Rb. Midden-Nederland - C/16/502323 / HA RK 20-122
Rb. Midden-Nederland - C/16/502323 / HA RK 20-122 | |
---|---|
Court: | Rb. Midden-Nederland (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 15 GDPR Art 35(2) Uitvoeringswet Algemene verordening gegevensbescherming |
Decided: | 24.03.2021 |
Published: | 12.04.2021 |
Parties: | NWO-I (Netherlands Foundation of Scientific Research Institutes) |
National Case Number/Name: | C/16/502323 / HA RK 20-122 |
European Case Law Identifier: | ECLI:NL:RBMNE:2021:1354 |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | Dutch |
Original Source: | de Rechspraak (in Dutch) |
Initial Contributor: | n/a |
The Court of First Instance of the Central Netherlands ordered an organisation to provide a data subject with certain emails of its employees sent to third parties, in response to a data access request. While the organisation had not initially provided the data subject with these emails because his access request was formulated too broadly, the Court held that the data subject now had the right to view the emails as he had made it sufficiently plausible to the Court that they were sent and included his personal data.
English Summary
Facts
NWO-I (Netherlands Foundation of Scientific Research Institutes) rejected the applicant’s subject access request. More specifically, the applicant wanted to see what personal data was sent to his former employer by email and examine the related documents.
Dispute
NWO-I is of the opinion that the access request is formulated too broadly and must be rejected. Moreover, NMO-I claims that it has checked its personnel files and that these do not contain any personal data of the applicant.
Holding
The initial request of the applicant was indeed very broadly formulated. However, the applicant has subsequently explained that he was looking for specific emails between NWO-I and his former employer. Moreover, the applicant was able to demonstrate an email chain where he was mentioned.
The Court noted that the right of access does not extend to (parts of) internal notes that contain the personal thoughts of employees of the data controller and that are exclusively intended for internal consideration. However, this exception does not apply in this case because the personal data were shared with third parties outside of NMO-I.
NMO-I must provide the applicant with the complete overview of all personal data it processed via emails with third parties concerning the applicant and his former employer. NMO-I must also provide copies of underlying documents, but it can edit out the names of the senders and recipients.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Authority Court of Central Netherlands Date of judgment 24-03-2021 Date of publication 12-04-2021 Case number C / 16/502323 / HA RK 20-122 Jurisdictions European civil law Special characteristics First instance - single Decision Content indication Request pursuant to article 15 AVG, 35 UAVG. Requested a complete overview of processed data and underlying documents. Locations Rechtspraak.nl Enriched pronunciation Share pronunciation Print Save as PDF Copy link Statement decision COURT OF THE MIDDLE NETHERLANDS Civil rights trading room location Utrecht case number / application number: C / 16/502323 / HA RK 20-122 Order of March 24, 2021 in the case of [applicant] , living in [residence], applicant, hereinafter: [applicant], lawyer P. Le Heux, against the foundation FOUNDATION OF THE NETHERLANDS SCIENTIFIC RESEARCH INSTITUTES, based in Utrecht, respondent, hereinafter: NWO-I, lawyers mr. G-J. Zwenne and mr. L. Groeneveld. 1 The procedure 1.1. [petitioner] filed a petition with the court on 13 May 2020. The petition is based on Article 35 paragraph 2 of the General Data Protection Regulation Implementation Act (hereinafter: UAVG). NWO-I submitted a statement of defense on 11 September 2020. [Applicant] subsequently submitted a further response to the statement of defense. NWO-I also responded in writing. 1.2. The court has determined an oral hearing. It took place on February 3, 2021 via Skype. Mr. Le Heux appeared before [applicant]. NWO-I is represented by its attorneys G-J. Zwenne and Mr. L. Groenveld and two of her employees: Mr. [A] and Mrs. [B]. 1.3. The court has decided that the verdict is today. 2 What is this case about? 2.1. [applicant] has reason to assume that NWO-I processes and shares his personal data with third parties, including his former employer, [applicant's former employer]. 2.2. On 8 March 2020, [applicant] submitted a request under Article 15 of the General Data Protection Regulation (hereinafter: GDPR) to NWO-I. NWO-I made a decision on that request on 31 March 2020. In that decision it stated that it does not have and does not process the personal data of [applicant]. In these proceedings, [applicant] is challenging that decision on the basis of Article 35 of the GDPR Implementation Act (hereinafter: UAVG). 2.3. [applicant] would like a complete overview from NWO-I of the personal data it processes, a description of the purpose or purposes of the processing, the categories of data to which the processing relates and the recipients or categories of recipients and the available information about the origin of the data. [Applicant] also wants NWO-I to provide copies of the underlying documents and to inform them in writing whether and to whom it has shared the relevant personal data. [Applicant] requests all this to be ordered, subject to a penalty. In his further defense, [applicant] additionally, and as the explanation at the hearing appears in the alternative, requested that NWO-I also specifically provide the personal data it sent to the [applicant's former employer]. 2.4. NWO-I has put up a defense against the request of [applicant]. Where necessary, the court will discuss NWO-I's defense below. 