Rb. Gelderland - C/05/404505 / HA RK 22-99

From GDPRhub
Rb. Gelderland - C/05/404505 / HA RK 22-99
Courts logo1.png
Court: Rb. Gelderland (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 15(1) GDPR
Article 22 GDPR
35 UAVG
Money Laundering and Terrorist Financing (Prevention) Act
Decided: 01.11.2022
Published: 08.11.2022
Parties: Mollie (data controller)
National Case Number/Name: C/05/404505 / HA RK 22-99
European Case Law Identifier: ECLI:NL:RBGEL:2022:6145
Appeal from:
Appeal to: Unknown
Original Language(s): Dutch
Original Source: rechtspraak.nl (in Dutch)
Initial Contributor: Elene Amiranashvili

The District Court of Gelderland held that Mollie B.V. fulfilled its obligation regarding a data subject's access request. The data subject did not substantiate what additional personal data was being processed to form a risk profile and how.

English Summary

Facts

The data subject was the director of two foundations engaged in activities with regard to the Islam. Foundation 1 focussed on, among other things, arranging funerals in accordance with Islamic rules. Foundation 2 focussed on promoting and disseminating knowledge about the Islam. The data subject was also the Ultimate Beneficial Owner (UBO) for both foundations.[1] Both foundations used Mollie B.V. (the controller) as a payment service provider. To be in compliance with the Money Laundering and Terrorist Financing (Prevention) Act (Wwft),Mollie B.V. conducted a customer due diligence, where it requested and obtained data on the data subject in his capacity as the UBO for both foundations.

Following a periodic inspection, the controller terminated its services to both foundations. It stated that the account was no longer a good fit due to recent changes in legislation and its internal policies. Later, the controller informed Foundation 1 that the service was terminated, partly due to its affiliation with foundation 2, as it had become aware that foundation 2 might have used its payment system for improper purposes. Foundation 1 contested the termination in court. However, in a preliminary ruling, the Court held that the controller lawfully terminated the contract.

The data subject then submitted multiple access requests with Mollie B.V. which, in turn, denied all of them. Therefore, the data subject brought the matter before the court.

The data subject requested the Court to order the controller to provide him with all personal data relating to him in the context of the customer due diligence. More specifically data relating to him (i) in his capacity as UBO, (ii) regarding signals received by the controller, (iii) regarding transactions, and (iv) regarding the risk profile drawn up and risk classification. The data subject further requested the purposes for processing, the categories of personal data concerned and the recipients of his data. In addition, the existence of automated decision-making, including the profiling. The data subject argued that the controller had all identification and verification data and 'other data' regarding the UBO. Moreover, the identification and verification of the UBO was important for the risk classification of the client. The subject stated that further investigation into him in his capacity as UBO was carried out as part of the foundations' due diligence.

During the proceedings, the controller claimed to have fully complied with its obligations towards the data subject under the GDPR. The controller stated the information regarding its request to the UBO register were already provided to the data subject. In addition, it provided a message from the controller to ABN AMRO (a Bank) that included personal data of the data subject.

Holding

The Court noted that the central question in these proceedings was whether the controller provided all information required by Article 15 GDPR. The Court examined both the data that was collected and processed during the customer due diligence and the transaction monitoring process (ongoing oversight).

Regarding the customer due diligence, the Court noted that the data subject was unclear as to which 'other data' the controller should have processed about him in his capacity as UBO. To the extent the request related to this, the Court rejected it as insufficiently specified. In addition, the fact that the risk profile of one foundation influenced the other was not sufficient evidence that the data subject's personal data was processed when the risk profiles were drawn up. The Court therefore found that the data subject insufficiently substantiated his claim that the controller was processing additional personal data as part of the customer due diligence. When examining the transaction monitoring process, the Court found that it was not able to deduce that personal data of the data subject were processed more than once as part of ongoing monitoring from the data subject's assertions. The Court held that it was neither stated nor apparent that the controller drafted a report of an unusual transaction involving the foundations and dismissed the request.

Regarding the purposes of processing, the Court noted that the data subject did not specify which information would not have been provided by the controller. The Court thus also dismissed this claim.

The data subject claimed that the controller was using fully automated decision-making and that AI was used for performing customer due diligence. The Court stated that it would not be enough for the controller to simply state that there was always a person involved in the decision-making process. The Controller stated that no automated decision-making took place, especially not based on profiling. There may be third parties engaged by the controller which use AI, but the controller did not make decisions that are fully automated. The controller disputed the applicability of Article 22 GDPR for this reason.

