Rb. Midden-Nederland - UTR 20/1102
|Rb. Midden-Nederland - UTR 20/1102|
|Court:||Rb. Midden-Nederland (Netherlands)|
|Relevant Law:||Article 17 GDPR|
Article 82 GDPR
|Parties:||Municipality of Utrechtse Heuvelrug|
|National Case Number/Name:||UTR 20/1102|
|European Case Law Identifier:||ECLI:NL:RBMNE:2020:5116|
|Original Source:||de Rechtspraak (in Dutch)|
|Initial Contributor:||Frederick Antonovics|
The District Court of Midden-Nederland held that the Municipal Executive of the municipality of Utrechtse Heuvelrug was a controller responsible for the posting of a citizen's personal data on an online forum by an officer, but that because the processing was rightfully based on Article 6(1)(e) GDPR and he complied with the person's request for deletion of that data, he was not liable for any damages.
English Summary[edit | edit source]
Facts[edit | edit source]
The claimant is a citizen who made an Article 17 GDPR request to the Municipal Executive of the municipality of Utrechtse Heuvelrug to delete his personal data processed on a forum used by different municipalities to cooperate and in emails to other administrative bodies. He also requested €3,000 in damages under Article 82 GDPR.
The Executive rejected the request for deletion because the claimant's personal data had already been removed from the forum and because no personal data of his had been processed by e-mail. He also rejected the claim for damages on the grounds that the application was insufficiently substantiated.
The claimant disagreed, arguing his data was still on a back-up of the forum. The defendant responded by stating the forum was responsible for data operations on the platform, and that the citizen should make his erasure request.
Holding[edit | edit source]
First, the District Court of Midden-Nederland assessed whether the Municipal Executive should considered a controller in this case. It considered a previous case by the Administrative Jurisdiction Division of the Council of State (ECLI:NL:RVS:2019:181) and held that because municipal officials placed messages about the claimant containing his personal data on the forum, their actions must be attributed to the municipal executive for which they work and he must be regarded as a controller.
However, it found he complied with his obligations after receiving the erasure request. Indeed, he contacted the forum which deleted the claimant's personal data from its platform.
Second, it evaluated whether the claim for damages should be upheld. It started by citing a previous court decision which confirmed the mention of the claimant's name on the forum was lawful in accordance with Article 6(1)(e) GDPR. It found that such processing was necessary and proportionate to the invasion of the plaintiff's privacy to prevent fraudulent claims for penalty payments from different municipalities.
Thus, the court rejected the claim for damages.
Finally, the court considered the claimant's request to refer questions to the CJEU for a preliminary ruling on the concept of damages in the GDPR. It took the view that:
"that national law must be followed in answering the question whether the alleged non-material damage in the event of unlawful processing of personal data is eligible for compensation, since the Court of Justice has not yet given an explanation in this regard and specifically on the concept of damage in the GDPR. However, the settled case-law of the Court of Justice applies that the damage to be compensated must be real and certain. The general principle that the alleged damage must be substantiated also applies here. There is no basis for considering that a breach of the GDPR simply implies an impairment of the integrity of a person and thus leads to compensation for damage. The starting point is therefore that the plaintiff must prove the damage in his person and substantiate the damage suffered by him with concrete data."
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Body Central Netherlands Court Date of judgment 10-11-2020 Date of publication 16-09-2021 Case number UTR - 20 _ 1102 Jurisdictions Administrative law Special characteristics First instance - single Content indication AVG removal request. Defendant controller, data processing lawful. Appeal upheld due to lack of motivation, legal consequences upheld. Application for damages and questions for a preliminary ruling rejected. Locations Rechtspraak.nl Enhanced pronunciation Share pronunciation print Save as PDF Copy link Pronunciation COURT CENTRAL NETHERLANDS Seating place Utrecht Administrative case number: UTR 20/1102 Judgment of the single chamber of 10 November 2020 in the case between [claimant] , in 's [place] , claimant (agent: mr. NGA Voorbach), and the municipal executive of the municipality of Utrechtse Heuvelrug, defendant (agent: M. Rozeboom). primary decision), the respondent rejected the claimant's request for the deletion of his personal data on the basis of the General Data Protection Regulation (GDPR). By letter dated October 8, 2019, the respondent rejected the claimant's request for compensation. By decision of February 13, 2020 (the contested decision), the defendant declared the objection of the plaintiff (against the primary decision) unfounded. By decision of 19 February 2020, the respondent declared the objection of the claimant against the letter of 8 October 2019 inadmissible. The claimant lodged an appeal against the contested decision. The respondent has submitted a statement of defense. The hearing took place on 18 August 2020. Plaintiff was represented by his attorney. Defendant was represented by his representative. Considerations1. On July 17, 2019, the claimant submitted a request to the respondent to delete personal data of him that had been processed by the respondent on the forum of [Name of forum] (hereinafter: [Name of forum]) and in e-mails addressed to other administrative bodies on the basis of Article 17 of the GDPR.1 In this request, he also requested compensation for the damage he suffered as a result of the unlawful processing of his data, pursuant to Article 82 of the GDPR, in the amount of €3,000. 