Rb. Midden-Nederland - UTR 20/1703: Difference between revisions

From GDPRhub
m (Minor changes: mostly punctuation. Otherwise great!)
No edit summary
 
(One intermediate revision by the same user not shown)
Line 62: Line 62:
}}
}}


The District Court Midden-Nederland rejected a data subject’s claim to receive copies of emails that contained his personal data (on top of receiving a copy of the personal data itself), since it did not follow from [[Article 15 GDPR]] and from the overview of these emails that they were necessary for verifying the accurateness and lawfulness of processing.
The District Court Midden-Nederland rejected a data subject’s claim to receive copies of emails containing his personal data because he did not specifically ask for them in his request. In addition, the court held that the controller did not have to provide documents in which the personal data were processed, provided that an overview of the data was sufficient for verifying the accurateness and lawfulness of processing.


== English Summary ==
== English Summary ==
Line 69: Line 69:
The dispute is between the data subject and the Board of the Eindhoven University of Technology (the controller). In December 2017, the data subject requested access to his personal data pursuant to Article 35 of the Personal Data Protection Act, the predecessor of the GDPR. The controller provided an overview of all personal data concerning the data subject that it had processed. According to the data subject, however, this overview was not complete. After objecting to the decision, the case ultimately ended up in Court. However, the case was suspended to provide the controller the opportunity to carry out a further search for the data subject’s personal data. On 7 January 2021, the controller submitted an additional list containing 101 emails.  
The dispute is between the data subject and the Board of the Eindhoven University of Technology (the controller). In December 2017, the data subject requested access to his personal data pursuant to Article 35 of the Personal Data Protection Act, the predecessor of the GDPR. The controller provided an overview of all personal data concerning the data subject that it had processed. According to the data subject, however, this overview was not complete. After objecting to the decision, the case ultimately ended up in Court. However, the case was suspended to provide the controller the opportunity to carry out a further search for the data subject’s personal data. On 7 January 2021, the controller submitted an additional list containing 101 emails.  


According to the data subject, however, this list was provided too late, and was not sorted in a way to provide a coherent overview. Moreover, the data subject claimed that a mere overview of the emails is not enough, since it is plausible that the content of these emails contains more personal data, especially considering that opinions regarding the data subject by the authors of these emails must also be regarded as personal data. In order to be able to exercise his other rights (such as rectification, erasure, or restriction of processing) he wanted copies of these emails.
According to the data subject, however, this list was provided too late, and was not sorted in a way to provide a coherent overview. Moreover, the data subject claimed that a mere overview of the emails was not enough, since it was plausible that the content of these emails contained more personal data, especially considering that opinions regarding the data subject by the authors of these emails must also be regarded as personal data. In order to be able to exercise his other rights (such as rectification, erasure, or restriction of processing) he wanted copies of these emails.


=== Holding ===
=== Holding ===
First, the Court considered the data subject's claim that the overview was too vague and provided too late. It stated that the formulation of the access request determines the scope of the search to be performed by the administrative body: if the request is (very) general (and not too specific), the administrative body can facilitate the request by searching for the most commonly used personal data (such as name and address details). Because the data subject formulated his request very generally and did not specify it during the objection procedure but waited until the procedure in Court, the Court concluded that the controller’s initial search for the data subject’s personal data was sufficient, and the additional list was not provided too late.
First, the Court considered the data subject's claim that the overview was too vague and provided too late. It stated that the formulation of the access request determines the scope of the search to be performed by the administrative body: if the request is (very) general (and not too specific), the administrative body can facilitate the request by searching for the most commonly used personal data (such as name and address details). Because the data subject formulated his request very generally and did not specify it during the objection procedure but waited until the procedure in Court, the Court concluded that the controller’s initial search for the data subject’s personal data was sufficient, and the additional list was not provided too late.