The Court reiterated the importance of Article 13 GDPR, Article 14 GDPR and Article 15 GDPR. Since the controller disputed the applicability of Article 22 it was up to the data subject to prove otherwise. The usage of AI by third parties engaged by the controller was not deemed sufficient to substantiate the claim. Therefore, the Court rejected it. Additional claims to provide copies of the personal data and to impose a penalty payment were submitted, but as the Court was not able to find any substantive violation, these claims were also rejected.

Comment

An UBO is the 'ultimate beneficiary owner' of an organisation. In other words, the person effectively in control of the organisation. Registration of UBO's became mandatory after the Money Laundering and Terrorist Financing (Prevention) Act (Wwft) went into force. The Wwft was based on the amended fourth EU Anti-Money Laundering Directive. The UBO register helps to prevent financial and economic crimes such as money laundering, financing terrorism, tax fraud and corruption. The register makes it clear to whom money is sent.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

order

GELDERLAND COURT

Canton and commercial law team

Seating location Arnhem

case number / claim number: C/05/404505 / HA RK 22-99 754/1496

Order of November 1, 2022

in the case of

[applicant] ,

living in Lochem,

applicant, hereinafter: [applicant] ,

lawyer mr. S. Bouharrou in The Hague,

against

the private company with limited liability

MOLLIE B.V.,

Based in Amsterdam,

defendant, hereinafter: Mollie,

authorized representative mr. J. de Haan in Amsterdam.

1 What this case is about

1.1.

This request concerns a request as referred to in art. 35 Implementation Act of the General Data Protection Regulation (UAVG). This procedure concerns the question of whether Mollie has a duty to provide certain information within the framework of the GDPR or to answer certain questions, and if so, whether it has already complied with this information obligation.

2 The procedure

2.1.

The course of the procedure is apparent from:

-

the petition,

-

Exhibits 1 to 4 sent by Mollie for the oral procedure,

-

the oral hearing of 12 September 2022, the speaking notes submitted by Mollie on that occasion, with documents provided to [applicant] as appendices, and speaking notes from [applicant]. Appeared were [applicant], assisted by mr. Bouharrou, and on behalf of Mollie, mr. [person involved 1] and Mrs. [person involved 2] .

2.2.

Finally, a decision has been made.

3 The facts

3.1.

[applicant] is a director of the [foundation 1] (hereinafter: [foundation 1]) and of the [foundation 2] (hereinafter: [foundation 2] ). [foundation 1] is (among other things) engaged in arranging funerals in accordance with Islamic regulations, offering Islamic alternatives to insurance and acquiring and maintaining Islamic cemeteries. [foundation 2] is engaged in, among other things, the promotion and dissemination of knowledge of Islam, Islamic theology and Islamic education.

3.2.

Mollie is a payment service provider ('payment service provider') that enables companies and institutions to receive payments from consumers via a package with various payment methods. Payment methods that Mollie supports include iDeal, PayPal and SEPA direct debit. Mollie is a regulated financial services provider and is licensed by De Nederlandsche Bank.

3.3.

Mollie offers its services under conditions laid down in a 'User Agreement'. Companies that want to use its services can register online by creating an account and providing certain information about the company and the websites (URLs) on which the payment services will be used. Mollie has explained in a 'Privacy Statement' how it processes the personal data of, among other things, (potential) customers.

3.4.

[foundation 1] and [foundation 2] have created an account with Mollie and after a registration process they started using the services of Mollie in 2018. In order to comply with its obligations under the Money Laundering and Terrorist Financing (Prevention) Act (hereinafter: Wwft), Mollie conducted a customer due diligence during the registration process and requested and obtained data about [applicant] as the ultimate beneficial owner (' Ultimate Beneficial Owner', hereinafter: UBO) of [foundation 1] and [foundation 2].

3.5.

Mollie has canceled its services to [Foundation 2] and [Foundation 1] by e-mail messages of May 26 and August 24, 2021 with due observance of the notice period of one month. Mollie has stated as the reason for the cancellation, insofar as relevant:

‘(…) We have seen your account again during periodic checks. During this check, however, it turned out that your account no longer fits within our portfolio due to recent changes in legislation and Mollie policy. (…)'

3.6.

On October 15, 2021, Mollie informed [foundation 1] insofar as it is relevant:

Mollie's decision to terminate the client relationship with the Foundation [Foundation 1] is partly based on the connection between the Foundation [Foundation 1] and the Foundation [Foundation 2], in the form of the director and UBO of both foundations (the Mr [applicant]) and the signals that Mollie has received in that regard, from which follows the unacceptable risk that its payment systems may be used for improper purposes.'

