RVS - 202004314/1/A3
From GDPRhub
| RvS - 202004314/1/A3 | |
|---|---|
 | |
| Court: | RvS (Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 4(1) GDPR Article 21 GDPR Article 82 GDPR Article 1(3) Awb Article 34 UAVG Article 6(4)(1) Awb Article 8(88) Awb Wet bescherming bedrijfsgeheimen Wob |
| Decided: | 02.02.2022 |
| Published: | 02.02.2022 |
| Parties: | Yards Deurwaardersdiensten B.V Unnamed plaintiff 1 Unnamed plaintiff 2 Bureau Financieel Toezicht (BFT) |
| National Case Number/Name: | 202004314/1/A3 |
| European Case Law Identifier: | ECLI:NL:RVS:2022:319 |
| Appeal from: | Rb. Midden-Nederland (Netherlands) 19/5568 |
| Appeal to: | |
| Original Language(s): | Dutch |
| Original Source: | Rechtspraak (in Dutch) |
| Initial Contributor: | Kave Noori |
The Supreme Administrative Court of the Netherlands ruled that Dutch administrative courts have jurisdiction to decide on compensation claims under Article 82 GDPR, if none of the plaintiffs individually claim a compensation of more than €25,000.
English Summary
Facts
The Dutch financial regulator, Bureau Financieel Toezicht (BFT), provided a journalist with a copy of a decision and an accompanied letter. The decision and letter had been issued by the Chamber of Bailiffs (kamer voor gerechtsdeurwaarders) in a disciplinary proceeding against a company. The BFT provided the journalist with the documents without anonymizing them. The company and two individuals (the plaintiffs) complained that this was a data breach under the GDPR. The plaintiffs demanded that it should be reported to the Dutch DPA Autoriteit Persoonsgegevens (AP).
In December 2019, the BFT informed the plaintiffs that there was no need to report the incident as a data breach under the GDPR. The plaintiffs complained. In January 2020, the BFT ruled that the complaint was inadmissible, meaning that the plaintiffs didn't have the right to have the action reviewed by a court. The plaintiffs appealed the BFTs decision to declare the complaint inadmissible.
In June 2020, the District Court of Midden-Nederland ruled on the appeal. The District Court reversed the BFT's January 2020 decision and ordered the BFT to issue a new decision on the objection. In addition, the District Court ruled that, as an administrative court, it didn't have jurisdiction to decide on compensation issues.
The applicants appealed the District Court's decision to the Supreme Administrative Court (Raad van State). BFT filed an incidential appeal, which is an appeal filed after an opposing party has already filed an appeal. The Supreme Administrative Court held a hearing in October 2021. At the hearing, it became clear that the plaintiffs and BFT now agree that it was wrong to disclose the documents to the journalist without anonymizing them.
The Supreme Administrative Court now had to answer three questions:
1) Were there any legal remedies against the BFT's decision?
2) Does an administrative court have jurisdiction to decide on applications for compensation?
3) Should the request for compensation be granted?
Holding
Initial considerations
First, the Supreme Administrative Court examined whether the GDPR gives the company any rights on which to base its claims. The court examined the definition of personal data in Article 4(1) and Recital 14. The Supreme Administrative Court found that the GDPR only applies to natural persons and that the company, as a legal person, cannot assert any rights for data subjects. However, since the two plaintiffs were natural persons with rights as data subjects, this didn't affect the admissibility of the case.
Were there any legal remedies against the BFT's decision?
First, the Supreme Administrative Court addressed BFT's claim that the decision was inadmissible because it wasn't a decision within the meaning of Section 1(3) of the Dutch General Administrative Act (Awb).
The court held that under Article 34 of the Dutch GDPR implementation act (UAVG), the BFT's measure can only be considered an administrative decision that can be challenged in court if it's a decision concerning a data subject exercising his or her rights under Article 15 GDPR - Article 22 GDPR.