Second, the Court considered that it does not follow from [[Article 15 GDPR#3|Article 15(3) GDPR]] that the data subject had a right of to access to  a copy of the actual physical/digital documents in which his personal data are processed. An overview of the processed data suffices, if this allows the data subject to verify the accurateness and whether the processing has been compliant with the GDPR. Because the controller mainly processed name and address details of the data subject, the Court found that an overview of these personal data was enough to comply with [[Article 15 GDPR|Article 15 GDPR]]. In this regard, the Court noted that it did not follow from the provided overview that it was likely that the emails contained facts and opinions regarding the data subject. Hence, the Court concluded that the controller did not have to provide copies of the respective emails. Lastly, because the data subject waited until the procedure in Court to explain that he needed the copies to potentially exercise his other rights, the controller could not include this in his search and the general overview provided sufficed to comply with the access request.
Second, the Court considered that it did not follow from [[Article 15 GDPR#3|Article 15(3) GDPR]] that the data subject had a right of to access to  a copy of the actual physical/digital documents in which his personal data were processed. An overview of the processed data sufficed, if this allowed the data subject to verify the accurateness and whether the processing had been compliant with the GDPR. Because the controller mainly processed name and address details of the data subject, the Court found that an overview of these personal data was enough to comply with [[Article 15 GDPR|Article 15 GDPR]]. In this regard, the Court noted that it did not follow from the provided overview that it was likely that the emails contained facts and opinions regarding the data subject. Hence, the Court concluded that the controller did not have to provide copies of the respective emails. Lastly, because the data subject waited until the procedure in Court to explain that he needed the copies to potentially exercise his other rights, the controller could not include this in his search and the general overview provided sufficed to comply with the access request.


== Comment ==
== Comment ==

Latest revision as of 15:38, 3 June 2022

Rb. Midden-Nederland - UTR 20/1703
Courts logo1.png
Court: Rb. Midden-Nederland (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 15(1) GDPR
Article 15(3) GDPR
Decided: 09.07.2021
Published: 16.05.2022
Parties: The Board of the Eindhoven University of Technology
National Case Number/Name: UTR 20/1703
European Case Law Identifier: ECLI:NL:RBMNE:2021:3264
Appeal from:
Appeal to: Unknown
Original Language(s): Dutch
Original Source: Rechtspraak.nk (in Dutch)
Initial Contributor: Giel Ritzen

The District Court Midden-Nederland rejected a data subject’s claim to receive copies of emails containing his personal data because he did not specifically ask for them in his request. In addition, the court held that the controller did not have to provide documents in which the personal data were processed, provided that an overview of the data was sufficient for verifying the accurateness and lawfulness of processing.

English Summary

Facts

The dispute is between the data subject and the Board of the Eindhoven University of Technology (the controller). In December 2017, the data subject requested access to his personal data pursuant to Article 35 of the Personal Data Protection Act, the predecessor of the GDPR. The controller provided an overview of all personal data concerning the data subject that it had processed. According to the data subject, however, this overview was not complete. After objecting to the decision, the case ultimately ended up in Court. However, the case was suspended to provide the controller the opportunity to carry out a further search for the data subject’s personal data. On 7 January 2021, the controller submitted an additional list containing 101 emails.

According to the data subject, however, this list was provided too late, and was not sorted in a way to provide a coherent overview. Moreover, the data subject claimed that a mere overview of the emails was not enough, since it was plausible that the content of these emails contained more personal data, especially considering that opinions regarding the data subject by the authors of these emails must also be regarded as personal data. In order to be able to exercise his other rights (such as rectification, erasure, or restriction of processing) he wanted copies of these emails.

Holding

First, the Court considered the data subject's claim that the overview was too vague and provided too late. It stated that the formulation of the access request determines the scope of the search to be performed by the administrative body: if the request is (very) general (and not too specific), the administrative body can facilitate the request by searching for the most commonly used personal data (such as name and address details). Because the data subject formulated his request very generally and did not specify it during the objection procedure but waited until the procedure in Court, the Court concluded that the controller’s initial search for the data subject’s personal data was sufficient, and the additional list was not provided too late.

Second, the Court considered that it did not follow from Article 15(3) GDPR that the data subject had a right of to access to a copy of the actual physical/digital documents in which his personal data were processed. An overview of the processed data sufficed, if this allowed the data subject to verify the accurateness and whether the processing had been compliant with the GDPR. Because the controller mainly processed name and address details of the data subject, the Court found that an overview of these personal data was enough to comply with Article 15 GDPR. In this regard, the Court noted that it did not follow from the provided overview that it was likely that the emails contained facts and opinions regarding the data subject. Hence, the Court concluded that the controller did not have to provide copies of the respective emails. Lastly, because the data subject waited until the procedure in Court to explain that he needed the copies to potentially exercise his other rights, the controller could not include this in his search and the general overview provided sufficed to comply with the access request.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

CENTRAL NETHERLANDS COURT

Seating location Utrecht

Administrative law

case number: UTR 20/1703

decision of the single chamber of 9 July 2021 in the case between

[claimant] , at [place of residence] , claimant

(Agent: mr. P. le Heux),

and

the Executive Board of Eindhoven University of Technology, defendant

(Agents: mr. M.E. Lips and mr. Ah Abdollahi Nejat).

Process sequence

In the decision of 14 February 2018 (primary decision), the respondent provided the claimant with an overview of all personal data processed by the respondent on the basis of Article 35 of the Personal Data Protection Act (Wbp).

In the decision of 19 March 2020 (contested decision 1), the respondent upheld the claimant's objection against the primary decision. Respondent thereby revoked the primary decision and changed the basis of the decision to Article 15 of the General Data Protection Regulation (GDPR).

The applicant appealed against the contested decision.

Defendant has filed a statement of defence.

The examination in court via Skype for Business took place on

November 24, 2020. Plaintiff has been represented by his authorized representative. The defendant was represented by [A] and [B] , assisted by attorney J. de Bruin and mr. A. Abdollahi Nejat.

The investigation was suspended during the hearing to give the defendant the opportunity to conduct a further search for the plaintiff's personal data.

By letter dated January 7, 2021, received by the court on January 11, 2021, the defendant submitted a new inventory list.

In a letter dated February 8, 2021, the plaintiff responded to the defendant's letter.

On May 27, 2021, a second hearing took place via Skype for Business. Plaintiff did not appear. The defendant was represented by [B] , [C] , assisted by his agents, mr. M.E. Lips and Mr. A. Abdollahi Nejat.

Considerations

Introduction

1. On 26 December 2017, the Claimant requested the Respondent on the basis of Article 35 of the Wbp for an overview of all the Claimant's personal data that were processed by the Respondent. According to the claimant, the communication must be complete and contain at least a description of the purpose or purposes of the processing, categories of data to which processing refers and recipients or categories of recipients, as well as the available information about the origin of the data. Plaintiff requests defendant to interpret the request broadly and to submit as many copies of underlying documents as possible. In the primary decision, the defendant submitted an overview of the processing of personal data of the plaintiff. In the contested decision 1, the defendant changed the basis of the decision to Article 15 of the GDPR and submitted a number of copies of e-mail messages. According to the respondent, the claimant is not entitled to copies of other documents containing the claimant's personal data.

Amended decision

2. Following the hearing on November 24, 2020, the respondent provided a new inventory list with further reasons. The court infers from this that the defendant does not uphold the contested decision 1. Defendant's letter

7 January 2021 is regarded by the court as an amended decision. Pursuant to Article 6:19 of the General Administrative Law Act, the appeal by operation of law also relates to the letter of 7 January 2021 designated as a decision (the contested decision 2).

3. Since the contested decision 1 has been replaced by the contested decision 2 and it has not become apparent that the plaintiff still has an interest in a substantive assessment of the contested decision 1, the District Court will declare the appeal against the contested decision 1 inadmissible.

Contested decision 2

4. In accordance with the agreement made between the parties at the hearing on November 24, 2020, the defendant performed an additional search for the plaintiff's personal data in e-mail messages sent by the Netherlands Organization for Scientific Research (NWO), the Centrum Wiskunde en Informatica (CWI) and the defendant . The result was a list of approximately 600 e-mail messages. Subsequently, the defendant manually

deleted e-mail messages pertaining to another person, also named [D] . Further filtering resulted in 101 unique e-mail messages containing the claimant's personal data. It should be noted that if an e-mail message is found in several mailboxes, that e-mail message is only included once in the inventory list. That list was submitted with the contested decision 2 .

Search stroke

5. On appeal, the claimant first argued that the defendant's search was insufficient because e-mail messages were not properly inventoried. The claimant has requested that the respondent submit a complete overview of processed personal data. It has also been argued that a further search is taking place at too late a stage.

