Rb. Oost-Brabant - C/01/371762 / EX RK 21-90
Rb. Oost-Brabant - C/01/371762 / EX RK 21-90 | |
---|---|
Court: | Rb. Oost-Brabant (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 13 GDPR Article 14 GDPR Article 15 GDPR Article 26(2) GDPR artikel 35 UAVG |
Decided: | 01.08.2022 |
Published: | 08.08.2022 |
Parties: | T-Mobile Netherlands B.V. |
National Case Number/Name: | C/01/371762 / EX RK 21-90 |
European Case Law Identifier: | ECLI:NL:RBOBR:2022:3257 |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | Dutch |
Original Source: | rechtspraak.nl (in Dutch) |
Initial Contributor: | Jette |
The District Court Oost-Brabant held that T-Mobile violated a customer's right to access by failing to provide additional information on the existence of automated decision-making and profiling.
English Summary
Facts
The data subject had a phone subscription with T-Mobile (controller). The Central Bureau of Statistics (CBS) conducted statistical research with large datasets acquired from T-Mobile. T-Mobile stated that no personal data was shared with the CBS since all data had been anonymised.
The data subject doubted statement from T-Mobile. He submitted an access request for the personal data T-Mobile processed for the CBS’s research. T-Mobile rejected the request stating that it had not processed any of the data subject’s personal data in this regard. Since the data subject was convinced that T-Mobile had to comply with his request, he brought the issue before the court.
In an interim decision the court held that T-Mobile violated Article 15 GDPR because any anonymisation process involves processing of personal data at least in the initial phase. The Court stipulated that T-Mobile had to indicate the exact nature and origin of the processed’ personal data. Although T-Mobile claimed that it had deleted that data, it submitted no proof of this. The court decided to suspend the proceedings and T-Mobile was given the opportunity to submit additional documents.
T-Mobile submitted these additional documents in the case at hand. However, the data subject stated that these documents still did not include all the information requested.
Holding
The court mostly adhered to its interim decision. It held that T-Mobile did provide all the information required under Article 15(1)(a), (c), (d), and (g) GDPR. The court found that an email where T-Mobile's director of Intelligence & Insights stated that "the data had been deleted" sufficient evidence of that fact. As there was no data, it could not be provided to the data subject.
However, T-Mobile did not provide sufficient information about automated decision-making and profiling (Article 15(1)(h) GDPR). The Court ordered T-Mobile to provide the data subject with information about the existence of automated decision-making and profiling within two months. It also required the controller to explain the underlying reason, the importance and the expected consequences of that processing for the data subject.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
order COURT EAST BRABANT Civil rights Seating place 's-Hertogenbosch case number / claim number: C/01/371762 / EX RK 21-90 Order of August 1, 2022 in the case of [applicant] , residing at [residence] , applicant, hereinafter referred to as: [applicant] , appeared in person, and the private company with limited liability T-MOBILE NETHERLANDS B.V., located in The Hague, defendant, hereinafter referred to as: T-Mobile, lawyer: mr. Q.R. Kroes in Amsterdam. 1 The further procedure 1.1. In the interim decision of 2 March 2022, T-Mobile was given the opportunity to submit the following documents: - the statement as referred to under 5.15 with regard to the deletion of the processed personal data; - the agreement regarding the pilot between T-Mobile and CBS; - the privacy statement to which T-Mobile [applicant] referred; - a written explanation that the provision of the privacy statement, the press statement of March 11, 2021 and the agreement between T-Mobile and CBS has fulfilled its obligations under art. 13, 14 and 26 GDPR; - (if T-Mobile deems it expedient) in advance the information as referred to under 5.13 and 5.14 (the information requested by [applicant] under Art. 15 GDPR). 1.2. T-Mobile submitted a number of documents by e-mail of 12 April 2022, after which [applicant] was given the opportunity to respond to them. [Applicant] did this by e-mail of 3 June 2022. 1.3. It has subsequently been determined that a final decision will be made. 2 The further assessment 2.1. The District Court (for the most part, see below under 2.6) with what it considered in its previous decision of 2 March 2022. It is established that T-Mobile has submitted the documents requested by the court. It also provided an explanation of the documents submitted, which plays a role in the assessment of the requests submitted by [applicant]. Below, the court will consider the requests made by [applicant] and the question of whether T-Mobile has already complied with those requests, insofar as they can be granted. The requests under B and C 2.2. As the court in r.o. 5.13 and 5.14 of its interim order, the request of [applicant] can in principle be granted insofar as it is based on the provisions of Article 15 paragraph 1 under a, b, c, d, g and h of the GDPR. T-Mobile was given the opportunity in that interim decision to provide this information to [applicant]. 