The court also recalled that it's important to distinguish between the data subject's right to object to data processing under Article 21 GDPR and the citizen's right to object to an administrative decision under Article 6(4)(1) Awb. It then concluded that the BFT measures cannot be considered as an administrative decision on the exercise of the data subject's rights. The court then considered whether the BFT's actions constituted an administrative decision under other laws. It considered whether it could be an administrative decision under the Dutch Freedom of Information Act, Wet openbaarheid van bestuur (Wob). The court ruled that the action couldn't be considered a disclosure under the Wob. The journalist had never filed a formal freedom of information request. The court also found that it wasn't a publication on the initiative of the BFT, since the journalist had stated that they didn't want to publish the decision itself, but only to use the information in an article.
The court then considered whether BFT had violated the Trade Secrets Act (Wet bescherming bedrijfsgeheimen). The Supreme Court ruled that this law only protects the company from lawsuits filed by its competitors, not actions that are based on administrative law.
The Supreme Administrative Court ruled that BFT's decision not to report the incident as a data breach wasn't an administrative decision that could be challenged in court. The Supreme Court reversed the district court's decision.
Was the administrative court competent to rule on the issue of compensation?
The Supreme Administrative Court referred to previous case law and concluded that the administrative courts have jurisdiction to decide on compensation claims. The Supreme Administrative Court recalled that according to Article 8(88) Awb, the administrative courts may decide on compensation claims below €25,000. As long as the claim is below this amount, the claimant/plaintiff can choose whether to bring the case before a civil court or an administrative court.
In this case, the plaintiffs estimated their damages at more than €25,000. However, they'd limited the amount of compensation they sought in court to €25,000 per person. The Supreme Administrative Court found that it was wrong for the district court to add up the plaintiffs' claims and conclude that the upper limit had been exceeded. For this reason, the Supreme Administrative Court ruled that the district court had jurisdiction to decide the issue of compensation. The Supreme Administrative Court also clarified that it's not necessary for a data subject to have exercised any of his/her rights before he/she can claim damages in court under Article 82 GDPR.
Should the request for compensation be granted?
The Supreme Administrative Court found that the claimants hadn't sufficiently demonstrated the psychological injury they'd suffered as a result of the disclosure. For example, the claimants hadn't made it plausible to the administrative court that the costs were caused by the unlawful processing of their names when the documents were handed over to the journalist without anonymization. The Supreme Administrative Court also weighed that the judgment of the court case to which the documents belonged was public. Therefore, only the names of the applicants and their company had been wrongfully disclosed to the journalist. BTF had also asked the journalist not to publish the names, and they were never mentioned in the published article. Therefore, the Supreme Administrative Court rejected the request for compensation.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
202004314/1/A3.
Judgment date: February 2, 2022
DEPARTMENT
ADMINISTRATIVE JURISDICTION
Judgment on the appeals of:
1. Yards Deurwaardersdiensten B.V., established in Almere, [appellant 1A] and [appellant 1B] (hereinafter jointly: Yards and others),
2. Bureau Financial Supervision (hereinafter: the BFT), established in Utrecht,
appellants,
against the judgment of the preliminary relief judge of the Midden-Nederland District Court (hereinafter: the District Court) of 23 June 2020 in cases no. 19/5568 and 20/1027 in the proceedings between:
Yards and others
and
the BFT.
Process sequence
In a letter dated 12 December 2019, the BFT informed Yards and others that there was no reason to report a data breach to the Dutch Data Protection Authority or to take other measures.
By decision of 28 January 2020, the BFT declared the objection made by Yards and others inadmissible.
In a judgment of 23 June 2020, the court declared, insofar as relevant, the legal appeal against the decision of 28 January 2020 well-founded, annulled the decision of 28 January 2020 and instructed the BFT to take a new decision on the objection. In that ruling, the court declared itself incompetent to hear the application for compensation. This statement is attached.
Yards and others have appealed this ruling.
The BFT has given a written explanation and has lodged an incidental appeal.
Yards and others have submitted views on the cross-appeal.
By decision of 16 July 2020, the BFT again decisively upheld the objection of Yards and others.
Yards and others filed grounds against the decision dated July 16, 2020.
