Rb. Midden-Nederland - UTR 19/1627: Difference between revisions

From GDPRhub
(Created page with "{{COURTdecisionBOX |Jurisdiction=Netherlands |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Rb. Midden-Nederland |Court_Original_Name=Rechtbank Midden-Nederland |Court_English_Name=District Court Midden-Nederland |Court_With_Country=Rb. Midden-Nederland (Netherlands) |Case_Number_Name=UTR 19/1627 |ECLI=ECLI:NL:RBMNE:2023:3539 |Original_Source_Name_1=Recht.nl |Original_Source_Link_1=https://www.recht.nl/rechtspraak/uitspraak/?ecli=NL:RBMNE:2023:3539 |O...")
 
 
Line 64: Line 64:
}}
}}


A Dutch Court held that the Dutch DPA should declare itself incompetent to supervise processing by the administrative law Division of the Council of State. The Court hereby confirmed the C-245/20 holding on [[Article 55 GDPR#3|Article 55(3)]] and "judicial tasks". Additionally, a committee specifically created by the Council of State to supervise its data processing, is the correct appealing body in line with [[Article 55 GDPR#3|Article 55(3)]] and recital 20.
A Dutch Court held that the Dutch DPA correctly applied Article 55(3) GDPR when it declared itself not competent to supervise the Council of State's decision to share procedural documents with journalists. A committee specifically created within the Council of State was the competent data protection supervisor.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject requested the Dutch DPA to take enforcement against against the Division administrative law of the Council of State. It asked the DPA to review whether the Division giving journalists access to procedural documents is in accordance with the GDPR. The DPA declared itself incompetent. The data subject appealed this decision at the District Court Midden-Nederland. The Court referred questions to the CJEU on the interpretation of 'judicial capacity' in the sense of [[Article 55 GDPR#3|Article 55(3)]]. The CJEU decided on 24 March 2022 (C-245/20) that the GDPR must be interpreted as meaning that it is part of a court's exercise of its "judicial tasks" within the meaning of this provision to temporarily provide journalists with documents containing personal data that originate from a judicial procedure, in order to enable them to report more effectively on the progress of that procedure.
The data subject requested the Dutch DPA enforce the GDPR against the Council of State. In particular, the data subject asked the DPA to review whether giving journalists access to procedural documents was in accordance with the GDPR. The DPA declared itself not competent to decide on the processing operations undertaken by a court in its "judicial capacity".


On top of that, the data subject argued that if the DPA lacked authority to decide on their enforcement request, it should have forwarded it to an independent supervisory authority. The GDPR committee of the Council of State did not qualify as independent.
The data subject appealed this decision before the District Court Midden-Nederland. Among others, the data subject argued that if the DPA lacked competence to decide on their enforcement request, it should have forwarded it to an independent supervisory authority. The GDPR committee of the Council of State, mentioned by the DPA, did not qualify as independent.


Lastly, the data subject complained about that an unreasonable time had passed before a decision was finally ruled.
The court referred preliminary questions to the CJEU on the interpretation of 'judicial capacity' in the sense of [[Article 55 GDPR#3|Article 55(3) GDPR]]. The CJEU decided on 24 March 2022 ([[CJEU - C-245/20 - Autoriteit Persoonsgegevens|C-245/20]]) that it is part of a court's exercise of its "judicial tasks" within the meaning of Artilce 55(3) GDPR to temporarily provide journalists with documents containing personal data that originate from a judicial procedure, in order to enable them to report more effectively on the progress of that procedure.


=== Holding ===
=== Holding ===
The Court held that the DPA rightfully declared itself incompetent because the CJEU ruled that the contested data processing and notification of a data breach falls within the scope of a court's exercise of its judicial task. Under [[Article 55 GDPR#3|Article 55(3)]] the DPA does not have the authority to oversee such processing.
The Court implemented the CJEU decision and held that the DPA was right in declaring itself not competent. As a matter of fact, under [[Article 55 GDPR#3|Article 55(3) GDPR]] a DPA does not have the competence to oversee processings such as the ones at issue in the present case.