2. Defendant rejected the request for removal in the primary decision, because the plaintiff's personal data had already been removed from the [Form Name] by the [Forum Name] and because no personal data about him was processed by e-mail. The claimant rejected the claim for compensation in a separate letter dated October 8, 2019, because, according to the respondent, the claim was insufficiently substantiated. 3. Plaintiff has objected to the primary decision, because according to him his personal data are still on a back-up of the [name of forum]. He also wants his data removed. On November 8, 2019, he informed the defendant that his objections were also directed against the letter of October 8, 2019. The defendant subsequently declared the plaintiffs' objection to the primary decision unfounded in the contested decision, taking over the advice of the Objections Committee of 12 February. 2020. In this opinion it is concluded that it is not the defendant, but the [Name of the forum] that is responsible for the data processing on the VNG forum. The claimant must therefore address his request to the [Name of forum] . In a letter dated 19 February 2020, the defendant declared the claimants' objection to the rejection of the request for compensation inadmissible, because a decision on a request for compensation is not a decision open to objection and appeal (within the meaning of Article 1:3, first member of the General Administrative Law Act). Plaintiff has argued on appeal that Defendant is responsible for the processing of its data on the VNG forum, as follows from the decision of the Administrative Jurisdiction Division of the Council of State (ABRvS) of January 23, 2019.2 Therefore, the contested decision lacks a statement of reasons. . 5. In this regard, the respondent took the position at the hearing that it is irrelevant whether or not it is responsible for the data processing on the VNG forum, because it concerns the removal of the data from the forum. Since the data has been removed from the forum, the claimant's request has thus been fulfilled. 6. The court considers that in the aforementioned judgment of 23 January 2019, the ABRvS determined that if municipal officials post messages on a forum administered by [Form Name], the actions of these officials must be attributed to the municipal executive for which they are employed. To that extent, the Board must be regarded as responsible within the meaning of Article 1, preamble and under d. In the situation of the claimant, it also applies that the defendant must be regarded as the controller for the posting of the claimant's personal data by its officials on the [Name of the forum]. The fact that the data is no longer on the forum does not change the responsibility. The defendant wrongly failed to recognize this in the contested decision, so that the decision must be annulled on the ground that it violates the principle of statement of reasons. 7. However, the court sees reason to uphold the legal consequences of the contested decision. In the opinion of the court, the respondent has satisfactorily complied with the claimant's request for the removal of his personal data. Respondent has contacted the [Name of forum] in order to obtain clarity about the removal of the claimant's personal data from the forum. [Name of forum] has cleaned the forum, so that the data of the claimant has been removed. This removal has been confirmed by [Name of forum] to the defendant in the context of the current proceedings. Whether or not the [Form Name] stores data on a back-up of the [Form Name], as argued by the Plaintiff, does not belong to the Defendant's processing responsibility in the opinion of the Court. A request to remove data from the backup of the [Form Name] as stated by the Claimant must therefore be submitted to the [Form Name] itself. Request for compensation8. Plaintiff argued in his notice of appeal that Defendant erred in rejecting the claim for damages. At the hearing, the plaintiff again filed a claim for damages. The request was made on the basis of Article 8:90(1) of the Awb. 9. Plaintiff argues that he is entitled to compensation because the processing of his personal data on the [Name of forum] was unlawful. The data processing did not comply with the principles of proportionality and subsidiarity, because the claimants' personal data were unnecessarily disclosed on the forum. In doing so, the defendant did not substantiate the basis for the data processing and the defendant failed to inform the plaintiff of the data processing. As a result of the processing, the claimant has suffered damage in the form of loss of control over his personal data. Under the GDPR, this is sufficient for compensation to be awarded, because the term 'damage' in the GDPR must be interpreted more broadly than under national law. The claimant has requested the court to refer questions for a preliminary ruling in this regard to the Court of Justice of the European Union. Plaintiff has requested damages in the amount of €3,000. He referred to various statements in support of this amount.10. The defendant has taken the position that the data processing was not unlawful and that the plaintiff has insufficiently substantiated his claim for compensation.11. The court considers the following with regard to the plaintiff's claim for damages. First of all, the court refers to the rulings of 1 April 20203 of the ABRvS. In these judgments, the ABRvS ruled that mentioning someone's name on the [Name of forum] at the request of another municipality is not unlawful if the aim was to ensure proper implementation of the Wob and to prevent the Wob from being abused. to collect periodic penalty payments if a decision on a request is not taken in time. According to the ABRvS, this purpose is in accordance with Article 8(e) of the Personal Data Protection Act (Wbp) and Article 6(1)(e) of the GDPR. The background to this is that the implementation of the Wob is a task under public law and it is important for the proper functioning of the Wob that an investigation into misuse of the Wob is conducted and that any misuse is established. By means of the [Name of forum], the VNG has set up a digital platform to enable municipalities to consult with each other about the method of approach and handling of the many Wob requests, often submitted solely for the collection of periodic penalty payments. On 1 October 2016, the legislator abolished the penalty payment for Wob requests. In 2017, the [forum name] cleaned up the Wob/municipalities section of the [forum name] by taking all discussions offline. Personal data posted before 1 April 2017 can no longer be traced.412. In the plaintiff's situation, his surname was mentioned by the defendant in the Wob/municipalities section of the [Name forum] in 2016 at the request of another municipality, which was repeated in 2016. The purpose of this was to prevent possible misuse of the Wob. This purpose is in accordance with Article 6(1)(e) of the GDPR. Contrary to what the claimant has argued, the processing of data for that purpose does not conflict with the requirements of proportionality and subsidiarity. The purpose of the processing was proportionate to the infringement of the plaintiff's privacy and could not be achieved by less intrusive means. It was necessary to state the plaintiff's surname, because only in this way could it be verified whether he had submitted Wob requests to several municipalities that were possibly aimed at collecting a penalty. Nor was it excessive to share this data on the [Form Name] . As the respondent explained at the hearing, only those who had a specific function related to the handling of Wob requests had access to the Wob/municipalities section of the [Name of forum]. Plaintiff has not made clear what concrete adverse consequences have been the result of mentioning his name on the [Name of forum]. It follows from this that the court is of the opinion that the processing of the claimant's personal data on the [Name of forum] is not unlawful.13. For that reason, the court rejected the claimant's request for compensation. Request for preliminary rulings14. With regard to the claimant's request to ask preliminary questions about the concept of damage in the GDPR, the court considers that the ABRvS ruled in its rulings of 1 April 20205 that national law must be followed when answering the question whether the alleged immaterial damage an unlawful processing of personal data qualifies for compensation, since the Court of Justice has not yet explained this and specifically the concept of damage in the GDPR. The settled case law of the Court of Justice does apply here that the damage to be compensated must be real and certain.6 The general principle that the alleged damage must be substantiated also applies here.7 There is no ground for the opinion that an infringement of the GDPR clearly implies a violation of the integrity of a person and thus leads to compensable damage. The basic principle is therefore that the claimant must prove the impairment in his person and must substantiate the damage suffered by him with concrete data. 32. The court sees no reason to ask preliminary questions. The court rejects the plaintiff's request. Conclusion15. The appeal is well founded. The contested decision is annulled. The court will determine that the legal consequences of the annulled decision remain in force. 16. The court rejects the claimant's request for compensation.17. The court orders the defendant to pay the costs incurred by the plaintiff. Based on the Administrative Costs Administrative Law Decree, the court sets these costs for legal assistance provided professionally by a third party at € 1,050 (1 point for submitting the notice of appeal and 1 point for appearing at the hearing, with a value per point of € 525,- and a weighting factor 1). DecisionThe court:- declares the appeal well-founded;- annuls the contested decision;- determines that the legal consequences of the annulled contested decision remain in force;- rejects the request for compensation;- orders the defendant to pay the court fee of € 178,- to compensate the plaintiff; - orders the defendant to pay the plaintiff's legal costs up to an amount of € 1,050. This statement was made by mr. L.M. Reijnierse, judge, in the presence of mr. E.H.W. Schierbeek, clerk. The decision was pronounced on November 10, 2020 and will be made public by publication onsrecht.nl. The registrar is prevented from signing this decision To sign this decision Registrar Judge Copy sent to parties at: Legal remedy On the day of dispatch thereof, an appeal may be lodged with the Administrative Jurisdiction Division of the Council of State.1 Regulation 2016/679 of the European Parliament and of the Council of the European Union of 27 April 2016 on the protection of natural persons with regard to processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.2 ECLI:NL:RVS:2019:181, ro 3.2.3 ECLI:NL:RVS:2020:900 and ECLI:NL:RVS:2020:901, r.o. 30.4 See, inter alia, the judgment of the District Court of The Hague of 18 May 2017, ECLI:NL:RBDHA:2017:5404)5 ECLI:NL:RVS:2020:898, ECLI:NL:RVS:2020:899, ECLI:NL :RVS:2020:900 and ECLI:NL:RVS:2020:901.6 Cf. the judgment of the Court of Justice of 4 April 2017, C-337/15 P, European Ombudsman v Staelen, ECLI:EU:C:2017:256, point 91.7 Cf. the judgment of the Supreme Court of 15 March 2019 (See the judgments of the Supreme Court of 15 March 2019, ECLI:NL:HR:2019:376, ro4.2.2, of 28 May 2019, ECLI:NL:HR:2019 :793, ground 2.4.5 and of 19 July 2019, ECLI:NL:HR:2019:1278, ground 2.13.2.)