Rb. Midden-Nederland - AWB - 20 3811
|Rb. Midden-Nederland - AWB - 20 _ 3811|
|Court:||Rb. Midden-Nederland (Netherlands)|
|Relevant Law:||Article 5(1)(a) GDPR|
Article 6(1)(c) GDPR
Article 82 GDPR
|National Case Number/Name:||AWB - 20 _ 3811|
|European Case Law Identifier:||ECLI:NL:RBMNE:2021:1865|
|Original Source:||De Rechtspraak (in Dutch)|
|Initial Contributor:||Gerard Ritsema van Eck|
The Court of First Instance of the Central Netherlands found that the personal data of a claimant's child was illegally shared with the Dutch tax office, in violation of the principles of proportionality and data minimisation. However, since the claimant failed to show any concrete damages, there was no right to compensation.
English Summary[edit | edit source]
Facts[edit | edit source]
The Sociale Verzekerinsbank (Social Security bank, hereafter SVB) sends personal data of all newly born children in the Netherlands to the 'toeslagen' (welfare benefits) department of the tax office in a 'start-message'. The start-messages are shared on the basis of an agreement between the SVB and the tax office. Data includes the BSN-number (a state-issued identity number), date of birth and country of residence of the child. The SVB has this data as it is responsible for paying out the general child allowance, to which all parents/caretakers are entitled. The tax office is responsible for paying out the 'kindgebonden budget' (child-related budget), an extra allowance for relatively low-income families. The data in the start-messages is used to quickly decide on applications for the child-related budget.
The claimant has a daughter born in 2016, whose personal data was shared by the SVB with the tax office in a start-message. The claimant's daughter does not qualify for the child-related budget.
Holding[edit | edit source]
The court considered whether the child's personal data was legally shared with the tax office under the GDPR, and where it was not, whether the representative of the child have a right to monetary compensation.
It held that whilst there was an infringement of the GDPR, the claimant is not entitled to compensation as damages could not be proven.
The court considers that there is a proper legal basis in the law for sharing the data in the start-messages in the form of Article 38 of the Algemene wet inkomensafhankelijke regelingen (General law on income-related schemes) which requires state organs to share all relevant information with the tax office which they may need to fulfil their obligations.
However, the data sharing through start-messages as required by the agreement between the SVB and the tax office is excessive. The court considers that data of all children is shared, whereas only about 42% of them qualify for the child-related budget. The agreement could therefore also have specified that when the tax office receives an application for the child-related budget, it requests data on the child in question from the SVB. This would eliminate 58% of the personal data processing without prejudice to the overall aim of the law and agreement. The court considers that the current setup of the agreement therefore fails the test of proportionality and subsidiarity (as established by the Dutch Supreme Court decision in the case of Santander, issued under the Dutch Personal Data Protection Act), and that the processing is not necessary. Additionally, the court considers that the current setup thus also interferes with the principle of data minimization.
