GHSHE - 200.290.520 01
|GHSHE - 200.290.520_01|
|Relevant Law:||Article 12(1) GDPR|
Article 15 GDPR
|National Case Number/Name:||200.290.520_01|
|European Case Law Identifier:||ECLI:NL:GHSHE:2021:2252|
|Appeal from:||Rb. Limburg (Netherlands)|
C/03/267045 / HA RK 19-162
|Original Source:||Rechtspraak.nl (in Dutch)|
|Initial Contributor:||Martijn Staal|
The Court of Appeal of 's-Hertogenbosch held that Article 15 GDPR does not give data subjects the right to access copies of all documents in which their personal data are or may be contained, and that the data subject could not request access to previously deleted personal data.
English Summary[edit | edit source]
Facts[edit | edit source]
The data subject requested the District Court Limburg to order their former bank to hand them all documents that contain their personal data that have been processed. The District Court considered that the dispute mainly focuses on the personal data of the data subject that are or may have been included in the so-called EVA registration (a Dutch fraud prevention system) and in the report of the security affairs department of the bank. The bank stated that it had no longer had these documents, but offered to conduct internal investigation. The District Court gave the bank the opportunity to conduct this investigation and to hand over a report to the data subject which he had not yet received.
The district court rejected the data subject's request because it considered that their former bank had fulfilled its obligation to provide information by handing over the report. Furthermore, the court concluded that the data subject no longer objected the bank's position that the internal security report is no longer available. The data subject only requested a copy of their personal data concerning the EVA registration, but the court ruled that the bank had sufficiently substantiated its claim that it no longer has this data.
The data subject disagreed with the ruling of the District Court and filed a request with the Court of Appeal. The data subject claimed that the bank had conducted several investigations into them, at least in 2015 and 2018. The data subject also claimed that Article 15 GDPR gives them the right to access complete copies of the entire documentation in which their personal data are or may be contained, such as underlying documents and personal notes made by others.
The bank also argued in appeal that they no longer have the data which the data subject is requesting, since the relation between the data subject and the bank ended in 2012 and all data is from the period 2009-2011. The retention period of 7 years has been exceeded already by several years.
Holding[edit | edit source]
The Court of Appeal of 's-Hertogenbosch held that Article 15 GDPR does not give the right to access by means of full copies of full documentation in which personal data are or may be contained, such as underlying documents and personal notes by others. It is important to give the data subject sufficient opportunity to take note of the processed data, including conclusions drawn, and to be able to check whether these are correct and have been processed lawfully, according to the CJEU in C‑141/12 and C‑372/12, which also applies to the GDPR in the opinion of the Court of Appeal. Furthermore, the Court of Appeal held that the bank provided the data subject all the personal data it had at its disposal. The data subject was simply too late in requesting the data.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Body Court of Appeal 's-Hertogenbosch Date of judgment 15-07-2021 Date of publication 27-07-2021 Case number 200.290.520_01 Jurisdictions Civil rights Special characteristics Appeal Content indication Rejection of request for inspection pursuant to Articles 12 and 15 of the GDPR to submit all documents in which personal data of the bank client have been processed / request has been met, and for the alleged missing data, the request was made too late / no order to pay costs on appeal due to the nature of the procedure Locations Rechtspraak.nl NJF 2021/359 Enhanced pronunciation Share pronunciation print Save as PDF Copy link Pronunciation COURT OF COURT 's-HERTOGENBOSCH Commercial Law Team Verdict: July 15, 2021 Case number: 200.290.520/01 Case number first instance: C/03/267045 / HA RK 19-162 in the appeal case of: [the person concerned] , living in [residence] , Belgium, appellant, hereinafter referred to as: [the person concerned] , authorized representative: [authorized representative] at [place] , in return for [the couch] , established in [establishment] , defendant, hereinafter referred to as: [the bank] , lawyer: mr. D.S. van Lith in Utrecht. 1 The proceedings at first instance The court refers to the decision of the Limburg District Court, seat location Roermond, of December 24, 2020 (and the interim decision of April 8, 2020). 2 The appeal proceedings 2.1. By notice of appeal with exhibits, received at the registry of this Court of Appeal on February 19, 2021, [the person concerned] requested that the aforementioned decision be annulled and that the appeal be declared well-founded, with the [bank] being ordered to pay the costs of the proceedings. 2.2. In a statement of defence, received at the registry on 3 May 2021, [the bank] requested, as far as possible provisionally enforceable, that [the person concerned] be declared inadmissible in the appeal lodged by him, or at least his requests - if necessary with correction of the grounds – to be dismissed, with the [person concerned] being ordered to pay the costs of the proceedings at first instance and these proceedings on appeal (including subsequent costs). 2.3. The oral hearing took place on 2 June 2021. On that occasion, the following were heard: - [the person concerned] , assisted by his authorized representative [authorized representative] ; - mr. Van Lith on behalf of [the bank] . 2.4. The Court has also taken cognizance of the contents of: - the documents of the first instance, received at the registry on 17 March 2021; - the memorandum of attorney submitted and proposed at the hearing from authorized representative [authorized representative] . 3 The assessment 3.1. This case concerns the following. - [the person concerned] has been a customer of [the bank]. In 2012, [the person concerned] terminated his relationship with [the bank]. - By letter dated 5 April 2019, [the person concerned], invoking Articles 12 and 15 of the General Data Protection Regulation (GDPR), requested [the bank] to send him all documents in which his personal data were processed at [the bank] [ branch 2] and the national [the bank] . - Correspondence between the parties has taken place. - On 4 June 2019, [the bank] sent information related to the GDPR to [the data subject]'s lawyer in another procedure, requesting that this information be forwarded to [the data subject] . - On 14 June 2019, [the bank] sent three PDF files to [the person concerned] via [name]. 3.2. On 24 July 2019, [the person concerned] submitted a petition to the Limburg District Court (seat location Roermond). In it he requests - in summary - to order [the bank] to hand over to him all documents in which his personal data have been processed and to determine that in the event of non-compliance with this order, [the bank] will forfeit a penalty of € 500 per day. . 3.3. By interim order dated April 8, 2020, the court referred the case to the petition roll for deeds, statement and answer and adjourned any further decision. To that end, the court considered - inter alia and in summary - that the dispute mainly focuses on the personal data of [the person concerned] that are (or would have been) included in the so-called EVA registration [Court: External Reference Application in the External Reference Register ( EVR)] and in the report of the security affairs department of [the bank] in the Netherlands. [the bank] has stated that it no longer has these documents at its disposal, but has offered at the hearing in the first instance that it wishes to conduct further internal investigations into the (possible) documents concerning the EVA notification and the report of the Security Affairs Department and substantiated this by means of return a written statement. The court gave [the bank] the opportunity to do so, as well as to hand over the report of [the bank] [branch 1] – which [the person concerned] would not yet have at his disposal – to [the person concerned]. 3.4. By order dated 24 December 2019, appealed from, the court rejected [the person concerned]'s request and ordered him to pay the costs of the proceedings. To this end, the court considered – inter alia and in summary – that [the bank] submitted the report to [branch 1] by deed, with which it fulfilled its obligation to provide information and as a result of which the importance of [the person concerned]'s request in this respect is lost. Furthermore, the court deduced from [the person concerned]'s letter of reply that he no longer objected to [the bank]'s position that the internal security report is no longer available, but that his request only extends to the issue of his personal data insofar as they appear in the EVR. According to the court, [the bank] has sufficiently substantiated its claim – that it no longer has the data regarding the EVA notification in the EVR and can no longer retrieve it because the retention period has been exceeded. 