l and mobile telephony). or
(if a creditworthiness assessment is made) from trade information agencies we work with
(Experian and/or EDR).' About the sharing of personal data with third parties it is stated: 'Binnen de Nuts
Group (..) we can exchange and combine certain data for the above purposes. For example in it
within the framework of the execution of agreements, accepting and making an offer to an existing or
potential customer and for marketing purposes. (..). It is also possible that we share data with external parties
parties. This includes IT suppliers, collection agencies, or resellers (for example, a
reward such seller for acquiring a new customer). (..).'

2/6

AUTORITEIT PERSOONSGEGEVENS
Date                 Our reference
Apr 5, 2023          z2020-19687

By e-mail from privacy@nutsgroep.nl it was indicated that the data subject - in response to his request to
pursuant to Article 20 of the GDPR - receives a machine-readable file containing his personal data. It
The attached file consists of a 'Relationship' tab and a 'Contract' tab. Under the relationship tab
are the customer number, gender. name, date of birth, email address, telephone number,
bank account details and the correspondence address of the data subject. Under the contract tab
information about the connections, the delivery address and data about the contract.

The data subject responded to the e-mail the same day [n his response, the data subject indicated that he
had not made a request based on Article 20 of the GDPR, but a request for access based on Article
12 and 15 GDPR. The data subject indicated that his request for inspection has not been answered in full. [n
in any case, information about its consumption and its direct marketing preferences was lacking. Furthermore
was, according to the data subject, a reference to the privacy statement insufficient, because it does not contain
concretely it can be determined what the source of his personal data is and whether his personal data are
provided to third parties. According to the person concerned, the privacy statement only contains a general summary
of possible processing. In the e-mail, the person concerned asked for his request to be fully complied with
inspection to comply.

1.4 Nuts Groep's response to the complaint
The AP has asked Nuts Groep by letter of 13 July 2021 to respond to the complaint and questions from the
AP. Nuts Groep responded by letter dated August 12, 2021.

Nuts Groep stated that Nuts Topholding is the controller for the processing of
personal data of the data subject. Nuts Groep confirmed that the responses of October 26, 2020 are not the
data on consumption and data on preference with regard to direct marketing of the
contain the data subject. That's because the wrong process, namely that for a request as referred to in
Article 20 of the GDPR has been applied. Nuts Groep (still) added a copy of personal data of the
data subject about consumption and preference with regard to direct marketing in her answer.

Nuts Groep disputes that it failed to provide the data subject with specific information about the
source of his personal data and provision of his personal data to third parties. This information
follows, according to Nuts Groep, from the privacy statement sent to the data subject.
Nuts Groep has a work instruction and a privacy policy regarding the facilitation of the rights of
data subjects. Nuts Groep indicates that the matter of the data subject is not in accordance with the policy and the
work instruction has been followed. Nuts Groep also indicates that it has eight requests for
received access from other parties involved. These requests for inspection are, with the exception of one case, every time
answered in accordance with Nuts Groep's own policy or work instructions.

2. Assessment
Article 12 of the GDPR contains rules for exercising the rights of the data subject. In
Article 15 of the GDPR specifically regulates the right of access of data subjects. Article 12 and 15 of the
GDPR contain obligations for the controller. The AP will therefore first determine

3/6

AUTORITEIT PERSOONSGEGEVENS
Date                 Our reference
Apr 5, 2023          z2020-19687

who is the controller. The AP then proceeds to assess whether the
controller in accordance with article 12. third paragraph read in conjunction with article 15. first and
third paragraph of the AVG has provided the data subject with full access to his personal data in a timely manner.

2.1 Controller
2.1.1 Legal framework determining the controller
Article 4, preamble and under 7 of the GDPR defines controller as a natural person
person or legal entity, a government agency, agency or other body that, alone or together
with others, determines the purposes and means of the processing of personal data.

2.1.2 Conclusion of determination of the controller
The person concerned stated in his complaint that Nuts Groep has infringed his right of access. On
however, based on the findings, the AP concludes that Nuts Topholding is the controller
is for the processing of personal data of the data subject. The AP bases this on the statement of
Nuts Groep to the AP and the privacy statement of Budget Thuis. In addition, Nuts Topholding is according to
information from the trade register of the Chamber of Commerce the director of both Budget Thuis and the Nuts Groep.

2.2 Right of access
2.2.1 Legal framework for the right of access
Pursuant to Article 15.1 of the GDPR, the data subject has the right to receive information from the
to obtain a confirmation from the controller as to whether or not personal data relating to him are being processed
personal data. When that is the case. the data subject has the right to obtain access to it
personal data and to be provided with the information referred to in Article 15. first paragraph. sub a to
and with h of the GDPR. From article 15. first paragraph. sub c of the AVG follows, for example, that the data subject has the
is entitled to information about the recipients or categories of recipients to whom the personal data
have been or will be provided. It follows from Article 15, first paragraph, sub g of the GDPR that the data subject has the right
has information about the source of personal data if the personal data does not belong to the data subject
have been collected.

Pursuant to Article 15.3 of the GDPR, the controller must provide the data subject with a copy
to provide the personal data that is being processed.