2.3. T-Mobile has submitted the requested information with regard to the categories of personal data (Article 15 paragraph 1 sub b AVG) by deed. [Applicant] acknowledges this. [Applicant] notes in this regard that T-Mobile has not yet submitted all the information he has requested. 2.3.1. The court is of the opinion that T-Mobile – after the explanation it has provided – has provided all the information pursuant to Article 15 paragraph 1 sub a, c, d and g of the GDPR. After all, T-Mobile has explained that it has processed personal data with the aim of making mobility analyzes and statistics possible by Statistics Netherlands, so that it has provided [applicant] with information about the processing purposes of the personal data (sub a). Furthermore, T-Mobile stated without being contradicted that it provided the (anonymised and aggregated) personal data to Statistics Netherlands – as recipient – (sub c). With regard to the period during which the personal data is expected to be stored, or if that is not possible, the criteria for determining that period (sub d), T-Mobile has explained in its deed that it has now deleted the personal data used ( pursuant to the provisions of the Telecommunications Act). It therefore also provided information to [applicant] about this. T-Mobile also stated without being contradicted that it was the one who (independently) provided (signalling) data of its customers to CBS. It has not been argued by [applicant] and it has not become apparent that there is another source where the personal data were collected, so that T-Mobile has complied with what it has information about on the basis of the provisions of Article 15 paragraph 1 preamble and under g of the GDPR. should provide. 2.3.2. Sub h of the aforementioned Article provides that the data subject has the right to access and obtain information about the existence of automated decision-making, including the profiling referred to in Article 22(1) and (4), and, at least in those cases, useful information about the underlying logic, as well as the importance and expected consequences of that processing for the data subject. In the court's opinion, T-Mobile has not yet provided [applicant] with any information about this. The court will grant the request – as formulated under B – of [applicant] insofar as it relates to this information. Otherwise, the court denies the request. 2.4. In the opinion of the court, the request of [applicant] as he formulated it under C cannot be granted. After all, T-Mobile has made it sufficiently plausible that it has deleted the data it used for the implementation of the pilot with CBS. To this end, the court considers as follows. 2.4.1. In its e-mail of April 12, 2022, T-Mobile submitted a statement from its director of Intelligence & Insights, named [A] , in which – insofar as relevant here – it is stated: “(…) For the pilot with CBS, T-Mobile used signaling data from its 4G network as source data. This is technical data that is automatically and continuously exchanged between a peripheral device and the mobile network to maintain the connection. A limited set of these signaling data was used for the pilot per peripheral device: - Date_time stamp (ie: date and timestamp for the data concerned); - E_cgi (which creates a link to a cell in the mobile network); - IMSI (which stands for International Mobile Subscriber Identity; a unique number associated with all GSM and UMTS peripherals that is stored on the SIM card in the device). This data is automatically hashed before being processed for the internal anonymization process for the CBS pilot. Alert data qualify in a legal sense as traffic data within the meaning of Article 11.1 of the Telecommunications Act. This means that, pursuant to Article 11.5, the basic principle is that they must be anonymized or deleted as soon as they are no longer needed for the transmission of the communication. T-Mobile applies a data retention policy on the basis of this statutory regulation. Below, traffic data is deleted after six months. The pilot with CBS ended more than 2 years ago at T-Mobile's own initiative. The traffic data used therein has since been deleted. (…)”. 2.4.2. [applicant] argues that the submitted statement does not substantiate T-Mobile's assertion that it has deleted the data and no longer has it in its possession, because T-Mobile only declares that the "traffic data" has been deleted and – in short – the copied data and subsequent processing, such as hashing, fall outside the retention obligation of the Telecommunications Act. 2.4.3. As is apparent from the statement submitted by it, T-Mobile stated without being contradicted that it used signaling data from its 4G network as source data for the pilot with CBS and that a limited set of signaling data was used per peripheral device. Furthermore, T-Mobile stated without being contradicted that this signaling data was automatically hashed before being processed for the internal anonymization process. [Applicant] argues that this does not show whether other personal data such as pseudonymised or hashed data