Yards and others and the BFT have submitted further documents.
The Division heard the matter in court on October 1, 2021, where Yards and others, represented by C.N. van der Sluis and mr. J.E. van der Holst, lawyers in Rotterdam, and [appellant sub 1A], and the BFT, represented by mr. I.W. van der Heijden and mr. T. Gillhaus, lawyers in The Hague, and mr. E.B. Vernooij-Kruimel, have been published.
Considerations
Introduction
1. The text of the regulations cited in this judgment is included in the appendix. That appendix is part of the judgment.
2. The BFT has given a journalist the non-anonymised version of a decision of the Chamber of Bailiffs and the accompanying letter of presentation. This decision was made in response to a complaint lodged by the BFT against Yards and others. They believe that the BFT should not have given the decision to the journalist. By doing so, according to Yards and others, there is a data breach. They have suffered damage as a result. In their appeal, Yards and others added that the provision of the decision violates several regulations.
It is no longer in dispute that the BFT should not have given the decision and the cover letter to the journalist in this way.
The question that is answered in this ruling is how the request of Yards and others should be interpreted and whether the response of the BFT to it is a decision against which legal remedies are open. It is also discussed whether the administrative court has jurisdiction to rule on their request for compensation.
Before arriving at these substantive points, the Division will first assess the request insofar as it has been submitted by Yards Deurwaardersdiensten B.V.
Prior to
Can Yards Deurwaardersdiensten B.V. invoke the GDPR?
3. The answer to this question is no. The reason for this is that Yards Deurwaardersdiensten B.V. is not a natural person. Only natural persons can submit a request under the GDPR, as was done in this case. The Division deduces this from the definition of the term 'personal data' in Article 4, opening words and under 1, of the GDPR. It states that personal data is any information relating to an identified or identifiable natural person ("the data subject"). Only the data subject can invoke the rights set out in Chapter III of the GDPR. This is confirmed in recital 14 of the preamble to the GDPR, which reads: “The protection afforded by this Regulation applies to natural persons, regardless of their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of data about legal persons and in particular companies established as legal persons, such as the name and legal form of the legal person and the contact details of the legal person." Also only a natural person can then request under the GDPR for compensation in the event of a breach of the GDPR.
The BFT therefore had Yards Deurwaardersdiensten B.V. must inform them that for that reason their request will not be complied with. Because the request was also submitted by the natural persons [appellant 1A] and [appellant 1B] (hereinafter: [appellants 1]) and they can invoke the GDPR, the Division will not take any consequences in this case. to connect.
Attacked verdict
4. The court has ruled that the BFT has unlawfully processed the data of [appellants under 1] by giving the journalist the letter of presentation and the non-anonymised decision of the Chamber of Bailiffs. According to the court, the decision on the objection lodged by [appellants under 1] against this is a decision as referred to in Article 21, first paragraph, of the General Data Processing Regulation (EU) 2016/679 (hereinafter: the GDPR). In view of Article 34 of the GDPR Implementation Act, this is a decision within the meaning of Article 1:3 of the General Administrative Law Act (hereinafter: the Awb) against which objections can be lodged. The BFT therefore wrongly declared the objection of [appellants under 1] inadmissible, according to the court.
With regard to the request for compensation, the court has ruled that it is not competent to rule on this because the total damage claimed is more than € 25,000.00.
Incidental appeal from the BFT
Is the response of the BFT a decision?
5. The BFT has lodged an incidental appeal. The BFT disputes that its response to the request of [appellants under 1] to report the alleged data breach to the AP is a decision as referred to in the Awb. If the response of the BFT is not a decision as referred to in Article 1:3 of the Awb, no administrative legal remedies can be used against it. Because this concerns an aspect of admissibility, the Division will first discuss the cross-appeal.
6. The BFT argues that the court erroneously ruled that the objection of [appellants under 1] should have been declared admissible because the notice of objection must be regarded as an objection within the meaning of Article 21(1) of the GDPR. The BFT argues that this paragraph does not apply because the provision of the decision of the data to the journalist is not based on one of the processing grounds of Article 6, first paragraph, preamble and under e or f, of the GDPR.
