Rb. Amsterdam - AWB - 20 1863 - AMS 20/1863
|Rb. Amsterdam - AWB - 20 _ 1863 - AMS 20/1863|
|Court:||Rb. Amsterdam (Netherlands)|
|Relevant Law:||Article 4 GDPR|
Article 4(2) GDPR
Article 12 GDPR
Article 15(1) GDPR
Article 15(3) GDPR
|Parties:||The Board of Mayor and Aldermen of the Municipality of Amsterdam, Education, Youth and Care|
|National Case Number/Name:||AWB - 20 _ 1863 - AMS 20/1863|
|European Case Law Identifier:||ECLI:NL:RBAMS:2022:4217|
|Appeal to:||Not appealed|
|Original Source:||de Rechtspraak (in Dutch)|
The Amsterdam District Court held that the municipality had sufficiently answered an access request for all the data subject's personal data, by providing a general overview and three partially anonymised documents. The controller processed large amounts of data and initially asked the data subject to specify his request, to which the data subject did not reply.
English Summary[edit | edit source]
Facts[edit | edit source]
The data subject was an undocumented immigrant who lived in a shelter. He invoked his right to access and requested a copy of all his personal data processed by the municipality (controller), including internal emails and messages regarding the data subject (Articles 12 and 15(1) GDPR). He also requested access to personal data which was processed by the controller's employees using certain services, for example Microsoft (Office 365 and Exchange), Facebook (Whatsapp, Messenger), Telegram and Signal. His goal was to get insight in how the controller was monitoring and assessing him, to determine, among other things, which shelter should be offered to him.
The controller asked the data subject to specify his access request, to which the latter did not reply (more precisely, the data subject stated that he was not able to specify his request any further because he did not know the specifics of the processing). The controller answered the request by providing a general overview of the personal data processed and three partially anonymized copies of documents. Being not satisfied with the controller's response, the data subject filed an action before the competent court. During the procedure, the court also revealed that the data subject had already send multiple similar access requests to the same controller in the past.
Holding[edit | edit source]
The court concluded that the controller's answer to the access request was sufficient.
The court found that the data subject had not sufficiently specified his access request. The general nature of his request would have placed a disproportionate burden on the controller, considering the large amount of personal data processed, which would result in disproportionate amount of time and financial resources spent by the controller to search for the requested personal data. The court also considered here that the data subject had already filed multiple similar requests in the past.
Also, the controller had asked the data subject to specify his request (recital 63), but the he had failed to respond. The data subject's argument regarding not being able to specify his request was rejected by the court. The court determined that he could have specified his on multiple occasions, after the controller had provided the general overview. The data subject could also have asked for a specification of the timeframe of the processing.
Therefore, the controller's reply to the request was sufficient and the data subject’s appeal was unfounded. The court did not fine the controller and no reimbursement of court fees was put in place.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Authority Court of Amsterdam Date statement 27-07-2022 Date publication 02-12-2022 Case number AWB - 20 _ 1863 Jurisdictions Administrative law Special characteristics First instance - single Content indication request has not been sufficiently specified by the claimant. For that reason, in this case the defendant could suffice with a general overview of the processed personal data of the plaintiff and three (partially anonymised) copies. Appeal unfounded. Locations Rechtspraak.nl Enriched pronunciation Share pronunciation Pronunciation COURT OF AMSTERDAM Administrative law case number: AMS 20/1863 judgment of the single judge of 27 July 2022 in the case between [plaintiff], in Amsterdam, plaintiff (Agent: mr. L.A. Fischer), and The Board of Mayor and Aldermen of the Municipality of Amsterdam, Education, Youth and Care, defendant (Agent: mr. D. Ahmed and [Agent] ). Process flow With the decision of 6 September 2019 (the primary decision), the defendant has taken a decision at the request of the claimant on the basis of Articles 12 and 15, first paragraph, of the General Data Protection Regulation (). With the decision of 18 February 2020 (the contested decision), the defendant declared the claimant's objection well-founded for the part in which his request for personal data was not handled correctly and completely and declared unfounded for the part in which the claimant requested data that were not within the scope of the traps. The plaintiff appealed against the contested decision. Defendant has filed a statement of defence. The hearing, joined to the cases AMS 20/1847, AMS 20/1857 and AMS 20/1862, took place on 18 July 2022. The parties were represented by their authorized representatives. After the hearing, things split again. Considerations Court fee exemption 1. The claimant has applied to the court for an exemption from court fees due to inability to pay. The court grants the request for exemption from the court fee because the plaintiff has made it plausible that he meets the conditions. This means that the claimant does not have to pay a court fee. What preceded this procedure 2.1. Plaintiff is a non-admitted foreign national residing in the reception center in Amsterdam. Since 1 October 2015, the defendant has been offering shelter on the basis of an extra-statutory favorable policy. Since 1 July 2019, the reception falls under the National Facility for Foreign Nationals (LVV). On July 25, 2019, the plaintiff requested the defendant to allow him access to his personal data processed at the defendant. In so far as relevant, the claimant has included the following in its request: “(…) You process personal data of the client. I ask you to indicate which data it concerns; what is the purpose of the use; to whom you may provide the data; what appropriate safeguards for transfer you have in place if you have transferred this data to another country or to an international organisation; the origin of the data, if this is known and how long the data is expected to be stored. I request you to provide a copy of the personal data processed by you. I also expressly request copies of e-mails, (telephone) reports and messenger messages relating to my client. I request you to inspect the data that you process yourself as well as the data that has been processed by you or your employees at third-party processors (including, for example, services such as Microsoft [Office 365, Exchange], Facebook [Whatsapp, Messenger], Telegram, Signal, etc.). This request pertains to all services, departments, subcontractors and authorized representatives that fall under your authority. I invoke Articles 12 and 15, first paragraph, of the General Data Protection Regulation (). (…)”. 2.2. With an e-mail dated August 2, 2019, the defendant requested the claimant to further specify his request in writing. Plaintiff has not responded to this. 2.3. With the primary decision, the defendant has taken a decision at the plaintiff's request pursuant to Articles 12 and 15(1) of the . 2.4. With the contested decision, the defendant declared the claimant's objection well-founded for the part in which his request for personal data was not handled correctly and completely and declared it unfounded for the part in which the claimant requested data that do not fall within the scope of the . In the contested decision, the defendant provided a general overview of the personal data processed by the plaintiff and additionally provided three (partially anonymised) copies of documents that appear in almost every file of undocumented migrants admitted to the Amsterdam Undocumented Persons Program and which, after a short period of time, and costly quest have been found. According to the defendant, these documents also contain several factual and appreciative data about the characteristics or behavior of the undocumented migrants. According to the defendant, these data are not sufficiently suitable for inclusion in the overview, so that the contested decision includes a (partly anonymised) copy of the Investigation report and advice field table, the Outcome field table and the Overview Hospitus. Plaintiff's position 3.1. The claimant takes the position that the basic principle of the right of inspection is that the claimant must be enabled to verify which of his data are being processed and whether that processing takes place in a manner that is lawful and proper in his regard. The defendant processed the plaintiff's data with, among other things, the purpose of assess whether he is eligible for reception, which guidance scenario is appropriate, in which reception location the reception must be provided and the route to monitor. For that purpose, the defendant has factual data and conduct of the plaintiff rated. According to the claimant, these assessments are also personal data within the meaning of the , which do not lend themselves to inclusion in an overview. According to the claimant, the defendant also acknowledges this, because the reports of consultations at which the claimant was discussed are also sent. According to the claimant, access to the personal data that have been processed in this case means access to the internal correspondence of the defendant. After all, those e-mails and documents record which assessments were made in the decision whether or not the claimant to provide shelter. This includes, for example, what the applicant's guidance scenario is and on the basis of which personal data and valuations of that personal data that scenario was chosen. These documents show on the basis of which personal characteristics and their assessments the choice was made for one reception location and not the other. To substantiate his position, the claimant has referred to the judgment of the Court of Justice of the European Union (CJEU) of 20 December 2017, ECLI:EU:C:2017:994, the judgment of the Court of Appeal of The Hague of 17 September 2019, ECLI:NL:GHDHA:2019:2398, and the judgment of the Noord-Holland District Court of 23 May 2019, ECLI:NL:RBNHO:2019:4283. 3.2. According to the claimant, under Article 4(2) of the 'processing' also includes retrieving data and forwarding or otherwise sharing data. For this reason, the claimant must be able to check which data has been shared about him and with whom. The client therefore does indeed give the right to an overview in an understandable form of who has been in contact with at what time about the client and which of his data has been shared. If the defendant has shared assessments and valuations about the plaintiff, or otherwise personal data that do not lend themselves to inclusion in an overview, the most appropriate way to grant access is to grant access to the (e-mail) correspondences about the plaintiff. In this way, the claimant can check which of his data has been shared and with whom, and he can check whether there was a basis for this under the , that is, whether the sharing of that data was lawful in that situation. The overview provided and a list of organizations with which data has been exchanged is not sufficient for this. 3.3.1. According to the claimant, the defendant also wrongly limits the right of inspection, because looking up all internal and external (e-mail) correspondence would cost a disproportionate amount of time and financial resources. However, it obliges controllers to process personal data in a transparent manner. The Respondent cannot therefore limit the right of inspection on the grounds that personal data have been processed (in the past) in a way that currently makes it difficult to trace that processing. 3.3.2. Insofar as the defendant indicates that it cannot be easily ascertained which data has been processed because the request for access is too broad and unspecified would be, the plaintiff argues that it has become sufficiently clear in the objection that the request for inspection relates to the shelter offered to the plaintiff by the defendant. Because the defendant provides an overview of when care was provided, an overview of the data that has been processed and an overview of organizations with which data has been shared, it appears that it is clear to the defendant what the request for access pertains to. The size of the request is not in question here. The request for access is specified in time and subject. The request is therefore sufficiently specified. Defendant's position 4. The defendant takes the position that in this case an overview will suffice, because the right of inspection does not extend so far that it can reasonably be demanded that – given the circumstances of this case – all processed personal data be collected according to content. This is too costly a quest. In that context, a general overview containing the categories of personal data will suffice. This also meets the claimant's request to gain more insight into the (work) process of the reception of undocumented migrants. Insofar as the data are not suitable for inclusion in an overview – unlike in the primary decision – three appendices have been provided with the contested decision. Assessment framework 5.1. For the legal framework used, the court refers to the appendix that is attached to this judgment and forms part of it. 5.2. The right of access is limited to personal data. Article 4 of the defines what personal data is. This concerns all information about an identified or identifiable natural person. Examples include a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The ECJ and the Supreme Court have given a broad interpretation to the concept of personal data. The concept of personal data potentially extends to any kind of information, both objective and subjective information in the form of opinions or assessments, as long as that information concerns the data subject. This is the case if the information is associated with a natural person because of its content, purpose or consequence.1 5.3. You have the right to a complete overview, in an understandable form, of all personal data. That is to say in a form that enables the data subject to take note of his data and to check whether they are correct and have been processed in accordance with the . The Division has ruled that the obligation to provide a 'copy of the personal data' pursuant to Article 15(3) of the does not mean that an administrative authority is obliged to provide a copy of the documents containing that personal data. An administrative body may do so, but it may also opt for another form in which the copy of the personal data is provided, provided that the chosen method of provision meets the purpose of Article 15, paragraph 3, of the . The concrete material form in which the data must be provided therefore depends on the concrete circumstances. Judgments of the Supreme Court show that, insofar as documents contain data that go beyond name and address data, such as factual and appreciative data about characteristics or behavior of natural persons, these data are not suitable for inclusion in an overview. In principle, a data subject is therefore entitled to a (possibly partially blacked out) copy of the documents containing that data in order to provide information that is as complete and clear as possible, on the basis of which the lawfulness and correctness of the data can be checked.2 5.4. There are, however, a number of exceptions to this principle. According to settled case law, the right of inspection does not extend, for example, to internal notes containing the personal thoughts of employees of the controller and which are exclusively intended for internal consultation and deliberation.3 In its judgment of 17 July 2014, the ECJ also ruled that legal analyzes based on personal data as such are not qualified as personal data.4 The verdict of the court 6. The dispute is whether the defendant has complied with the plaintiff's request, in which he has requested access to the personal data processed by the defendant. 7. The court is of the opinion that the defendant in the present case has complied with the request made by the plaintiff by providing a general overview of the processed personal data and three (partially anonymised) copies to the plaintiff. The court considers this as follows. 