Rb. Amsterdam - AWB - 20 1863 - AMS 20/1863

From GDPRhub
Revision as of 13:37, 15 December 2022 by Nur-khmeydan (talk | contribs) (Created page with "{{COURTdecisionBOX |Jurisdiction=Netherlands |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Rb. Amsterdam |Court_Original_Name=Rechtbank Amsterdam |Court_Eng...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Rb. Amsterdam - AWB - 20 _ 1863 - AMS 20/1863
Courts logo1.png
Court: Rb. Amsterdam (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 4 GDPR
Article 4(2) GDPR
Article 12 GDPR
Article 15(1) GDPR
Article 15(3) GDPR
Decided: 27.07.2022
Published: 02.12.2022
Parties: The Board of Mayor and Aldermen of the Municipality of Amsterdam, Education, Youth and Care
National Case Number/Name: AWB - 20 _ 1863 - AMS 20/1863
European Case Law Identifier: ECLI:NL:RBAMS:2022:4217
Appeal from:
Appeal to: Not appealed
Original Language(s): Dutch
Original Source: de Rechtspraak (in Dutch)
Initial Contributor: nur-khmeydan

Amsterdam District Court held that data subjects must be specific in their requests when invoking their right to inspect their personal data. No infringements were found by the court in this case.

English Summary

Facts

The data subject is an undocumented immigrant that stayed in a shelter since 2015, The National Immigration Facilities (LVV) took over management of the facility in 2019. The data subject invoked his right to inspect all his personal data processed, including internal emails and messages regarding the data subject, by the authorities pursuant to Article 12 and 15 paragraph 1 GDPR. The contested decision (by the data controller) was the provision of a general overview of the personal data processed, three partially anonymized copies of documents, and the documents containing multiple factual and appreciative data about the characteristics and behaviors of the undocumented person.

Holding

First, the court acknowledged that the right to inspection only covers personal data pursuant to Article 4 GDPR. Second, the court found that art 15 paragraph 3 GDPR does not impose an obligation on administrative bodies to provide a copy of documents containing personal data. Instead, administrative bodies may do so but they can also choose the form in which the copy is provided as long as the method chosen fulfills the conditions in Article 15 paragraph 3 GDPR. Third, the court recognized the existence of exceptions, the authorities are not obliged to include the legal reasoning behind their decisions or the personal thoughts of employees as these were intended for internal consultation. The court has also found that the data subject had not sufficiently specified his GDPR request, and the general nature of his request would have placed a disproportionate burden on the data controller. The data controller made a request to the data subject under recital 63 GDPR to specify what personal data the subject wishes to receive, but the subject failed to respond to the request. In conclusion, the court has found the data subject’s appeal to be unfounded and no fine or order for a reimbursement of court fees was put in place. The data controller has complied with the GDPR request put forth by the data subject by providing a general overview of the data processed and three partially anonymized copies of data processed.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details. 

Authority
Court of Amsterdam
Date statement
27-07-2022
Date publication
02-12-2022
Case number
AWB - 20 _ 1863
Jurisdictions
Administrative law
Special characteristics
First instance - single
Content indication
request has not been sufficiently specified by the claimant. For that reason, in this case the defendant could suffice with a general overview of the processed personal data of the plaintiff and three (partially anonymised) copies. Appeal unfounded.

Locations
Rechtspraak.nl
Enriched pronunciation
Share pronunciation
Pronunciation
COURT OF AMSTERDAM
Administrative law

case number: AMS 20/1863

judgment of the single judge of 27 July 2022 in the case between
[plaintiff], in Amsterdam, plaintiff
(Agent: mr. L.A. Fischer),

and

The Board of Mayor and Aldermen of the Municipality of Amsterdam, Education, Youth and Care, defendant

(Agent: mr. D. Ahmed and [Agent] ).

Process flow
With the decision of 6 September 2019 (the primary decision), the defendant has taken a decision at the request of the claimant on the basis of Articles 12 and 15, first paragraph, of the General Data Protection Regulation ().

With the decision of 18 February 2020 (the contested decision), the defendant declared the claimant's objection well-founded for the part in which his request for personal data was not handled correctly and completely and declared unfounded for the part in which the claimant requested data that were not within the scope of the traps.

The plaintiff appealed against the contested decision.

Defendant has filed a statement of defence.

The hearing, joined to the cases AMS 20/1847, AMS 20/1857 and AMS 20/1862, took place on 18 July 2022. The parties were represented by their authorized representatives. After the hearing, things split again.

Considerations
Court fee exemption

1. The claimant has applied to the court for an exemption from court fees due to inability to pay. The court grants the request for exemption from the court fee because the plaintiff has made it plausible that he meets the conditions. This means that the claimant does not have to pay a court fee.

What preceded this procedure

2.1.
Plaintiff is a non-admitted foreign national residing in the reception center in Amsterdam. Since 1 October 2015, the defendant has been offering shelter on the basis of an extra-statutory favorable policy. Since 1 July 2019, the reception falls under the National Facility for Foreign Nationals (LVV). On July 25, 2019, the plaintiff requested the defendant to allow him access to his personal data processed at the defendant. In so far as relevant, the claimant has included the following in its request:

“(…) You process personal data of the client. I ask you to indicate which data it concerns; what is the purpose of the use; to whom you may provide the data; what appropriate safeguards for transfer you have in place if you have transferred this data to another country or to an international organisation; the origin of the data, if this is known and how long the data is expected to be stored.

I request you to provide a copy of the personal data processed by you. I also expressly request copies of e-mails, (telephone) reports and messenger messages relating to my client. I request you to inspect the data that you process yourself as well as the data that has been processed by you or your employees at third-party processors (including, for example, services such as Microsoft [Office 365, Exchange], Facebook [Whatsapp, Messenger], Telegram, Signal, etc.). This request pertains to all services, departments, subcontractors and authorized representatives that fall under your authority.

I invoke Articles 12 and 15, first paragraph, of the General Data Protection Regulation (). (…)”.

2.2.
With an e-mail dated August 2, 2019, the defendant requested the claimant to further specify his request in writing. Plaintiff has not responded to this.

2.3.
With the primary decision, the defendant has taken a decision at the plaintiff's request pursuant to Articles 12 and 15(1) of the .

2.4.
With the contested decision, the defendant declared the claimant's objection well-founded for the part in which his request for personal data was not handled correctly and completely and declared it unfounded for the part in which the claimant requested data that do not fall within the scope of the . In the contested decision, the defendant provided a general overview of the personal data processed by the plaintiff and additionally provided three (partially anonymised) copies of documents that appear in almost every file of undocumented migrants admitted to the Amsterdam Undocumented Persons Program and which, after a short period of time, and costly quest have been found. According to the defendant, these documents also contain several factual and appreciative data about the characteristics or behavior of the undocumented migrants. According to the defendant, these data are not sufficiently suitable for inclusion in the overview, so that the contested decision includes a (partly anonymised) copy of the Investigation report and advice field table, the Outcome field table and the Overview Hospitus.

Plaintiff's position

3.1.
The claimant takes the position that the basic principle of the right of inspection is that the claimant must be enabled to verify which of his data are being processed and whether that processing takes place in a manner that is lawful and proper in his regard. The defendant processed the plaintiff's data with, among other things, the purpose of

assess whether he is eligible for reception, which guidance scenario

is appropriate, in which reception location the reception must be provided and the route

to monitor. For that purpose, the defendant has factual data and conduct of the plaintiff

rated. According to the claimant, these assessments are also personal data within the meaning of the

, which do not lend themselves to inclusion in an overview. According to the claimant, the defendant also acknowledges this, because the reports of consultations at which the claimant was discussed are also sent. According to the claimant, access to the personal data that have been processed in this case means access to the internal correspondence of the defendant. After all, those e-mails and documents record which assessments were made in the decision whether or not the claimant

to provide shelter. This includes, for example, what the applicant's guidance scenario is and on the basis of which personal data and valuations of that personal data that scenario was chosen. These documents show on the basis of which personal characteristics and their assessments the choice was made for one reception location and not the other. To substantiate his position, the claimant has referred to the judgment of the Court of Justice of the European Union (CJEU) of 20 December 2017, ECLI:EU:C:2017:994, the judgment of the Court of Appeal of The Hague of 17 September 2019, ECLI:NL:GHDHA:2019:2398, and the judgment of the Noord-Holland District Court of 23 May 2019, ECLI:NL:RBNHO:2019:4283.