According to him, the response of the BFT is also not a decision based on the Government Information (Public Access) Act (hereinafter: the Wob). The BFT did not provide the data of its own accord and the journalist did not make a request under the Wob either.
Finally, the BFT argues that its response is also not a decision as referred to in the Awb in connection with the request for compensation. The alleged damage is not caused by a decision as referred to in Articles 15 to 22 of the GDPR. That is why it is not the administrative court that has jurisdiction, but the civil court.
- the GDPR
7. As far as the GDPR is concerned, the response of the BFT is only a decision that can be challenged before the administrative court if it can be regarded as a decision on a request as referred to in Articles 15 to 22 of the GDPR. This follows from Article 34 of the GDPR Implementation Act.
Article 21 of the GDPR is entitled to object. That right to object must be distinguished from making an objection as referred to in Section 6:4(1) of the Awb. A decision by the controller on a request for application of Article 21, first paragraph, of the GDPR is a decision against which an objection as referred to in the Awb is open. Article 21 of the GDPR contains the right of a data subject to request that processing based on Article 6(1)(e) or (f) of the GDPR cease in connection with special circumstances concerning him/her.
As the BFT rightly argues, Article 21 of the GDPR can only be invoked if the processing takes place on the basis of the aforementioned parts of Article 6 of the GDPR. It is undisputed that this was not the basis for giving the journalist the decision and the cover letter. In this case, it is no longer in dispute that there was no basis for the processing.
7.1. [appellants under 1] argue that their request should be regarded as a request for access, as referred to in Article 15, first paragraph, of the GDPR. They refer in particular to part e of that article. In short, pursuant to Article 15, first paragraph, preamble of the GDPR, the data subject has the right to know whether personal data concerning him/her is being processed. The request of [appellants sub 1] means that the BFT must ensure that the data breach is reported to the AP and that the BFT must ensure that the journalist or other involved parties can no longer or will no longer use the leaked information. In view of this wording, this request cannot be interpreted as a request for access. Not even insofar as the right to object is mentioned in Article 15, first paragraph, preamble and under e, of the GDPR. This section merely means that the controller must not only provide insight into the personal data that it processes from the data subject, but also provide the data subject with information about, among other things, his right to object as referred to in Article 21 of the GDPR. The part of the article therefore does not contain an independent basis for taking a decision.
The court wrongly considered that the decision on the objection of 28 January 2020 is a decision as referred to in Article 21(1) of the GDPR.
[appellants sub 1] confirmed at the hearing on appeal that their request for rectification of the unlawfully disclosed information is not a request for rectification as referred to in Article 16 of the GDPR. The Division follows them in that position. That article provides for the possibility to rectify or supplement inaccurate or incomplete personal data. It is not in dispute that the personal data provided is correct in this case.
In the opinion of the Division, there are no grounds for the opinion that one of the other relevant articles of the GDPR applies in this case. Since [appellants under 1] have not invoked these articles, the Division will not deal with them separately.
8. On the basis of what [appellants under 1] have argued, the Division will assess whether the response of the BFT to the request of [appellants under 1] on the basis of another law is a decision against which objection and appeal to the administrative court is possible. .
- the Wob
9. The Division is of the opinion that the BFT has made it plausible that the journalist did not submit a request under the Wob and that there is therefore no question of so-called passive disclosure. The reason for this is that the journalist has asked the BFT for a decision to use the information from it for the article he wrote. It is unlikely that the journalist himself wanted to make the decision public to everyone.
In the opinion of the Division, the information was not made public by the BFT on its own initiative.
The Division is of the opinion that there is therefore no decision based on the Wob.
- the Trade Secrets Protection Act
10. The Trade Secrets Protection Act is intended to better protect trade secrets against competitors and does not refer to legal acts under public law. Insofar as [appellants under 1] invoked this law, that argument fails for that reason alone.