8.1. The court considers that plaintiff's request is formulated in general terms and is therefore fairly broad in scope. The defendant has therefore – in accordance with recital 63 of the – requested a specification of the personal data that the plaintiff wishes to receive. Plaintiff did not respond to defendant's request for specification, which was made with an e-mail dated 2 August 2019, which was also acknowledged by plaintiff at the hearing, with the reason that this e-mail must have been received but not seen by him. Subsequently, at the hearing in the objection – as far as the court has been able to determine in the hearing report – the plaintiff only specified that he did not wish to inspect the case files, including legal considerations of the municipality's house lawyer in previous court cases. 8.2. In view of the foregoing, the court is of the opinion that the plaintiff has insufficiently specified his request and that this means that for the defendant, who as controller processes a large amount of data, the search for and provision of personal data in, for example, e-mail messages is disproportionately would take a lot of time and financial resources. The court also takes into account that the plaintiff has submitted a considerable number of identical requests to the defendant. Insofar as the plaintiff acknowledged at the hearing that he had briefly specified his request, but stated that he simply could not specify this further because he did not know which personal data were processed by the defendant and by whom this was done, the court does not follow this statement . The claimant could have further specified his objection request, for example on the basis of the overview of his personal data that the defendant had provided with the primary decision. Such a specification, which the defendant also indicated at the hearing, could also have been made in time, for example. Since the plaintiff has not done so, in this case the defendant could suffice with a general overview of the processed personal data of the plaintiff and three (partially anonymised) copies. 9. Needless to say, the court considers that the defendant stated at the hearing that much information relating to the LVV is arranged decentrally and that the personal data are therefore processed and stored in a fairly fragmented manner. The defendant also pointed out that this is partly due to the fact that there is an extra-statutory favorable policy. The court advises the defendant that if an identical request is made in more detail by a data subject, a labour-intensive search by the defendant cannot be ruled out in advance due to decentralized processing and storage. Conclusion 10. The appeal is unfounded. This means that the plaintiff is not right. 11. There is no reason for an order to pay the costs of the proceedings or reimbursement of the court fee. Decision The court declares the appeal unfounded. This statement was made by Mr. F.P. Lauwaars, Judge, in the presence of L.H.J. van Haarlem, clerk. The decision was publicly announced on July 27, 2022. clerk judge Copy sent to parties on: Remedy An appeal against this judgment may be lodged with the Administrative Jurisdiction Division of the Council of State within six weeks of the day it was sent. If an appeal has been lodged, an application may be made to the provisional relief judge of the appellate court for provisional relief. Annex: Legal framework Article 4 of the stipulates the following: “1) “personal data” means any information relating to an identified or identifiable natural person (“the data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; (…)” . Article 12, first paragraph, of the stipulates the following: “The controller shall take appropriate measures to ensure that the data subject receives the information referred to in Articles 13 and 14 and the communication referred to in Articles 15 to 22 and Article 34 in relation to the processing in a concise, transparent, intelligible and easily accessible form and in clear and plain language, especially when the information is specifically intended for a child. The information shall be provided in writing or by other means, including, where appropriate, electronic means. If requested by the data subject, the information may be communicated orally, provided that the identity of the data subject is proven by other means. Article 15, first paragraph, of the stipulates the following: “1. The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, to obtain access to those personal data and to the following information: a. a) the processing purposes; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) if possible, the period for which the personal data are expected to be stored, or if that is not possible, the criteria for determining that period; e) that the data subject has the right to request from the controller that personal data be rectified or erased, or that the processing of personal data concerning him or her be restricted, as well as the right to object to such processing; f) that the data subject has the right to lodge a complaint with a supervisory authority; g) where the personal data is not collected from the data subject, all available information about the source of that data; (h) the existence of automated decision-making, including profiling referred to in Article 22(1) and (4), and, at least in those cases, useful information about the underlying logic, as well as the importance and expected consequences of that processing for the data subject.”