3.2.
According to the claimant, under Article 4(2) of the 'processing' also includes retrieving data and forwarding or otherwise sharing data. For this reason, the claimant must be able to check which data has been shared about him and with whom. The client therefore does indeed give the right to an overview in an understandable form of who has been in contact with at what time about the client and which of his data has been shared. If the defendant has shared assessments and valuations about the plaintiff, or otherwise personal data that do not lend themselves to inclusion in an overview, the most appropriate way to grant access is to grant access to the (e-mail) correspondences about the plaintiff. In this way, the claimant can check which of his data has been shared and with whom, and he can check whether there was a basis for this under the , that is, whether the sharing of that data was lawful in that situation. The overview provided and a list of organizations with which data has been exchanged is not sufficient for this.

3.3.1.
According to the claimant, the defendant also wrongly limits the right of inspection, because looking up all internal and external (e-mail) correspondence would cost a disproportionate amount of time and financial resources. However, it obliges controllers to process personal data in a transparent manner. The Respondent cannot therefore limit the right of inspection on the grounds that personal data have been processed (in the past) in a way that currently makes it difficult to trace that processing.

3.3.2.
Insofar as the defendant indicates that it cannot be easily ascertained which

data has been processed because the request for access is too broad and unspecified

would be, the plaintiff argues that it has become sufficiently clear in the objection that the request for inspection relates to the shelter offered to the plaintiff by the defendant. Because the defendant provides an overview of when care was provided, an overview of the data that has been processed and an overview of organizations with which data has been shared, it appears that it is clear to the defendant what the request for access pertains to. The size of the request is not in question here. The request for access is specified in time and subject. The request is therefore sufficiently specified.

Defendant's position

4. The defendant takes the position that in this case an overview will suffice, because the right of inspection does not extend so far that it can reasonably be demanded that – given the circumstances of this case – all processed personal data be collected according to content. This is too costly a quest. In that context, a general overview containing the categories of personal data will suffice. This also meets the claimant's request to gain more insight into the (work) process of the reception of undocumented migrants. Insofar as the data are not suitable for inclusion in an overview – unlike in the primary decision – three appendices have been provided with the contested decision.

Assessment framework

5.1.
For the legal framework used, the court refers to the appendix that is attached to this judgment and forms part of it.

5.2.
The right of access is limited to personal data. Article 4 of the defines what personal data is. This concerns all information about an identified or identifiable natural person. Examples include a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The ECJ and the Supreme Court have given a broad interpretation to the concept of personal data. The concept of personal data potentially extends to any kind of information, both objective and subjective information in the form of opinions or assessments, as long as that information concerns the data subject. This is the case if the information is associated with a natural person because of its content, purpose or consequence.1

5.3.
You have the right to a complete overview, in an understandable form, of all personal data. That is to say in a form that enables the data subject to take note of his data and to check whether they are correct and have been processed in accordance with the . The Division has ruled that the obligation to provide a 'copy of the personal data' pursuant to Article 15(3) of the does not mean that an administrative authority is obliged to provide a copy of the documents containing that personal data. An administrative body may do so, but it may also opt for another form in which the copy of the personal data is provided, provided that the chosen method of provision meets the purpose of Article 15, paragraph 3, of the . The concrete material form in which the data must be provided therefore depends on the concrete circumstances. Judgments of the Supreme Court show that, insofar as documents contain data that go beyond name and address data, such as factual and appreciative data about characteristics or behavior of natural persons, these data are not suitable for inclusion in an overview. In principle, a data subject is therefore entitled to a (possibly partially blacked out) copy of the documents containing that data in order to provide information that is as complete and clear as possible, on the basis of which the lawfulness and correctness of the data can be checked.2

5.4.
There are, however, a number of exceptions to this principle. According to settled case law, the right of inspection does not extend, for example, to internal notes containing the personal thoughts of employees of the controller and which are exclusively intended for internal consultation and deliberation.3 In its judgment of 17 July 2014, the ECJ also ruled that legal analyzes based on personal data as such are not qualified as personal data.4

The verdict of the court

6. The dispute is whether the defendant has complied with the plaintiff's request, in which he has requested access to the personal data processed by the defendant.

7. The court is of the opinion that the defendant in the present case has complied with the request made by the plaintiff by providing a general overview of the processed personal data and three (partially anonymised) copies to the plaintiff. The court considers this as follows.