6. The court states first and foremost that the wording of the request for access to personal data determines the scope of the search to be performed by the administrative authority. In the case of a generally formulated request for inspection, a general search by the administrative authority for the most common personal data (including name and address details) will suffice in principle. This is different with a more concrete and specifically formulated request. In such a situation, a more in-depth investigation may be required from an administrative body. In the applicant's case there was initially a very generally formulated request for access. Plaintiff did not specify his request after it had been submitted and during the objection procedure. Not even after the defendant asked him to do so. At the time when the contested decision 1 was taken, there was no reason for the respondent, contrary to what the claimant believes, to also search for personal data sent between the NWO, the CWI and the respondent. On appeal, the plaintiff specified his request for access and provided examples of

referred to as e-mail messages sent by the defendant, the NWO and the CWI. As a result of this specification, the defendant has carried out a further search, which is aimed at the exchange of e-mail messages with the NWO, the CWI and the defendant. Now that the claimant has not specified his request before on appeal, the court can follow the defendant in its position that it did not have to conduct a further search earlier into the e-mail messages with the NWO, the CWI and the defendant. In response to the contested decision 2 the claimant has not indicated that there should be more e-mail messages with personal data of the claimant vis-à-vis other parties. Under those circumstances, the court comes to the conclusion that the search by the defendant for the personal data of the plaintiff in the contested decision 2 is sufficient.

E-mail transcript

7. Furthermore, the claimant argues that the respondent has not been able to suffice with providing an overview of the e-mail messages because, according to the claimant, it is probable that the text of the e-mails contains many personal data and that the inventory list does not contain all of the claimant's personal data. have been provided. Facts and valuations of the defendant's employees about the plaintiff should also be regarded as personal data. The provision of the personal data and the provision of copies is in this case necessary to enable the claimant to exercise the other rights under the GDPR, such as the right to rectification, the right to erasure and the right to restriction of the processing.

8. With regard to this ground of appeal, the court considers that Article 15 of the GDPR does not give the right to a copy of the physical or digital documents in which the personal data are processed. Article 15(3) of the GDPR only refers to a copy of the personal data itself and not to a copy of the document in which the personal data is stored. The right to inspect personal data therefore does not mean that the data subject has the right to inspect or make copies of the documents or files as such if their personal data appear in them. There is, however, a right to an overview, in comprehensible form, of all personal data. That is, in a form that enables the data subject to take cognizance of his data and to check whether they are correct and have been processed in accordance with the GDPR. The claimant cannot derive the right from the GDPR to obtain a copy of the original document or file containing the data, if the request for access can be met by means of another form of disclosure.1 In which material form the data must be is therefore dependent on the specific circumstances. Insofar as documents do not only contain name and address details, but also factual and valuation data about the characteristics or behavior of natural persons, such data are not suitable for inclusion in an overview. In that case, a data subject is in principle entitled to a copy of the documents in which that data is included, because this is the most effective way in which the obligation to provide information as complete and clear as possible, on the basis of which the lawfulness and accuracy of the data can be checked.

9. The court considers that the defendant has in particular processed name and address details of the plaintiff. In the view of the court, it is sufficient for this type of data to comply with a request for access under Article 15, first paragraph, of the GDPR to provide an overview of this personal data and to indicate in this overview in which documents the personal data are processed. In the context of the present request for access, the court does not see any data among the personal data provided by the defendant that would require a copy of the document containing these data. For example, it cannot be deduced from the overview provided by the respondent that the respondent has processed factual and evaluative information about the characteristics and behavior of the claimant. Respondent was therefore able to provide an overview of the processed personal data of the claimant and did not have to provide copies of e-mail messages to the claimant. Plaintiff has only indicated on appeal that he needs copies of e-mail messages to exercise other rights under the GDPR. Since the claimant has only submitted an appeal, the respondent could not include this in his search. Respondent could therefore take the general request for access to personal data as a starting point.

Reasonable period

10. Finally, the claimant argues that the reasonable term as referred to in Article 6 of the Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) has been exceeded because the notice of objection was submitted on March 28, 2018. As a result, Plaintiff has experienced tension and frustration and is requesting compensation.