It follows from recital 63 of the GDPR that the data subject has the right of access so that he can refrain from the
processing and verify its lawfulness.
It follows from Article 12. third paragraph of the GDPR that the controller must immediately and in any case
within one month of receipt of a request for inspection, must provide information about the action to be taken
the request for access has been given.

There are restrictions on the right of access. These are included in Article 12, paragraph 5 of the GDPR,
Article 15, fourth paragraph of the GDPR and Article 23 of the GDPR (further elaborated in Article 41 of the
GDPR Implementation Act (hereinafter: 'UAVG')).

4/6


AUTORITEIT PERSOONSGEGEVENS
Date                 Our reference
Apr 5, 2023          z2020-19687

.2.2.2 Conclusion on the right of access – access to and copy of the personal data processed
Based on the available information, the AP concludes that Nuts Topholding Article 12, paragraph 3 of the
AVG in conjunction with article 15, first paragraph and third paragraph of the AVG: violated. The data subject
has: requested access to his personal data on 27 September 2020. On October 26, 2020, the
person concerned a response. This response did not include access to consumption and direct marketing preferences
the data subject. These personal data were processed, because the personal data are on 12
August 2021 provided. The information available does not in any way indicate that there were facts and
circumstances that restrict the data subject's right of access, as referred to in Article 12, paragraph 5
of the AVG, article 15, fourth paragraph of the AVG or article 23 of the AVG or article 41 of the UAVG.

2.2.3 Conclusion on the right of access - information about the source and disclosures to third parties
In addition, the AP Nuts Topholding points out the following. It follows from the findings that Nuts Groep de
the data subject has the information as referred to in Article 15, first paragraph under a to h of the GDPR
provided by referring to the privacy statement. The privacy statement does not say what - in case
of the data subject - was the actual source of his personal data. From the privacy statement follows
nor whether the personal data of the data subject has actually been provided to third parties and which ones
specific third parties. Based on the findings, the AP cannot determine that the
personal data of the data subject have not been collected from the data subject. The AP can, based on the
findings also do not establish that the personal data of the data subject has been provided to third parties. The
AP cannot therefore determine whether Nuts Topholding has complied with Article 15, first paragraph under a to h of the
AVG has provided the information mentioned. The AP points out to Nuts Topholding that in the privacy statement
terminology such as 'we can' is used. 'it is possible that we'. The right of access must be a
enable the data subject to become aware of the processing and the lawfulness
check (recital 63 of the GDPR). Using language such as 'could', 'might' and 'possibly'
may undermine this purpose mentioned in recital 63 of the GDPR. 1

2.3 Reprimand
The AP has the power to impose a reprimand if a controller infringes on 
provisions of the AVG, as referred to in Article 58, second paragraph under b of the AVG. A reprimand
may be imposed instead of a fine if there is a minor infringement. This involves the
AP informs whether the infringement does not pose a significant risk to the rights of the data subjects and does not affect it
meets the essence of the obligation.

In view of the above, the AP Nuts Topholding will be reprimanded for the violation referred to in this decision
the GDPR. The AP considers the reprimand in question to be an appropriate measure. The AP has the following here
weighed in. There is a relatively minor infringement. Of a significant risk to the data subject
the infringement has not been revealed. No large group of people involved has been affected by the breach and it is going
nor for the processing of special personal data or personal data of a vulnerable person
group. The data subject still has access to his personal data regarding consumption and direct

1 See also Guidance on Transparency under Regulation (EU) 2016/679 (WP260 rev.01) under
margin number 17.

5/6


AUTORITEIT PERSOONSGEGEVENS
Date                 Our reference
Apr 5, 2023          z2020-19687

marketing preferences. Nuts Topholding has a policy and working method that are required for this
ensure that future access requests from data subjects are handled in accordance with the GDPR.
There has also been no evidence of intent or conscious recklessness on the part of Nuts Topholding.

3. Operative part
The AP reprimands Nuts Topholding for the violation of Article 12, paragraph 3 read in conjunction with
Article 15, first and third paragraph of the GDPR.

The AP will send a copy of this decision to your data protection officer.

Yours faithfully,
Autoriteit Persoonsgegevens,
On their behalf,

********
Director of Customer Contact and Controlling Investigation

Objection
Would you like an explanation of the decision? Please contact the person mentioned at the top of this letter
contact. This contact person will discuss the decision with you.

Do you disagree with the content of this decision? Then you can do so within six weeks after the date of dispatch
submit this decision digitally or in writing. At autoriteitpersoonsgegevens.nl/bezwaar-maken
you will find more information about the procedure and what is expected of you. Submitting an objection
does not suspend the effect of this decision.

You will find the digital form with which you can submit your objection at autoriteitpersoonsgegevens.nl/bezwaar-maken
submit digitally.

If you wish to object in writing, you must submit your letter within six weeks of the date this is sent
decision to the postal address stated at the top of this letter. Mention 'Awb objection' on the envelope
and put 'objection' in the title of your letter. Include in your objection at least:
• your name and address;
• the date of your objection;
• the reason(s) for which you disagree with this decision;
• your signature;
  the reference mentioned at the top of this letter or a copy of this decision.

6/6