Rb. Midden-Nederland - UTR 21/3403

From GDPRhub
Rb. Midden-Nederland - UTR 21/3403
Courts logo1.png
Court: Rb. Midden-Nederland (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 6(1)(e) GDPR
Article 6(4) GDPR
Article 23(1)(e) GDPR
Article 9(1) Directive 2018/680
Article 18 Police Information Act
Article 19 Police Information Act
Article 6 Police Information Act
Decided: 09.05.2022
Published: 25.05.2022
Parties: Minister of Finance
National Case Number/Name: UTR 21/3403
European Case Law Identifier: ECLI:NL:RBMNE:2022:1771
Appeal from:
Appeal to: Unknown
Original Language(s): Dutch
Original Source: Rechtspraak.nl (in Dutch)
Initial Contributor: Giel Ritzen

The District Court Midden-Nederland rejected a data subject’s claim that processing by the Tax Authority had been unlawful because Article 6(1)(e) GDPR provided a valid legal basis and there was no violation of Article 6(4) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The controller is the Minister of Finance. The data subject’s personal data was processed by the Tax Authority because it suspected him of not fulfilling his tax obligations. This suspicion was raised after the Fiscal Information and Investigation Service (FIOD) had carried out a criminal investigation into the data subject’s tax consultant. As a result of the Tax Authority’s investigation, the data subject had to pay additional taxes. The data subject claimed that the processing was unlawful requested the controller to erase his personal data pursuant to Articles 17(1)(d), 17(2), and 19 GDPR. The controller rejected this request. The data subject objected to the rejection. The controller declared the objection to be unfounded. The data subject then brought the case before the Court.

The data subject argued that there were two instances of processing: (1) the selection of the personal data by the Tax Authority of the data collected by the FIOD, and (2) the transfer of personal data from the FIOD to the Tax Authority. The data subject claimed that the Tax Authority processed his personal data without a legal basis, and for a different purpose than it was initially collected for (by the FIOD). The controller, claimed that the selection and collection of the personal data did not fall within the scope of the GDPR, because the Tax Authority acted in the context of assistance to criminal investigations under the Police Information Act at that time. Moreover, the controller stated that there was a legal basis since the Authority had to process for the fulfilment of a statutory obligation, and the performance of a task in the public interest, even though the transfer of the personal data to the Tax Authority did fall within the scope of the GDPR,

Holding[edit | edit source]

The Court rejected the data subject’s claim and held that the processing by the Tax Authority had been lawful.

First, the Court stated that the FIOD’s processing of personal data falls within the scope of the LED (Directive 2018/680), which has been transposed into the Police Information Act. Moreover, Articles 18 and 19 of the Police Information Act provide a legal basis for the structural and incidental provision of police data to particular persons or bodies for specifically defined purposes (such as the Tax Authority). The Court further stated that the Tax Authority selected (and therefore processed) the personal data for the purpose of checking whether the data subject was obligated to pay additional taxes. Since this purpose is not a purpose that is covered by the purposes as covered by the Police Information Act, it falls without of its scope, and within the scope of the GDPR.

Second, the Court stated that both the selection of personal data by the Tax Authority, as well as the transfer to Authority, falls under the legal basis of Article 6(1)(e) GDPR, since the Tax Authority processes this personal data to fulfil a public interest, and this obligation is laid down in Article 6(1)(c) AWR (General Act on State Taxation). Lastly, the Court stated that the processing also falls within the scope of Article 23(1)(e) GDPR, and thus the processing does not violate Article 6(4) GDPR. Hence, the Court concluded that all of the requirements as set out in Article 6 GDPR had been fulfilled.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

CENTRAL NETHERLANDS COURT

Seating location Utrecht

Administrative law

case number: UTR 21/3403

decision of the multiple chamber of 9 May 2022 in the case between

[claimant] from [place of residence] , claimant,

(agents: mr. G.J.M.E. de Bont and mr. S.A. Eckhardt)

and

the Minister of Finance, defendant

(Agents: mr. K. Jarbandhan and mr. M. Braam).

Introduction

1. Plaintiff previously lived in Switzerland. The FIOD has conducted a criminal investigation into the plaintiffs' tax adviser, in which data were requested from him from clients, including data from the plaintiff. The criminal prosecution of the tax adviser was eventually discontinued and the Rotterdam District Court ordered the FIOD to delete his data in a court decision at the request of the plaintiff.

2. Earlier, in the course of the criminal investigation, three employees of the Tax and Customs Administration obtained access to the criminal data requested by the FIOD from the clients of the tax adviser, because this may have included tax-relevant information. The agreements made between the FIOD and the Tax and Customs Administration in this regard are laid down in the official memo '[memo] . The employees of the Tax Authorities have made a selection from the customer data of the tax adviser. The claimant's customer data were part of this selection. The selection of data was provided by the FIOD to the Tax Authorities on 7 January 2020.

3. The Inspector of the Tax and Customs Administration has imposed additional assessments on the claimant, using the selected data obtained from the FIOD. According to the claimant, this was done on the basis of personal data that had been unlawfully processed. He has requested the defendant as controller to delete the data. He has made this request on the basis of Articles 17, first paragraph, under d, 17, second paragraph, and 19 of the General Data Protection Regulation (GDPR).1

4. By decision of 15 March 2021 (the primary decision), the respondent rejected the claimant's request. By decision of 2 July 2021 (the contested decision), the defendant declared the objection of the plaintiff unfounded. The applicant appealed against the contested decision and filed a claim for damages. Defendant has filed a statement of defence. The court rejected the plaintiff's request to hear witnesses in the preliminary investigation. The case was heard at the session of February 24, 2022, where the parties were represented by their representatives. The claim for compensation was withdrawn at the hearing.

The views of the parties

5. According to the claimant, there are two moments at which his personal data were processed: first when the officials of the Tax and Customs Administration selected the data collected by the FIOD, and then when the selected data were provided by the FIOD to the Tax and Customs Administration. Plaintiff argues that there is no valid processing basis and processing purpose. According to him, the disclosure of the data from the FIOD to the Tax and Customs Administration did not take place in the context of a criminal investigation into the plaintiff's tax adviser, but with a view to levying tax on the clients of the tax adviser or with a view to detecting the incorrect filing of tax returns by those clients. The three officials of the Tax and Customs Administration thus abused their powers. According to him, the processing of the claimants' personal data was done without a legal basis for a purpose other than that for which the personal data had been collected. Plaintiff has not given permission for this. The claimant now intends to later claim compensation from the defendant, if it is established in these proceedings that there is indeed unlawful processing of personal data.

6. Respondent takes the position that the selection by the officials of the Tax and Customs Administration does not fall within the scope of the AVG, because at that time action was taken in the context of assistance with the criminal investigation under the Police Data Act. According to the defendant, the GDPR does not apply to this. The defendant acknowledges that with the provision of the personal data by the FIOD to the Tax and Customs Administration, there was indeed processing that falls under the GDPR. According to the defendant, the legal basis for this is compliance with a legal obligation and the performance of a task in the public interest.

Considerations

7. Plaintiff's request and this resulting procedure are governed by the GDPR. The determining factor for the further assessment of the case is therefore first of all whether the processing of personal data falls within the scope of the GDPR. It is important here that there is a criminal aspect to this case and that the AVG coexists with Directive 2016/680.2 The AVG stipulates that the AVG does not apply to the processing of personal data for the purpose of investigation, detection and the prosecution of criminal offences, while the Directive precisely provides that it concerns the processing of such personal data.3 The court points out that the GDPR as a regulation is directly applicable in the Member States, while the Directive has an effect on the national legal order through its implementation in national law, which is discussed further below. It is also important that "processing" of personal data within the meaning of the GDPR is understood to mean the collection, recording, organization and structuring of data, and also the provision thereof by means of transmission or otherwise making available.4

8. The way in which the FIOD obtained the claimants' personal data from the tax adviser falls outside the scope of the GDPR and therefore outside the scope of this lawsuit. After all, the data was obtained in the context of the criminal investigation into the tax adviser. At the hearing, the parties confirmed that they agree with this opinion, whereby it was pointed out on behalf of the claimant that the Supreme Court still has to rule on the court decision of the court of Rotterdam in the criminal law track in cassation. In light of this, the Court takes the starting point for the further assessment of the case that the personal data of the claimant at some point in time came into the custody of the FIOD and at the time of the decision by the defendant was still in place.

9. The parties further agree and the court also finds that the provision of the selected data by the FIOD to the Tax Authorities on 7 January 2020 must be regarded as processing personal data within the meaning of the GDPR. After all, the personal data of the claimant were then forwarded, or in any case made available "in some other way". At that time, this was not done (any longer) with a view to a criminal investigation, but with a view to the tax interest.

10. With regard to the processing of personal data, the parties do differ on the selection made by the three employees of the Tax and Customs Administration in the period before 7 January 2020. First of all, the court ruled that the three employees of the Tax and Customs Administration collected, ordered and structured the personal data of the clients of the tax adviser present at the FIOD and that, therefore, this constitutes processing of personal data within the meaning of the GDPR.

11. Articles 18 and 19 of the Police Data Act provide a legal basis for providing police data to persons or bodies, on a structural or incidental basis, respectively, for a number of specifically determined purposes. Article 19 provides that basis for incidental provision directly. Article 18 provides that basis for structural provision for cases determined by or pursuant to an order in council. The latter provision is elaborated in Article 6 of the Police Data Decree on Special Investigative Services. The court ruled that the mere circumstance that the processing of personal data would be based on this legal basis does not mean that the applicability of the GDPR is excluded. The court motivates this judgment below, on the basis of the provisions of the GDPR and the Directive and the relevant case law.

12.Although the Directive, as mentioned, relates to the processing of personal data for the purpose of investigating, detecting and prosecuting criminal offences, it also includes the possibility of subsequently processing personal data collected for those purposes for other purposes . Under the Directive, this is only possible if such processing is permitted under Union or Member State law. In addition, it has been determined that when personal data is processed for such other purposes, the GDPR applies.5 The court must therefore look at the implementation of the Directive in Dutch law, and at the question whether that law permits criminal prosecution. collected personal data is processed for other purposes.

13. The Directive was implemented by amending the then existing Police Data Act.6 Articles 18 and 19 of the Police Data Act were not changed in substance during implementation. In the explanatory memorandum of the implementation law, the following has been considered with regard to the further processing of data obtained criminally for other purposes:

“The Data Protection Investigation and Prosecution Directive provides for the further processing of personal data, which are processed for the purposes within the scope of the Directive, for other purposes to the extent that such processing is prohibited under Union law or the law of the Member States. Allowed. The [GDPR] regulation then applies to the further processing by the recipient of the data (Article 9 Rl). For the Wpg and the Wjsg, this means that the directive allows the provision of data to third parties for purposes other than the investigation or prosecution of criminal offences, insofar as such provision is provided for by or pursuant to the law. This requirement has already been met in the Wpg and Wjsg (Articles 18, 19 and 20 Wpg and 9 to 14 Wjsg). The bill is in line with this for the provision of data regarding the execution and adjudication of criminal offenses.”7

14. The court rules that it follows from the foregoing that Articles 18 and 19 of the Police Data Act are the implementation of Article 9, first paragraph, of the Directive, insofar as they allow that personal data obtained under criminal law to be subsequently processed for other purposes, and that the GDPR applies to it. The Court finds confirmation of this judgment in the assessment framework that the European Court of Justice has provided to determine whether processing of personal data falls within the scope of the GDPR or the Directive,8 and in the explanation given by the Administrative Jurisdiction Division of the Council van State recently submitted to that case law.9 It follows from this that one of the cumulative conditions for the applicability of the Directive is that the competent authority processes the personal data with a view to the prevention, investigation, detection or prosecution of criminal offenses or the enforcement of penalties, including protection against and prevention of threats to public safety. It must be deduced from this that the fact that personal data is being processed on the basis of Articles 18 and 19 of the Police Data Act does not mean that the GDPR cannot be applied for that reason alone. The criterion is whether the personal data have been processed for a criminal purpose, in short.

15.Applied to this case leads to the following assessment. The contested decision states that information was provided on the basis of Article 19 of the Police Data Act, i.e. on an incidental basis. However, the memo [memo] states that the data will be exchanged on the basis of Article 6 of the Police Data Decree on Special Investigative Services, ie (via Article 18 of the Police Data Act) on a structural basis. For the assessment, however, the difference in the two bases does not matter, because it has been decided that the processing purpose is decisive: whether or not with a criminal purpose. The memo states that the three employees of the Tax Authorities, in consultation with two others, will “select the items that qualify for treatment by the Tax Authorities”. The court ruled that no basis for processing for a criminal purpose can be derived from this. After all, the Tax and Customs Administration is charged with levying and collecting taxes, so that “treatment by the Tax and Customs Administration” implies that the personal data were provided with a view to that task and not with a view to criminal prosecution. In the contested decision it is rightly noted that intentionally making incorrect tax returns and intentionally failing to file tax returns are criminal offences, but in the opinion of the court that is only a possible consequence and not the reason for the “treatment by the tax".

16.From the foregoing, the intermediate conclusion can be drawn that both the selection of the personal data by the three officials of the Tax Authorities and the provision of the selected data by the FIOD to the Tax Authorities fall under the scope of the GDPR and the processing of personal data within the meaning of that Regulation. The court therefore follows the plaintiff's position to that extent, also with regard to the memo [memo] and its significance for the applicability of the GDPR. This means that hearing the witnesses nominated by the claimant can no longer reasonably contribute to the assessment of the case. The court therefore rejects the request to that effect on the basis of Article 8:63, second paragraph, of the General Administrative Law Act.

17. Employees of the Tax Authorities have processed the claimants' personal data by selecting the data available at the FIOD. Subsequently, the claimants' personal data were again processed when they were provided to the tax authorities. The court is of the opinion that the basis for the two moments of processing in this case can be found in the general legal obligation of the Tax Authorities under the AWR, Article 6, first paragraph, sub c, of the GDPR, and in the fulfillment of a task in the public interest, Article 6(1)(e) of the GDPR, of the Tax Authorities to levy tax, which task the Tax Authorities are also charged with under the AWR.

18. The court has ruled above that the purpose of the further processing, after the personal data have come into the custody of the FIOD, was to levy and collect taxes. That is a different purpose than the criminal purpose for which the data was originally collected. Such further processing of the personal data for another purpose must comply with Article 6(4) of the GDPR. It states that such further processing is lawful, inter alia, if it is based on a provision of Union or Member State law that constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives of Article 23(1) of the GDPR. One of these objectives is (point e) an important objective of general interest of the Union or a Member State, in particular an important economic or financial interest of the Union or of a Member State, including tax matters.

19. The court rules that levying and collecting taxes in light of this must be regarded as an important objective of the financial interest of the Netherlands within the meaning of Article 23, first paragraph, of the GDPR. This means that the processing of personal data for this purpose was lawful in the light of Article 6(4) of the GDPR.

20. The appeal is unfounded. There is no reason for an order to pay costs.

Decision

The court dismissed the appeal.

This statement was made by mr. K. de Meulder, chairman, and mr. J.J. Catsburg and
mr. J.E. van den Brink, members, in the presence of mr. S. Westerhof, registrar. The decision was handed down on 9 May 2022 and will be made public by publication onsrecht.nl.

Registrar President

Copy sent to parties on:

Remedy

An appeal can be lodged against this decision with the Administrative Jurisdiction Division of the Council of State within six weeks of the date on which it was sent.

1 Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

2 Directive (EU) 2016/680 on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, and on the free movement of such data and repealing Framework Decision 2008/977/JHA.

3 Article 2, second paragraph, preamble and under d) of the GDPR and Article 1, first paragraph, of the Directive.

4 Article 4, preamble, and under 2) of the GDPR.

5 Article 9, first paragraph, of the Directive.

6 Act amending the Police Data Act and the Judicial and Criminal Data Act to implement European regulations on the processing of personal data with a view to the prevention, investigation, detection and prosecution of criminal offenses or the execution of sentences.

7 Parliamentary Papers II 2017/18, 34 889, no. 3, p. 16.

8 Judgment of 22 June 2021 (B v Latvijas Republikas Saeima), ECLI:EU:C:2021:504, paragraphs 69-72.

9 Judgment of 23 February 2022, ECLI:NL:RVS:2022:574, recital 7.2.