The Court decided that the Division of the Council of State falls under the definition of court under [[Article 55 GDPR#3|Article 55(3)]]. The Division functions as one of the highest administrative courts and is part of the judicial organisation of the Netherlands.
The Court mentioned Recital 20 GDPR, which allows to specific bodies within the judicial organisation of each Member State to supervise data processing by courts and other judicial authorities. The Dutch legislator intentionally left the organisation of judicial supervision to the judiciary itself. The Council of State created a specific GDPR committee to handle such supervision. The committee is competent to overview processing operations undertaken within the Council of State's judicial tasks, according to GDPR in [[Article 55 GDPR#3|Article 55(3)]]. Thus, the court declared that the DPA dealt with the competence matter appropriately by forwarding the data subject's complaint to the GDPR committee. The data subject's argument that the internal Committee was not indipendent was rejected.  
 
The Court held cited Recital (20) of the GDPR preamble, which allows specific bodies within the judicial organisation of each member state to supervise data processing by courts and other judicial authorities. The Dutch legislature intentionally left the organisation of judicial supervision to the judiciary itself. The Council of State created a specific GDPR committee to handle such supervision. As such, the committee is competent to overview the judicial tasks, as intended by the GDPR in [[Article 55 GDPR#3|Article 55(3)]]. The Court declared that the DPA handled correctly by forwarding the data subject's complaint to the GDPR committee.  
 
The Court followed the data subject's complaint on the exceeding of a reasonable time period. The reasonable time limit for the case started on April 16, 2019, and should have ended on May 16, 2021. However, the court ruling was delayed, resulting in a total exceedance of 29 months. Due to the complexity of the case and the involvement of the CJEU, 22 months were deducted from the exceedance, leaving a remaining delay of 7 months. As this delay falls between 6 and 12 months, the data subject was entitled to receive €1,000 in compensation.


== Comment ==
== Comment ==

Latest revision as of 09:13, 8 August 2023

Rb. Midden-Nederland - UTR 19/1627
Courts logo1.png
Court: Rb. Midden-Nederland (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 55(3) GDPR
Article 30b Wet op de Raad van State
Decided: 09.06.2023
Published: 31.07.2023
Parties: Autoriteit Persoonsgegevens
National Case Number/Name: UTR 19/1627
European Case Law Identifier: ECLI:NL:RBMNE:2023:3539
Appeal from:
Appeal to:
Original Language(s): Dutch
Original Source: Recht.nl (in Dutch)
Initial Contributor: Enzo Marquet

A Dutch Court held that the Dutch DPA correctly applied Article 55(3) GDPR when it declared itself not competent to supervise the Council of State's decision to share procedural documents with journalists. A committee specifically created within the Council of State was the competent data protection supervisor.

English Summary

Facts

The data subject requested the Dutch DPA enforce the GDPR against the Council of State. In particular, the data subject asked the DPA to review whether giving journalists access to procedural documents was in accordance with the GDPR. The DPA declared itself not competent to decide on the processing operations undertaken by a court in its "judicial capacity".

The data subject appealed this decision before the District Court Midden-Nederland. Among others, the data subject argued that if the DPA lacked competence to decide on their enforcement request, it should have forwarded it to an independent supervisory authority. The GDPR committee of the Council of State, mentioned by the DPA, did not qualify as independent.

The court referred preliminary questions to the CJEU on the interpretation of 'judicial capacity' in the sense of Article 55(3) GDPR. The CJEU decided on 24 March 2022 (C-245/20) that it is part of a court's exercise of its "judicial tasks" within the meaning of Artilce 55(3) GDPR to temporarily provide journalists with documents containing personal data that originate from a judicial procedure, in order to enable them to report more effectively on the progress of that procedure.

Holding

The Court implemented the CJEU decision and held that the DPA was right in declaring itself not competent. As a matter of fact, under Article 55(3) GDPR a DPA does not have the competence to oversee processings such as the ones at issue in the present case.