3.5. [the person concerned] cannot agree with this decision and has submitted the following to this court in this regard. According to [the person concerned], the court assessed his case insufficiently and incorrectly and thus undermined the purpose of the GDPR. According to [the person concerned], [the bank] has conducted various investigations into him in recent years and the court ignored this. The statement of [the bank] that the documents are not available because it was too long ago is not correct, according to [the person concerned]. [the person concerned] still demands access to the documents of the internal security investigation, which according to [the person concerned] was drawn up in 2015, as well as the documents relating to the EVR. According to [the person concerned], [the bank] still tested the EVR in 2018, so that the documents must be present. An EVA notification in the EVR remains and [the bank] should have informed [the person concerned] about it. According to [the data subject], the documents that [the bank] has provided so far do not comply with the processing for which the GDPR stands. During the oral hearing, the representative of [the person concerned] explicitly invoked the effect of Article 63 of the GDPR and also referred to a “guideline” of the Dutch Central Bank (hereinafter: DNB). The Court of Appeal understands that [the person concerned] quotes on page 2 of his notice of appeal on appeal from and refers to the Guideline Wwft and Sw (version December 2020) of DNB. Furthermore, the representative emphasized that [the person concerned] wishes to inspect [the bank]'s internal decision-making regarding his person. 3.6. [the bank] has put forward the following defence. She also argued on appeal that she no longer has the data that [the person concerned] asks for, because these data date from 2009 and 2011. The retention period of the data (7 years) has now been exceeded by a large margin. In addition, [the person concerned] ended his relationship with [the bank] in 2012. [the person concerned] is now registered as an ex-customer with three separate (until 2016 independent) local Rabobanks - [branch 1], [branch 2] and [branch 3] - and [the bank] has submitted three (GDPR) reports on appeal regarding these three locations. At [the bank] [establishment 1] (report/exhibit 1) it appears that [the person concerned] was registered as a director-majority shareholder of a company that had only purchased an insurance product. At [the bank] [establishment 2] (report/exhibit 2) [the person concerned] no longer has any private products since 2010. He was only registered as surety for the company ([company]) of his daughter and son-in-law, which suretyship was terminated in 2016. At [the bank] [establishment 3] (report/exhibit 3) [the person concerned] was only registered as a director-major shareholder of a company, without private products. That company's bank account was terminated in 2013. According to the reports (1 and 2), one EVA assessment took place in 2009 for the application of a new service by [the person concerned] . It turned out that a so-called 'hit' from another bank had been obtained and the service was subsequently not provided to [the person concerned]. [the bank] no longer has the data regarding the 'hit' – such a ‘hit’ is only saved for a short time – and therefore does not know from which bank the hit came. The internal security report dates from February 2012 and [the bank] is no longer available because [the person concerned] has not been a customer for a number of years. The Security Affairs Department has not investigated [the person concerned] in recent years. Not even in 2019. In 2019, only the e-mail correspondence relating to [the data subject]'s GDPR request was registered. According to [the bank], the reports submitted, stating the processed personal data of [the data subject], meet the requirements of the GDPR. 3.7. The court considers as follows. 3.7.1. The Court of Appeal first notes that it is of the opinion that [the person concerned], litigating without a lawyer, can be received in his appeal and refers, among other things, to its decision of 1 February 2018, ECLI:NL:GHSHE:2018:363 r.o. 3.7.1. et seq. (with regard to the Personal Data Protection Act, predecessor of the AVG) and to Article 35(4) of the GDPR Implementation Act (hereinafter UAVG), which also pertains to appeals. 3.7.2. Furthermore, the Court of Appeal finds that it is not in dispute between the parties that [the bank] has processed personal data of [the person concerned]. In short, it is disputed whether [the bank] has complied with the requirements of the GDPR-based request to exercise the right of access of [the data subject], as regulated by Articles 12-15 GDPR. 3.7.3. Pursuant to art. 15, paragraph 1 of the GDPR, [the data subject] has the right to obtain from [the bank] access to his personal data and to (among other things and insofar as relevant here) the following information: - the processing purposes; - the categories of personal data concerned; - the recipients or categories of recipients to whom the personal data have been or will be disclosed; - if possible, the period for which the personal data is expected to be stored, or if that is not possible, the criteria for determining that period; - where the personal data is not collected from the data subject, all available information about the source of that data. Pursuant to art. 15 paragraph 3 GDPR, [the bank] must provide [the data subject] with a copy of the personal data being processed, albeit with due observance of Article 15 paragraph 4 GDPR. Art. 12 (1) GDPR provides that [the data subject] receives such information in a concise, transparent, intelligible and easily accessible form and in clear and plain language. 