Rb. Noord-Holland - HAA 21/6573

From GDPRhub
Revision as of 13:23, 28 August 2023 by Aa (talk | contribs) (Created page with "{{COURTdecisionBOX |Jurisdiction=Netherlands |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Rb. Noord-Holland |Court_Original_Name=Rechtbank Noord-Holland |Court_English_Name=District Court Noord-Holland |Court_With_Country=Rb. Noord-Holland (Netherlands) |Case_Number_Name=HAA 21/6573 |ECLI= |Original_Source_Name_1=Rb. Noord-Holland |Original_Source_Link_1=https://uitspraken.rechtspraak.nl/#!/details?id=ECLI:NL:RBNHO:2023:7865&showbutton=true&keyword=...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Rb. Noord-Holland - HAA 21/6573
Courts logo1.png
Court: Rb. Noord-Holland (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 15(3) GDPR
Article 16 GDPR
Article 17 GDPR
Decided: 06.07.2023
Published: 21.08.2023
Parties:
National Case Number/Name: HAA 21/6573
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): Dutch
Original Source: Rb. Noord-Holland (in Dutch)
Initial Contributor: n/a

Tax Authority found to be in violation of Articles 16 and 17 GDPR for failure to comply with a rectification request and an erasure request.

English Summary

Facts

On 20 May 2021, the data subject (claimant) received a letter from the Dutch Inland Revenue, notifying him that he had been unlawfully registered in the Tax Administration’s (controller) database - the Fraud Signalling Facility (FSV).

Overall, the use of this facility did not comply with the GDPR, as too many employees had access to the data and the data retention period was too long. Some individuals’ data was wrongly included and wrongly used. The controller attempted to rectify this by revoking tax employees' access to the FSV on 27 February 2020 and removing it as a point of use from the Tax Administration's implementation of (tax) legislation.

In a letter dated 25 June 2021, the data subject objected to the recording of his data in the FSV. In this letter, he made an access request under Article 15 GDPR, a data rectification request under Article 16 GDPR, and an erasure request under Article 17 GDPR. The controller responded on 22 July 2021, partially responding to the access request (Article 15 GDPR), but refusing the requests made under Articles 16 and 17 GDPR. The data subject brought claims against the incomplete response to his data access request, and refusal of data rectification and erasure requests.

Holding

The court found no violation of Article 15 GDPR, but found a violation of Articles 16 and 17 GDPR.

Firstly, the controller’s response was GDPR-compliant for the purposes of Article 15 GDPR. An incomplete response to an access request was not inherently a violation of Article 15(3) GDPR. The controller had provided a summary of the data subject’s personal data, along with an explanatory note outlining the processing purposes. This response was sufficient to fulfil the specificity requirements of Article 15(3) GDPR. In reaching this conclusion, the court referenced CJEU judgment of 4 May 2023 (ECLI: EC: C: 2023: 369), wherein it was established that Article 15(3) GDPR does not confer the right to obtain a copy of complete documents if these are not necessary to enable the data subject to effectively exercise the rights conferred on him by the GDPR.

Secondly, the controller’s failure to enforce the data subject’s erasure request was a violation of Article 17 GDPR. Given that the data subject’s data was unlawfully processed to begin with, they were entitled to the erasure of their personal data under Article 17(1)(d) GDPR. Moreover, the court concluded that the controller had no grounds to argue the application of Article 17(3) GDPR, which outlines instances where a controller may lawfully refuse an erasure request. The court found that “the defendant (controller) could not reasonably have considered it necessary to retain the claimant’s personal data in connection with archiving, investigation or legal proceedings.”

Thirdly, the court found that the controller’s refusal to rectify the data subject’s data was a violation of Article 16 GDPR. However, the right to rectification under Article 16 GDPR was to be disregarded in this case, as the data subject’s erasure request was upheld.

No fines were imposed in this case, but the controller (defendant) was ordered to reimburse the data subject’s court fees and legal costs.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Retrieved from "https://gdprhub.eu/index.php?title=Rb._Noord-Holland_-_HAA_21/6573&oldid=34592"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki