Rb. Noord-Holland - HAA 21/6573

From GDPRhub
Revision as of 14:44, 29 August 2023 by 84.113.103.211 (talk) (clarified identity of controller and fixed english translation in box below)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Rb. Noord-Holland - HAA 21/6573
Courts logo1.png
Court: Rb. Noord-Holland (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 15(3) GDPR
Article 16 GDPR
Article 17 GDPR
Decided: 06.07.2023
Published: 21.08.2023
Parties:
National Case Number/Name: HAA 21/6573
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): Dutch
Original Source: Rb. Noord-Holland (in Dutch)
Initial Contributor: n/a

Court found Dutch Inland Revenue to be in violation of Articles 16 and 17 GDPR for failure to comply with a rectification request and an erasure request.

English Summary[edit | edit source]

Facts[edit | edit source]

On 20 May 2021, the data subject (claimant) received a letter from the Dutch Inland Revenue, notifying him that he had been unlawfully registered in the Dutch Inland Revenue's (Belastingdienst) database - the Fraud Signalling Facility (FSV). The controller in this case was the minister of Finance, as the Dutch Inland Revenue is under the administration of the ministry of Finance

Overall, the use of this facility did not comply with the GDPR, as too many employees had access to the data and the data retention period was too long. Some individuals’ data was wrongly included and wrongly used. The controller attempted to rectify this by revoking tax employees' access to the FSV on 27 February 2020 and removing it as a point of use from the Tax Administration's implementation of (tax) legislation.

In a letter dated 25 June 2021, the data subject objected to the recording of his data in the FSV. In this letter, he made an access request under Article 15 GDPR, a data rectification request under Article 16 GDPR, and an erasure request under Article 17 GDPR.

The controller responded on 22 July 2021, partially responding to the access request (Article 15 GDPR), but refusing the requests made under Articles 16 and 17 GDPR. The data subject brought claims against the incomplete response to his data access request, and refusal of data rectification and erasure requests.

Holding[edit | edit source]

The court found no violation of Article 15 GDPR, but found a violation of Articles 16 and 17 GDPR.

Firstly, the controller’s response was GDPR-compliant for the purposes of Article 15 GDPR. An incomplete response to an access request was not inherently a violation of Article 15(3) GDPR. The controller had provided a summary of the data subject’s personal data, along with an explanatory note outlining the processing purposes. In reaching its conclusion, the court referenced CJEU judgment of 4 May 2023 (ECLI: EC: C: 2023: 369), wherein it was established that Article 15(3) GDPR does not confer the right to obtain a copy of complete documents if these are not necessary to enable the data subject to effectively exercise the rights conferred on him by the GDPR. This response was sufficient to fulfil the specificity requirements of Article 15(3) GDPR, thus there was no violation of Article 15(3) GDPR.

Secondly, the controller’s failure to enforce the data subject’s erasure request was a violation of Article 17 GDPR. Given that the data subject’s data was unlawfully processed to begin with, they were entitled to the erasure of their personal data under Article 17(1)(d) GDPR. Moreover, the court concluded that the controller had no grounds to argue the application of Article 17(3) GDPR, which outlines instances where a controller may lawfully refuse an erasure request. The court found that “the defendant (controller) could not reasonably have considered it necessary to retain the claimant’s personal data in connection with archiving, investigation or legal proceedings.”

Thirdly, the court found that the controller’s refusal to rectify the data subject’s data was a violation of Article 16 GDPR. However, the right to rectification under Article 16 GDPR was to be disregarded in this case, as the data subject’s erasure request was upheld.

The controller (defendant) was ordered to reimburse the data subject’s court fees and legal costs.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Introduction
1.1

In this judgment, the court assesses the claimant's appeal on the partial rejection of his request under the General Data Protection Regulation (GDPR).
1.2

The defendant partially rejected this request with the decision of 22 July 2021. With the decision of 28 October 2021 contested on appeal on the claimant's objection, the defendant stood by the partial rejection of the request.
1.3

The defendant responded to the appeal with a statement of defence.
1.4

The court heard the appeal on 18 August 2022 at a hearing together with the appeal with case number HAA 21/6615. Participating in this were: the plaintiff and the first two named agents of the defendant.
1.5

The court adjourned the hearing to give the defendant the opportunity to provide the court with an unvarnished version of the claimant's registration in the Tax Administration's Fraud Signalling Facility (FSV) within two weeks of the hearing, with or without a notice as referred to in Section 8:29 of the General Administrative Law Act (Awb).
1.6

By letter dated 2 September 2022, the respondent provided the court with an unvarnished version of the claimant's registration in the FSV, informing it, pursuant to Section 8:29 of the Awb, that only the court may take cognisance thereof.
1.7

By letter dated 24 October 2022, the claimant responded to the defendant's communication.
1.8

By decision of 15 November 2022, the court's secrecy chamber ruled that restriction of knowledge of the unvarnished version of the claimant's registration in the FSV was justified.
1.9

The claimant did not grant the court permission as referred to in section 8:29(5) of the Awb to rule partly on the basis of the unvarnished document.
1.10

The court heard the appeal at a further hearing on 21 April 2023 together with the appeal with case number HAA 21/6615. Participating in this were the plaintiff and the last two named agents of the defendant.
Assessment by the court
2.1

The court assesses whether the defendant was entitled to (partially) reject the claimant's AVG request for inspection and correction. It does so on the basis of the claimant's grounds of appeal.
2.2

The appeal is well-founded. The court will annul the contested decision, partially revoke the primary decision and determine that the defendant deleted the claimant's personal data in the FSV. Below, the court explains how it reached this judgment and the consequences of this judgment.
2.3

The laws and regulations cited in this judgment in abbreviated form can be found in the annex that forms part of this judgment.

Facts and circumstances
3.1

In the letter dated 20 May 2021, the Inland Revenue informed the claimant that data about him was contained in the FSV. Overall, the use of this facility did not comply with the AVG, as too many employees had access and the data in it were kept for too long. Some data of some individuals were wrongly included and some wrongly used. Therefore, the defendant turned off tax employees' access to the FSV on 27 February 2020 and it will no longer be used in the Tax Administration's implementation of (tax) legislation.
3.2

In the letter dated 25 June 2021, the claimant objected to the longstanding secret and unlawful recording of his data in the FSV. In it, the claimant requested the Tax Administration to immediately remedy (the consequences of) the unlawful registration and to immediately stop the unlawful action and destroy the registration. The claimant further requested the transmission of all documents in his FSV file, including the complete registration data. The defendant classified this letter as a request for inspection, rectification and data erasure under Articles 15, 16 and 17 of the AVG and as an objection under Article 21 of the AVG to the processing of his personal data.
3.3

In its decision of 22 July 2021, the defendant provided some of the claimant's personal data and some other data listed in the claimant's registration in the FSV to the claimant, with an explanation, but refused erasure of data. On appeal, the defendant submitted a printout of the claimant's registration in the FSV, which included both the personal data already provided previously and some additional data, but omitted (deleted) parts in that registration.

Contested decision

4. Following the request for inspection, the defendant decided to provide the claimant with a summary of the claimant's personal data processed in the FSV. In doing so, the defendant considered that the right of inspection under the AVG is not intended to provide access to records and documents. Leaving aside that the FSV is a digital system, although documents may contain personal data, they also contain more and other information in any event. The documents themselves do not constitute information covered by the right of inspection.

The defendant further rejected the claimant's request for rectification and deletion and the claimant's objection to the processing of its personal data. The defendant based this on the fact that the FSV was made inaccessible to the Tax Administration's employees in February 2020. From that moment on, the FSV no longer supported the original purpose: exercising the assigned statutory (supervisory) tasks. Since 27 February 2020, the data from the FSV are no longer used by the Tax Administration and can only be accessed by FSV request handlers. The data are in a separate, secure environment for further investigation, including by the Personal Data Authority. In addition, the data in the FSV are needed for further investigations to determine whether the FSV's flaws have caused adverse effects on citizens. After these investigations are completed, the FSV - and thus the claimant's data - will be destroyed. Providing an opportunity for retrospective accountability (if necessary) for the processing of personal data is a purpose that derives from the original purpose of processing personal data. Even after making the FSV inaccessible, that purpose is still undiminished and, moreover, highly topical, given the ongoing investigations. Furthermore, the Respondent refers to the undertakings given by the State Secretary for Finance to the House of Representatives in this regard, not to destroy any more physical archives throughout the Tax Administration until further notice.

Has the defendant complied with the request for access to the claimant's personal data?
5.1

The Claimant argues that the summary provided to him of his personal data processed in the FSV is incomplete. The defendant wrongly did not provide for inspection the names of tax employees, which do appear in (the printout of) the record of his data. Since this is an illegal registration of his personal data in the FSV, the claimant wants to know who is responsible for it. Given all the unlawful actions taken by the Inland Revenue in relation to him, he has a strong interest in that information and should be able to see all the relevant documents and thus the complete registration of his data.
5.2

The Respondent argues that it intended to make available for inspection all of the Claimant's personal data processed in the FSV. However, it occurred to the defendant that the decision on the AVG request and the decision on objection did not provide the information contained in the FSV records under the heading "source". The Respondent did so at the time of the defence. Furthermore, although data were entered in the "entered by", "reviewed by" and "partner BSN" sections, the data entered there are not provided because they are personal data of third parties.
5.3

The court points out that the obligation to provide a "copy of the personal data" under Article 15(3) of the AVG does not mean that an administrative body is obliged in all cases to provide a copy of the documents in which those personal data appear.1 An administrative body may do so, but it may also choose a different form in which the copy of the personal data is provided, provided that the chosen method of provision fulfils the purpose of Article 15(3) of the AVG. In this case, the defendant initially chose to provide the claimant with a summary of the personal data that - according to the defendant - had been processed about him in the FSV, accompanied by an explanatory note. The personal data thus provided were sorted according to the headings used in the FSV record and corresponded verbatim to what was entered therein. This mode of provision in itself fulfils the purpose of Article 15(3) of the AVG. The Court of Justice of the European Union, in its judgment of 4 May 2023, ECLI:EU:C:2023:369, held that Article 15(3) of the AVG does imply a right to obtain a copy of complete documents, if the provision of such a copy is indispensable to enable the data subject to effectively exercise the rights conferred on him by the AVG. However, the claimant no longer has an interest in a ruling on whether obtaining a copy of his FSV registration was indispensable, since he has still received a copy of it on appeal, with the deletion of the data which, according to the defendant, are not personal data of the claimant. Whether that obliteration was justified is assessed below.
5.4

The court further notes that, in its defence, the defendant still disclosed the information entered in the FSV under the heading "source", namely the word "query". The defendant explained that this word refers to searches carried out by the Tax Administration to analyse (large quantities of) returns for possible inaccuracies. The defendant took the view that this information was wrongly omitted from the contested decision. The ground for appeal therefore succeeds to that extent.
5.5

The only data the defendant has kept secret are those entered under "submitted by", "assessed by" and "partner BSN". Since the plaintiff did not give the court permission to take cognisance of these confidential data, the court did not inspect them. Therefore, the fact that the court was unable to see these data is at the plaintiff's risk. As argued by the defendant and also considered in the secrecy chamber's decision of 15 November 2022, this concerns only the names of handling officials of the Inland Revenue and the citizen service number of the plaintiff's partner. The court sees no reason to doubt this and therefore assumes it. The court finds that the deleted data are not personal data concerning the claimant, because they are personalia of other persons and the court has not been able to establish that those data in this case (further) identify the claimant within the meaning of Article 4, opening words and first paragraph, of the AVG.2 The data deleted by the defendant therefore do not fall within the scope of the claimant's right of inspection under Article 15 of the AVG. Under that article, the claimant is only entitled to access personal data concerning himself. The defendant therefore correctly refused to provide the data to the claimant. The ground for appeal does not succeed to that extent.

Was the defendant entitled to refuse erasure of the claimant's personal data?
6.1

The claimant argues that the defendant was not entitled to refuse his request to erase his personal data. His personal data were unlawfully recorded in the FSV. The defendant has no interest in retaining these personal data.
6.2

The Respondent takes the view that the original FSV application has been deactivated and can therefore no longer be used for the regular supervisory tasks of the Inland Revenue. To that extent, the Claimant's request to delete the data is therefore granted. A copy of the FSV is still being used, on the one hand to deal with the many (AVG) requests from individuals whose data have been processed in the FSV and on the other hand for the various general investigations carried out on the FSV. Therefore, the Claimant's request cannot be fully accommodated at this time. At the hearing, the defendant took the additional position that the erasure of the claimant's personal data will not be carried out because in tax proceedings, a document from the FSV can be a case-related document as referred to in Article 8:42 of the Awb. Moreover, the House of Representatives has been promised not to erase the FSV data yet and the Archives Act 1995 also requires data retention.
6.3

The court finds that it is not in dispute that the claimant's personal data were unlawfully processed in the FSV. This amounts to one of the cases mentioned in Article 17(1) of the AVG, namely under d, in which the data subject is entitled to erasure of his personal data under that paragraph. However, under Article 17(3) of the AVG, the first paragraph does not apply to the extent that processing is necessary for the cases mentioned in that paragraph. Also, Article 41(1) of the General Data Protection Regulation Implementation Act, enacted to implement Article 23(1) of the AVG, contains exceptions that do not require erasure of personal data. However, the defendant's arguments for not proceeding to erasure of the claimant's personal data do not fit into any of these exceptions. The Archives Act 1995, Article 8:42 of the Awb and commitments to the House of Representatives cannot in themselves form a basis for rejecting a request for erasure of personal data. Indeed, rejection is permitted under Article 17(3) of the AVG and Article 41(1) of the Implementation Act only in the cases mentioned in those paragraphs. To the extent that the defendant intended to invoke Article 17(3)(d) or (e) of the AVG, the court finds that the defendant could not reasonably have considered it necessary to retain the claimant's personal data in connection with archiving, investigation or legal proceedings. For example, it cannot be seen that it is necessary for the processing of the claimant's AVG request to retain his personal data, since the defendant provided the claimant with all of his personal data contained in the FSV. Nor can it be seen that the retention of the personal data is necessary for the proceedings concerning tax decisions taken against the claimant and the claimant's compensation claims related to those decisions, which proceedings were the reason for the claimant to request the data from the FSV. Indeed, the defendant explained that those decisions concerned facts prior to the FSV records. Finally, it is also impossible to see that keeping the personal data is necessary for archiving and investigation in connection with political accountability for the FSV registration. Indeed, the present proceedings continue to record that the claimant was registered in the FSV. Moreover, the defendant said at the hearing that it was prepared to proceed with the erasure of the claimant's personal data immediately after the conclusion of these proceedings. In view of the foregoing, the defendant was not entitled to refuse erasure of the claimant's personal data. The ground for appeal succeeds.

Claimant's other AVG requests

7. Because the claimant's personal data must be erased, the court does not reach the assessment of the claimant's other AVG requests, which concerned rectification and further processing of the data.
Conclusion and consequences
8.1

The appeal is well-founded because the contested decision violates Articles 15 and 17 of the AVG. There is a breach of Article 15 of the AVG because the defendant did not give the claimant access to all his personal data in the FSV. There is a breach of Article 17 of the AVG because the defendant refused the request to erase these data. The court therefore annuls the contested decision.
8.2

The court sees reason to decide the case itself, applying Article 8:72(3)(b) of the Awb. The court revokes the primary decision on the claimant's AVG request insofar as it concerns the erasure of personal data and, to that extent, takes a new decision on the request instead. In doing so, the court does not take a new decision on access to the claimant's personal data in the FSV, as the claimant has now been granted access to all such data, so that a further decision on this matter is no longer necessary. The court therefore suffices with the decision that the defendant will still proceed to erase the claimant's personal data in the FSV. In view of Article 12(3) of the AVG, the court sets a deadline of one month for this.
8.3

As the appeal is well-founded, the defendant must reimburse the plaintiff for the court fee and the plaintiff will also be reimbursed for its legal costs, namely costs of leave to appeal. Since the claimant did not further substantiate his request for costs of compensation and it is only established how long the claimant was absent from work, the court fixes the costs of compensation at the minimum rate of €8 per hour for 3.5 hours, pursuant to the Administrative Law Procedural Costs Decree.3