3 The assessment Scope of right of access according to Article 15 GDPR 3.1. The purpose of Article 15 of the GDPR is to enable a data subject to become aware of the personal data collected about him / her and to check whether that data is correct and lawfully recorded. Article 15 GDPR provides: "1. The data subject has the right to obtain information from the controller as to whether or not personal data concerning him / her is being processed and, if so, to obtain access to such personal data and the following information: a) the purposes of the processing; b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations; [...] (g) where the personal data are not collected from the data subject, all available information about the source of that data; [...] 3. The controller shall provide the data subject with a copy of the personal data being processed. If the data subject requests additional copies, the controller may charge a reasonable fee based on the administrative costs. [...] " 3.2. The right of access according to Article 15 GDPR is limited to personal data. The explanation of the term "personal data" is therefore decisive for the scope of the right of access. The Court of Justice of the European Union has considered that the concept of personal data has the potential to cover any kind of information, both objective and subjective information relating to the data subject. The latter is the case if the information is associated with a natural person because of its content, purpose or effect.1 This means that if the data contribute to determining the way in which the person concerned is assessed or treated in society, that data is considered personal data are considered. Not only data on the basis of which a natural person can be identified, but also factual or appreciative data about characteristics, opinions or behavior of a person are therefore personal data. Insofar as such data is automatically processed or contained in files, the right of access applies to it. 2 Has the [applicant's] request been sufficiently specified? 3.3. The court is of the opinion that the right to inspect personal data as referred to in Article 15 of the GDPR does not in principle mean that the data subject has a general right to inspect or copies of the documents or files if their personal data are contained therein. In the first place, the data subject should sufficiently specify his request, especially if the controller is processing a large amount of personal data. 3.4. On 3 March 2020, [applicant] requested NWO-I to provide an overview of all of his personal data that NWO-I has processed. According to NWO-I, [applicant's] request has been formulated too broadly and should therefore be rejected. NWO-I did check its personnel files for the personal data of [applicant]. The personnel files of NWO-I do not contain any personal data of [applicant]. 3.5. The court considers as follows. The [applicant's] request is broadly formulated and initially unspecified. However, [applicant] has explained that his search query mainly concerns e-mails from NWO-I to third parties. It is true that NWO-I has stated that it has not processed data from [applicant] in the personnel files, but [applicant] has reason to assume that NWO-I has processed his personal data in emails to third parties. 3.6. It follows from case law4 that the person who states that there must be more personal data, after the controller has conducted an investigation into that personal data and has not disbelievably stated that there are no more personal data, must demonstrate that there are more personal data. [applicant] has made this sufficiently plausible in these proceedings, because he submitted an email exchange from March 2016 between employees of CWI (part of NWO-I) in which [applicant] is mentioned and his person is associated with the or failure to participate in a project of the [former employer of the applicant]. 3.7. Because of the explanation of [applicant], including the subsidiary request, the court will therefore assume that his request is aimed at the e-mails from NWO-I to third parties about the project of / collaboration with the [former employer of the applicant] . The [applicant] has an interest in that request, because he must be able to verify whether NWO-I has processed his personal data lawfully and correctly in the context of the aforementioned correspondence. [applicant] has reason to assume that this is not the case. [Applicant] wishes to delete or correct the personal data if it appears that they have not been processed lawfully or incorrectly. Insofar as the request of [applicant] goes further than the e-mail correspondence referred to, the court is of the opinion that it cannot be awarded because it is insufficiently specified. Must NWO-I provide an overview? 3.8. The material form in which the data must then be provided depends on the concrete circumstances. After all, it must always be examined whether it is possible to comply with the request for access by means of a different form of disclosure.5 There is therefore no absolute right to access all documents. But there is in any case a right to a complete processing overview (in an understandable form) of all personal data. That is, in a form that enables the data subject to take note of his data and to check whether they are correct and have been processed in accordance with the GDPR. 3.9. NWO-I has informed [applicant] that it does not process any personal data of [applicant] and that it does not have any of his personal data. The court understands NWO-I in such a way that it based its response on the result of its search, which was limited to its personnel files. For this, the court considered that it assumes that the request of [applicant] focuses in any case on the e-mails from NWO-I to third parties, about the project of / collaboration with the [applicant's former employer], at least that [applicant] to the extent that his request for access to the processing of his personal data can be received. 3.10. [applicant] is entitled to a complete processing overview (in an understandable form) of all personal data that NWO-I has processed in that context. The court notes that personal data is not only name and address data, but can also be factual and appreciative characteristics or behavior of a person. E-mails in which such personal data of [applicant] have been processed must therefore also be mentioned in the overview. Must NWO-I provide underlying documents? 3.11. If documents do not only contain name and address data, but also factual and appreciative data about a person's characteristics or behavior, that data does not always lend itself well to inclusion in a processing overview. According to the Supreme Court, the data subject may therefore be entitled to a copy (possibly partly blackened) of the documents in which that data is included, because that is the most effective way in which the obligation to provide information as completely and clearly as possible can be fulfilled. on the basis of which the legality and correctness of the data can be checked. 6 3.12. The court notes that the right of inspection does not extend to (parts of) internal notes that contain the personal thoughts of employees of the controller and that are exclusively intended for internal consultation and deliberation.7 Legal analyzes based on personal data are also not possible as such. are qualified as personal data.8 Therefore, NWO-I is not obliged to share such internal correspondence with [applicant]. 3.13. NWO-I will have to provide the e-mails that its employees have sent to third parties. The [applicant] has made it sufficiently plausible that e-mails were sent containing factual and appreciative data about his characteristics or behavior. If this data has been shared with third parties outside the organization, there is no longer an internal communication or an analysis that is only intended to be shared internally. [applicant] must be able to verify which personal data NWO-I has shared with third parties and whether those data are correct. 3.14. To safeguard the privacy interests of the employees of NWO-I and any addressees, NWO-I will suffice with a copy of the e-mail messages in which the names of the senders and recipients have been made illegible. The names of the sending and receiving organizations must remain legible. Penalty 3.15. Insofar as it must be understood that [applicant] also intended in his alternative application to request the imposition of a penalty, this will be rejected. The court sees no reason to assume that NWO-I, now that it has been determined sufficiently specifically what it should provide to [applicant], will not comply with the conviction. Conclusion 3.16. NWO-I must provide [applicant] with a processing overview in which - in short - it states which personal data of [applicant] NWO-I has processed, to which third parties those personal data were provided and when. The overview must be limited to the processing of the personal data of [applicant] in e-mails from NWO-I to third parties about the project of / collaboration with the [applicant's former employer]. NWO-I must also provide the documents underlying the processing overview to [applicant], insofar as the e-mails are addressed to third parties outside the NWO-I organization. The request of [applicant] is otherwise rejected because it is insufficiently specified and because the right to inspect the underlying documents is limited. 3.17. NWO-I was largely unsuccessful, which is why it has to pay [applicant's] legal costs. These are in total € 1,435 and consist of: € 309 registry fee and € 1,126 (2 points x rate II) salary representative. It is also considered important that, as appears from NWO-I's defense, the attorney of [applicant] had already informed her by means of telephone consultation about the specific data to which he was referring. 4 The decision The court 4.1. orders NWO-I to provide a complete processing overview of all personal data of [applicant] that NWO-I has processed in e-mails from NWO-I to third parties about the project of / collaboration with the [applicant's former employer]; 4.2. orders NWO-I to provide the underlying documents pertaining to the processing overview referred to under 4.1, thereby allowing the names of the employees of the organizations involved to be made illegible; 4.3. orders NWO-I to pay the costs of these proceedings, estimated on the part of [applicant] at € 1,435, of which € 1,126 as a salary representative; 4.4. declares this decision provisionally enforceable; 4.5. rejects the more or different requested. This decision was made by mr. F.H. Charbon and pronounced in public on March 24, 2021. 9 1 Court of Justice December 20, 2017 (Case C-434/16 P. Nowak v Data Protection Commissioner) ECLI: EU: C: 2017: 994. 2 See also, among others, District Court of Central Netherlands 15 June 2020 ECLI: NL: RBMNE: 2020: 2222. District Court of The Hague October 10, 2019, ECLI: NL: RBDHA: 2019: 13029, District Court of Noord-Holland May 23, 2019 ECLI: NL: RBNHO: 2019: 4283. 3 See, among others, number 63 of the preamble to the AVG, Amsterdam District Court, 20 June 2019, ECLI: NL: RBAMS: 2019: 4418, Den Bosch Court, 1 February 2018, ECLI: GHSHE: 2018: 363 and Noord-Holland District Court, 23 May 2019, ECLI: NL: RBNHO: 2019: 4283. 4 See, among others, the Administrative Jurisdiction Division of the Council of State 7 June 2017 ECLI: NL: RVS: 2017: 1519 r.o. 4.3. 5 Court of Justice 17 July 2014 (Joined Cases C-141/12 and C-372/12 YS v Minister for Immigration, Integration and Asylum) 6 Supreme Court 29 June 2007, ECLI: NL: HR: 2007: AZ4663, ECLI: NL: HR: 2007: AZ4664 and ECLI: NL: HR: 2007: BA3529. 7 A.o. Amsterdam Court of Appeal 5 July 2011 ECLI: NL: GHAMS: 2011: BR3020, Supreme Court 29 June 2007 ECLI: NL: HR: 2007: AZ4663, ECLI: NL: HR: 2007: AZ4664, ECLI: NL: HR: 2007: BA3529. 8 Court of Justice 17 July 2014, ECLI: EU: C: 2014: 2081 (Joined Cases C-141/12 and C-372/12 YS v Minister for Immigration, Integration and Asylum). 9 type: RvdH / 4142 coll: