Rb. Midden-Nederland - UTR 19/1627
From GDPRhub
| Rb. Midden-Nederland - UTR 19/1627 | |
|---|---|
 | |
| Court: | Rb. Midden-Nederland (Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 55(3) GDPR Article 30b Wet op de Raad van State |
| Decided: | 09.06.2023 |
| Published: | 31.07.2023 |
| Parties: | Autoriteit Persoonsgegevens |
| National Case Number/Name: | UTR 19/1627 |
| European Case Law Identifier: | ECLI:NL:RBMNE:2023:3539 |
| Appeal from: | |
| Appeal to: | |
| Original Language(s): | Dutch |
| Original Source: | Recht.nl (in Dutch) |
| Initial Contributor: | Enzo Marquet |
A Dutch Court held that the Dutch DPA correctly applied Article 55(3) GDPR when it declared itself not competent to supervise the Council of State's decision to share procedural documents with journalists. A committee specifically created within the Council of State was the competent data protection supervisor.
English Summary
Facts
The data subject requested the Dutch DPA enforce the GDPR against the Council of State. In particular, the data subject asked the DPA to review whether giving journalists access to procedural documents was in accordance with the GDPR. The DPA declared itself not competent to decide on the processing operations undertaken by a court in its "judicial capacity".
The data subject appealed this decision before the District Court Midden-Nederland. Among others, the data subject argued that if the DPA lacked competence to decide on their enforcement request, it should have forwarded it to an independent supervisory authority. The GDPR committee of the Council of State, mentioned by the DPA, did not qualify as independent.
The court referred preliminary questions to the CJEU on the interpretation of 'judicial capacity' in the sense of Article 55(3) GDPR. The CJEU decided on 24 March 2022 (C-245/20) that it is part of a court's exercise of its "judicial tasks" within the meaning of Artilce 55(3) GDPR to temporarily provide journalists with documents containing personal data that originate from a judicial procedure, in order to enable them to report more effectively on the progress of that procedure.
Holding
The Court implemented the CJEU decision and held that the DPA was right in declaring itself not competent. As a matter of fact, under Article 55(3) GDPR a DPA does not have the competence to oversee processings such as the ones at issue in the present case.
The Court mentioned Recital 20 GDPR, which allows to specific bodies within the judicial organisation of each Member State to supervise data processing by courts and other judicial authorities. The Dutch legislator intentionally left the organisation of judicial supervision to the judiciary itself. The Council of State created a specific GDPR committee to handle such supervision. The committee is competent to overview processing operations undertaken within the Council of State's judicial tasks, according to GDPR in Article 55(3). Thus, the court declared that the DPA dealt with the competence matter appropriately by forwarding the data subject's complaint to the GDPR committee. The data subject's argument that the internal Committee was not indipendent was rejected.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Content indication
The claimant has requested the Dutch Data Protection Authority to take enforcement action against the Administrative Jurisdiction Division of the Council of State. The court has asked preliminary questions about the interpretation of the term "judicial task" in Article 55, third paragraph, of the GDPR. The Court of Justice has answered these questions by judgment of 24 March 2022. It follows from the judgment that the data processing in dispute is part of the exercise by a court of its judicial task. The AP has therefore rightly declared itself incompetent to take cognizance of the request for enforcement. Everything that the claimant has put forward in his opinion, such as that the Department is not the processor and that he has also requested enforcement of the failure to report a data breach, cannot detract from this. The appeal is unfounded. The plaintiff will receive compensation for exceeding the reasonable period.
Authority
Central Netherlands Court
Judgment date
2023-06-09
Publication date
2023-07-31
Case number
UTR 19/1627
Jurisdiction
Administrative law
Locations
Rechtspraak.nl
Pronunciation
COURT CENTRAL NETHERLANDS
Seating place Utrecht
Administrative law
case number: UTR 19/1627
judgment of the three-judge chamber of 9 June 2023 in the case between [plaintiff] , from [place of residence] , plaintiff
and
the Dutch Data Protection Authority, the AP,
(Agents: mr. W. van Steenbergen and mr. Y. Witteman).
The following has been designated as a third party: the State of the Netherlands (the Minister for Legal Protection).
Process flow
By decision of 9 January 2019 (the primary decision), the DPA informed the claimant that it is not authorized to take enforcement action against the Administrative Jurisdiction Division of the Council of State (the Division).
By decision of 19 April 2019 (the contested decision), the AP declared the claimant's objection to this unfounded.
Plaintiff appealed against this decision.
The chairman of the Division has indicated that he will not participate in this proceedings as a party.
The AP has submitted a statement of defence.
The hearing took place on December 10, 2019. Plaintiff did not appear. The AP was represented by its authorized representatives.
By order of reference dated 29 May 2020, the court asked the Court of Justice of the European Union (the Court of Justice) for a preliminary ruling as referred to in Article 267 of the Treaty on the Functioning of the European Union.
By judgment of 24 March 2022, the Court of Justice answered the questions posed by the court. The parties have been given the opportunity to comment on the judgment of the Court of Justice. Plaintiff did this by letter of 26 April 2022 and the AP by letters of 28 March 2022 and 9 May 2022. Given the opportunity to do so, none of the parties stated that they wished to make use of the right to be heard at a further hearing. heard, after which the court closed the investigation on April 28, 2023.
On May 29, 2023, the claimant submitted a request for compensation due to the fact that the reasonable period was exceeded.
