Rb. Amsterdam - AWB 21/3724
|Rb. Amsterdam - AWB 21/3724|
|Court:||Rb. Amsterdam (Netherlands)|
|Relevant Law:||Article 15 GDPR|
Article 57(1)(f) GDPR
|National Case Number/Name:||AWB 21/3724|
|European Case Law Identifier:||ECLI:NL:RBAMS:2022:349|
|Original Source:||Rechtspraak.nl (in Dutch)|
|Initial Contributor:||Giel Ritzen|
The District Court of Amsterdam upheld the Dutch DPA’s decision not to handle a data subject’s complaint regarding an access request based on the low societal relevance of the complaint and limited resources.
English Summary[edit | edit source]
Facts[edit | edit source]
On 20 December 2018, the data requested access to his personal data from his previous employer, the Minister of Finance. On 5 February 2019, he filed a complaint with the Dutch DPA (Autoriteit Persoonsgegevens) to take enforcement action against the Minister, because the Minister did not timely and fully comply with his access request. At the same time, he filed administrative appeal against the Minister’s failure to make a timely decision, and brought the issue before Court. On 9 April 2019, the Court acknowledged his claim and ordered the Minister to comply with the access request, which the Minister did on 1 May 2019.
On 8 January 2021, the DPA rejected the data subject’s complaint for enforcement against the Minister, for two reasons. First, because the Court had already ruled that the decision had not been made within due time, the DPA would not have to rule anymore whether or not the decision had been made timely. Second, regarding the question whether or not the request had been fully complied with, the DPA considered that this would require further investigation. However, the alleged infringement was not considered to be harmful enough, according to the DPA’s own "Policy Rules on Prioritising AP Complaints Investigation", and therefore did not handle the complaint.
According to the data subject, the Court’s judgement proves that the Minister violated the GDPR and the DPA therefore had to take enforcement action. Hence, he appealed to the DPA’s rejection of his complaint, before Court and claimed that the DPA should issue a fine against the Minister. Moreover, he requested to be compensated for immaterial damages.
Holding[edit | edit source]
The District Court Amsterdam rejected the claim.
First, it considered that the DPA has limited resources and receives tens of thousands complaints every year. Hence, the DPA has to consider which complaints they handle, and which complaints have a higher priority to be dealt with. The Court found that it follows from Article 57(1)(f) GDPR that the DPA has this margin to decide whether or not a complaint must be dealt with. The Court also acknowledged the DPA’s argument that this case was not that important in terms of societal impact. The Court therefore rejected the data subject’s claim.
Comment[edit | edit source]
It is unclear if this judgement is in line with EU law principles, as it in effect leads to data subjects not being able to enforce their rights under Article 77 GDPR in the Netherlands, if the DPA deems the case not to be relevant. The right to access or data protection is an individual right and does not require a larger impact as a precondition. To the contrary: usually an access request by definition only concerns an individual data subject. There is however, Dutch jurisprudence on the collective dimension of the right of access. See https://hestialabs.org/en/blog/editorial/uber-trial-amsterdam/
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
COURT OF AMSTERDAM Administrative law case number: AMS 21/3724 judgment of the single chamber of 2 February 2022 in the case between [claimant] , in Diemen, claimant, and Dutch Data Protection Authority, defendant (Agent: E. Nijhof and O.S. Nijnenveld). The following took part in the proceedings as a third party: the Minister of Finance, (Agent: mr. drs. I.A. Huppertz). Process sequence With a decision of January 8, 2021 (the primary decision), the respondent rejected the claimant's request of February 6, 2019 to the respondent to take enforcement action against the Minister of Finance (hereinafter: the Minister). With a decision of 3 June 2021 (the contested decision), the defendant declared the objection of the plaintiff unfounded. The applicant appealed against the contested decision. Defendant has filed a statement of defence. The case was heard at the hearing on January 6, 2022. Plaintiff appeared. Defendant was represented by his attorneys. The minister was represented by his authorized representative. Considerations What preceded this procedure 1. On 20 December 2018, the claimant submitted a request for access to his personal data to the minister, the claimant's ex-employer. 2. On February 5, 2019, the claimant filed a complaint with the respondent, whereby the claimant requests the respondent to take corrective measures against the minister. According to the claimant, the minister has not complied with his request for access in time and in full, as a result of which the General Data Protection Regulation (GDPR) has been violated. 3. The claimant has also appealed against the failure to make a timely decision on his request for inspection to the minister on the basis of the AVG. The court upheld the appeal on 9 April 2019, instructed the minister to make a decision on the plaintiff's request within two weeks and determined that the minister forfeits to the plaintiff a penalty of €100 for each day with which he exceeds the term. exceeds two weeks. 4. On 1 May 2019, the minister still made a decision on the claimant's request. 5. The defendant assessed the plaintiff's complaint as a request to take enforcement action against the minister. Defendant divided the complaint into two parts of the complaint. The first part of the complaint relates to the minister's failure to respond in time to the request for inspection. The second part of the complaint relates to the minister's failure to respond fully to the request for inspection. In the primary decision – upheld with the contested decision – the defendant rejected the request for maintenance with regard to both parts of the complaint. The first part of the complaint was rejected by the defendant, because a judge has already ruled on the underlying issue. Moreover, it appears that the minister made a decision on the request for inspection on 1 May 2019. The respondent does not consider it appropriate to go through a parallel administrative procedure, as it were, in addition to the existing legal protection that is available against administrative decision-making, via the route of further investigation in response to a GDPR complaint. With regard to the second part of the complaint, according to the respondent, it is not possible on the basis of the present information for the respondent to determine whether a violation of the GDPR or related laws and regulations has occurred. According to the defendant, this requires further investigation. In order to be able to determine whether the complaint qualifies for further investigation, the respondent first tested against the “Policy rules for prioritization of complaints investigation AP” (hereinafter: prioritization criteria). This considers how harmful the alleged violation is for the person concerned, what the scope of the broader social significance is of any action by the defendant and the extent to which the defendant is able to act effectively and efficiently. According to the defendant, the complaint does not meet the prioritization criteria. Plaintiff's position 6. Plaintiff argues – in summary – that in its judgment of 9 April 2019 the District Court has already ruled in favor of Plaintiff and has ruled that there has been a violation of the GDPR. According to the claimant, the defendant is bound by the fact that a violation of the GDPR has been established through judicial review. The defendant should therefore have taken appropriate measures against the minister, according to the plaintiff. The Plaintiff further argues that the Defendant must further investigate the information provided by the Minister in the context of the request for inspection and that the Defendant, in accordance with the law, still imposes a fine if the Defendant is found to have committed a violation. Finally, the plaintiff requests non-material damages. The court's verdict 7. The court finds that the defendant has discretion to decide whether or not to take enforcement action. The respondent explained at the hearing that it receives tens of thousands of complaints every year and that it has limited capacity. The defendant is often unable to investigate complaints extensively, or not in all respects, and must make choices in this regard. In doing so, the defendant makes use of prioritization criteria. The court considers that the defendant has this scope on the basis of Article 57, first paragraph, under f, of the GDPR, which stipulates that the content of the complaint will be investigated to the extent that this is appropriate. At the hearing, the defendant further explained that it is not considered expedient in this case to take further steps. According to the defendant, the social impact is among other things considered, which is not estimated highly in this case, since it concerns a specific response to a specific request for access. This follows the court. Moreover, on the basis of the results of the desk investigation, including the minister's response, the defendant was unable to establish whether the inspection had been granted in full. The court therefore rules that the defendant – after checking against the prioritization criteria – did not conduct any further investigation on good grounds and that it refrained from taking enforcement action. 8. The court also notes the following. At the hearing it emerged that part of the data had not (yet) been provided, because it should have been varnished and in that case the claimant would have received more than he would have been entitled to under the GDPR. According to the minister, the claimant could have viewed this data via P-direkt. After his suspension, however, the claimant was no longer able to log in to P-direkt. According to the minister, the claimant could have gained access to P-direkt through personnel affairs or his (former) manager to view the data. The court finds that this kind of formal approach to administrative bodies leads to unnecessary procedures. The court advises the minister to deal with this in a practical way and to provide the documents (lacquered) after all. 9. The appeal is unfounded. There is no reason for an order to pay the costs of the proceedings and reimbursement of the court fee. 10. The request for non-material compensation is rejected. Decision The court dismissed the appeal. This decision was made by mr. R. van de Water, judge, in the presence of mr. I.N. van Soest, clerk. The decision was made public on February 2, 2022. clerk judge Copy sent to parties on: Remedy An appeal can be lodged against this decision with the Administrative Jurisdiction Division of the Council of State within six weeks of the date on which it was sent.