Rb. Oost-Brabant - C/01/371762 / EX RK 21-90 (interim decision)
|Rb. Oost-Brabant - C/01/371762 / EX RK 21-90 (interim decision)|
|Court:||Rb. Oost-Brabant (Netherlands)|
|Relevant Law:||Article 13 GDPR|
Article 14 GDPR
Article 15 GDPR
Article 26(2) GDPR
artikel 35 UAVG
|National Case Number/Name:||C/01/371762 / EX RK 21-90 (interim decision)|
|European Case Law Identifier:||ECLI:NL:RBOBR:2022:787|
|Original Source:||rechtspraak.nl (in Dutch)|
A district court held that T-Mobile violated Article 15 GDPR by refusing to comply with a customer’s access request, after they had shared the data subject's personal data with the national bureau of statistics for statistical purposes.
English Summary[edit | edit source]
Facts[edit | edit source]
T-Mobile is the controller and the data subject a customer. In March 2021, a Dutch newspaper (NRC) published an article about the controller and the Central Bureau of Statistics (CBS), in which it was stated that the CBS conducted statistical research with large datasets, acquired from controller. The goal of this research was to look for solutions against urban congestion in large cities. The controller issued a press statement on its website on 11 March 2021, in which it stated that no personal data was shared since all data had been anonymised. On 12 March 2021, the subject requested access to the personal data the controller processed on him for the CBS’s research, pursuant to Article 15 GDPR. The controller, however, rejected the request since it claimed that it had not processed any of the data subject’s personal data. Since the data subject was convinced that the controller had to comply with his request, he brought the issue before court.
Holding[edit | edit source]
The District Court Oost-Brabant managed the case. The Court partially upheld the claim.
First, it considered that the controller did process personal data when providing datasets to the CBS, since the anonymisation of their customers’ location data, is processing personal data. Hence, the Court found that the controller had to comply with the data subject’s access request pursuant to Article 15. The Court stipulated that the controller had to indicate the exact nature and origin of the processed’ personal data, i.e., by providing GPS or customary coordinates, IMSI numbers etc. Although the controller claimed that it had deleted that data, it submitted no proof of this. Hence, the Court gave the controller the opportunity to “submit a statement by their Board”. The Court also required the controller to provide the essence of the joint-controllership arrangement with CBS pursuant to Article 26(2).
Second, the Court found that it was competent to assess whether the controller should be ordered to comply with the obligations that follow from Article 12, 13, 14 and 26 GDPR, although this competence does not directly follow from Article 35 of the General Data Protection Implementation Act (on the applicability of civil law to decisions of non-administrative bodies). The Court considered Article 79 and noted regarding the information obligations, that “this concerns the fulfilment relatively simple, but in the light of the GDPR essential information obligations”.