3.7.

After this, [foundation 1] summoned Mollie in summary proceedings before the preliminary relief judge of the Amsterdam District Court and, among other things, demanded that Mollie be sentenced to continue her services to [foundation 1]. By judgment in summary proceedings of 3 November 2021, the preliminary relief judge refused the requested provisions. It was considered in this regard that although it could not be assumed for the time being that there was an integrity risk as a result of which Mollie was obliged to terminate the User Agreement on the basis of its Wwft obligations, Mollie could terminate the agreement in view of the principle of freedom of contract.

3.8.

Following a request for inspection from [applicant] dated 19 October 2021, Mollie replied by letter dated 23 November 2021. In it she wrote, among other things:

'(…) Mollie does not enter into the assessment of the suitability or dignity of an individual acting as director or legal representative of its client, but looks at the client's (risk) profile as a whole and the transactions that the client makes. . This means that the data that Mollie processes for this purpose, such as transaction data, is not personal data that says something about you as an individual. Information relating to your organization that Mollie processes was obtained from yourself, when you registered your foundation with Mollie, and from the Chamber of Commerce (…)'

3.9.

By e-mail of 5 April 2022, [applicant] again requested Mollie to inspect his personal data.

3.10.

Mollie rejected the request by letter dated 19 April 2022.

3.11.

The documents submitted by Mollie at the hearing include the following correspondence:

An e-mail dated March 17, 2021 from the Investigations/Service Desk of ABN AMRO to Mollie, in which it is written, among other things:

‘On 15-03-2021 you submitted a collection order of EUR 20.00 from the account (black bar) in favor of your account (black bar) with our reference (…).

The correspondence bank has informed us that the assignment has been put “on hold” for compliance* reasons (*Implementation and compliance with rules imposed on companies and institutions by the government and financial regulators.)

The foreign bank asks us the following questions.

quote:

PLEASE PROVIDE US WITH THE FOLLOWING INFORMATION:

1. PLEASE PROVIDE FULL NAME, ADRESS AND REGISTRATION NUMBER OF ENTITY MENTIONED IN REMITTANCE FIELD FOUNDATION [foundation 2]

(…)'

An e-mail from Mollie to ABN AMRO of 5 April 2021 in which she gave 'the details of the trader', namely: '[applicant] – Stichting [stichting 2]' with the address, telephone number, e-mail address and Chamber of Commerce Foundation number.

4 The dispute

4.1.

[applicant] requests that the court, by order to be declared provisionally enforceable, Mollie:

I. recommends that within one month after this decision has been served, [applicant] can inspect:

i. all personal data relating to him that it processes, including the personal data referred to in paragraph 4 of the petition in the context of the customer due diligence, more specifically all processed personal data of [applicant] in his capacity as UBO, all signals received by Mollie regarding and/or traceable to [applicant], all transactions that are linked and/or related to and/or traceable to [applicant], the risk profile drawn up, risk classification and division into segments in which the personal data of [applicant] are involved or processed, the objective and subjective risk factors used that are linked to [applicant] and used to draw up the risk profile and/or classification in risk classifications;

ii. the processing purposes, the categories of personal data concerned, the recipients or categories to whom personal data have been or will be disclosed;

iii. the existence of automated decision-making, including those referred to in art. profiling referred to in Article 22(1) and (4), and at least in those cases, useful information about the underlying logic, as well as the importance and expected consequences of that processing for [applicant] ,

II. orders to provide copies of all (digital) documents in which the personal data of [applicant] have been or will be processed within one month of notification of this decision, as required under Art. 15 para. 3 GDPR,

III. orders to pay a penalty in the event that it fails to comply in full with one or more of the orders referred to under I and II,

IV. ordered to pay the costs of the proceedings.

4.2.

[applicant] bases his requests under I sub (i) and (ii) on art. 15 para. 1 GDPR. According to him, [applicant] has the right to inspect personal data that have been processed in the context of customer due diligence and ongoing supervision. According to correspondence between the parties, Mollie received certain signals about [applicant], on the basis of which further investigation was conducted into him and personal data was therefore collected. There is also the right to inspect transactions that are linked to [applicant] . Correspondence between the parties has shown that this has happened. Furthermore, according to her letter of 14 April 2022, Mollie works together with third parties that process personal data for her. Mollie must provide information about which personal data and assignments it provides and which frameworks it provides to these processors. With that information, [applicant] can determine how, with what logic and for what purpose his personal data are processed, so that it can be assessed whether that processing is correct, complete and lawful.

