Rb. Den Haag - AWB - 20 5680: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 54: Line 54:
}}
}}


The District Court of Den Haag held that a data subject’s right of access could be restricted by omitting the identity of third parties who reported them, because of the privacy of these third parties per Article 23(1)(i) GDPR.
The District Court of Den Haag held that a data subject’s right of access could be restricted by omitting the identity of third parties who reported them, because of the right to privacy per Article 23(1)(i) GDPR of these third parties.  


== English Summary ==
== English Summary ==

Revision as of 10:40, 12 January 2022

Rb. Den Haag - AWB - 20 _ 5680
Courts logo1.png
Court: Rb. Den Haag (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 13(1) GDPR
Article 15(1) GDPR
Article 15(4) GDPR
Article 23(1)(i) GDPR
Decided: 08.12.2021
Published: 22.12.2021
Parties: Regional Public Health Service (RDOG) Hollands Midden
National Case Number/Name: AWB - 20 _ 5680
European Case Law Identifier: ECLI:NL:RBDHA:2021:13435
Appeal from:
Appeal to: Unknown
Original Language(s): Dutch
Original Source: Rechtspraak.nl (in Dutch)
Initial Contributor: Giel Ritzen

The District Court of Den Haag held that a data subject’s right of access could be restricted by omitting the identity of third parties who reported them, because of the right to privacy per Article 23(1)(i) GDPR of these third parties.

English Summary

Facts

Controller is the managing board of the Regional Public Health Service (RDOG) Hollands Midden. Data subject is a person who was reported anonymously to the Care and Nuisance Reporting Centre of the Municipal Health Service (GGD) Hollands Midden. This Reporting Centre discussed the report in their meeting, and decided that this was not a task for them, so they closed the file. However, controller also received a notification of this report, and registered this notification in their system by mistake. Moreover, controller did not inform data subject about this notification.

After data subject became aware of the existence of the notification at the beginning of 2020, they wanted to find out who reported them. Hence, they filed an access request pursuant to Article 15 GDPR, after which they received a copy of the report that was made. However, because the report was anonymous, a passage containing personal data of the person who reported them, was omitted. Data subject wanted to know the identity of this person, so they could pursue further legal claims against this person, and brought the action before court.

Holding

The Court rejected the appeal.

First, it stated that the controller wrongfully did not inform the data subject regarding the notification, violating Article 13(1) GDPR. The controller, however, had already acknowledged this, had apologised to the data subject and adjusted the work process to avoid a similar situation in the future.

Second, the Court considered data subject’s claim to know the identity of the person who reported them. It stipulated that the GDPR is not intended for this purpose, since the purpose of the right to access is to enable the data subject to inform themselves of the processing of their personal data and to check the lawfulness thereof. According to the Court, it is not the controller’s task to enable the data subject to improve their legal claim against another entity, via the GDPR.

Moreover, the Court stated that, pursuant to Article 15(4) GDPR, the right of access cannot infringe the rights and freedoms of others, and, pursuant to Article 23(1)(i) GDPR, this right may be restricted (in brief) on account of the rights and freedoms of others. Hence, the Court found that the removal of personal data of the third parties was justified for the sake of their privacy. It even stated that the controller supplied more information than needed under the GDPR, since the mere notification that data subject’s personal data was processed, would have been sufficient.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.


                                
                            
        



    Body
    Court of The Hague
    Date of judgment
    08-12-2021

    Date of publication
    
22-12-2021

    Case number
    
AWB - 20 _ 5680

    
    Jurisdictions
    
Administrative law
    
    Special characteristics
    
First instance - single
    
    Content indication
    
proceedings on the merits, GDPR

    Locations
    
Rechtspraak.nl
    
        
        
            Enhanced pronunciation
        





    
        Share pronunciation
        
    
    
        print
        Save as PDF
        Copy link

    