are available and whether that data has been deleted or not. The court is of the opinion that the statement by (the director of Intelligence & Insights of) T-Mobile provides sufficient evidence that in the pilot with CBS it only made use of signaling data and that T-Mobile used that data (under the Telecommunications Act). ) has deleted. There is no indication that "other personal data" is being used. 2.4.4. Insofar as [applicant] has argued that T-Mobile has stated that it has automatically hashed the signaling data (meaning that an offline copy was made) before they were processed for the pilot and that that (copied) data is beyond the reach of falls under the retention obligation of the Telecommunications Act, the court is of the opinion that T-Mobile's statement sufficiently demonstrates that it has also deleted those data. After all, T-Mobile has stated that it has deleted all signaling data, even after it has been hashed. The answer to the question whether it has done this on the basis of the provisions of the Telecommunications Act or for another reason is irrelevant. It is therefore established that T-Mobile no longer has that data, so that it cannot (any longer) submit it to [applicant]. 2.4.5. Even if it used [applicant]'s data for this (which, according to T-Mobile, is plausible if [applicant] used T-Mobile's 4G network with a 4G device during the period that the pilot was running ), T-Mobile can for that reason no longer provide a definitive answer or give [applicant] access to the personal data processed by him, except to sketch a general picture of this (as T-Mobile has already done). Therefore, the court denies this request. The requests under A and D 2.5. In the interim order, the court gave T-Mobile the opportunity to answer the questions in the request under A. 2.6. At the request of the court, T-Mobile has submitted its privacy statement to that effect, applicable from 13 December 2018. In doing so, it referred to the provisions of Article BB Anonymized or aggregated data. This article states: “T-Mobile can collect data from a group of customers for third parties, for example for scientific research, mobility analyzes or statistics. The data provided to a third party is anonymised. This means that this data cannot be traced back to you. Aggregated means that the data concerns a large group, in which your data cannot be traced. For example, if you watch television via T-Mobile, we will inform the Viewing Figure Research Foundation (SKO) of the time of viewing, the type of device you are watching and the channel. This data in itself cannot be traced back to you as an individual customer by SKO. SKO therefore does not know what you have watched or whether you are watching television via T-Mobile. We may also pass on your anonymous data to third parties for mobility analysis. For example, traffic flows and traffic volume can be derived from the number of callers at a particular location.” T-Mobile has explained that it has informed its customers about the possibility that their data could be processed into anonymised/aggregated data that can be provided to third parties for (among other things) mobility analyzes or statistics. 2.7. [Applicant] argues that it is an outdated privacy statement and that the privacy statement does not answer the questions he posed, because the statement concerns data collections for "scientific research, mobility analyzes or statistics", while the NRC article is about the development of algorithms for the exploitation of information about mobility and residence behavior for municipalities and provinces and for commercial exploitation by T-Mobile. 2.8. The privacy statement submitted by T-Mobile states that it is valid from December 13, 2018. T-Mobile has stated without being contradicted that it participated in the pilot with CBS from September 20, 2017 to December 2019, so that this privacy statement is in any case case was applicable in part of the pilot period. It has been argued by [applicant] that the privacy statement does not concern data processing for the development of algorithms discussed in the NRC article. The court is of the opinion that what is stated about this in the NRC article is not leading. After all, T-Mobile has stated without contradiction – and very extensively – what kind of data it exchanged with Statistics Netherlands in the context of the pilot, i.e. anonymized and aggregated movement patterns with a minimum number of 15 (also referred to as signaling data). The agreement between T-Mobile and CBS, which T-Mobile submitted by deed, does not mention the development of algorithms, in whatever form. After all, Article 2, paragraph 3 of that agreement states: “CBS will not use the data for other investigations. (…)”. Also from the explanation of T-Mobile it does not appear in any way that data processing for the development of algorithms would have taken place. Furthermore, the privacy statement, namely in the aforementioned article BB, states unambiguously and clearly that the anonymous data of its customers can be given to third parties for mobility analyzes in order, for example, to better estimate the traffic flows and traffic density at a certain location. 2.9. In addition, T-Mobile has further explained in a deed what the background of the collaboration between it and CBS was and which personal data was processed in that context. T-Mobile states that there was anonymized mobile phone data, in which no individual personal data was used, but only anonymized and aggregated datasets that made it possible to count how many devices (with a minimum of 15) were located at a given moment. within the range of a particular cell tower and that these data sets were derived from signaling data from T-Mobile's 4G network. 2.10. [Applicant] argues against this that T-Mobile has only formulated the aim of "enabling mobility analyzes and statistics by Statistics Netherlands", while other objectives are mentioned in the NRC article. In addition, [applicant] argues that T-Mobile only partially fulfills its information obligations under Articles 13 and 14 of the GDPR. According to the applicant, the following information is still missing: - where applicable, the contact details of the DPO, - the right of data subjects to access, rectify, delete, restrict processing, object and transferability, - the right to lodge a complaint with a supervisory authority, - whether the provision of personal data is a legal or contractual obligation or a necessary condition to conclude a contract, and whether the data subject is obliged to provide the personal data and what the possible consequences are if this data is not provided - the existence of automated decision-making, including profiling, and, where applicable, useful information about the underlying logic, as well as the importance and expected consequences of such processing for the data subject. According to [applicant], that information must still be provided by T-Mobile. 2.11. In its deed, T-Mobile has explained in more detail – insofar as it is obliged to do so – what the background was to its collaboration with CBS, what data it exchanged with CBS for the pilot and how it erased that data. Insofar as [applicant] argues that the NRC article refers to a purpose other than the one formulated by T-Mobile, the court refers to what it has stated above in r.o. 2.8 has considered: what is stated in the NRC article is not leading. It is important that T-Mobile informs the person whose data it processes about how it has done this and whether it has fulfilled its obligations to that end. In the opinion of the court, it has been sufficiently established that T-Mobile has done so. [Applicant] further stated that he has not yet received all the information that T-Mobile is required to provide to him under the provisions of Articles 13 and 14 of the GDPR. The court will discuss this below for each type of information. The court will not address the question of whether the personal data were collected from the data subject (Article 13 GDPR) or whether the personal data were not obtained from the data subject (Article 14 GDPR). In both cases, a controller must provide information to the data subject. 2.11.1. [applicant] states that T-Mobile has not yet provided all information with regard to the purposes of and the legal basis for the processing and with regard to the period during which the personal data will be stored. The court is of the opinion that T-Mobile has meanwhile done this and refers in that regard to what it has considered above. 2.11.2. [applicant] states that T-Mobile has not yet provided the contact details of the data protection officer. Article 37 GDPR specifies in which cases the controller and the processor must appoint a data protection officer. It has not been argued and there is no evidence whatsoever that T-Mobile and CBS have designated such an officer. Therefore, the court is of the opinion that T-Mobile is not required to provide that information to [applicant]. 2.11.3. Furthermore, [applicant] states that T-Mobile has not provided all information about the data subject's right to: access, rectification, erasure, restriction of processing, objection and transferability as referred to in Article 13 paragraph 2 preamble and under b and Article 14, paragraph 2, preamble and under c GDPR. However, [applicant] did not request this information in his application or in his earlier request to T-Mobile in the letter of 12 March 2021 (which must be used for the assessment of the requests). The Court is therefore unable to assess this assertion by [applicant]. 2.11.4. [applicant] also states that T-Mobile has not provided all information about the right to submit a complaint to a supervisory authority as referred to in Article 13 paragraph 2 preamble and under d and Article 14 paragraph 2 preamble and under e of the GDPR. With regard to the provision of this information, the same applies as has been considered above under 2.11.3. [applicant] did not request this information in his application, so that the court cannot assess this assertion. 2.11.5. Furthermore, [applicant] states that T-Mobile has not yet provided information about whether the provision of personal data is a legal or contractual obligation or a necessary condition for concluding an agreement, and whether the person concerned is obliged to provide the personal data and what the possible consequences if this data is not provided (as referred to in Article 13, paragraph 2, preamble and under e of the GDPR). Although the [applicant] requested in his application (under A) to provide information on whether the provision of personal data is a legal or contractual obligation, he did not specifically request this information in his letter of 12 March 2021. As in r.r. 5.7 of the interim order, the assessment of the requests must be based on the requests as made by [applicant] on 12 March 2021. In addition, the court is of the opinion that [applicant] has no interest in the information requested by him on this point, because it appears from the corresponding statements of both parties that there is a contractual obligation. To that end, T-Mobile has submitted the agreement it concluded with CBS. The court therefore denies that request. 2.11.6. [applicant] also stated that T-Mobile did not provide him with information about the existence of automated decision-making, including profiling, and, if applicable, useful information about the underlying logic, as well as the importance and expected consequences of that processing for the data subject as referred to in Article 13 paragraph 2 preamble and under f and Article 14 paragraph 2 preamble and under g GDPR. [Applicant] requested that information in his petition under B and also in his letter of 12 March 2021. T-Mobile did not provide any information about this in its deed, however. However, this concerns the same information that T-Mobile is required to provide to [applicant] on the basis of the provisions of Article 15, paragraph 1, preamble and under g of the GDPR. The court will therefore order T-Mobile to provide that information, as stated below under the decision. 2.12. In T-Mobile's explanation of the agreement submitted by it, T-Mobile (correctly) noted that it had already contested in its speaking notes that it submitted during the oral hearing that T-Mobile and CBS are joint controllers, so that according to its Article 26 GDPR is not applicable. In the interim order (see grounds 5.26 and 5.27), the District Court erroneously and therefore incorrectly determined – if not contested – that this was indeed the case. The court will return to that. However, the court is of the opinion that it is immaterial to answer the question whether the requests of [applicant] can be granted whether there are joint controllers. After all, [applicant] has requested access to the essential content of the arrangement between CBS and T-Mobile. T-Mobile submitted the agreement between it and CBS with regard to the pilot by deed, so that – despite the answer to the question whether it was obliged to do so – it has already implemented the request under D. The court will therefore reject this request, for lack of interest. The request under E 2.13. [applicant] has requested, if T-Mobile is ordered to provide him with information, that a penalty payment be attached to that order. However, the court sees no reason to attach a penalty payment to this order. After all, T-Mobile has taken a willing position (at least after the interim order) and has – as the court understands – done its best to provide [applicant] with as much of the information requested by [applicant] and to [applicant] insight. to indicate how his data may have been processed in the context of the CBS pilot. T-Mobile also stated in its deed that it was prepared to enter into discussions with [applicant] and to provide [applicant] with the information it had not yet provided. Therefore, the court denies this request. 2.14. In view of the current holiday period, the court sees further reason to determine that T-Mobile – insofar as the requests are granted – must provide the information to [applicant] within a period of two months after notification of the decision. The process costs 2.15. As the (largely) unsuccessful party, T-Mobile will be ordered to pay the costs of the proceedings. After all, T-Mobile only complied with that request after the court had ruled in its interim order that it had to provide information to [applicant] and not immediately after [applicant] had already requested this in his letter of 12 March 2021. In addition, it has been established in this (final) decision that T-Mobile is obliged to provide [applicant] with further information. Because [applicant] litigates in person, did not engage an authorized representative and he has not made any claims nor has it become apparent that he has incurred costs, the court estimates the costs of the proceedings on his side at nil. 3 The decision The court 3.1. orders T-Mobile to provide [applicant] with information about the existence of automated decision-making, including the information referred to in Article 22(1) and (4), within two months of notification of the decision with regard to the processing of personal data referred to in the petition; the profiling referred to and, at least in those cases, useful information about the underlying logic, as well as the importance and expected consequences of such processing for the data subject; 3.2. orders T-Mobile to pay the costs of the proceedings, estimated at nil on the part of [applicant] to date; 3.3. otherwise denies the requests. This decision was given by mr. E.J.C. Adang and pronounced in public on August 1, 2022.