4.3.

The request under I sub (iii) is based on art. 15 paragraph 1 preamble and art. 22 GDPR (automated decision-making and profiling). According to [applicant], Mollie uses fully automated decision-making as referred to in art. 22 GDPR, now that, according to its Privacy Statement, its processors use artificial intelligence and algorithms to perform customer due diligence for Mollie, which also includes investigations into the UBO [applicant].

4.4.

[applicant] states that he has a great interest in inspecting the processing of his personal data because Mollie has associated him with the Wwft as a UBO.

4.5.

Mollie opposes granting the requests. Mollie states that under the Wwft she identified [applicant] as the UBO of the foundations and requested his personal data at the start of the business relationship with the foundations. These personal data have already been provided to [applicant]. In addition, it provided the message from Mollie to ABN AMRO as included under 3.11, in which personal data of [applicant] are included. In doing so, it states that it has fully complied with its obligations towards [applicant] under the GDPR.

4.6.

In so far as relevant, the arguments of the parties are discussed in more detail below.

5 The assessment

5.1.

The central question in these proceedings is whether what Mollie has provided to [applicant] after filing the petition, concerns all information that Mollie has provided on the basis of art. 15 GDPR to [applicant], as Mollie states, or that there is more that Mollie should provide, as [applicant] strongly suspects.

5.2.

Art. 15 para. 1 GDPR reads:

The data subject has the right to obtain confirmation from the controller as to whether or not personal data concerning him/her is processed and, if so, to obtain access to those personal data and to the following information:

the processing purposes;

the categories of personal data concerned;

the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(…)

(h) the existence of automated decision-making, including the profiling referred to in Article 22(1) and (4), and, at least in those cases, useful information about the underlying logic, as well as the importance and expected impact of such processing on the person concerned.

5.3.

Pursuant to art. 22 GDPR, the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or which otherwise significantly affects him or her.

The request under I sub i.

5.4.

[Applicant] has requested access to personal data that (must) have been processed by Mollie during the customer due diligence and ongoing supervision.

Client survey:

5.5.

It is not in dispute that a payment service provider, such as Mollie, is obliged as a financial institution to conduct customer due diligence and that, in the context of that customer due diligence, the customer must be screened and the UBO by the financial institution must be identified and verified. After that, too, the payment service provider is obliged under the Wwft to ensure that it has sufficient data from the UBO and, for example, to request a new copy of an identity document if such proof has expired. It is also not in dispute that [applicant] qualifies as a UBO at both foundations as a director of [foundation 2] and [foundation 1].

5.6.

Mollie has argued that the personal data of [applicant], which Mollie processed in the context of the client due diligence of the foundations, were obtained through [applicant] himself, when he registered the foundations with Mollie, and through the Chamber of Commerce. After all, it is obliged to check whether the legal entity has correctly registered the UBOs with the UBO register of the Chamber of Commerce. In that context, she requested and obtained, among other things, the surname, first names, date of birth and a copy of the identity document. This information has since been provided to [applicant] in response to the application.

5.7.

[applicant] does not consider it credible and unlikely that the customer due diligence, as far as the UBO is concerned, was limited to this. [applicant] states that Mollie must have all identification and verification data and 'other data' regarding the UBO and refers, among other things, to art. 5 paragraph 1 sub c Wwft. [Applicant] has also requested access to the prepared risk profile, the risk classification and the division into segments in which the personal data of [Applicant] are involved or processed, as well as the objective and subjective risk factors used that are linked to [Applicant] and that were used for drawing up the risk profile and/or the classification in risk classifications. He argues that the identification and verification of the UBO is important for the risk classification of the client legal entity, and it is unlikely that no further investigation would have been carried out into the UBO natural person in the context of the due diligence investigation of the foundations. He states that any registered antecedents of the UBO natural person will be investigated and that public sources will be searched for indications relating to the UBO that may entail an increased risk for the financial institution. This includes 'adverse media', sanctions and PEPS. The processors engaged by Mollie conduct such investigations under Mollie's responsibility, according to [applicant].

5.8.