Be that as it may, this infringement of the GDPR does not entitle claimant to a compensation of damages. Claimant failed to substantiate that it led to any concrete damages to his daughter. In line with Dutch jurisprudence, the mere infringement of a fundamental right does not lead to damages for which compensation can be sought. The court further considers that damages under the GDPR are not punitive in nature. The obligation in this respect does not go beyond full compensation of the actual damage suffered. Since such damage has not been demonstrated, there is no right to compensation.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Authority Court of Central Netherlands Date of judgment 04-05-2021 Date of publication 18-05-2021 Case number AWB - 20 _ 3811 Jurisdictions European administrative law Special characteristics First instance - single Content indication AVG, compensation, application procedure administrative judge. The Social Insurance Bank is acting in violation of the GDPR by providing personal data of all children with child benefit to the Tax Authorities / Benefits. This is not proportional, because more than half of these children are not entitled to a child-related budget because of the parents' income. Sharing personal data with a view to this is then unlawful. The administrative judge is competent to hear this request for compensation, but ruled in this case that no damage has been suffered. Locations Rechtspraak.nl Enriched pronunciation Share pronunciation Print Save as PDF Copy link Statement COURT OF THE MIDDLE NETHERLANDS Seat in Utrecht Administrative law case numbers: UTR 20/3537 and UTR 20/3811 Judgment of the single Judge of 4 May 2021 in the case between [plaintiff], for his minor child [minor], both from [place of residence], plaintiff and the Board of Directors of the Social Insurance Bank, defendant (authorized representative: mr. C. Vooijs). preface 1. Plaintiff's daughter was born in 2016. In the same year, the Social Insurance Bank (SVB) provided its personal data to the Tax Authorities / Benefits, with a so-called start message. This is a digital notification stating that a child is entitled to child benefit from a certain date. The start message contains the citizen service number, date of birth and country of residence of the child. This case concerns whether the SVB was allowed to do that, whether the SVB should remove the start message from its system and whether the SVB should pay compensation. 2. The plaintiff has previously brought proceedings before the SVB, the court and the Administrative Law Division of the Council of State (ABRvS) about the question of how the provision of the starting message to the Tax Authorities / Benefits relates to the (now repealed) Personal Data Protection Act. (Wbp) and the General Data Protection Regulation1 (GDPR). It follows from the decision of the ABRvS of 6 June 20182 that it was now undisputed that the SVB explained at the request of the plaintiff which data of his daughter was provided to the Tax Authorities / Surcharges and that the SVB has thus fulfilled its obligation under Article 35 of the Wpb. In the decision of the ABRvS of 4 March 20203, it was ruled that the GDPR does not provide a basis for the SVB to order the Tax Authorities / Benefits to delete the data provided with the start message. 3. In the appeal proceedings before the court that led to the last-mentioned decision of the ABRvS, the plaintiff requested the SVB to remove the start message from its system. Plaintiff repeated that request in a message to the SVB of 10 February 2019. With the decision of 1 April 2019, the SVB rejected this request. With the decision of 14 August 2020, the SVB declared the objection made by the plaintiff to this unfounded. The plaintiff has appealed against that decision (case number UTR 20/3537). The SVB has filed a statement of defense. 4. On January 10, 2021, the plaintiff requested the court to order the SVB to compensate the damage suffered by providing the start notice to the Tax Authorities / Benefits (case number UTR 20/3811). The SVB has filed a statement of defense. 5. The appeal and the request for compensation were dealt with at the online session of 23 March 2021, at which the plaintiff and the representative of the SVB were present. The judgment of the court 6. In this case, the court finds that the SVB has unlawfully infringed the privacy of the plaintiff's daughter by providing her personal data to the Tax and Customs Administration / Benefits. The provision of start messages with the personal data of all children entitled to child benefits is not proportionate to the implementation of the legislation on the child-related budget, while that purpose can reasonably be achieved in a way that is less disadvantageous for (the parents). of) these children. The SVB does not have to pay compensation to the plaintiff, because the plaintiff has not demonstrated that his daughter was actually affected in her person by the privacy infringement. The SVB does not have to delete the data from the starting message, because they are still needed for child benefit. 7. The considerations underlying these judgments are set out below. Considerations about the claim for compensation The administrative judge is competent 8. The AVG came into effect on 25 May 2018. The AVG has its own regulation in Article 82 for compensation as a result of a (privacy) infringement. After the entry into force, the plaintiff made the request for compensation. The GDPR therefore applies to that request. 