However, the Court also decided that it could not yet assess whether the controller violated their obligations under Articles 12, 13, 14 and 26 GDPR, since it needs to be determined what are the respective responsibilities of the controller and CBS in their joint-controllership agreement. The Court decided to suspend the proceedings, and give the controller time until 30 March 2022 to provide further information.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
order COURT EAST BRABANT Civil rights Seating location 's-Hertogenbosch case number / claim number: C/01/371762 / EX RK 21-90 Order of March 2, 2022 in the case of [applicant] , residing at [residence] , applicant, hereinafter referred to as: [applicant] , appeared in person, against the private company with limited liability T-MOBILE NETHERLANDS B.V., located in The Hague, defendant, hereinafter referred to as: T-Mobile, lawyer mr. Q.R. Kroes in Amsterdam. 1 What is this case about? This case concerns the question whether T-Mobile has certain information obligations to [applicant] that are included in the General Data Protection Regulation (hereinafter: AVG) regarding the processing of personal data. must comply, and if so, whether it has complied with it. The court also rules on the question of whether T-Mobile can be ordered to provide the information referred to in art. 13 and 14 and art. 26 para. 2 GDPR. The court rules that T-Mobile must comply with certain information obligations with regard to the processing of [applicant]'s personal data. The court asks T-Mobile to submit certain documents and to explain them in more detail. 2 The procedure 2.1. The court received the application with attachments from [applicant] on 11 June 2021. T-Mobile filed a statement of defense by e-mail dated 6 December 2021. The oral hearing took place on 14 December 2021, at which the parties appeared. The parties have made use of speaking notes. 2.2. Finally, decision has been made on today. 3 The facts 3.1. T-Mobile is a provider of a public communications network and public electronic communications services. 3.2. [applicant] is a lawyer. In private, he has been a customer of T-Mobile for many years when it comes to mobile telephony. 3.3. On March 10, 2021, NRC Handelsblad published an article about T-Mobile and Statistics Netherlands (hereinafter: CBS) with the headline: 'How CBS and T-Mobile violated privacy'. The article states, among other things: “It was therefore remarkable that CBS turned out to have been monitoring the movements of large groups of Dutch people from 2017 – well before corona. On its website, CBS claimed to have worked with "very large data sets" from T-Mobile. This company is the second largest mobile provider in the Netherlands and had 5.6 million mobile customers at the beginning of last year. This data was used to track where people stay during the hours of the day. This insight would be important in areas such as mobility – where should a carpool lane be located? – or safety: which areas should be closed due to crowds?” and “The contract with CBS states that T-Mobile may also use the method for determining location data for its own purposes, “both during and after the pilot”. A lucrative algorithm that would be developed with government money. T-Mobile also asked CBS to map visitors to T-Mobile stores based on telecom data.” 3.4. On March 11, 2021, T-Mobile published the following message on its website: “From September 2017 to December 2019, T-Mobile participated in a CBS pilot project into the problems that large cities experience due to suddenly increasing crowds in the city. This increase has an impact on mobility, safety, disaster relief and tourism in the city in question, among other things. The government wanted to have a better understanding of this. Earlier research by Statistics Netherlands, together with other market parties, showed that anonymized mobile telephone data was a promising source. In the interest of protecting customer privacy, this was not about individual personal data but about anonymized and aggregated movement patterns that make it possible to count how many devices (always with a minimum of 15) are within range of a given moment at a time. certain transmission tower. It is therefore clearly incorrect that Statistics Netherlands had access to individual personal data and obtained insight into who had been in contact with whom in whatever form. In this study, the anonymized and aggregated network data was shared with Statistics Netherlands exclusively and without receiving compensation. T-Mobile underlines the importance of the CBS surveys for improving the quality of life in the Netherlands and has therefore cooperated. Clear agreements were made with Statistics Netherlands at the time about the data made available by T-Mobile. For example, CBS employees, under very strict conditions and after taking the necessary security measures, only had access to a set of pseudonymised data under the supervision and responsibility of T-Mobile. The employees only had access to the specific dataset for this pilot via a T-Mobile encrypted laptop. The set of pseudonymised data has therefore never left T-Mobile's digital and secure IT infrastructure. The pilot was discontinued at the end of 2019.” 