11. Respondent takes the position that the reasonable term has not been exceeded. Defendant repeatedly asked to enter into consultations about Plaintiff's request, but Plaintiff did not respond.

12. The court will assess whether the reasonable term has been exceeded, and if so whether and for what part the judicial phase is to blame.

13. The question of whether the reasonable period referred to in Article 6 of the ECHR has been exceeded must be assessed in the light of the circumstances of the case. Cases such as these, in which there is an objection and appeal procedure, may take a maximum of two years to deal with. The period to be assessed starts with the date on which the notice of objection is filed and continues until the date on which the court has rendered its decision. The circumstances of the case may justify a longer treatment duration. If the reasonable term has been exceeded, the starting point for the compensation is a rate of € 500 per six months by which that term has been exceeded, with the total of the exceeding being rounded up. The court must assess how the exceeding of the time limit should be attributed to the objection and appeal phase. The order for compensation for that damage must be pro rata, charged to the administrative authority or, if the term has been exceeded on appeal, to the State of the Netherlands (the State).

14. The main rule is that the objection phase may take six months and the appeal phase one and a half years. The court finds that three years and four months have elapsed from the receipt of the claimant's notice of objection on March 28, 2018 to this ruling. There is no reason to consider this long treatment time justified. This means that the procedure took a year and four months too long. The claimant is therefore entitled to compensation of € 1,500.

14. The objection procedure lasted one year, eleven months and nineteen days, calculated from the receipt of the notice of objection on March 28, 2018. That is one year, five months and nineteen days too long. The procedure at the court lasted one year, two months and nine days, calculated from the receipt of the notice of appeal on April 29, 2020 until this decision. The court stayed within the period of one and a half years. Contrary to the defendant's contention, it has not been shown that the time limit has been exceeded due to the behavior of the plaintiff. On October 18, 2018, the Plaintiff had already given Defendant notice of default due to the lack of a decision on the objection. The hearing was not held until 5 November 2018. After that, the objections advisory committee of Eindhoven University of Technology has already

November 28, 2018 Defendant advised. Plaintiff again sues Defendant

Sent a notice of default on March 8, 2020, after which the defendant did not make a decision on the objection until March 19, 2020. As the defendant has argued, it does not appear from the file that the plaintiff responded to the two requests from the defendant of

December 19, 2018 and January 11, 2019 to get in touch and discuss the request. However, this circumstance does not mean that the defendant could not have made a decision on the notice of objection more quickly. The conclusion is that the time limit is exceeded attributable to the defendant. The court will therefore order the defendant to pay € 1,500 in compensation for exceeding the reasonable term.

Conclusion

15. In view of the foregoing, the court concludes that the search made by the defendant in response to the claimant's request has been sufficient and that the defendant does not have to provide copies of the e-mail messages stated on the inventory list. The appeal against the contested decision 2 is therefore dismissed as unfounded.

16. The court sees no reason to issue an order for costs of the proceedings. The amended decision was taken by the respondent in response to the further specification made by the claimant of his request for access to personal data during the appeal phase, so that the respondent did not have to conduct a further search before that phase.

17. Because the court has concluded above that the reasonable term has been exceeded, it grants the request for compensation in the sense that it orders the defendant to pay the plaintiff € 1,500.

Decision

The court declares:

- the action, in so far as it is directed against the contested decision 1, is inadmissible;

- the appeal, in so far as it is directed against the contested decision 2, is unfounded;

- orders the defendant to pay compensation to the claimant up to an amount of € 1,500.

This statement was made by mr. L.M. Reijnierse, judge, in the presence of

mr. A. Wilpstra-Foppen, clerk. The decision was handed down on 9 July 2021 and will be made public by publication onsrecht.nl.

clerk

judge

A copy of this ruling has been sent to the parties at:

Do you disagree with this statement?

If you do not agree with this ruling, you can send a letter to the Administrative Jurisdiction Division of the Council of State explaining why you do not agree with it. This is called an appeal. You must submit this notice of appeal within 6 weeks of the day on which this decision was sent. You can see this date above.

1 Court of Justice of the European Union 17 July 2014 (ECLI:EU:C:2014:2081).