RVS - 202105980/1/A3

From GDPRhub
RVS - 202105980/1/A3
Courts logo1.png
Court: RvS (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 15 GDPR
Decided: 12.04.2023
Published: 12.04.2023
Parties: Minister van Financiën
National Case Number/Name: 202105980/1/A3
European Case Law Identifier: ECLI:NL:RVS:2023:1427
Appeal from: Rb. Amsterdam (Netherlands)
20/6874
Appeal to: Not appealed
Original Language(s): Dutch
Original Source: RvS 202105980/1/A3 (in Dutch)
Initial Contributor: Matthias Smet

The Council of State rejected an appeal by a data subject who claimed that the Ministry of Finance did not adequately respond to their access request. The Council stated, among the others, that a report mentioning possible unidentified systems does not imply the existence of secret systems kept by the tax authorities.

English Summary

Facts

On 20 April 2020, the data subject exercised his right of access and information under Article 15 GDPR by sending a request to the Minister of Finance. He was asking more specifically whether his data were processed in the fraud alert system "Fraude Signalering Voorziening" (FSV) and/or other undisclosed databases. In the affirmative, he requested a copy of such data. The Minister stated in his answer that no personal data could be found in the FVS.

The data subject considered this answer insufficient and asked the Minister to reconsider its position. He claimed that the Minister could not limit the data search to FVS alone, but also had to consult all other systems in response to his request. He didn't refer to specific system, arguing that he could not be aware about their names or even existence, some of which possibly being secret or undisclosed to the public. In this respect, he refered to a report by KPMG mentioning a possible existence of non identified systems used by the tax authorities. In addition, the data subject claimed that the Minister did not provide sufficient information regarding the search method used.

The Minister refused to give further information. As a consequence, the data subject lodged an action with the District Court of Amsterdam, which declared the appeal unfounded. He therefore appealed before the Council of State against the decision of the District Court of Amsterdam

Holding

The Council stated that the report of KMPG, which mentions possible systems that have not been identified, does not imply that it is plausible that there are other systems whose existence is kept secret by the tax authorities and the Ministry.

Next, the Council of State confirmed that in his answer to the request of access and information the Minister has provided sufficient insight into how he searched for personal data and indicated that other search methods would have led to a similar result.

For the above reasons, the Council of State declared the appeal unfounded and upheld the contested decision.

Comment

It is interesting to note that in another recent decision from the Netherlands (available here), the Court of Rotterdam decided that when the Dutch Tax Administration answers a data subject's access request, it should search beyond the general system it uses and provide specific information. The facts were quite similar : a data subject requested information under Article 15 and considered the reply of the tax administration as insufficient.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Authority
Council of State
Date statement
12-04-2023
Date publication
12-04-2023
Case number
202105980/1/A3
Jurisdictions
Administrative law
Special characteristics
Appeal
Content indication
By decision of 20 July 2020, the Minister of Finance decided on [plaintiff]'s request for access to his personal data. In a letter dated 31 March 2020, [plaintiff] requested the Tax and Customs Administration to inform him, pursuant to Article 15 of the General Data Protection Regulation, whether his personal data are being processed in the Fraud Identification Facility or other secret systems and databases. If that is the case, he wishes to inspect that data, as well as a copy thereof. In a letter dated 31 March 2020, [plaintiff] requested the Tax and Customs Administration to inform him, pursuant to Article 15 of the General Data Protection Regulation, whether his personal data are being processed in the Fraud Identification Facility or other secret systems and databases. If that is the case, he wishes to inspect that data, as well as a copy thereof. The Minister has indicated by decision of 20 July 2020 that no personal data of [plaintiff] will be processed in the FSV. The minister upheld his decision on appeal and the court declared the appeal lodged against it unfounded.

Locations
Rechtspraak.nl
Enriched pronunciation
Pronunciation
202105980/1/A3.

Judgment date: April 12, 2023

DEPARTMENT

ADMINISTRATIVE LAW

Judgment on the appeal of:

[plaintiff], residing at [place of residence],

against the judgment of the District Court of Amsterdam of 23 July 2021 in case no. 20/6874 in the proceedings between:

[appellant]

and

the Minister of Finance.

Process flow

By decision of 20 July 2020, the Minister decided on [plaintiff]'s request for access to his personal data.

By decision of 23 November 2020, the Minister declared the objection lodged against this by [plaintiff] to be unfounded.

In a judgment of 23 July 2021, the court declared the appeal lodged against this by [plaintiff] unfounded. This statement is attached.

The appellant has appealed against this decision.

The Division handled the case at the hearing of March 8, 2023, where [plaintiff], assisted by mr. R.G. Meester, lawyer in Amsterdam, and the minister, represented by mr. drs. I.A. Huppertz, have appeared.

Considerations

Introduction

1. In a letter dated 31 March 2020, [plaintiff] requested the Tax and Customs Administration to inform him, pursuant to Article 15 of the General Data Protection Regulation (hereinafter: the GDPR), whether his personal data are being processed in the Fraud Identification Facility (hereinafter: the FSV) or other secret systems and databases. If that is the case, he wishes to inspect that data, as well as a copy thereof. The Minister has indicated by decision of 20 July 2020 that no personal data of [plaintiff] will be processed in the FSV. The minister upheld his decision on appeal and the court declared the appeal lodged against it unfounded.

Appeal

2. [plaintiff] argues that his request is not only about the FSV, but about all black lists used by the Tax and Customs Administration. The minister should therefore have also searched for personal data in those other lists. [plaintiff] cannot be expected to know all lists and to know whether they are blacklists. He cannot therefore state the names of those lists or systems in his request, but the minister must include them in the investigation. According to him, the court did not recognize this.

In addition, [plaintiff] argues that the Minister has not sufficiently motivated how the FSV was searched for his personal data. The officials who handled his GDPR request do not have access to the FSV themselves and are therefore unable to provide an explanation based on their own observations. The minister must therefore submit an official statement from the person who searched the FSV. It is also hard to believe that the FSV can only be searched by surname and citizen service number (hereinafter: BSN). In a letter to the House of Representatives dated 28 April 2020 (Parliamentary Papers II, 2019/2020, 31066, no. 632), the State Secretary also indicated that various departments and local offices of the Tax and Customs Administration deal with the FSV in different ways. [plaintiff] argues that the Tax and Customs Administration itself therefore does not know how and where the system is used. The Data Protection Impact Assessment (GEB/PIA) Rijksdienst FSV shows that it is possible to make a system dump via the Excel export function, so that different search terms can be easily searched. The minister has wrongly failed to make use of it. Finally, various circumstances show that he has been included in the FSV, according to [plaintiff].

Assessment of appeal

Scope of the request

3. Article 15 of the GDPR gives someone the right to obtain information about whether or not personal data concerning them is being processed and to obtain access to that personal data. The applicant's request under this article reads as follows:

"Clients wish to exercise the aforementioned rights (read: the rights referred to in Article 15 of the AVG) vis-à-vis the Tax and Customs Administration. More specifically, clients wish to know whether the Tax and Customs Administration (in the past) (has) processed personal data in in connection with - in short - the FSV as described above, as well as any other system / database the existence of which is kept secret by the Tax and Customs Administration. If that is the case, they wish to inspect and obtain a copy of that personal data. in the case of the Tax Authorities to receive the information as referred to in Article 15, paragraph 1 a to h GDPR."

3.1. The Division agrees with the judgment of the District Court and with the considerations included under 7.3 in the judgment under appeal, on which that judgment is based. The court rightly ruled that the request is not formulated in such a broad way that every system is undeterminedly included.

3.2. During the hearing at the Department, [plaintiff] also referred to a letter from the State Secretary of Finance to the President of the House of Representatives dated 10 July 2020 about an investigation by KPMG into the FSV (Parliamentary Papers II, 2019/2020, 31 066, No. 681, p.4). It says:

"It was not possible with the information available and in the time available for KPMG to identify all applications and oversight processes similar to FSV, which may have left processes with use for risk signals out of sight."

Contrary to what [plaintiff] argues, it does not follow from this that it is plausible that there are other systems whose existence is kept secret by the Tax and Customs Administration and that the Minister should have searched for personal data in those systems.

The argument fails.

Has the minister provided sufficient insight into the search?

4. In the decision of 20 July 2020, the Minister explained the search for personal data as follows:

"With regard to your request regarding the Fraud Signaling Facility (FSV), I can inform you that personal data, such as your name and citizen service number, do not appear in this application. For the sake of completeness, I inform you that the application was cleaned on February 27, 2020. On the application was also turned off on the same day. A reserve file (backup) was then kept from the situation of February 26, 2020, so before the cleaning. The reserve file is in a secure environment for further investigation, including by the Dutch Data Protection Authority. The data in the reserve file will no longer be used. After completion of the said investigation, the data from the backup will be destroyed. When your request was processed, the reserve file was searched. Your personal data, such as your name and citizen service number, are not in the backup file."

In his statement of defense and during the court hearing, the minister explained that the FSV can only be searched by surname and citizen service number. In addition, the minister explained that the so-called 'non-visible archive' of the FSV was also searched. During the session at the Department, the Minister once again explained the search options in the FSV.

4.1. With the explanation he provided, the Minister has provided sufficient insight into how he searched for personal data. He has made it plausible that he has done everything reasonably possible to retrieve the personal data of [plaintiff]. No personal details of [plaintiff] were found in the FSV. Although it is possible to make a system dump of the FSV with the Excel export function so that a search can also be made by date of birth, company name or address, it is unlikely that the minister would find any personal data. As the minister explained during the session, all systems are linked to the BSN. There are no further concrete indications that [plaintiff] is nevertheless listed in the FSV. During the court hearing, the Minister explained that in another procedure instituted by [plaintiff] and in this GDPR procedure, the relevant employees of the Tax and Customs Administration started making inquiries internally in response to the objections expressed by [plaintiff] in both proceedings. . As a result of that inquiry, information about [plaintiff] emerged that was not yet known to those employees at that time. With this, the minister has sufficiently refuted that this information must come from the FSV, as [plaintiff] argues. The authorized representative of the minister in these proceedings, who does not have access to the FSV himself, was allowed to rely on the findings of the colleague who had access to the FSV and searched for personal data there. That behavior is not negligent. The minister was not required to submit a statement from that colleague.

The argument fails.

Conclusion

5. The appeal is unfounded. The attacked decision needs to be confirmed.

6. The minister does not have to pay any costs of proceedings.

Decision

The Administrative Jurisdiction Division of the Council of State:

confirms the challenged statement.

Thus established by mr. E. Steendijk, chairman, and mr. J.TH. Drop and Mr. C.H. Bangma, members, in the presence of mr. R.J.A. Meerman, clerk.

e.g. Steendijk

chair

e.g. Merman

clerk

Pronounced in public on April 12, 2023

960