Rb. Amsterdam - AMS 22/5458

From GDPRhub
Rb. Amsterdam - AMS 22/5458
Courts logo1.png
Court: Rb. Amsterdam (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 12(2) GDPR
Article 83(2) GDPR
Article 83(5) GDPR
5:46(2) GALA
Art 12(2) AVG
Art 7 BPA
Art 7 ECHR
Art 83 AVG
Decided: 10.08.2023
Published: 17.08.2023
Parties: Dutch DPA
DPG
National Case Number/Name: AMS 22/5458
European Case Law Identifier: ECLI:NL:RBAMS:2023:5074
Appeal from:
Appeal to: Not appealed
Original Language(s): Dutch
Original Source: de Rechtspraak (in Dutch)
Initial Contributor: n/a

The Amsterdam's District Court interpreted the meaning of the duty to 'facilitate' under Article 12(2) GDPR. It held that, in the specific case, requesting an ID to process erasure requests was a disproportionate and invasive means of verifying a data subject's identity, because the policy did not differentiate between requests concerning sensitive and non-sensitive data, and requested ID verification for all types of requests.

English Summary

Facts

The Dutch Data Protection Authority, the defendant in this case, received multiple complaints regarding DPG's (a magazine publisher) practice of requesting ID verification for data erasure requests. DPG clarified that ID verification was solely for erasure requests made outside of its online platform. The defendant subsequently levied a €525,000 fine on the data controller due to a violation of Article 12(2) GDPR. The DPA found that requesting ID verification to facilitate an erasure request was disproportionate, and contrary to the obligation of facilitating the exercise of the right to access and deletion.

DPG appealed the DPA's decision, and argued that the DPA's interpretation of Article 12(2) GDPR was wrong. They submitted that their privacy policy outlined their obligation to identify data subjects before facilitating erasure requests, and allowed that parts of the ID, such as the citizen service number and photo, might be hidden. Moreover, DPG argued that imposing the fine contradicted the principle of legal certainty (lex certa), and that the amount was contrary to the principle of proportionality.

Holding

The Court deliberated whether DPG adequately facilitated the exercise of GDPR rights for the purposes of Article 12(2) GDPR. This provision obliges controllers to "facilitate the exercise of data subject rights under Articles 15 to 22."

The Court interpreted "facilitation" in the context of Article 12(2) GDPR, in connection with Recitals 59 to 64 GDPR, concluding that data controllers must provide an accessible system for the exercise of data subjects' rights without introducing unnecessary obstacles.

Firstly, though DPG was obligated to validate the identity for data erasure requests, their rigid procedure required an ID copy for every request, irrespective of the data involved. This approach was disproportionate because it did not differentiate between requests concerning sensitive and non-sensitive data, and requested ID verification for all types of requests. The Court found that this policy imposed unwarranted obstacles on data subjects, and noted that the provision of ID provided more personal information than was necessary for identification.

Secondly, in response to DPG's argument concerning their privacy policy, the Court noted that this still amounted to a violation of Article 12(2) GDPR. While DPG's privacy policy noted that parts of the ID, such as the citizen service number and photo, might be hidden, this was not directly communicated to data subjects when DPG requested the ID for verification. As a result, the Court determined that DPG was in violation of Article 12(2) of the GDPR.

Finally, DPG’s submission based on the lex certa principle was dismissed. This principle calls for precise legislative clarity. The Court posited that while legislation might sometimes retain vagueness to capture unforeseeable offences, in this instance, the GDPR’s stipulations were sufficiently clear. DPG should have understood that its inflexible policy in violation with the principles of proportionality, subsidiarity, and data minimization.

The Court recognised the defendant's authority under Article 83(5) GDPR to impose fines for violations. However, the defendant's immediate decision to levy a fine on DPG was questioned. The Court noted that DPG attempted to ensure data subject identification in its policy. The Court came to the conclusion that DPG's breach was not grievous. In reaching this conclusion, the Court took into account the GDPR's recent implementation, DPG's forward-thinking policy modifications, and the lack of previous complaints made against DPG. Considering these elements, the Court dismissed the fine.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

COURT OF AMSTERDAM
Administrative law

Case number: AMS 22/5458

judgment of the three-judge chamber of 10 August 2023 in the case between
DPG Media B.V., established in Amsterdam, plaintiff (DPG)
(agents: [name 1] and [name 2] ),

and

Dutch Data Protection Authority, defendant
(Agents: [name 3] and [name 4] ).