8.1.
The court considers that plaintiff's request is formulated in general terms and is therefore fairly broad in scope. The defendant has therefore – in accordance with recital 63 of the – requested a specification of the personal data that the plaintiff wishes to receive. Plaintiff did not respond to defendant's request for specification, which was made with an e-mail dated 2 August 2019, which was also acknowledged by plaintiff at the hearing, with the reason that this e-mail must have been received but not seen by him. Subsequently, at the hearing in the objection – as far as the court has been able to determine in the hearing report – the plaintiff only specified that he did not wish to inspect the case files, including legal considerations of the municipality's house lawyer in previous court cases.

8.2.
In view of the foregoing, the court is of the opinion that the plaintiff has insufficiently specified his request and that this means that for the defendant, who as controller processes a large amount of data, the search for and provision of personal data in, for example, e-mail messages is disproportionately would take a lot of time and financial resources. The court also takes into account that the plaintiff has submitted a considerable number of identical requests to the defendant. Insofar as the plaintiff acknowledged at the hearing that he had briefly specified his request, but stated that he simply could not specify this further because he did not know which personal data were processed by the defendant and by whom this was done, the court does not follow this statement . The claimant could have further specified his objection request, for example on the basis of the overview of his personal data that the defendant had provided with the primary decision. Such a specification, which the defendant also indicated at the hearing, could also have been made in time, for example. Since the plaintiff has not done so, in this case the defendant could suffice with a general overview of the processed personal data of the plaintiff and three (partially anonymised) copies.

9. Needless to say, the court considers that the defendant stated at the hearing that much information relating to the LVV is arranged decentrally and that the personal data are therefore processed and stored in a fairly fragmented manner. The defendant also pointed out that this is partly due to the fact that there is an extra-statutory favorable policy. The court advises the defendant that if an identical request is made in more detail by a data subject, a labour-intensive search by the defendant cannot be ruled out in advance due to decentralized processing and storage.

Conclusion

10. The appeal is unfounded. This means that the plaintiff is not right.

11. There is no reason for an order to pay the costs of the proceedings or reimbursement of the court fee.

Decision
The court declares the appeal unfounded.

This statement was made by Mr. F.P. Lauwaars, Judge, in the presence of L.H.J. van Haarlem, clerk. The decision was publicly announced on July 27, 2022.

clerk

judge

Copy sent to parties on:

Remedy
An appeal against this judgment may be lodged with the Administrative Jurisdiction Division of the Council of State within six weeks of the day it was sent.

If an appeal has been lodged, an application may be made to the provisional relief judge of the appellate court for provisional relief.

Annex: Legal framework

Article 4 of the stipulates the following:

“1) “personal data” means any information relating to an identified or identifiable natural person (“the data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a

online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; (…)” .

Article 12, first paragraph, of the stipulates the following:

“The controller shall take appropriate measures to ensure that the data subject receives the information referred to in Articles 13 and 14 and the communication referred to in Articles 15 to 22 and Article 34 in relation to the processing in a concise, transparent, intelligible and easily accessible form and in clear and plain language, especially when the information is specifically intended for a child. The information shall be provided in writing or by other means, including, where appropriate, electronic means. If requested by the data subject, the information may be communicated orally, provided that the identity of the data subject is proven by other means.

Article 15, first paragraph, of the stipulates the following:

“1. The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, to obtain access to those personal data and to the following information:

a. a) the processing purposes;

b) the categories of personal data concerned;

c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

d) if possible, the period for which the personal data are expected to be stored, or if that is not possible, the criteria for determining that period;

e) that the data subject has the right to request from the controller that personal data be rectified or erased, or that the processing of personal data concerning him or her be restricted, as well as the right to object to such processing;

f) that the data subject has the right to lodge a complaint with a supervisory authority;

g) where the personal data is not collected from the data subject, all available information about the source of that data;

(h) the existence of automated decision-making, including profiling referred to in Article 22(1) and (4), and, at least in those cases, useful information about the underlying logic, as well as the importance and expected consequences of that processing for the data subject.”
Retrieved from "https://gdprhub.eu/index.php?title=Rb._Amsterdam_-_AWB_-_20_1863_-_AMS_20/1863&oldid=29990"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki