Rb. Noord-Holland - 20/3831

From GDPRhub
Rb. Noord-Holland - 20/3831
Courts logo1.png
Court: Rb. Noord-Holland (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 5(1)(e) GDPR
Article 6(1)(e) GDPR
Article 17(1) GDPR
Article 17(3) GDPR
Article 3 Archiefwet 1995
Article 30 Wet structuur uitvoeringsorganisatie werk en inkomen
Decided: 22.09.2021
Published: 05.10.2021
Parties: Plaintiff
The Board of Directors of the Uitvoeringsinstituut werknemersverzekeringen (Employee Insurance Agency)
National Case Number/Name: 20/3831
European Case Law Identifier: ECLI:NL:RBNHO:2021:8514
Appeal from:
Appeal to:
Original Language(s): Dutch
Original Source: Rechtspraak.nl (in Dutch)
Initial Contributor: Martijn Staal

The District Court Noord-Holland held that there is no obligation under Article 17(3)(b) GDPR for a government body to erase personal data if it is subject to a statutory processing obligation. Further, it found that the Archives Act supersedes the obligation under Article 5(1)(e) GDPR to delete personal data from archived documents.

English Summary

Facts

The plaintiff requested the defendant, the Board of Directors of the Uitvoeringsinstituut werknemersverzekeringen (UWV, Employee Insurance Agency), to provide access to phone notes and the deletion of these notes.

The plaintiff was granted access to the phone notes pursuant Article 15 of the GDPR, but the defendant did not delete them.

The defendant argued that the GDPR and the Archive Act must be seen in relation to each other. The phone notes were part of the file that was kept by the defendant in order to carry out their official authority (Article 6(1)(e) GDPR) and had to be saved for the required retention periods according to the Archive Act, which is an exemption from the Article 17 GDPR right to erasure.

The plaintiff argued that the processing of the phone notes was not necessary, but the court agreed with the position of the defendant: because the plaintiff made an application for unemployment benefits, initial processing of the phone notes was lawful. Pursuant to Article 30 of the Wet structuur uitvoeringsorganisatie werk en inkomen (Work and Income Implementation organisation Structure Act) the defendant had a duty in the public interest and could therefore base the processing of personal data on Article 6(1)(e) GDPR.

Holding

The court held that pursuant to Article 17(3) GDPR there is no obligation for a government body to erase personal data if it is subject to a statutory processing obligation. The court also held that there was no obligation to delete plaintiff's personal data from the phone notes pursuant to Article 5(1)(e) GDPR, because Article 3 of the Archives Act precludes the later modification of archival documents.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.


                                
                            
        



    Body
    Court of North Holland
    Date of judgment
    22-09-2021

    Date of publication
    
05-10-2021

    Case number
    
20/3831

    
    Jurisdictions
    
Administrative law
    
    Special characteristics
    
First instance - single
    
    Content indication
    
Request for deletion of personal data under the GDPR. Relationship between the Archives Act and the GDPR.

    Locations
    
Rechtspraak.nl
    
        
        
            Enhanced pronunciation
        





    
        Share pronunciation
        
    
    
        print
        Save as PDF
        Copy link

    


        
            Pronunciation
        
        
  
    NORTH HOLLAND COURT
  
  
    Seating location Haarlem
  
  
    Administrative law
  
  
    case number: HAA 20/3831
    
      
      judgment of the single chamber of 22 September 2021 in the case between
    
    
      
      
        [plaintiff]
      , at [place of residence] , plaintiff
    (authorized representative: mr. E. Aerts),
  
  
    and
  
  
    
      the Board of Directors of the Institute for Employee Benefit Schemes, defendant
    (Agent: mr. K. Ait Moha).
  
  
    
      Process sequence
    
  
  
    In the decision of November 18, 2019 (primary decision), the respondent rejected the claimant's request to delete telephone notes and the respondent explained why information is exchanged between the various departments of the UWV.
  
  
    In the decision of 14 July 2020 (contested decision), the respondent dismissed the claimant's objection against the primary decision with regard to the telephone notes, while adjusting the motivation, and declared the objection with regard to the internal data exchange inadmissible.
  
  
    Plaintiff has appealed against the contested decision.
  
  
    Defendant has filed a statement of defence.
  
  
    The court heard the appeal on August 11, 2021. Plaintiff appeared, assisted by her attorney. Defendant was represented by his attorney.
  
  
    
      Considerations
    
  
  1. The run-up to the primary decision has been atypical. Plaintiff has requested defendant in several letters and e-mails for information and clarity regarding the information processing and flows. These letters and e-mails on the part of the claimant have led to the decision to be taken on 18 November 2019. Plaintiff cannot agree with the defendant's position that the telephone notes will not be removed, nor can it agree that information about Plaintiff and personal data is shared between the departments of the UWV.
  2. At the hearing, the court established that Plaintiff not only wishes to have the telephone notes removed, but has also – at some point – requested access to those notes. The data protection officer made an overview of the telephone notes available to the claimant by e-mail dated 28 February 2020. The court therefore finds that the request for access pursuant to Article 15 of the GDPR has been complied with and that this is not subject to further review.
  3. In the contested decision, the respondent has substantiated that the UWV must view the General Data Protection Regulation (GDPR)1 and the Archives Act in relation to each other when managing personal data. Drawing up telephone notes, insofar as personal data is collected, falls under the scope of the GDPR. The Respondent processes the personal data in the telephone notes pursuant to Article 6(1)(e) of the GDPR. It follows from this article that the processing must be necessary for the fulfillment of (statutory) tasks of general interest that have been assigned to the defendant. The telephone notes contribute to the handling and accountability of tasks performed by the defendant and have therefore been lawfully processed. The telephone notes are part of the claimant's file that is kept on the basis of the Archives Act. Archives that are kept on the basis of the Archives Act cannot simply be destroyed, this may only take place after the expiry of the retention periods specified in the selection list. The retention period follows from the 'Selection List of the Employee Insurance Agency'. This is an exception to the right to erasure within the meaning of Article 17 of the GDPR.
  With regard to the exchange of information within various departments, the respondent is of the opinion that it has not taken a decision on this within the meaning of the General Administrative Law Act (Awb) because the letter of 18 November 2019 is not aimed at legal consequences. The claimant's objection to this, therefore, was dismissed by the respondent as inadmissible.
  4. The legal framework is included in the appendix.
  
    
      5 The Phone Notes
    
      5.1
      Plaintiff disputes that the processing of telephone notes is necessary. According to the claimant, the retention of telephone notes is not in line with the principle of minimum data processing pursuant to Article 5(1) of the GDPR. The consequence of this is that the telephone notes have been processed unlawfully and for that reason the assessment framework and the retention periods of the Archives Act are not met. After all, the selection list concerns data that have already been archived, which presupposes that the archiving is lawful in itself and that, according to the claimant, is not the case. Plaintiff therefore has the right to erasure.
      
    
    
      5.2
      Respondent takes the position that pursuant to Article 30 of the Structure of the Implementation Organization for Work and Income Act the UWV has been assigned the task of the public interest. Plaintiff has applied for unemployment benefits and in order to determine entitlement to that benefit, defendant has created a file containing the telephone notes, containing personal data of Plaintiff. Respondent has therefore lawfully processed this data in view of its task. Under the Archives Act, the claimant's file is regarded as an archive document that must be kept on the basis of this Act. The telephone notes that are kept as part of the file therefore fall under the retention periods of the selection list. With regard to the request for erasure of data, the defendant is of the opinion that the plaintiff has not argued what its interest is in that right. Respondent is therefore unable to assess whether this interest outweighs the interest in keeping the telephone notes. The fact that the claimant no longer has any current benefits is not of sufficient weight.
      
      
        
          Which personal data and which processing operations are involved?
        
      
    
    
      5.3.
      
        The defendant has explained that the telephone notes contain at least the name of the claimant and that the telephone notes therefore contain personal data.
        The court further establishes that the claimant's request concerns both the filing of files in the context of the assessment of the right to benefit and the storage of those telephone notes in an archive after the benefit has been terminated.
       
      
      
        
          Is the processing of the personal data lawful?
          5.4. The request for erasure must be regarded as a request for erasure of personal data as referred to in Article 17(1) of the GDPR. That article provides that the data subject has the right to erasure – inter alia – when the personal data have been unlawfully processed. Plaintiff has requested the destruction of the telephone notes in their entirety, but in view of Article 17 of the GDPR, only the removal of the personal data can be requested and not the removal of the entire telephone notes. In which cases personal data has been lawfully processed is regulated in Article 6 of the GDPR.
       
      
    
    
      5.5.
      The court can follow the defendant in its position that the creation of a file of the plaintiff is necessary for the performance of its duties (Article 6, first paragraph, under e of the GDPR). In the opinion of the court, it is not unreasonable that telephone notes are also kept as part of this file, because they may contain information that is important for the file and the claimant's right to payment. It is therefore considered that the personal data included in the telephone notes have in principle been processed lawfully.
      
      
        
          Can the telephone notes also be kept?
        
      
    
    
      5.6.
      Plaintiff has put forward on appeal that she does not agree with the fact that the telephone notes – after completion of the benefit file – are kept.
      
    
    
      5.7.
      
        As the Division has previously considered2, it follows from Article 17(3) of the GDPR that the board is under no obligation to delete personal data without undue delay if it is subject to a statutory processing obligation.
        It follows from Article 3 of the 1995 Archives Act that the Commission is obliged to bring and keep the archive documents held by it in a good, ordered and accessible state. The UWV Selection List has been drawn up on the basis of Article 5 of the 1995 Archives Act. It follows from the UWV Selection List that the retention period for information for the purpose of deciding on entitlement to benefits, the amount and the duration of the benefits, is 5 years. Since the telephone notes, as the defendant argues, are kept in connection with the entitlement to benefits and the obligation to retain them is based on a legal basis, the defendant was right to take the position that it was not obliged to delete the plaintiff's telephone notes. .
       
      
      
        
          Should the personal data be removed from the telephone notes?
        
      
    
    
      5.9.
      
        Plaintiff argues that, in view of Article 5, first paragraph, under e, of the GDPR, the defendant must remove or erase the personal data from the telephone notes.
        The court does not follow the plaintiff's position. The Administrative Jurisdiction Division of the Council of State (the Division) determined on 8 March 2017, ECLI:NL:RVS:2017:620, that the Archives Act, in contrast to, for example, the Government Information (Public Access) Act, which has an information system, contains a system of documents. . According to the Division, editing documents, for example by making them anonymous, does not fit in with the document system. The defendant therefore rightly took the position at the hearing that archive documents cannot be changed. This is also in accordance with Article 3 of the Archives Act, which stipulates that the board has the duty to bring and keep the archive documents held by it in a good, orderly and accessible state, as well as to ensure the destruction of the relevant records. eligible records.3
       
      
      
        
          Correction (superfluous)
        
      
    
    
      5.10.
      Plaintiff argues that the content of the telephone notes is incorrect and therefore wishes to rectify the notes. Firstly, the court considers that this is not the subject of these proceedings. In doing so, the court considers that it has not been shown that the personal data included in the archive documents are incorrect. In addition, Article 45, first paragraph, of the General Data Protection Regulation Implementation Act (UAVG) states that the right to rectification does not apply to archive records.
      
    
  
  
    
      6 Data exchange within the UWV
    
      6.1
      Plaintiff argues that the data exchange between different departments is unlawful because this is contrary to the principle of minimization of data processing as referred to in Article 5 of the GDPR. Plaintiff also refers to Article 32 of the GDPR and argues that the security of her personal data is insufficiently guaranteed due to data exchange. Finally, it is not clear to Plaintiff how her personal data is secured and that is not in accordance with Article 12 of the GDPR.
      
    
    
      6.2
      The respondent takes the position that, pursuant to Article 34 of the UAVG, a written decision on a request as referred to in Articles 15 to 22 of the GDPR, insofar as it has been taken by an administrative authority, is a decision within the meaning of the AWB. Article 15 of the GDPR contains the right to access personal data and information about the processing of those personal data. According to the defendant, no information is required under that article about the security and control of the data exchange when processing personal data. Nevertheless, Plaintiff can put questions to Defendant about this, which she has done, and Defendant answered Plaintiff's questions and complaints during the interview on December 13, 2019. The respondent has explained the way in which the UWV implements the security and control of data exchange within the UWV. However, the defendant is not obliged to take a decision in this regard within the meaning of the Awb, since the provision of this information is not intended to have legal consequences under public law.
    
    
      6.3
      The court states first and foremost that the administrative judge's assessment is in principle limited to the question of whether the plaintiff has rightly been declared inadmissible. The court can follow the defendant's position and is of the opinion that the plaintiff's request is not a situation as referred to in Article 34 of the UAVG. Defendant could therefore not be obliged to take a decision in that regard and has not done so with the letter of 18 November 2019, because it provided an explanation that did not create any legal consequences. The court therefore finds that the defendant has rightly dismissed the claim of the plaintiff on this point.
      
      7. In view of all the foregoing, the appeal is unfounded.
      
      8. There is no reason for an order to pay costs.
      
      
        
          Decision
        
       
      
      
        The court dismissed the appeal.
       
      
      
        This statement was made by mr. M.H. Affourtit-Kramer, Judge, in the presence of Mr. L.E. Hesselink, clerk. The verdict was pronounced in public on September 22, 2021.
       
      
      
      
      
      
      
      
            
              
                clerk
              
              
                right
              
            
          
      
      
      
        A copy of this ruling has been sent to the parties at:
       
      
      
      
        
          Do you disagree with this statement?
        
        If you do not agree with this ruling, you can send a letter to the Administrative Jurisdiction Division of the Council of State explaining why you do not agree with it. This is called an appeal. You must submit this notice of appeal within 6 weeks of the day on which this decision was sent. You can see this date above.
       
      
      
        
          Appendix
        
       
      
      
        General Data Protection Regulation
       
      
      
        Article 5 reads as follows:
      
      1. Personal data must:
      
        
          be processed in a manner that is lawful, fair and transparent with regard to the data subject (‘lawfulness, fairness and transparency’);
        
        
          collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes; the further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes is not considered incompatible with the original purposes in accordance with Article 89(1) ("purpose limitation");
        
        
          are adequate, relevant and limited to what is necessary for the purposes for which they are processed ("minimal data processing");
        
        
          are accurate and updated if necessary; all reasonable steps must be taken to erase or rectify without undue delay any personal data which, having regard to the purposes for which they are processed, are inaccurate ("accuracy");
        
        
          be kept in a form that makes it possible to identify the data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods to the extent that the personal data are processed solely for the purpose of archiving in the public interest, scientific or historical research or statistical purposes in accordance with Article 89(1), provided that the appropriate technical and organizational measures required by this Regulation are applied. taken to protect the rights and freedoms of the data subject ("storage restriction")
        
        
          are processed by taking appropriate technical or organizational measures in such a way that they are adequately secured, and that they are protected, inter alia, against unauthorized or unlawful processing and against accidental loss, destruction or damage ("integrity and confidentiality") .
        
      
      2 The controller is responsible for compliance with paragraph 1 and can demonstrate this ('accountability').
      
      
        Article 6, in so far as relevant, reads as follows:
      
      1. Processing is only lawful if and insofar as at least one of the following conditions is met:
      
        
          the data subject has given permission for the processing of his personal data for one or more specific purposes;
        
        
          the processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract;
        
        
          the processing is necessary to comply with a legal obligation to which the controller is responsible;
        
        
          the processing is necessary for the performance of a task carried out in the public interest or of a task in the exercise of official authority conferred on the controller;
        
        
          the processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where the interests or fundamental rights and freedoms of the data subject which require the protection of personal data outweigh those interests, in particular where the the person concerned is a child.
        
        
          the processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where the interests or fundamental rights and freedoms of the data subject which require the protection of personal data outweigh those interests, in particular where the the person concerned is a child.
        
      
      
        Point (f) of the first subparagraph shall not apply to processing by public authorities in the performance of their duties.
        (…)
       
      
      
        Article 12, in so far as relevant, reads as follows:
      
      1. The controller shall take appropriate measures to ensure that the data subject receives the information referred to in Articles 13 and 14 and the communication referred to in Articles 15 to 22 and Article 34 in connection with the processing in a concise, transparent, intelligible and easily accessible form. and in clear and plain language, especially where the information is specifically intended for a child. The information shall be provided in writing or by other means, including, where appropriate, electronic means. If the data subject so requests, the information may be communicated orally, provided that the identity of the data subject is proven by other means.
      (…)
      
      
        Article 15, in so far as relevant, reads as follows:
      
      1. The data subject has the right to obtain confirmation from the controller as to whether or not personal data concerning him/her is processed and, where that is the case, to obtain access to those personal data and to the following information:
      
        
          the processing purposes;
        
        
          the categories of personal data concerned;
        
        
          the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
        
        
          if possible, the period for which the personal data is expected to be stored, or if that is not possible, the criteria for determining that period;
        
        
          that the data subject has the right to request from the controller that personal data be rectified or erased, or that the processing of personal data concerning him/her be restricted, as well as the right to object to such processing;
        
        
          that the data subject has the right to lodge a complaint with a supervisory authority;
        
        
          where the personal data is not collected from the data subject, any available information about the source of that data;
        
        
          The existence of automated decision-making, including the profiling referred to in Article 22(1) and (4), and at least in those cases, useful information about the underlying logic, as well as the importance and expected consequences of such processing for the data subject. (…)
        
      
      Article 17, in so far as relevant, reads as follows:
      1. The data subject shall have the right to obtain from the controller without undue delay the erasure of personal data concerning him or her and the controller shall be required to erase personal data without undue delay where one of the following applies:
      
        
          the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
        
        
          the data subject withdraws consent on which the processing is based in accordance with Article 6(1)(a) or Article 9(2)(a), and there is no other legal basis for the processing;
        
        
          the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
        
        
          your personal data has been unlawfully processed;
        
        
          the personal data must be erased in order to comply with a legal obligation imposed on the controller under Union or Member State law;
        
        
          the personal data was collected in connection with an offer of information society services as referred to in Article 8(1).
        
      
      (…)
      3 Paragraphs 1 and 2 do not apply insofar as processing is necessary:
      (…)
      d. for archiving purposes in the public interest, (…) in accordance with Article 89(1) to the extent that the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the purposes of such processing.
      
      
        Article 32, in so far as relevant, reads as follows:
      
      1. Taking into account the state of the art, the costs of implementation, as well as the nature, scope, context and purposes of the processing and the risks of varying likelihood and severity to the rights and freedoms of individuals, the controller and the processor shall take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, where appropriate:
      
        
          the pseudonymization and encryption of personal data;
        
        
          the ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services on an ongoing basis;
        
        
          the ability to restore the availability of and access to the personal data in a timely manner in the event of a physical or technical incident;
        
        
          a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures to secure the processing.
        
      
      
      
        Implementation Act General Data Protection Regulation
       
      
      
        Article 34 reads as follows:
        A written decision on a request as referred to in Articles 15 to 22 of the Regulation shall be taken within the periods referred to in Article 12(3) of the Regulation and, insofar as it has been taken by an administrative authority, shall be considered a decision within the meaning of the General Administrative Law Act.
       
      
      
        Article 45 reads as follows:
      
      1. When processing personal data that form part of archive documents as referred to in Article 1, part c, of the Archives Act 1995, which are held in an archive repository as referred to in Article 1, part f, of that Act, Articles 15, 16 , 18, first paragraph, under a, and 20 of the Regulation do not apply.
      (…)
      
      
        Archives Act
       
      
      
        Article 3 reads as follows:
        The government bodies are obliged to bring and keep the archive documents held by them in a good, orderly and accessible state, as well as to ensure the destruction of the relevant archive documents.
       
      
      
        Article 5, in so far as relevant, reads as follows:
      
      1. The caretaker is obliged to design selection lists in which it is stated at least which archive documents are eligible for destruction.
      2 The lists are established insofar as they concern:
      (…)
      b. archive documents of the ministries: by Our Minister and Our Minister whom it also concerns;
      c. records of other government bodies: by Our Minister.
      (…)
      
    
  
  
  
  
1
     Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
  2
     See the judgment of the Division of 12 May 2021, with ECLI:NL:RVS:2021:1028.
  3
     See also the judgment of the Division of 12 May 2021, ECLI:NL:RVS:2021:1028.