Mollie has argued that it does indeed identify and verify the UBO, but that this does not mean that Mollie uses this to create profiles of UBOs or approve or reject them, whether or not by means of fully automated decisions. There is no profiling within the meaning of Article 4 sub 4 of the GDPR, because Mollie does not analyze personal aspects of a natural person on the basis of personal data or predict whether profiles will be created. There is therefore no profiling of the UBO in either the customer due diligence or the transaction monitoring process. [applicant] is also not qualified as a possible integrity risk. Mollie does not instruct third parties to also search for the name of the UBOs of foundations when investigating risks (including 'adverse media'). Personal data of the UBO will only be provided to processors if the copy of the proof of identity must be examined for authenticity. It does not provide insight into the factors used to draw up the risk profile of its customers and/or the classification in risk classifications, because this is internal, sensitive business information, according to Mollie.

5.9.

The court considers that what [applicant] has stated does not contain any indications that the access that Mollie has provided to [applicant]'s personal data processed in the context of the customer due diligence is incomplete. To this end, it considers the following.

5.10.

[Applicant] has not explained which 'other data' regarding [applicant] as a UBO and which Mollie had not provided. Insofar as the request relates to this, it must be rejected as insufficiently specified. The statement made by [applicant] during the hearing that Mollie in any case does not meet the requirements as set out in Article 15 of the GDPR because they do not have the account details of the accounts with Mollie (email addresses, contact details, telephone numbers, IP address, etc.) provided cannot be tracked. This concerns foundations and not a sole proprietorship of [applicant], so that the aforementioned company data do not qualify as personal data of [applicant].

5.11.

The request for access is partly based on the assumption that the personal data of [applicant] have been processed when drawing up and/or adjusting the risk profile of the foundations. This is disputed by Mollie. The court understands that the risk profile of [foundation 1] is influenced by the risk profile of the foundation [foundation 2] affiliated with [foundation 1]. However, the fact that these foundations are linked because they have the same UBO does not say anything about the characteristics of the UBO and does not mean that the personal data of the UBO have been processed when drawing up the risk profile of the foundations. [Applicant] has argued that public sources are being searched for antecedents and other indications with regard to the UBO that may entail an increased risk for the financial institution, but he has not substantiated that assertion and focused on this case. The examples of situations in which an apparently dubious UBO natural person of a company, referred to in paragraphs 11 and 12 of the speaking notes of the lawyer of [applicant], does not substantiate the statement that the personal data of [applicant] is processed must have been prior to the termination of the agreements.

5.12.

On the basis of the foregoing, the court therefore concludes that [applicant]'s assertion that Mollie has processed other personal data of [applicant] in addition to the data already provided in the context of the customer due diligence, which it has not provided access to, as opposed to Mollie's dispute. , has not been sufficiently substantiated.

Transaction monitoring process (the ongoing oversight):

5.13.

[applicant] has further requested access to all signals received by Mollie regarding and/or traceable to [applicant] and all transactions that are linked and/or related to and/or traceable to [applicant]. [applicant] pointed out that in the context of a report of an unusual transaction to the Financial Intelligence Unit on the basis of art. 16 paragraph 2 Wwft the identity of the UBO must also be included in the notification. It also appears from the e-mail submitted that a transaction in 2021 is actually linked to the person of [applicant]. It is striking that only the name of [applicant] is mentioned in that e-mail, while there are two other directors, according to [applicant].

5.14.

Mollie first argued that the alleged 'signals' regarding [applicant] were not received. During the term of the User Agreement, Mollie has conducted research into the nature, size and amount of transactions carried out via Mollie's payment systems on the basis of continuous supervision of the business relationship with [Foundation 1] and [Foundation 2]. Access to the only transaction involving the personal data of [applicant] has already been provided by submitting the response to a compliance request from ABN AMRO as included under 3.11. The fact that only the name of [applicant] is stated on it and not the names of the other two UBOs can be explained because Mollie was only known to [applicant] as the sole UBO of this foundation. This is apparent from the overview provided with data from Stichting [Stichting 2] . The monitoring and analysis of transactions takes place at the level of the merchant (in this case the foundations) on the basis of art. 16 Wwft (on reporting unusual transactions). Transactions by the UBO itself are not part of this investigation. The termination was related to the risk profile of [foundation 1] that was too high in connection with the association of this foundation with foundation [foundation 2] via [applicant] as UBO. For reasons of secrecy, Mollie cannot provide access to documents and data carriers regarding transactions and monitoring thereof, or other data on the basis of which Mollie has decided to terminate its collaboration with the foundations, according to Mollie.

5.15.

The court ruled that it cannot be deduced from the statements of [applicant] that personal data of [applicant] have been processed more than once in the context of ongoing supervision. It would have been up to [applicant] to clarify on the basis of which it must be assumed that Mollie is withholding other documents. Contrary to what [applicant] seems to suggest, Mollie has stated in her letter from

15 October 2021 (see 3.6) it is not written that she has received signals about [applicant], now that letter is written about 'signals that have reached her in that regard'. It has not been argued or proven that Mollie reported an unusual transaction to the Financial Intelligence Unit in which the foundations were involved, so that the mere reference to art. 16 paragraph 2 of the Wwft is not effective. The court cannot therefore conclude with regard to this part of the request that Mollie provided incomplete access.

5.16.

The request under I sub i will therefore be rejected.

The request under I sub ii.

5.17.

[applicant] has also requested access to the processing purposes, the categories of personal data concerned, and the recipients or categories to whom personal data have been or will be provided.

5.18.

Mollie has argued that it has already provided this access by means of her letters to [applicant] of 23 November 2021 and 19 April 2022 and by referring to the information contained in her Privacy Statement.

5.19.

Now that [applicant] has not indicated in response to this which information would not have been provided herein and which would have been provided under art. 15 paragraph 1 under a, b and c GDPR, the court assumes that this part of the request for access has been adequately answered. The request under I sub ii will therefore be rejected.

The request under I sub iii.

5.20.

Finally, [applicant] requests access to the existence of automated decision-making, and information about – in short – the expected consequences of that processing for [applicant]. According to [applicant], Mollie makes use of fully automated decision-making now that its processors use artificial intelligence and algorithms to perform customer due diligence for Mollie, which also includes investigations into the UBO. It deduces this from the products and services that some of the processors engaged by Mollie offer according to their websites. Mollie cannot suffice with her statement that decisions are always judged by a person. In view of the information provided to date and the far-reaching technological work processes of Mollie and processors engaged by it, it is not credible that a meaningful human assessment of decisions taken automatically takes place. Mollie processes data on a large scale and systematically monitors financial data. [Applicant] cannot check this and Mollie must therefore provide insight into the logic of its processing or algorithm process. If it turns out that decisions taken automatically are checked by a person, Mollie must provide insight into the logic and parameters of such a process. [applicant] argues that Mollie cannot invoke legislation that must protect its trade secrets, because [applicant] does not request access to the technology itself, but only to his personal data.

5.21.

Mollie argues that it does not engage in automated decision-making or profiling, nor does it engage in automated decision-making based on profiling. All decisions are made by specialized and trained employees. Mollie does not purchase all products and/or services from the third parties mentioned by [applicant] that are offered on the websites of the parties concerned. The third parties engaged by Mollie may use 'artificial intelligence' and 'machine learning' technologies in their products and/or services, but Mollie never makes a decision that is fully automated. There is always human intervention before a decision is made. From fully automated decision-making pursuant to art. 22 GDPR is therefore out of the question. There is also no question of profiling, according to Mollie.

5.22.

The court states first and foremost that on the basis of Articles 13, 14 and 15 of the GDPR, information must be given about the processing of personal data in algorithms to those to whom these personal data relate (the 'data subject') and that if there is profiling and / or automated decision-making, this must be made known. Mollie disputes that profiling or automated decision-making is involved. It was therefore up to [applicant] to provide concrete indications to the contrary. However, the court did not find those indications in the statements made by [applicant]. It has also not been shown in any other way that Mollie takes decisions that are fully automated when deciding on an application or during the term of the User Agreement. The fact that Mollie may share personal data with third parties on the basis of its Privacy Statement if this is necessary to be able to provide its products and services, and that the third parties engaged by Mollie may use artificial intelligence and machine learning, is insufficient to deem it plausible that Mollie uses a prohibited form of automatic decision-making. In this state of affairs, the request under I sub iii will also be rejected.

5.23.

In view of the foregoing, the requests for inspection under I are rejected. It follows from this that the requests to provide copies (request II) and to impose a penalty payment (request III) are also rejected.

5.24.

With regard to the costs of the proceedings, the court considers that Mollie only provided the requested copies of documents containing personal data of [applicant] after the petition had been filed, and not immediately after [applicant] had requested this in his letters. On the other hand, for the most part, the requests are not eligible. The court therefore considers each of the parties to be (wrong) in the wrong on some point. The costs of the proceedings will therefore be compensated.

6 The decision

The court

6.1.

rejects the requests,

6.2.

compensates the costs of the proceedings between the parties, in the sense that each party bears its own costs.

This decision was given by mr. M.S.T. Called and pronounced publicly on November 1, 2022.
  1. see comment