3.7.4. Contrary to what [the data subject] argues, Article 15 GDPR does not give him the right to inspect (by means of full copies) the integral documentation in which his personal data are (possibly) included, such as underlying documents and personal notes of others. According to ECJ of 17 July 2014, C-141/12 and C-372/12ECLI:EU:C:2014:2081 - in the opinion of the Court of Appeal also applicable to the GDPR - it is about giving the data subject (in this case [the data subject]) sufficient opportunity to take cognizance of the processed data , including conclusions drawn, and to be able to verify that they are accurate and lawfully processed. Attention may also be paid to the rights and freedoms of third parties (Article 15(4) GDPR). 3.7.5. Furthermore, the Court of Appeal considers it sufficiently plausible that all the data that [the bank] provided to [the person concerned] before and after the decision that was appealed to [the person concerned] is also that (and the only) in terms of processing personal data that [the bank] still actually has at its disposal. . The (other) data requested by [the person concerned] – in short regarding the EVA notification in the EVR and the internal security investigation – date from 2009 and/or 2011/2012. It is established that [the person concerned] was refused a service in 2009 because of the EVA notification and [the person concerned] has furthermore insufficiently contradicted the fact that the internal security report dates from 2012. Only in 2019 did [the person concerned] [the bank] first requested access to this data, while he had the opportunity to do so much earlier and at various times (2009 and 2011/2012 and also 2016). The Court of Appeal therefore considers the request of [the person concerned] in 2019 to be factually too late. This also applies if [the person concerned] – as he stated at the hearing of this court – only became aware of the registrations in 2009 and 2011/2012 in 2014. In addition, when the guarantee was terminated in 2016, [the person concerned] had another moment to request [the bank] under the old Wbp, as applicable at the time, access to the personal data processed with regard to him, which he did not do at the time. did. By ignoring the previous opportunities and not taking 'action' until 2019, [the data subject] has taken the risk that the data - partly in view of the undisputed retention period of 7 years, as ensuing from, among other things, Article 2:10 paragraph 3 BW – are currently no longer available. Furthermore, it has not been stated or shown that [the data subject] at any time consulted the controller of the EVR in order to find out which bank - other than [the bank] - made the notification in 2009. 3.7.6. The court therefore rightly rejected [the person concerned]'s request by final decision, in view of the further information provided by [the bank]. Process costs 3.8. Article 289 DCCP applies to petition proceedings, which stipulates that the court may issue an order for costs. The nature of the procedure is also a determining factor in this regard. Referring to previous rulings of this court (ECLI:NL:GHSHE:2018:363, ECLI:NL:GHSHE:2020:2536 and ECLI:NL:GHSHE:2021:1301; in which rulings the court has sought affiliation with ECJ EU 27 September 2017 in Puškár, C-73/16, ECLI:EU:C:2017:725) the Court of Appeal also finds in the present case that [the bank's] request for an order for costs of the proceedings of [the person concerned] on appeal, if the unsuccessful party must be omitted. The nature of the procedure - as covered by Article 289 DCCP and as further specified in the key of what the Court of Justice has considered according to the aforementioned decisions of this Court of 2018, 2020 and 2021 and in view of the text and purpose of Article 79 GDPR - entails this in principle. Since [the person concerned], while being assisted by an authorized representative, has not raised a complaint against the order to pay costs in the first instance, the Court of Appeal must, however, uphold this order. After all, the order for costs in the first instance – regardless of the substantive outcome of the appeal – does not form part of the legal battle on appeal in the present case (compare the decision of this Court of Appeal of 6 August 2020, ECLI:NL:GHSHE:2020: 2536). With regard to the costs of the proceedings on appeal, the Court of Appeal will determine that these must be compensated, so that each of the parties bears his or her own costs. 3.9. The decision of which appeal will be affirmed. 4 The decision The Council: confirms the decision which is appealed; compensates the costs of the proceedings on appeal, so that each party bears its own costs. This decision was made by Mrs. R.R.M. de Moor, J.W. van Rijkom and T. van der Valk and pronounced in public on 15 July 2021.