The Court mentioned Recital 20 GDPR, which allows to specific bodies within the judicial organisation of each Member State to supervise data processing by courts and other judicial authorities. The Dutch legislator intentionally left the organisation of judicial supervision to the judiciary itself. The Council of State created a specific GDPR committee to handle such supervision. The committee is competent to overview processing operations undertaken within the Council of State's judicial tasks, according to GDPR in Article 55(3). Thus, the court declared that the DPA dealt with the competence matter appropriately by forwarding the data subject's complaint to the GDPR committee. The data subject's argument that the internal Committee was not indipendent was rejected.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Content indication
    The claimant has requested the Dutch Data Protection Authority to take enforcement action against the Administrative Jurisdiction Division of the Council of State. The court has asked preliminary questions about the interpretation of the term "judicial task" in Article 55, third paragraph, of the GDPR. The Court of Justice has answered these questions by judgment of 24 March 2022. It follows from the judgment that the data processing in dispute is part of the exercise by a court of its judicial task. The AP has therefore rightly declared itself incompetent to take cognizance of the request for enforcement. Everything that the claimant has put forward in his opinion, such as that the Department is not the processor and that he has also requested enforcement of the failure to report a data breach, cannot detract from this. The appeal is unfounded. The plaintiff will receive compensation for exceeding the reasonable period.
Authority
    Central Netherlands Court
Judgment date
    2023-06-09
Publication date
    2023-07-31
Case number
    UTR 19/1627
Jurisdiction
    Administrative law


Locations

        Rechtspraak.nl

Pronunciation
COURT CENTRAL NETHERLANDS

Seating place Utrecht

Administrative law

case number: UTR 19/1627
judgment of the three-judge chamber of 9 June 2023 in the case between [plaintiff] , from [place of residence] , plaintiff

and

the Dutch Data Protection Authority, the AP,

(Agents: mr. W. van Steenbergen and mr. Y. Witteman).

The following has been designated as a third party: the State of the Netherlands (the Minister for Legal Protection).

Process flow

By decision of 9 January 2019 (the primary decision), the DPA informed the claimant that it is not authorized to take enforcement action against the Administrative Jurisdiction Division of the Council of State (the Division).

By decision of 19 April 2019 (the contested decision), the AP declared the claimant's objection to this unfounded.

Plaintiff appealed against this decision.

The chairman of the Division has indicated that he will not participate in this proceedings as a party.

The AP has submitted a statement of defence.

The hearing took place on December 10, 2019. Plaintiff did not appear. The AP was represented by its authorized representatives.

By order of reference dated 29 May 2020, the court asked the Court of Justice of the European Union (the Court of Justice) for a preliminary ruling as referred to in Article 267 of the Treaty on the Functioning of the European Union.

By judgment of 24 March 2022, the Court of Justice answered the questions posed by the court. The parties have been given the opportunity to comment on the judgment of the Court of Justice. Plaintiff did this by letter of 26 April 2022 and the AP by letters of 28 March 2022 and 9 May 2022. Given the opportunity to do so, none of the parties stated that they wished to make use of the right to be heard at a further hearing. heard, after which the court closed the investigation on April 28, 2023.

On May 29, 2023, the claimant submitted a request for compensation due to the fact that the reasonable period was exceeded.

Considerations

Introduction

This case raises the question of whether the AP, the national supervisory authority, is competent to judge whether the Department's granting access to court documents to journalists is in accordance with the General Data Protection Regulation (GDPR). In order to answer that question, it is important whether giving journalists access to procedural documents falls under the judicial task of the Division. The AP has no authority to supervise the processing of personal data by courts in the exercise of their judicial duties. Because this concerns the interpretation of the EU law concept of “judicial task” and the assessment of the compatibility of the national interpretation of the concept of “judicial task” with EU law is reserved for the Court of Justice, the Court has submitted this question to the Court of Justice.

For a description of the reason for these proceedings and the facts, the court refers to the aforementioned referral decision. The response by the Court of Justice

The Court of Justice has answered the questions referred for a preliminary ruling by the District Court as follows. “Article 55(3) of the GDPR must be interpreted as meaning that it is part of the exercise by a court of its ‘judicial functions’ within the meaning of that provision to make available temporarily documents containing personal data arising from legal proceedings. to journalists to enable them to better report on the course of those proceedings.” Court assessment

The court agrees with the AP that it follows from the judgment of the Court of Justice that the AP rightly considered itself incompetent to rule on the claimant's request for enforcement. After all, this enforcement request related to the provision of procedural documents containing personal data to journalists, in the eyes of the claimant, in violation of the GDPR. The fact that personal data is processed as referred to in Article 4, part 2, of the GDPR is not in dispute. The Court of Justice has ruled that this data processing is part of the exercise by a court of its judicial task. Pursuant to Article 55(3) of the GDPR, the supervisory authority has no power to supervise this.