- Conclusion incidental appeal
11. Contrary to the court, the Division is of the opinion that the response of the BFT to the request of [appellants under 1] to report the data breach is not a decision. The BFT therefore rightly declared the objection of [appellants under 1] to be inadmissible.
12. The cross-appeal is well founded. The appealed decision must be quashed insofar as the court has declared the appeal well-founded, has quashed the decision on the objection and instructed the BFT to take a new decision on the objection. Doing what the court should do, the Division will still declare the appeal of [appellants under 1] against the inadmissibility of their objection to be unfounded.
Appeal of [appellants sub 1]
13. The discussion of the appeal of [appellants under 1] will not be discussed insofar as it does not concern their request for compensation.
Is the administrative court competent to rule on compensation?
14. Contrary to the court, the Division is of the opinion that the administrative court has jurisdiction in this case to adjudicate on the request for compensation.
14.1. In line with the ruling of 1 April 2020, ECLI:NL:RVS:2020:898, the Division considers that a person who, on the basis of Article 82 of the GDPR, is entitled to compensation for damage resulting from unlawful processing of personal data by an administrative body, in accordance with Article 8:88 of the Awb, has freedom of choice to submit its request to the administrative court or to realize its claim for compensation through civil law. To submit such a request, it is not necessary that the data subject has first invoked his rights referred to in Chapter III of the GDPR. The Division notes in this regard that if the request concerns a higher amount than € 25,000.00, application of Article 8:88 Awb entails that in that case the civil court has exclusive jurisdiction to hear such a request.
14.2. The BFT is an administrative body. It is not in dispute that the BFT should not have given the journalist the non-anonymised version of a decision of the Chamber of Bailiffs and the accompanying letter of presentation. This act by the BFT is an infringement of the protection of the personal data of [appellants under 1].
According to the Division, the amount of compensation requested by [appellants under 1] does not exceed the limit of jurisdiction for the administrative court. For the limit of jurisdiction it is important what the amount of the claim per person is. [appellants sub 1] have argued that they have suffered € 151,489.00 respectively € 9,880.00 in material damage and € 15,000.00 each in immaterial damage, but expressly limited their claims to € 25,000.00 per person. In a further letter to the court, they further substantiated the immaterial damage in response to the aforementioned decision of the Division of 1 April 2020. In this letter, they did not withdraw the previous limitation of the claim to € 25,000.00 per person. The court wrongly added up the claims of [appellants under 1] and ruled that the total damage claimed exceeds the jurisdictional limit. Contrary to what the court has considered, in this case the administrative court is competent to adjudicate on the request for compensation.
Conclusion on appeal
15. The appeal of [appellants under 1] is well founded. The judgment under appeal must also be quashed to the extent that the court has declared itself incompetent to adjudicate on damages. Doing what the court should do, the Division will assess the grounds of appeal of [appellants under 1] against the rejection of the request for compensation.
Should the claim for compensation be granted?
16. The material damage alleged by [appellants under 1] consists of costs for external assistance in connection with the assessment of the draft article of the journalist and communication with the AP and the BFT, the time of [appellants under 1] and others of the company and lost income of the shareholders due to the missed sale of Yards Deurwaardersdiensten BV as a result of the journalist's article. In the opinion of the Division, [appellants under 1] have not demonstrated that these costs are the result of the unlawful processing of their names. The BFT has therefore rightly taken the position that this material damage is not eligible for compensation.