9. On April 1, 2020, the ABRvS issued rulings on the jurisdiction of the administrative courts in violation of the privacy rules of the GDPR by administrative bodies.4 From these rulings it follows that someone who, on the basis of Article 82 of the GDPR, believes he is entitled to compensation as a result of the unlawful processing of personal data by an administrative body, has the freedom to have this assessed by the administrative or civil courts. In order to go to an administrative court, it is required that the request for compensation is related to a decision as referred to in Article 34 of the GDPR Implementation Act. The administrative judge will then deal with the request in accordance with the regulation for compensation from Article 8:88 of the General Administrative Law Act (Awb). The restriction follows from this that if the request is for more than € 25,000, only the civil court has jurisdiction. 10. The Board of Directors of the SVB is an administrative body. The plaintiff's claim for damages is related to the SVB's decision not to remove the starting message. This is a decision within the meaning of Article 34 of the GDPR Implementation Act. The damage that plaintiff states that his daughter has suffered is less than € 25,000. The plaintiff can therefore go to the administrative judge. The court has jurisdiction to rule on the claim for compensation. 11. The alleged unlawful act took place in 2016, before the entry into force of the GDPR. The Wbp therefore applies to the assessment of the unlawfulness of such acts. The aforementioned rulings of the ABRvS also ruled on this transitional phase, in which, after the entry into force of the GDPR, a request was made to compensate damage in connection with actions that took place before that and that were in violation of the Wbp and would now also be in conflict. deliver with the GDPR. In that case, the material assessment framework is the same and the legal protection referred to above must be offered to the administrative court. This situation arises here, because the GDPR has similar provisions to the provisions of the Wbp that are relevant to this case. These provisions are discussed in more detail below. No court fees due 12. As stated, it follows from the aforementioned rulings of the ABRvS that someone can submit a request for compensation in accordance with Article 8:88 of the Awb to the administrative judge, if it is related to a decision within the meaning of Article 34 of the GDPR Implementation Act. . In line with this, the court ruled that Article 8:94, second paragraph, and Article 8:91 of the Awb must be applied accordingly in the sense that no court fee is due if the request is made to the administrative court where the appeal against that decision is pending. This is the case in this case: the claimant has submitted his request for compensation to the court during the appeal procedure about the removal of the starting message. Plaintiff does not owe a court fee for the request in case number UTR 20/3811. The state of affairs surrounding the start messages 13. The SVB is responsible for providing child benefits, to which parents of all children are entitled. The SVB has the personal data of the parents and the children. 14. The Tax and Customs Administration / Benefits is responsible for providing the child-related budget. This is an allowance to which parents of children are entitled, depending on the level of their income, on the basis of the Child Budget Act (Wkb). The parents of these children do not have to take any action themselves: the Tax and Customs Administration / Allowances will report to them if it has been established that there is a right to allowance. 15. For this purpose, the Tax and Customs Administration needs the personal data of all children, which they receive from the SVB via the start messages. The SVB and the Tax Authorities / Toeslagen have concluded a covenant for this. The Tax and Customs Administration / Benefits determines, based on the personal data from the starting message, set against the income data of the parents, who is entitled to the supplement. In this procedure, the SVB has explained that about 42% of the children for whom a starting message is issued a right to a child-related budget. The implementation of the covenant therefore means that starting messages are made by the SVB for all newborn children who are eligible for child benefit, which are then sent to the Tax Authorities / Benefits. This has also happened for the plaintiff's daughter. The positions of the parties 16. The SVB is of the opinion that it is legally obliged to provide the information from the starting messages to the Tax and Customs Administration / Surcharges. The General Act on income-related schemes (Awir) requires this in Article 38. Although it is clear that not every parent is entitled to a child-related budget and therefore not the personal data of all children is required for the implementation of the Wkb, the SVB does not know for which children that entitlement is or is not an issue. The SVB therefore takes the position that the data of all children can be important for the implementation of the Wkb. The SVB also considers this method of data processing proportional, because it enables a quick payment to people who are entitled to a child-related budget. In this way, the Tax and Customs Administration / Benefits can determine that right without an application, which reduces the administrative burden for citizens. 17. Plaintiff is not entitled to a child-related budget for his daughter because of his income. He therefore believes that there is no need for the SVB to provide the details of his daughter to the Tax Authorities / Benefits. According to the plaintiff, the Awir does not create a legal obligation for the SVB to provide start messages with regard to all children. He points out that it follows from the percentage stated by the SVB that more than half of the start messages provided are not necessary for the implementation of the Wkb. It is therefore not necessary to provide this personal data, including that of the plaintiff's daughter. According to the plaintiff, this constitutes a violation of the AVG and the Wbp. Relevant regulations 18. Pursuant to Article 8, opening words and under c, of the (now lapsed) Wbp, personal data may only be processed if this is necessary to comply with a legal obligation to which the controller is subject. 19. Pursuant to Article 5, paragraph 1, opening words and under a) of the GDPR, personal data must be processed in a manner that is lawful, fair and transparent with regard to the data subject. Pursuant to Article 6, paragraph 1, opening words and under c) of the GDPR, the processing of personal data is lawful if it is necessary to comply with a legal obligation resting on the controller. 20. Pursuant to Article 38, first paragraph, of the Awir, public bodies that have acquired legal personality by or pursuant to a special law provide the Tax Authorities / Surcharges free of charge, on request, with all data and information that may be important for the implementation of an income-dependent scheme. . Proportionality, subsidiarity and the Santander decision 21. The processing of personal data must also be necessary to comply with the legal obligation to do so. The court ruled that it “must be necessary” in this context means that the principles of proportionality and subsidiarity must be complied with. This means that the infringement of the interests of the data subject by the processing of personal data must not be disproportionate in relation to the purpose to be served with the processing, and that this purpose cannot reasonably be achieved in another way that is less disadvantageous for the data subject. are realized. The court first explains how it arrived at this standard and will then assess the plaintiff's case against it. 22. The translation of the “must be necessary” of the processing of personal data to the principles of proportionality and subsidiarity, and the elaboration thereof described above, is derived by the court from the decision of the Supreme Court in the Santander case.5 This decision has been given about the application of the Wbp, but the court ruled that the GDPR must be applied and interpreted in the same way. The GDPR builds on the Personal Data Protection Directive, of which the Wbp was the implementation.6 It is not intended to limit the rights of natural persons to the protection of their personal data compared to that Directive. Moreover, this principle is in accordance with the European fundamental right to protect natural persons when processing personal data.7 The GDPR refers to that fundamental right.8 It is also in line with the consideration in the GDPR that personal data may only be processed if the purpose of the processing cannot reasonably be carried out in any other way, and based on the principle of minimal data processing.9 The assessment framework from the Santander decision therefore applies not only to the Wbp, but also to GDPR matters. The court thus follows the line of the courts in GDPR cases that are brought before a civil court 23. In the Santander decision, the required test against the principles of proportionality and subsidiarity is derived, among other things, from the intention of the legislator in the creation of the Wbp, with reference to legal history. It is relevant to this case that the legislator has explicitly referred to the required balancing of interests with regard to the legal obligation as a basis for data processing: “The task of performing a legal obligation does not justify every data processing. For example, the controller may not process more data or other data than is necessary for the implementation of the legal obligation to fulfill the legal obligation. Given the nature of the invasion of privacy, it is necessary to weigh up interests on a case-by-case basis. ”11 With reference to the previous consideration, the court finds that this framework also still applies as a background to the required balancing of interests under the GDPR. Article 38 of the Awir provides a legal basis ... 24. The SVB is a public body with legal personality. The Wkb is an income-dependent scheme that is implemented by the Tax and Customs Administration / Benefits. In the light of the positions of the parties, the court must first answer the question whether Article 38, first paragraph, of the Awir is a legal provision that can form the basis for data processing within the meaning of the Wbp and the GDPR. The court answers this question with yes and the following is considered. 25. The preamble to the GDPR provides information on the scope and purport of the GDPR basis for complying with a legal obligation when processing personal data. It follows from the preamble that the GDPR does not prescribe that specific legislation is required for each individual processing. Legislation serving as the basis for several processing operations based on a legal obligation resting on the controller will suffice. It should also be Union or Member State law that determines the purpose of the processing. 12 26. In the light of this, the court ruled that the provision of Article 38, first paragraph, of the Awir can form the basis for the processing of personal data as the SVB does with the start messages, also when it concerns start messages from children whose later it turns out that there is no entitlement to a child-related budget. It follows from this provision that the purpose of the processing is that means-tested schemes can be implemented. In doing so, the legislator has had in mind that the entitlement to or the amount of an allowance to which the Awir applies may partly depend on information that is not available within the national tax authorities or the Tax Authorities / Allowances.13 The Awir applies to all income-dependent schemes. and therefore not only for the implementation of the Wkb. It is in line with this that Article 38, first paragraph, does not provide very specifically that the SVB must provide personal data of children who are entitled to child benefit, or that such provision must even be limited to the data of children who meet the requirements. of the Wkb. The more generally formulated provision is therefore sufficient as a legal obligation towards the SBV to process the personal data of those children in the manner in which it does so with the start messages. To this extent, the court follows the SVB in its position. … But the data processing does not comply with proportionality and subsidiarity 27. The court will now assess whether the principles of proportionality and subsidiarity are complied with in this case. The court answers that question with no. It is of the opinion that the provision of starting messages with the personal data of all children entitled to child benefit is not proportionate in relation to the implementation of the Awir and the Wkb, while that goal can reasonably be achieved in a different way that is less disadvantageous for ( the parents of these children. 28 The court considers in the first place that the scope of the statutory provision does not go as far as the SVB assumes. Although Article 38 of the Awir provides a broad basis for data provision, it does not follow from this the obligation for the SVB to provide personal data of all children who are entitled to child benefit to the Tax Authorities / Benefits. The right to child benefit is a condition for a child-related budget.14 Whether a right to it subsequently actually exists depends on the substantive criteria from the Wkb regarding the income of the parents. On this basis, only some of the parents who are entitled to child benefit are also entitled to a child-related budget. This is in accordance with the nature of the child-related budget as an income-dependent scheme. In this light, the data of all children are therefore not important for the implementation of the Wkb. For the implementation of its legal obligation, it would be sufficient if the SVB only provided start messages from children for whom it has already been established that the other conditions for the right to a child-related budget are met. The SVB would then not have to process more than 42% of the current volume of personal data. 29 The purpose of the processing of personal data here is the implementation of the Wkb. The SVB can know and also knows that the majority of the start messages it provides contain personal data that is not necessary for that purpose. The SVB rightly points out that it cannot know in advance for which children a right to a child-related budget applies, because this is precisely being assessed by the Tax and Customs Administration / Benefits. However, this does not necessarily mean that the GDPR allows this method. That would fail to recognize that providing the personal data in any case also results in the personal data of many children being shared that is not necessary for this. It can be admitted to the SVB that it is necessary to provide starting messages for all children in order, as is currently the case, to determine the right to a personal budget without an application and without much administrative hassle for the parents. However, the Wkb itself does not provide for such an ex officio determination and low-threshold allocation. This follows from the own working method of the Tax and Customs Administration / Benefits and from the covenant with the SVB. The SVB can also request further information from the Tax Authorities / Allowances: if the Tax Authorities / Allowances have parents submit an application for a child-related budget and first assess whether the other requirements of the Wkb are met, those children can then the SVB are asked whether they are also entitled to child benefit. That is therefore another way of implementing the Wkb, which is less disadvantageous for the plaintiff. The court understands that this alternative is not in line with the wishes of the Tax and Customs Administration / Surcharges to be able to provide a child-related budget in a low-threshold and without application. However, in the light of the non-concrete legal basis from the Awir, a covenant between two implementing organizations is not sufficient to regulate this in a way that the GDPR allows. The SVB provides, without any selection, starting messages from all children with a view to an income-dependent scheme that by its nature is not aimed at all children and with regard to whom in practice less than half of them are entitled to the benefit in question, the child-related budget. The court ruled that the SVB thus processes personal data in a way in which the infringement of the interests of the data subject - in this case: the plaintiff's daughter - is disproportionate to the purpose of that processing, while that purpose also reasonably applies to another, for the the person concerned can be realized in a less detrimental way. The conclusion is therefore that the principles of proportionality and subsidiarity are not complied with in this case. The SVB wrongly did not recognize this. 32. This does not mean that the working method used by the SVB and the Tax and Customs Administration / Surcharges would never be possible. In the judgment of the court, importance is attached to the fact that in this case it has been established between the parties that more than half of the starting messages are not necessary for the implementation of the Wkb. Moreover, this case may have to be viewed differently when the legal basis for the processing of personal data is specifically aimed at implementing the Wkb and obtaining information about beneficiaries of child benefit from the SVB. However, the fact that two implementing organizations make an agreement among themselves in a covenant cannot replace the role of the legislator on this point. 33. The conclusion is that the processing of the personal data of the plaintiff's daughter in a starting message to the Tax and Customs Administration / Surcharges in the circumstances as established in this case is contrary to both the Wbp and the GDPR. There was an unlawful privacy breach in 2016. Assessment framework for compensation 34. Now that it has been established that the provision of the start message was unlawful, it must be assessed whether this caused immaterial damage and whether it is eligible for compensation. For this assessment, a link is sought with the civil compensation law on Article 6: 106 of the Dutch Civil Code. In the aforementioned rulings of the ABRvS of April 1, 2020, it was ruled that the application of this national law complies with the requirements of the GDPR and with the compensation case law of the Court of Justice of the European Union. 35. Pursuant to Article 6: 106 of the Dutch Civil Code, with regard to immaterial damage, there is a right to an equitable compensation if the injured party has suffered physical injury, has been harmed in his honor or good name or otherwise in his person is affected. There is no question of physical injury or damage to the honor or reputation in this case, so the assessment focuses further on the aforementioned damage in person "in another way". If - as in this case - the existence of mental harm cannot be assumed, the person who invokes the harm must substantiate this with concrete data. This is only different if the nature and seriousness of the violation of the norm mean that the adverse consequences for the injured party that are relevant in this context are so obvious that an impairment in the person can be assumed. Infringement in the person "in another way" is not already the case with the mere violation of a fundamental right. The court refers to the case law of the Supreme Court in this regard. 15 In this case, no damage has been found 36. In this case, the nature and seriousness of the privacy infringement are not such that the adverse consequences are so obvious that an infringement in the person can be assumed. The starting point is therefore that the plaintiff must prove that his daughter in person has been affected and that he must substantiate the damage suffered with concrete data. The court finds that the plaintiff has not succeeded in this. At the hearing, he pointed out that the personal data provided with the start message can continue to exist digitally for a long time and that this can be harmful to his daughter. In this way, the Plaintiff has only stated in general terms that damage has been suffered and has not been able to specify this in concrete terms. He has therefore not made plausible that the provision of his daughter's personal data to the Tax and Customs Administration / Surcharges resulted in the harm of her person and that the consequences of the infringement directly affected her. 37. The court considers that the general fear of identity fraud is insufficient for a conviction in immaterial damage. Although this fear is conceivable and identity fraud as a result of the privacy breach cannot be ruled out, it is not sufficiently concrete to conclude that the plaintiff's daughter in her person has been compromised. The court also takes into account in this judgment that it follows from the aforementioned rulings of the ABRvS of 1 April 2020 that compensation under the GDPR is not punitive in nature. The purpose of damages is to redress or provide compensation for an unlawful invasion of privacy. The obligation to do so under the GDPR does not go beyond full compensation for the actual damage suffered. 38. Since no concrete damage has been found, there is no basis for ordering the SVB to pay compensation. This means that in this case the court only establishes that a privacy violation has taken place, but that the plaintiff's request is rejected. Appeal considerations about the removal of the start message 39. Pursuant to Article 17, first paragraph, opening words and under d) of the GDPR, the controller is obliged to delete personal data without unreasonable delay if the personal data have been processed unlawfully. From the above judgment on the claim for damages, it follows that this is the case with regard to the starting message. However, on the basis of the third paragraph, opening words and under b), this obligation to delete the data from the start message does not apply insofar as processing is necessary for the fulfillment of a legal processing obligation resting on the controller. The case focuses on whether that is the case here. 40. According to the SVB, it had to keep the starting message under the 1995 Archives Act for a period of five years. However, from the opinion that the personal data of the plaintiff's daughter were unlawfully provided to the Tax and Customs Administration / Benefits with the start message, it follows that there was no reason for the SVB to prepare the start message. As a result, the start message is by its nature not intended to be deposited with the SVB. The starting message is therefore not an archive document within the meaning of the 1995 Archives Act. 41. This does not alter the fact, however, that the SVB must continue to have access to the personal data contained in the starting message. The social security number, date of birth and country of residence of the plaintiff's daughter must have and keep the SVB in order to continue to provide child benefit. This information is necessary for compliance with the General Child Benefit Act. And because Article 17 of the GDPR is about the personal data as such and not about the start message as a document, there is no obligation to delete. 42. The SVB therefore rightly decided not to delete the data, but incorrectly motivated this in the decision on the objection with a reference to the 1995 Archives Act. The appeal against the decision of 14 August 2020 is therefore well-founded and the court will annul that decision, because it is contrary to article 7:12, first paragraph, of the Awb. Since it is clear that the data do not need to be deleted in the light of the implementation of the General Child Benefit Act, the court will uphold the legal consequences of that decision. This means that the SVB no longer has to take action with regard to the starting message, at least as long as there is a right to child benefit with regard to the plaintiff's daughter. 43. Because the court declares the appeal to be well-founded, the court determines that the defendant reimburses the plaintiff for the court fee paid by him. It has not been found that legal costs have been incurred that qualify for reimbursement. Decision The court: - declares the appeal against the decision of 14 August 2020 to be well-founded; - annuls the decision of 14 August 2020; - stipulates that the legal effects of that decision will be upheld; - orders the defendant to reimburse the plaintiff the court fee of € 178 paid in case number UTR 20/3537; - rejected the claim for compensation. This judgment was made by mr. K. de Meulder, judge, in the presence of Mr. L.M. Janssens-Kleijn, Registrar. The decision was pronounced on May 4, 2021 and will be made public by publication onrechtspraak.nl. the clerk is unable to sign the ruling clerk judge Copy sent to parties on: Remedy An appeal can be lodged against this decision with the Administrative Jurisdiction Division of the Council of State within six weeks of the date on which it was sent. 1 Regulation 2016/679 of the European Parliament and of the Council of the European Union of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC . 2 ECLI: RVS: 2018: 1877. 3 ECLI: RVS: 2020: 674. 4 ECLI: NL: RVS: 2020: 898, ECLI: NL: RVS: 2020: 900 and ECLI: NL: RVS: 2020: 901. 5 Order of 9 September 2011, ECLI: NL: HR: 2011: BQ8097. 6 Directive 95/46 / EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. 7 Article 8, paragraph 1, of the Charter of Fundamental Rights of the European Union. 8 Preamble to the GDPR, No. 1. 9 Preamble of the GDPR, no. 39 and Article 5, first paragraph, opening words and under c of the GDPR. 10 'S-Hertogenbosch Court of Appeal, 6 August 2020, ECLI: NL: GHSHE: 2020: 2536, r.o. 3.6.1 .; Court of Appeal of The Hague 10 November 2020, ECLI: NL: GHDHA: 2020: 2068, r.o. 3.15; Arnhem-Leeuwarden court of appeal 17 December 2020, ECLI: NL: GHARL: 2020: 10564, r.o. 4.9; Amsterdam Court of Appeal, 9 February 2021, ECLI: NL: GHAMS: 2021: 459, r.o. 3.11. 11 Parliamentary papers II 1997/98, 25 892, no. 3, p. 83. 12 Preamble to the GDPR, No. 45. 13 Parliamentary papers II 2004/05, 29 764, no. 3, p. 60. 14 Pursuant to Article 2, paragraph 1, of the Wkb. 15 See the judgments of the Supreme Court of 15 March 2019, ECLI: NL: HR: 2019: 376, para 4.2.2, of 28 May 2019, ECLI: NL: HR: 2019: 793, para. 2.4.5. and of 19 July 2019, ECLI: NL: HR: 2019: 1278, r.o. 2.13.2.