Everything that the claimant put forward in his opinion of 26 April 2022 cannot detract from this. First of all, Plaintiff argues that the Department is not the processor, but this is not relevant to the question of the AP's enforcement powers. The point is that this form of data processing is part of the exercise of a judicial task, regardless of who exactly is the processor and/or the controller and which employee of the court carries out this task in practice. In addition, the processing of personal data takes place under the responsibility of the chairman of the Department. The Court also does not follow that the Division is not an independent judicial body, as the plaintiff argues. Pursuant to Section 30b of the Council of State Act, the Division is charged with adjudicating disputes assigned to it by law. The Division functions as one of the highest administrative courts and is part of the judicial organization of the Netherlands. The Division is therefore a court as referred to in Article 55(3) of the GDPR.

Plaintiff further states that he has also requested enforcement of the failure to report a data breach. This is not data processing and therefore does not fall within the scope of Article 55(3) of the GDPR according to the claimant. The court considers that the DPA also has no authority on this point, because notification pursuant to Article 33 of the GDPR must be made to the supervisory authority competent in accordance with Article 55. The AP is therefore not the competent supervisory authority on that point either.

Finally, the claimant argued that if the AP was not authorized to decide on the enforcement request, it should have forwarded its enforcement request to an independent supervisor. The AVG committee to which the AP has sent the enforcement request cannot be regarded as such. The court also disagrees with the plaintiff in this regard. Recital (20) of the preamble to the GDPR states that the supervision of data processing operations by courts and other judicial authorities should be entrusted to specific bodies within the judicial system of the Member State, which should, in particular, enforce compliance with the rules of this Regulation. guarantee, raise awareness among members of the judiciary of their obligations under this Regulation, and deal with complaints related to those data processing operations. This has not been elaborated further and the Dutch legislature has also deliberately left the organization of supervision of the judiciary to the judiciary itself. The AVG Implementation Act does not contain any rules on this. The chairman of the Division, together with the court boards of the Central Appeals Board and the Trade and Industry Appeals Tribunal, has set up the AVG Committee on Administrative Law Boards. This committee is tasked with advising the chairman on the settlement of complaints for the purpose of a (further) decision on the relevant request for application of the privacy rights referred to in the GDPR. The committee has the task of assessing whether the processing of the personal data of the complainant has infringed the GDPR. This is laid down in the Regulations on the processing of personal data by administrative law colleges. The chairman of the Division and the AVG committee are therefore the specific bodies within the judicial organization that are charged with monitoring compliance with the AVG, as intended by the AVG. Exceeding the reasonable term

8. By letter dated 29 May 2023, the claimant requested compensation for exceeding the reasonable term. In this case, the court sees reason to deal with the request submitted after the investigation has been closed. The reasonable period started on April 16, 2019 and would normally end on May 16, 2021. With today's ruling including the shipping period, there is an overrun of 29 months. Due to the complexity of the case, in this case expressed in the preliminary ruling procedure, 22 months must be deducted from this, leaving an excess of 7 months. This arose because the decision of the court after answering the preliminary questions was delayed too long. Because the exceedance concerns more than 6 and less than 12 months, the claimant is eligible for compensation of € 1,000.

9. Pursuant to section 8:26 of the General Administrative Law Act, the court has designated the State of the Netherlands as a party to this appeal. In view of the Policy Rule of the Minister of Security and Justice of 8 July 2014 (Government Gazette 2014, 20210), the Court has seen no reason to reopen the investigation and to give the Minister the opportunity to defend the request for compensation. Conclusion and implications

It follows from the foregoing that the DPA has rightly concluded that it is not authorized to deal with the claimant's request for enforcement. This means that the appeal is unfounded. There is no reason for an order for costs, because there is no question of legal assistance provided by a third party. Since no court fee is levied for the submission of a request for compensation such as the present one, there is also no reason to reimburse this.


Decision

The court

- declares the appeal unfounded;

- grants the request for compensation and orders the State of the Netherlands to pay the claimant compensation for immaterial damage of € 1,000 (in words: one thousand euros).


This statement was made by mr. J.J. Catsburg, chairman, and mr. P.J.M. Mol and mr. A.A.M. Elzakkers, members, in the presence of mr. M.L. Bressers, clerk. The verdict was pronounced in public on June 9, 2023.