17. In accordance with established case law of the Division (see, for example, the judgment of 25 August 2010, ECLI:NL:RVS:2010:BN4952), connection is sought with civil compensation law for the assessment of a request for compensation for non-material damage. As the Division considered in the aforementioned judgment of 1 April 2020, this is also the case for the assessment of non-material damage on the basis of Article 82 of the GDPR. This damage is in any case the case if the injured party has suffered a mental injury. The person who invokes this will have to provide sufficient concrete information from which it can be concluded that psychological damage has occurred in connection with the circumstances of the case. Even if the existence of mental injury cannot be presumed, it cannot be ruled out that the nature and seriousness of the violation of norms and of the consequences thereof for the injured party may imply that his person is harmed 'in another way' as referred to in Article 6. :106, preamble and under b, BW. In that case, the person who invokes this will have to substantiate the damage to his person with concrete information. This is only different if the nature and seriousness of the violation of standards mean that the relevant adverse consequences for the injured party in this regard are so obvious that an impairment in the person can be assumed. Personal injury 'in another way' as referred to in Article 6:106, opening words and under b, of the Dutch Civil Code, does not already exist in the case of a mere violation of a fundamental right. (See the judgments of the Supreme Court of 15 March 2019, ECLI:NL:HR:2019:376, ro4.2.2, of 28 May 2019, ECLI:NL:HR:2019:793, para 2.4.5. and of 19 July 2019, ECLI:NL:HR:2019:1278, ro 2.13.2.).
The BFT rightly argues that [appellants under 1] have not made it plausible that they have suffered mental injuries. Nor have [appellants under 1] substantiated with concrete data that despite the fact that the existence of mental injury cannot be assumed, there is still damage to their person because the nature and seriousness of the violation of norms are such. It is important for this that the decision of the disciplinary court is made anonymous and public for everyone and that only the names of [appellants sub 1] and of their company were wrongly provided to the journalist. In addition, the BFT requested the journalist not to use this personal data before the article was published and the journalist did not mention their names in the published article. The nature and seriousness of the violation of standards also do not mean that the adverse consequences for the injured party are so obvious that the person is affected. [appellants under 1] have therefore not made it plausible that passing on the non-anonymized version of the judgment and the accompanying letter of presentation led to the impairment of their person and that the consequences of the infringement affected them directly.
Claim compensation
18. The Division will reject the request for compensation.
Legal appeal
New decision on objection
19. The BFT has carried out the order of the court and made a new decision on the objection on July 16, 2020. In view of Article 6:24 of the Awb, read in conjunction with Article 6:19(1) of the Awb, this decision is deemed to be the subject of these proceedings by operation of law.
Conclusion of the appeal by operation of law
20. Because this decision is based on the appealed decision and the appealed decision is annulled by the Division, the basis of this new decision on objection has lapsed. The new decision on the objection must be quashed. The Division is not allowed to deal with the grounds advanced by [appellants under 1] against this decision.
Process costs
21. The BFT must reimburse the legal costs.
22. [appellants under 1] have requested reimbursement of the costs actually incurred in the proceedings.
22.1. The Department will not honor this request.
If special circumstances arise, it is possible to deviate from the flat-rate system on the basis of Article 2, third paragraph, of the Administrative Costs Decree. This is possible in an exceptional case in which strict application of the flat-rate compensation system would prove unjust, for example in a case in which the public has been forced to incur exceptionally high costs for collecting the necessary factual material due to the lack of information provided by the government. In the opinion of the Division, this is not the case in this case. The correspondence that has taken place with the BFT and the Dutch Data Protection Authority was not excessive. The fact that, according to the appeal, the BFT wrongly declared the objection inadmissible is not a special circumstance within the meaning of Article 2(3) of the Decree. [appellants under 1] have not demonstrated that the BFT deliberately acted negligently. They have also not made it plausible that the BFT's conduct and decision-making forced them to call in legal aid that involved an exceptional use of time.
Decision
The Administrative Jurisdiction Division of the Council of State:
I. declares the cross-appeal of the Financial Supervision Office to be well founded;
II. declares the appeal of [appellant 1A] and [appellant 1B] well-founded;
III. annuls the judgment of the MiddenNederland District Court of 23 June 2020 in case no. 19/5568 and 20/1027;
IV. declares the appeal of [appellant 1A] and [appellant 1B] against the decision on the objection of 28 January 2020 unfounded;
V. annuls the decision on the objection of 16 July 2020;
VI. rejects the claim for compensation;
VII. orders the Financial Supervision Office to reimburse legal costs incurred by [appellant under 1A] and [appellant under 1B] in connection with the handling of the appeal up to an amount of € 1,518.00, attributable entirely to professionally granted by a third party; legal counsel;
VIII. determines that the Financial Supervision Office will reimburse the court fee paid by [appellant 1A] and [appellant 1B] for the handling of the appeal in the amount of € 532.00.