Process flow
By decision of 14 January 2022 (the primary decision), the defendant imposed a fine of € 525,000 on DPG for violation of Article 12, second paragraph, of the General Data Protection Regulation (GDPR).1

By decision of 4 October 2022 (the contested decision), the defendant declared DPG's objection against that decision to be unfounded.

DPG has lodged an appeal. Defendant has filed a statement of defence.

The hearing took place on 29 June 2023. DPG is represented by its authorized representatives, mr. van der Velde (lawyer), mr. van Breda (head of legal affairs at DPG), mr. Heerink (lawyer at DPG). The defendant was represented by its agents.

Considerations
Background

1. DPG is - among other things - a publisher of magazines, magazines and books. On 1 October 2021, DPG acquired Sanoma Media Netherlands B.V. (Sanoma) acquired. These proceedings mainly relate to the period in which Sanoma was still independent, before the takeover by DPG. The court will refer to “DPG” hereinafter, even if it concerned Sanoma at the time.

2. DPG processes personal data, such as the name, address and residence details of customers who, for example, have taken out a subscription for one of the magazines that DPG publishes. In that context, DPG may also have access to financial data, such as a bank account number.

3. On 29 January 2019, DPG received a request from the defendant for information about the policy it applied at that time with regard to requests for access and/or deletion of personal data, requesting a copy of proof of identity. The reason for this was five complaints that the defendant had received in the period from September 2018 to January 2019.

4. On 18 February 2019, DPG provided a written explanation. Subsequently, on 3 July 2019, the defendant requested DPG to respond to the individual complaints. DPG responded to the complaints on 17 July 2019.

5. On October 7, 2021, the defendant sent DPG the 'Investigation report on requesting a copy of ID for access or deletion requests from DPG Media Magazines B.V., formerly Sanoma Media Netherlands B.V.' dated September 29, 2021. In that report, the defendant concluded that DPG, with its policy and its active propagation, hindered the right of access and erasure and thus created unnecessary barriers to the use of these rights. For this reason, according to the defendant, there is a violation of Article 12, second paragraph, of the AVG in the period from May 2018 to June 18, 2021.

6. In a letter dated 7 October 2021, the defendant sent an enforcement intention to DPG, giving it the opportunity to submit a point of view. On November 16, 2021, DPG submitted an opinion, after which the defendant took the primary decision on January 14, 2022.

Defendant decision making

7. In the primary decision, upheld in the contested decision, the defendant imposed an administrative fine of € 525,000 on DPG. The defendant bases this on the fact that DPG has violated Article 12(2) of the GDPR. The violation consists of DPG requesting those involved who outside DPG's online login environment, namely via the online contact form, by e-mail or by letter, to exercise their right to inspect or erase their personal data, by default and in advance. asked to confirm their identity with a copy of their ID. DPG made this request without assessing in advance whether the applicant in question could be identified in a different, less drastic way. According to the defendant, with this working method DPG has not facilitated the exercise of the right of access and erasure according to the standards of Article 12, second paragraph, of the AVG. The defendant has seen no reason to deviate from the basic fine.

Position DPG

8. In short, DPG argues that the defendant wrongly concluded that DPG's working method constitutes a violation of article 12, second paragraph, of the AVG, because the defendant misinterprets the standard of the article. DPG's policy also left room for customization, which was also put into practice. Examples of this can be found in the research report. DPG further argues that the imposition of the fine is contrary to the lex certa principle. Finally, DPG argues that the imposition and amount of the administrative fine is contrary to the principle of proportionality.

Review by the court

9. In this case, the court assesses whether the defendant was allowed to impose the fine. The court does this on the basis of DPG's grounds for appeal.

