Raad van State - ECLI:NL:RVS:2023:4155
| Raad van State - ECLI:NL:RVS:2023:4155 | |
|---|---|
 | |
| Court: | Raad van State (Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 2(1) GDPR |
| Decided: | 08.11.2023 |
| Published: | 08.11.2023 |
| Parties: | Ministry of Finance |
| National Case Number/Name: | ECLI:NL:RVS:2023:4155 |
| European Case Law Identifier: | ECLI:NL:RVS:2023:4155 |
| Appeal from: | |
| Appeal to: | |
| Original Language(s): | Dutch |
| Original Source: | de Rechtspraak (in Dutch) |
| Initial Contributor: | n/a |
The Netherlands’ highest administrative court ruled that the data processing activities of the Fiscal Intelligence and Investigation Services (FIOD) were excluded from the material scope of the GDPR under Article 2(1)(d) GDPR. While the body is under the administration of the Ministry of Finance, it is tasked with preventing criminal offences, and thus Article 2(1)(d) GDPR was applicable to them regardless.
English Summary
Facts
On 15 June 2019, the data subject made an access request under Article 15 GDPR to the Dutch Fiscal Intelligence and Investigation Service (FIOD). The FIOD is a government agency in the Netherlands responsible for investigating financial crimes, and is under the administration of the Ministry of Finance. On 7 August 2019, the FIOD responded to the data subject, stating that no personal data which the GDPR applied to was being processed by them. Instead, the data subject’s data was processed under the Police Data Act, which offered no equivalent right of access as under the GDPR. The data subject challenged the FIOD’s response at a District Court. In a judgment dated 22 November 2022, the District Court dismissed the data subject’s claims on the grounds that the FIOD’s activity’s fell under Article 2(1)(d) GDPR. This Article provides that the GDPR does not apply to the processing of personal data ‘by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.’ Consequently, the data subject had no right of access as the GDPR did not apply to the FIOD’s processing activities. The data subject appealed the District Court’s decision to the Council of State (Raad van State), the Netherlands’ highest administrative court. On 11 October 2023, the Council of State heard the data subject’s appeal. In the appeal, the data subject submitted that the District Court had erred in its reading of Article 2(1)(d) GDPR and should not have interpreted the Article as applying to the FIOD, as the FIOD was under the administration of the Ministry of Finance and was not a police body. As a result, the data subject argued that their data held by the FIOD fell under the GDPR’s material scope, and thus, they had a right of access to the data.
Holding
The Council of State held that the District Court had correctly interpreted the scope of Article 2(1)(d) GDPR, as a result they were correct to dismiss the data subject’s claims. The Council of State held that the processing activities of the FIOD fell under Article 2(1)(d) GDPR, regardless of whether it is under the administration of the Ministry of Finance. The determining factor of whether a ‘competent authority’ falls under the scope of Article 2(1)(d) GDPR is its purpose. In this case, the FIOD is tasked with preventing criminal offences and thus its purpose is to maintain the rule of law. Consequently, their processing activities fell under Article 2(1)(d) GDPR and so, this excluded the application of the GDPR from the FIOD’s processing activities.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