Considerations
Introduction
This case raises the question of whether the AP, the national supervisory authority, is competent to judge whether the Department's granting access to court documents to journalists is in accordance with the General Data Protection Regulation (GDPR). In order to answer that question, it is important whether giving journalists access to procedural documents falls under the judicial task of the Division. The AP has no authority to supervise the processing of personal data by courts in the exercise of their judicial duties. Because this concerns the interpretation of the EU law concept of “judicial task” and the assessment of the compatibility of the national interpretation of the concept of “judicial task” with EU law is reserved for the Court of Justice, the Court has submitted this question to the Court of Justice.
For a description of the reason for these proceedings and the facts, the court refers to the aforementioned referral decision. The response by the Court of Justice
The Court of Justice has answered the questions referred for a preliminary ruling by the District Court as follows. “Article 55(3) of the GDPR must be interpreted as meaning that it is part of the exercise by a court of its ‘judicial functions’ within the meaning of that provision to make available temporarily documents containing personal data arising from legal proceedings. to journalists to enable them to better report on the course of those proceedings.” Court assessment
The court agrees with the AP that it follows from the judgment of the Court of Justice that the AP rightly considered itself incompetent to rule on the claimant's request for enforcement. After all, this enforcement request related to the provision of procedural documents containing personal data to journalists, in the eyes of the claimant, in violation of the GDPR. The fact that personal data is processed as referred to in Article 4, part 2, of the GDPR is not in dispute. The Court of Justice has ruled that this data processing is part of the exercise by a court of its judicial task. Pursuant to Article 55(3) of the GDPR, the supervisory authority has no power to supervise this.
Everything that the claimant put forward in his opinion of 26 April 2022 cannot detract from this. First of all, Plaintiff argues that the Department is not the processor, but this is not relevant to the question of the AP's enforcement powers. The point is that this form of data processing is part of the exercise of a judicial task, regardless of who exactly is the processor and/or the controller and which employee of the court carries out this task in practice. In addition, the processing of personal data takes place under the responsibility of the chairman of the Department. The Court also does not follow that the Division is not an independent judicial body, as the plaintiff argues. Pursuant to Section 30b of the Council of State Act, the Division is charged with adjudicating disputes assigned to it by law. The Division functions as one of the highest administrative courts and is part of the judicial organization of the Netherlands. The Division is therefore a court as referred to in Article 55(3) of the GDPR.
Plaintiff further states that he has also requested enforcement of the failure to report a data breach. This is not data processing and therefore does not fall within the scope of Article 55(3) of the GDPR according to the claimant. The court considers that the DPA also has no authority on this point, because notification pursuant to Article 33 of the GDPR must be made to the supervisory authority competent in accordance with Article 55. The AP is therefore not the competent supervisory authority on that point either.
Finally, the claimant argued that if the AP was not authorized to decide on the enforcement request, it should have forwarded its enforcement request to an independent supervisor. The AVG committee to which the AP has sent the enforcement request cannot be regarded as such. The court also disagrees with the plaintiff in this regard. Recital (20) of the preamble to the GDPR states that the supervision of data processing operations by courts and other judicial authorities should be entrusted to specific bodies within the judicial system of the Member State, which should, in particular, enforce compliance with the rules of this Regulation. guarantee, raise awareness among members of the judiciary of their obligations under this Regulation, and deal with complaints related to those data processing operations. This has not been elaborated further and the Dutch legislature has also deliberately left the organization of supervision of the judiciary to the judiciary itself. The AVG Implementation Act does not contain any rules on this. The chairman of the Division, together with the court boards of the Central Appeals Board and the Trade and Industry Appeals Tribunal, has set up the AVG Committee on Administrative Law Boards. This committee is tasked with advising the chairman on the settlement of complaints for the purpose of a (further) decision on the relevant request for application of the privacy rights referred to in the GDPR. The committee has the task of assessing whether the processing of the personal data of the complainant has infringed the GDPR. This is laid down in the Regulations on the processing of personal data by administrative law colleges. The chairman of the Division and the AVG committee are therefore the specific bodies within the judicial organization that are charged with monitoring compliance with the AVG, as intended by the AVG. Exceeding the reasonable term
8. By letter dated 29 May 2023, the claimant requested compensation for exceeding the reasonable term. In this case, the court sees reason to deal with the request submitted after the investigation has been closed. The reasonable period started on April 16, 2019 and would normally end on May 16, 2021. With today's ruling including the shipping period, there is an overrun of 29 months. Due to the complexity of the case, in this case expressed in the preliminary ruling procedure, 22 months must be deducted from this, leaving an excess of 7 months. This arose because the decision of the court after answering the preliminary questions was delayed too long. Because the exceedance concerns more than 6 and less than 12 months, the claimant is eligible for compensation of € 1,000.
9. Pursuant to section 8:26 of the General Administrative Law Act, the court has designated the State of the Netherlands as a party to this appeal. In view of the Policy Rule of the Minister of Security and Justice of 8 July 2014 (Government Gazette 2014, 20210), the Court has seen no reason to reopen the investigation and to give the Minister the opportunity to defend the request for compensation. Conclusion and implications
It follows from the foregoing that the DPA has rightly concluded that it is not authorized to deal with the claimant's request for enforcement. This means that the appeal is unfounded. There is no reason for an order for costs, because there is no question of legal assistance provided by a third party. Since no court fee is levied for the submission of a request for compensation such as the present one, there is also no reason to reimburse this.
Decision
The court
- declares the appeal unfounded;
- grants the request for compensation and orders the State of the Netherlands to pay the claimant compensation for immaterial damage of € 1,000 (in words: one thousand euros).
This statement was made by mr. J.J. Catsburg, chairman, and mr. P.J.M. Mol and mr. A.A.M. Elzakkers, members, in the presence of mr. M.L. Bressers, clerk. The verdict was pronounced in public on June 9, 2023.