        
            Pronunciation
        
        COURT OF THE HAGUEAdministrative case number: SGR 20/5680ruling of the single chamber of 8 December 2021 in the case between
      [plaintiff], at [place of residence], claimant and the executive board of the Regional Public Health Service (RDOG) Hollands Midden, defendant (agent: mr. KJJW Smedts). Plaintiff has been granted access to her personal data. By decision of 22 July 2020 (the contested decision), the defendant declared the objection of the plaintiff unfounded. Plaintiff appealed against the contested decision. Defendant filed a statement of defence. The hearing was held on November 4, 2021. Plaintiff was present. The defendant was represented by its authorized representative, mr. K.J.J.W. smedts. [A] and Mr. [B] were also present for the defendant. ConsiderationsWhat is this case about?1. On November 16, 2018, an (anonymous) report was received about the plaintiff at the Hotline for Care and Nuisance of the GGD Hollands Midden. Defendant has processed this notification in the system without informing Plaintiff about this. Plaintiff became aware of the existence of the report at the beginning of 2020. Plaintiff wants to obtain all the documents that are available about her with the help of the AVG1 in order to find out who made this report about her. What are the rules ? 2. The request is subject to the GDPR. Article 15 of the GDPR regulates the data subject's right of access to the personal data concerning him. Article 23 of the GDPR and Article 41 of the UAVG specify the restrictions on the right of access. What do the parties on appeal think? 3.1. Plaintiff believes that a passage containing a third party's personal data has been incorrectly painted off in the notification form that she has received. She thinks this is censorship. According to her, it was the intention from the start to hide the report from her. The minutes of the care network meeting are too brief. In order to find out what was said there, she wants the contact details of the participants in the consultation, especially those of the employees of the municipality of Oegstgeest and the police. Plaintiff also wants to be provided with the advice issued by the Meldpunt. Plaintiff finds it incorrect that Defendant has interpreted and treated some parts of her objection as a complaint. According to her, these are indeed objections. 3.2. Defendant states that on 15 November 2018 a signal about Plaintiff was submitted to Meldpunt Zorg en Nuisance by the local police officer. Nothing was done with this report because it was not a matter for Meldpunt. The report received the day after, on November 16, 2018, was registered in the system by mistake. This was incorrect. Plaintiff should have been informed about this. The information requested by the claimant has been provided to her, with the exception of data from third parties. Their privacy opposes this. The signal that was submitted about the claimant was discussed once in the care network meeting of the Meldpunt. The minutes show that it was not a task for Meldpunt. The file is therefore closed. There has been no more or other communication about the claimant with other authorities. The minutes of the care network meeting are by definition brief. There is no question of a (substantive) response or advice to the report. What is the court's opinion? 4.1 The court states first and foremost that the defendant should have notified the plaintiff that her personal data has been processed. The defendant acknowledged this, apologized to the plaintiff and adjusted the work process to prevent a similar situation in the future. 4.2 As became apparent during the hearing, the claimant wants to find out through the respondent who made the (anonymous) report about her at the time. Plaintiff suspects that it is an official of the municipality of Oegstgeest and wants to take legal action against the municipality, such as submitting a complaint to the National Ombudsman. The court finds that the GDPR is not intended for that. The right of access under the GDPR aims to enable the data subject to be informed of the processing of his personal data and to check its lawfulness. It is not the defendant's task to enable the plaintiff to submit a complaint against the municipality that is as concrete as possible via the AVG. 4.3 In these proceedings it must be assessed whether the defendant has correctly handled the request for access by the plaintiff. The court finds that the defendant has provided to the plaintiff everything that was about the report, with the exception of the data of third parties. This concerns the data of the reporter and the data of the members of the care network consultation in which the report was discussed. In doing so, the defendant acted in accordance with the GDPR. Pursuant to Article 15(4) of the GDPR, the right of access does not affect the rights and freedoms of others. According to Article 23, first paragraph, preamble and under i, of the GDPR2, the right of access can be limited (in short) because of the rights and freedoms of others. It is therefore justified to omit the personal data of third parties for the sake of their privacy. Incidentally, the Respondent could have sufficed by inspecting or stating the Plaintiff's personal data and has therefore, strictly speaking, done more than he was obliged to do under the GDPR. 4.4 Plaintiff's argument that there should be more documents about her than she received is not successful. According to settled case law of the highest administrative court3, if the administrative authority does not deny that there are documents without credibility, it is up to the person concerned to demonstrate that the information is there. Defendant stated that Plaintiff received everything that was there and that there is no more. The court has no reason to doubt that. After all, the report was also inappropriate because the claimant does not belong to the target group of Meldpunt. Plaintiff has not made it plausible that there would be more or different documents.4.5 Finally, Defendant has correctly established that a number of parts of the objection relate to treatment and working method and can therefore be regarded as complaints. After all, this does not concern the right of inspection as such or the care with which the contested decision was taken. Conclusion5. The appeal is unfounded.6. The defendant does not have to pay any legal costs. Decision The court declares the appeal unfounded. This decision was made by mr. D. Biever, judge, in the presence of mr. B.M. van der Meide, clerk of the court. The verdict was pronounced in public on December 8, 2021.Registrar JudgeCopy sent to parties at:Do you disagree with this verdict? If you do not agree with this ruling, you can send a letter to the Administrative Jurisdiction Division of the Council of State explaining why you do not agree with it. This is called an appeal. You must submit this notice of appeal within 6 weeks of the day on which this decision was sent. You can see this date above. 1 General Data Protection Regulation2And the equivalent article 41 of the UAVG3 Decision of the Administrative Jurisdiction Division of the Council of State of 16 June 2021, ECLI:NL:RVS:2021:1278