Article 12, second paragraph, of the GDPR

10. The court states first and foremost that the fine imposed by the defendant specifically relates to the policy with regard to requests for access to or deletion of personal data that were made outside DPG's login environment. It is common ground between the parties that the vast majority of requests for inspection or deletion were made within the login environment. The Respondent has no comments regarding the handling of those requests. The question at issue in these proceedings is whether or not the respondent has rightly taken the position that DPG, with its policy regarding requests made outside the login environment, sufficiently facilitated the exercise of the rights of data subjects in the meaning of Article 12, second paragraph, of the GDPR. To this end, the court will first discuss what DPG's policy entailed on this point and what the term 'facilitation' means within the meaning of Article 12, second paragraph, of the GDPR.

11.1.
At the time, DPG's policy with regard to requests outside the login environment consisted of - in short - requesting a copy of the proof of identity with every request as standard and in advance. This is apparent from, among other things, the privacy statement at the time, which is included in the case file. When receiving a request to inspect or delete personal data, DPG always asked for a copy of proof of identity. If the request was submitted via the online form, this was done automatically. If the request was made by e-mail, an e-mail was sent back by DPG with a request to provide a copy of an ID. A request was only processed after a copy of an identity document had been provided. The privacy statement and the working method were on the website of DPG and DPG confirmed in the letter of 17 July 2019 that it used this working method. The privacy statement also stated that a protected copy, where the citizen service number and photo were made unrecognizable, could be provided and this was also sufficient. DPG did not yet explicitly mention this possibility in cases where it asked an applicant to send a copy of the proof of identity after the applicant had not sent a copy with the contact form.

11.2.
For the interpretation of the term 'facilitation' in Article 12, paragraph 2, of the AVG, the court seeks a connection with the preamble of the AVG, in particular recitals 59 to 64. Partly against this background, the court reads the regulation as follows that 'facilitating' means that a controller must provide for an arrangement that makes it possible to exercise the rights under the GDPR, such as the right of access and erasure, on the understanding that there must be no unnecessary obstacles to regarding the exercise of these rights. The defendant has rightly pointed out that an additional obligation applies that the controller checks the identity of the person requesting access. The controller must take all reasonable measures to this end. This may be a hindrance, but it should not be unnecessary. The principles of proportionality, subsidiarity and data minimization will have to be taken into account when making and implementing the regulations.

12. The court therefore concludes that there is an area of tension with regard to 'facilitating' the right of inspection and the obligation to identify. After all, under the GDPR, DPG is obliged to provide applicants with access to their processed personal data, whereby no unnecessary obstacles may be raised, but at the same time DPG is obliged to identify applicants in order to prevent personal data from being provided to the wrong person ( data breach), which can have an obstructive effect. It is not possible to draw a rigid line, applicable in all cases, in advance between what is and is not permitted in this respect when fulfilling the identification obligation and what must be considered unnecessarily restrictive and what is not. At this point, as considered above, the principles of proportionality, subsidiarity and data minimization play a role. This depends, among other things, on which personal data an organization processes. It is undisputed between the parties - and the court also assumes this - that more sensitive data must be guaranteed with more security measures.

13. Against this background, the court considers the following with regard to DPG's policy with regard to requests for inspection or deletion outside the login environment.

14. The court shares DPG's position that a copy of an identity document is not in itself an unreasonable means of identifying a person. This has also been confirmed by the Administrative Jurisdiction Division of the Council of State (the Division).2 However, in the cases referred to here, DPG always asked for a copy of the identity document and did not process a request until a copy was provided. . This while - as discussed at the hearing - not all cases involved (highly) sensitive personal data of DPG's customers and it was in any case also possible in some cases to identify personal data in a different, less drastic way. applicants by providing a copy of proof of identity (such as identification by e-mail, which was later introduced as standard procedure). It must be assumed that the proof of identity to be provided often also contained more personal data than necessary to identify the applicant, such as a citizen service number, a photo and a document number. This is not in line with the principle of data minimization. Although the privacy statement stated that the citizen service number and the photo could be shielded, DPG did not mention this possibility if it requested a copy of an identity document.

