Raad van State - ECLI:NL:RVS:2023:4155: Difference between revisions

Revision as of 14:23, 14 November 2023

Raad van State - ECLI:NL:RVS:2023:4155

Court:	Raad van State (Netherlands)
Jurisdiction:	Netherlands
Relevant Law:	Article 2(1) GDPR
Decided:	08.11.2023
Published:	08.11.2023
Parties:	Ministry of Finance
National Case Number/Name:	ECLI:NL:RVS:2023:4155
European Case Law Identifier:	ECLI:NL:RVS:2023:4155
Appeal from:
Appeal to:
Original Language(s):	Dutch
Original Source:	de Rechtspraak (in Dutch)
Initial Contributor:	n/a

The Netherlands’ highest administrative court, the Council of State, ruled that the data processing activities of the Fiscal Intelligence and Investigation Services (FIOD) were excluded from the material scope of the GDPR under Article 2(1)(d) GDPR.

English Summary

Facts

On 15 June 2019, the data subject made an access request under Article 15 GDPR to the Dutch Fiscal Intelligence and Investigation Service (FIOD). The FIOD is a government agency in the Netherlands responsible for investigating financial crimes, and is under the administration of the Ministry of Finance.

On 7 August 2019, the FIOD responded to the data subject, stating that no personal data which the GDPR applied to was being processed by them. Instead, the data subject’s data was processed under the Police Data Act, which offered no equivalent right of access as under the GDPR. The data subject challenged the FIOD’s response at a District Court.

In a judgment dated 22 November 2022, the District Court dismissed the data subject’s claims on the grounds that the FIOD’s activity’s fell under Article 2(1)(d) GDPR. This Article provides that the GDPR does not apply to the processing of personal data ‘by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.’ Consequently, the data subject had no right of access as the GDPR did not apply to the FIOD’s processing activities.

The data subject appealed the District Court’s decision to the Council of State (Raad van State), the Netherlands’ highest administrative court.

On 11 October 2023, the Council of State heard the data subject’s appeal. In the appeal, the data subject submitted that the District Court had erred in its reading of Article 2(1)(d) GDPR and should not have interpreted the Article as applying to the FIOD, as the FIOD was under the administration of the Ministry of Finance and was not a police body. As a result, the data subject argued that their data held by the FIOD fell under the GDPR’s material scope, and thus, they had a right of access to the data.

Holding

The Council of State held that the District Court had correctly interpreted the scope of Article 2(1)(d) GDPR, as a result they were correct to dismiss the data subject’s claims.

The Council of State held that the processing activities of the FIOD fell under Article 2(1)(d) GDPR, regardless of whether it is under the administration of the Ministry of Finance. The determining factor of whether a ‘competent authority’ falls under the scope of Article 2(1)(d) GDPR is its purpose. In this case, the FIOD is tasked with preventing criminal offences and thus its purpose is to maintain the rule of law. Consequently, their processing activities fell under Article 2(1)(d) GDPR and so, this excluded the application of the GDPR from the FIOD’s processing activities.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

@@ Line 62: / Line 62: @@
 }}
-The Netherlands’ highest administrative court ruled that the data processing activities of the Fiscal Intelligence and Investigation Services (FIOD) were excluded from the material scope of the GDPR under [[Article 2 GDPR#1d|Article 2(1)(d) GDPR]]. While the body is under the administration of the Ministry of Finance, it is tasked with preventing criminal offences, and thus [[Article 2 GDPR#1d|Article 2(1)(d) GDPR]] was applicable to them regardless.
+The Netherlands’ highest administrative court, the Council of State, ruled that the data processing activities of the Fiscal Intelligence and Investigation Services (FIOD) were excluded from the material scope of the GDPR under [[Article 2 GDPR#1d|Article 2(1)(d) GDPR]].
 == English Summary ==
@@ Line 68: / Line 68: @@
 === Facts ===
 On 15 June 2019, the data subject made an access request under [[Article 15 GDPR|Article 15 GDPR]] to the Dutch Fiscal Intelligence and Investigation Service (FIOD). The FIOD is a government agency in the Netherlands responsible for investigating financial crimes, and is under the administration of the Ministry of Finance.
 On 7 August 2019, the FIOD responded to the data subject, stating that no personal data which the GDPR applied to was being processed by them. Instead, the data subject’s data was processed under the Police Data Act, which offered no equivalent right of access as under the GDPR. The data subject challenged the FIOD’s response at a District Court.
 In a judgment dated 22 November 2022, the District Court dismissed the data subject’s claims on the grounds that the FIOD’s activity’s fell under [[Article 2 GDPR#1d|Article 2(1)(d) GDPR]]. This Article provides that the GDPR does not apply to the processing of personal data ‘by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.’ Consequently, the data subject had no right of access as the GDPR did not apply to the FIOD’s processing activities.
 The data subject appealed the District Court’s decision to the Council of State (Raad van State), the Netherlands’ highest administrative court.
 On 11 October 2023, the Council of State heard the data subject’s appeal. In the appeal, the data subject submitted that the District Court had erred in its reading of [[Article 2 GDPR#1d|Article 2(1)(d) GDPR]] and should not have interpreted the Article as applying to the FIOD, as the FIOD was under the administration of the Ministry of Finance and was not a police body. As a result, the data subject argued that their data held by the FIOD fell under the GDPR’s material scope, and thus, they had a right of access to the data.
 === Holding ===
 The Council of State held that the District Court had correctly interpreted the scope of [[Article 2 GDPR#1d|Article 2(1)(d) GDPR]], as a result they were correct to dismiss the data subject’s claims.
-The Council of State held that the processing activities of the FIOD fell under [[Article 2 GDPR#1d|Article 2(1)(d) GDPR]], regardless of whether it is under the administration of the Ministry of Finance. The determining factor of whether a ‘competent authority’ falls under the scope of [[Article 2 GDPR#1d|Article 2(1)(d) GDPR]] is its purpose. In this case, the FIOD is tasked with preventing criminal offences and thus its purpose is to maintain the rule of law. Consequently, their processing activities fell under [[Article 2 GDPR#1d|Article 2(1)(d) GDPR]] and so, this excluded the application of the GDPR from the FIOD’s processing activities.
+The Council of State held that the processing activities of the FIOD fell under [[Article 2 GDPR#1d|Article 2(1)(d) GDPR]], regardless of whether it is under the administration of the Ministry of Finance. The determining factor of whether a ‘''competent authority''’ falls under the scope of [[Article 2 GDPR#1d|Article 2(1)(d) GDPR]] is its purpose. In this case, the FIOD is tasked with preventing criminal offences and thus its purpose is to maintain the rule of law. Consequently, their processing activities fell under [[Article 2 GDPR#1d|Article 2(1)(d) GDPR]] and so, this excluded the application of the GDPR from the FIOD’s processing activities.
 == Comment ==