Adopted by mr. A.W.M. Bijloos, chairman, and mr. C.M. Wissels and mr. J.M.L. Niederer, members, in the presence of Mr. S.C. van Tuyll van Serooskerken, clerk of the court.
The chairman is unable to sign the decision.
The clerk is unable to sign the decision.
Pronounced in public on February 2, 2022
APPENDIX
GDPR
Article 4
Definitions
For the purposes of this Regulation:
1) 'personal data' means any information relating to an identified or identifiable natural person ('the data subject'); an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more elements specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person;
Article 15
Right of access of the data subject
1. The data subject has the right to obtain confirmation from the controller as to whether or not personal data concerning him/her is processed and, where that is the case, to obtain access to those personal data and to the following information:
a) the processing purposes;
b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d) if possible, the period for which the personal data are expected to be stored, or if that is not possible, the criteria for determining that period;
e) that the data subject has the right to request from the controller that personal data be rectified or erased, or that the processing of personal data concerning him/her be restricted, as well as the right to object to such processing;
f) that the data subject has the right to lodge a complaint with a supervisory authority;
g) where the personal data are not collected from the data subject, any available information about the source of that data;
(h) the existence of automated decision-making, including the profiling referred to in Article 22(1) and (4), and, at least in those cases, useful information about the underlying logic, as well as the importance and expected impact of such processing on the person concerned.
2. When personal data is transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards in accordance with Article 46 on the transfer.
3. The controller shall provide the data subject with a copy of the personal data being processed. If the data subject requests additional copies, the controller may charge a reasonable fee based on the administrative costs. Where the data subject submits his request electronically, and does not request a different arrangement, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not affect the rights and freedoms of others.
Article 16
Right to rectification
The data subject has the right to obtain from the controller the rectification of incorrect personal data concerning him/her without undue delay. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by providing a supplementary statement.
Article 17
Right to erasure ("right to be forgotten")
1. The data subject shall have the right to obtain from the controller without undue delay the erasure of personal data concerning him or her and the controller shall be required to erase personal data without undue delay where one of the following applies:
a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based pursuant to Article 6(1)(a) or Article 9(2)(a), and there is no other legal basis for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
d) the personal data has been unlawfully processed;
e) the personal data must be erased in order to comply with a legal obligation imposed on the controller under Union or Member State law;
f) the personal data were collected in connection with an offer of information society services as referred to in Article 8(1).
2. Where the controller has made the personal data public and is required to erase the personal data in accordance with paragraph 1, it shall take reasonable steps, taking into account available technology and implementation costs, including technical measures, to inform controllers processing the personal data. inform the data subject that the data subject has requested the data controllers to delete any link to, or copy or reproduction of, such personal data.
3. Paragraphs 1 and 2 do not apply to the extent that processing is necessary:
a) for exercising the right to freedom of expression and information;
(b) for compliance with a legal processing obligation, laid down in Union or Member State law, to which the controller is subject, or for the performance of a task carried out in the public interest or for the exercise of official authority conferred on the controller;
(c) for reasons of public interest in the field of public health in accordance with Article 9(2)(h) and (i) and Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical research or statistical purposes in accordance with Article 89(1), to the extent that the right referred to in paragraph 1 threatens to make the achievement of the purposes of such processing impossible or seriously impairs the achievement of the purposes of such processing. threatens to compromise;
e) for the establishment, exercise or defense of legal claims.
Article 18
Right to restriction of processing
1. The data subject has the right to obtain from the controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests that their use be restricted instead;
c) the controller no longer needs the personal data for the processing purposes, but the data subject needs them for the establishment, exercise or defense of legal claims;
d) the data subject has objected to the processing in accordance with Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
2. Where processing is restricted pursuant to paragraph 1, personal data, with the exception of their storage, shall only be processed with the consent of the data subject or for the establishment, exercise or defense of legal claims or to protect the rights of another natural or legal person or for important reasons of public interest for the Union or for a Member State.
3. A data subject who has obtained a restriction of processing in accordance with paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
Article 19
Notification obligation regarding rectification or erasure of personal data or restriction of processing
The controller shall notify any recipient to whom personal data has been disclosed of any rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17(1) and 18, unless this proves impossible or involves a disproportionate effort. The controller shall provide the data subject with information about these recipients if the data subject requests it.
Article 20
Right to data portability
1. The data subject has the right to obtain the personal data concerning him/her, which he has provided to a controller, in a structured, commonly used and machine-readable form and has the right to transfer those data to another controller without being hindered by the controller to whom the personal data was provided, if:
a) the processing is based on consent pursuant to Article 6(1)(a) or 9(2)(a) or on a contract pursuant to Article 6(1)(b); and
b) the processing is carried out by automated means.
2. In exercising their right to data portability under paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 shall not affect the rights and freedoms of others.
Article 21
Right to object
1. The data subject has the right to object at any time, on grounds relating to his particular situation, to the processing of personal data concerning him or her on the basis of Article 6(1)(e) or (f) of Article 6(1) 1, including profiling based on those provisions. The controller shall cease processing the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or which are related to the establishment, exercise or defense of legal claims.
2. Where personal data is processed for the purpose of direct marketing, the data subject has the right to object at any time to the processing of personal data concerning him/her for such marketing, including profiling related to direct marketing.
3. If the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
4. The right referred to in paragraphs 1 and 2 shall be expressly brought to the attention of the data subject at the latest at the time of the first contact with the data subject and displayed clearly and separately from any other information.
5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
6. Where personal data are processed for scientific or historical research or statistical purposes in accordance with Article 89(1), the data subject shall have the right to object to the processing of personal data concerning him or her on grounds relating to his particular situation, unless the processing is necessary for the performance of a task carried out in the public interest.
Article 22
Automated individual decision making, including profiling
1. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or which otherwise significantly affects him or her.
2. Paragraph 1 does not apply if the decision:
a) is necessary for the conclusion or performance of a contract between the data subject and a controller;
(b) is permitted by a provision of Union or Member State law to which the controller is subject and which also provides for appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
c) is based on the explicit consent of the data subject.
3. In the cases referred to in points (a) and (c) of paragraph 2, the controller shall take appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention by the controller, the right to state its position and the right to challenge the decision.
4. The decisions referred to in paragraph 2 shall not be based on the special categories of personal data referred to in Article 9(1), unless Article 9(2)(a) or (g) applies and there are appropriate measures to protect the legitimate interests of the data subject are affected.
Article 82
1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for damage caused by processing in breach of this Regulation. A processor shall only be liable for damage caused by processing where the processing has not complied with the obligations of this Regulation specifically addressed to processors or has acted outside or contrary to the lawful instructions of the controller.
3. A controller or processor shall be released from liability under paragraph 2 if it proves that it is in no way responsible for the event giving rise to the damage.
4. Where several controllers or processors are involved in the same processing, and are responsible in accordance with paragraphs 2 and 3 for damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure that the data subject is effectively compensated .
5. Where a controller or processor has fully compensated for the damage in accordance with paragraph 4, that controller or processor may recover from other controllers or processors involved in the processing the part of the compensation corresponding to their share of the liability for the damage , in accordance with the conditions set out in paragraph 2.
6. Legal proceedings for the exercise of the right to compensation shall be conducted before the courts with jurisdiction under Member State law referred to in Article 79(2).
UAVG
Article 34
A written decision on a request as referred to in Articles 15 to 22 of the Regulation shall be taken within the time limits referred to in Article 12(3) of the Regulation and, insofar as it has been taken by an administrative authority, shall be regarded as a decision within the meaning of the General Administrative Law Act.
Civil Code
Article 6:106
For loss that does not consist in financial loss, the injured party is entitled to compensation to be determined in fairness:
a. […];
b. if the injured party has suffered physical injury, his honor or reputation has been damaged or his person has been damaged in any other way;
c. †