15. In the opinion of the court, DPG's policy therefore offered insufficient scope to meet the requirements of proportionality and subsidiarity. In the opinion of the court, DPG applied too rigid a procedure for identifying applicants, which in any case created an unnecessary obstacle for some of the applications in advance. It turned out that in practice there was more scope if applicants, after making the request, complained that they had to provide a copy of their proof of identity. In the opinion of the court, however, that is too late. DPG could and should have designed its process in such a way that there was more room at an earlier stage to take into account all relevant circumstances, including the nature of the request and the information requested. For example, in the case of a simple request to no longer receive advertising material, the requirement of a (shielded) copy of an identity document as a condition for processing that request will usually be disproportionate and subsidiary. The procedure must be flexible enough to make it easier to deal with such a request.

16
The court therefore concludes that DPG's policy is not in accordance with the provisions of Article 12, second paragraph, of the GDPR.

17. The court does not follow the plaintiff's appeal to the lex certa principle. According to settled case law of the Division, the lex certa principle, which is included in Article 7 of the ECHR, requires the legislature to describe the prohibited conduct as clearly as possible with a view to legal certainty.3 In doing so, it must be It should not be forgotten that the legislator sometimes describes prohibited behavior with a certain vagueness, consisting of the use of general terms, in order to prevent behavior that is punishable from falling outside the scope of that description. This vagueness can be unavoidable, because it is not always possible to foresee how the interests to be protected will be violated in the future and because, if this can be foreseen, the descriptions of prohibited conduct will otherwise be too refined, with the result that the clarity disappears and thus harms the importance of the general clarity of legislation.

18. In this case, the court is of the opinion that there is no conflict with this principle. The legislator of the GDPR had to keep the text sufficiently general to make it usable for all controllers and processors. Although the standard of Article 12(2) of the GDPR is open, the standard is not so unclear that it conflicts with the lex certa principle. It should have been clear to DPG that the policy in this rigid form could not meet the requirements of proportionality, subsidiarity and data minimization.

The means and amount of the fine

19. Pursuant to Article 83, paragraph 5, of the AVG, the defendant is authorized to impose a fine in the event of an infringement of Article 12 of the AVG. Pursuant to the Penalty Policy Rules of the Dutch Data Protection Authority (Penalty Policy Rules), the violation of Article 12, second paragraph, of the GDPR falls under Category III. The basic Category III fine is € 525,000.4 When imposing a fine, the defendant must take a number of factors into account. These factors are listed in Article 83, second paragraph, of the GDPR and Article 7 of the Fining Policy Rules.

20. According to settled case law of the Division5, when applying the power to impose a fine, an administrative authority must adjust the amount of the fine to the seriousness of the violation and the extent to which it can be attributed to the offender. The circumstances under which the offense was committed must be taken into account. This is regulated in Section 5:46(2) of the General Administrative Law Act. The defendant has established policy rules in which the fines for the violations are laid down. Even if the court has not found the policy to be unreasonable, the defendant must, when applying it in an individual case, assess whether that application is in accordance with the aforementioned statutory requirements for the exercise of the power to impose a fine. With regard to the fine, if necessary in addition to or in deviation from the policy, it must always be determined that it is proportionate. The court reviews the decision without reservation.

21. The court is of the opinion that the defendant in this case should not have simply imposed the fine. In the opinion of the court, the defendant failed to take into account the following circumstances sufficiently.

22. The purpose of the GDPR is to protect personal data. The identification obligation also serves this purpose. When drawing up the policy, DPG has given substance to this identification obligation, to ensure that the person making a request is the data subject within the meaning of the GDPR. In doing so, it did not treat its obligations as a controller lightly, but only made an incorrect assessment of the required balance between data protection and the facilitation of other rights from the GDPR. There can be no question of serious culpable conduct in this respect. Moreover, as stated in consideration 14, a copy of an identity document is, according to the Division, in itself a good means of identifying someone.

23. In addition, the GDPR had only recently entered into force in the period in question, namely on 25 May 2018. The Respondent then informed by e-mail of

contacted DPG for the first time on 29 January 2019, to which DPG responded on 18 February 2019. After February 18, 2019, DPG then heard nothing for some time, after which the defendant asked it on July 3, 2019 to respond specifically to the five complaints that the defendant had received. After DPG complied with this request on July 17, 2019, DPG only heard up

October 21, 2021 only from the defendant again, when he sent the draft report. The court considers that the defendant could have started the discussion at an earlier stage and, at the very least, could have made the suggestion to adjust the policy. This is all the more pressing now that DGP had already explicitly raised the question in its letter of February 18, 2019 whether it could continue its policy in this way, while the defendant, certainly in the period immediately after the entry into force of the GDPR, also played an informative role on acted as a supervisory authority. In the first response of 18 February 2019, DPG had already provided such openness about its policy that the defendant could have established at that time that, in its opinion, the policy was in conflict with the provisions of Article 12 of the GDPR . All this means that the long-term nature of the violation referred to by the defendant cannot be invoked against DPG. In addition, the court also notes that DPG had already changed the policy of its own accord when the draft report was published. From 17 December 2020, DPG no longer asked for a copy of the proof of identity as standard and in advance. Although the privacy statement only changed in October 2021, the court is of the opinion that the change on December 17, 2020 meant that a copy of the identity document was no longer requested as standard and in advance.

24. Finally, the court considers it important that DPG's policy received a much wider range of requests than the part covered by the present decision. As already considered, it appears from the file and the proceedings at the hearing that in the vast majority of cases, namely if a data subject requests inspection or deletion of personal data within the login environment, there is no question of a violation of Article 12, second paragraph, of the AVG used to be. In this case, it concerns a relatively limited number of requests. Moreover, the Respondent has not established in how many of those cases the policy actually led to an unnecessary obstacle in practice, because asking for a copy of the proof of identification was actually not necessary, and in how many cases DPG had good reasons to do so. In the opinion of the court, against the background of all the foregoing, it cannot be established that there has been more than a minor infringement of the GDPR.

25. When imposing the fine, the defendant paid insufficient attention to the aforementioned circumstances. The court is of the opinion that, in view of all these circumstances, the defendant should not have imposed a fine. Perhaps the circumstances could give cause to impose an alternative measure as referred to in Article 58, second paragraph, of the GDPR, but the court has left this in the middle. It is up to the defendant to determine whether there is any reason to do so.

Conclusion
26. In view of what has been considered about the plea and the amount of the fine, the court will declare the appeal well-founded. The court annuls the contested decision and revokes the primary decision insofar as the fine has been imposed therein. The court determines that this judgment replaces the decisions to that extent.

27. Because the court declares the appeal well-founded, the court rules that the defendant will reimburse DPG for the court fee it paid in the amount of €365.

28. The court orders the defendant to pay the legal costs incurred by DPG. Pursuant to the Administrative Law Procedural Costs Decree, the court sets these costs at € 1,674 for professional legal assistance provided by a third party (1 point for submitting the notice of appeal, 1 point for appearing at the hearing, with a value per point of €837 and a weighting factor of 1).

Decision
The court:

-
declares the appeal well-founded;

-
quash the contested decision insofar as a fine has been imposed and revokes the primary decision insofar as a fine has been imposed;

-
determines that this ruling supersedes;

-
instructs the defendant to reimburse the paid court fee of € 365 to DPG;

-
orders the defendant to pay the costs of the plaintiff in the amount of Rs

€1,674.

This statement was made by mr. S.D. Arnold, chairman, and mr. M.F. Ferdinand and

Mr. A.K. Glerum, members, in the presence of K.M. Nannan Panday, clerk.

The decision was publicly announced on August 10, 2023.

clerk

chair

is unable to sign the statement

Copy sent to parties on:

Remedy
An appeal against this judgment may be lodged with the Administrative Jurisdiction Division of the Council of State within six weeks of the day it was sent.

If an appeal has been lodged, an application can be made to the provisional relief judge of the appellate court for provisional relief.