3.5. [applicant] wrote to T-Mobile in a letter dated 12 March 2021. The applicant invoked the provisions of art. 12 to 15 and art. 26 paragraph 2 General Data Protection Regulation (hereinafter: AVG). The letter states, among other things: “In this letter, in summary, I make a request for information about the data processing in the context of the collaboration between TMNL [T-Mobile, rb.] and the CBS and a request for access to the personal data that has been processed in this regard – without my consent. consent – have been processed. These requests are necessary, since the My T-Mobile environment does not offer the possibility to take cognizance of the relevant data and information.” […] I must be able to form a complete picture of the processing of my personal data. Therefore, I request that you provide the information in as much detail as possible. Think of specific location data, such as – but not limited to – GPS coordinates and cartographic data, and other relevant data such as traffic data and/or data related to, for example, IMSI, IMEI, MAC address(es), etc. as well as related information about data and time(s). Please note that the information to be provided must be understandable to me and enable me to verify the accuracy of the data and the lawfulness of data processing. This can therefore lead to more information than just personal data having to be provided.” 3.6. On April 29, 2021, T-Mobile submitted a substantive response. The email in question includes: “Thank you for your access request. In this way I will respond substantively to your previous e-mails regarding the CBS pilot. […] You have made several requests in your email. I will go into each topic below. Information about the data processing and access to the processed personal data. You request T-Mobile to provide information about the implementation of Articles 13 and 14 of the GDPR. I hereby inform you that T-Mobile has not shared personal data of individual customers with CBS. These are anonymized and aggregated movement patterns (with a minimum number of 15) that make it possible to count how many devices were within range of a certain cell tower at a given time. These movement patterns cannot be traced back to persons. In view of the foregoing, we are therefore unable to provide you with access to the personal data that you believe may have been provided during the Pilot, because no personal data was leaked or shared. Of course we can give you access to the personal data that we process about you. Privacy Statement Do you want to know how we process your data? Then I would also like to refer you to our Privacy Statement. It states exactly how and why we as a telecom organization collect and process data from our customers. We always do this as carefully as possible.” 3.7. On April 30, 2021, [applicant] notified T-Mobile by e-mail that, in his opinion, T-Mobile's decision on his request is incorrect and he has given T-Mobile the opportunity until May 7, 2021 at the latest to to make the right decision. 4 The request 4.1. The [applicant] requests the court to order by provisionally enforceable order: A. Order T-Mobile to provide [applicant] with information about the processing of personal data referred to in the petition, within one month of the decision being served, or at least within a reasonable period to be determined by the court: the legal basis for the processing; where applicable, the legitimate interests of the controller or of a third party; and answer to the question whether the provision of personal data is a legal or contractual obligation; and/or Order T-Mobile to provide [applicant] with information about the processing of personal data referred to in the application, within one month of the decision being served, or at least within a reasonable period to be determined by the court: the processing purposes; the categories of personal data concerned; the recipients to whom the personal data has been or will be disclosed; if possible, the period for which the personal data is expected to be stored, or if this is not possible, the criteria for determining that period; if the personal data is not collected from T-Mobile, all available information about the source of that data; the existence of automated decision-making and, if such decision-making is applicable, useful information about the underlying logic, as well as the importance and expected consequences of that processing for [applicant] ; and/or Order T-Mobile, within one month after notification of the decision, at least within a reasonable period to be determined by the court, with regard to the processing of personal data referred to in the petition: provide [applicant] with a definite answer about the processing of personal data concerning him, and/or: to allow [applicant] to inspect the personal data processed about him by providing [applicant] with a copy of the personal data, in a common electronic format such as XLS(X) or CSV and whereby the information to be provided to [applicant] or data is understandable and enables him to check the accuracy of the personal data and the lawfulness of the processing of that data; and/or Order T-Mobile, within one month after notification of the order, or at least a reasonable period to be determined by the court, with regard to the processing of personal data referred to in the application, to allow [applicant] to inspect the essential content of the arrangement between CBS and T-Mobile; and/or Order T-Mobile to pay a penalty of € 10,000 (in words: ten thousand euros), at least a penalty to be determined by the court, for each day or part thereof that T-Mobile fails to comply in full with one or more of the orders mentioned under A and/or B and/or C and/or D, and/or; Order T-Mobile to pay the costs of the proceedings. 4.2. [Applicant] bases his requests on the following, with reference to the AVG, the UAVG, case law and press reports – summarized in abbreviated form. T-Mobile's privacy statement that applies to the contractual relationship between [applicant] and T-Mobile makes no mention of data processing for algorithms. Despite being requested to do so, T-Mobile has failed to provide information about the legal basis for the processing, if applicable the legitimate interests of T-Mobile or a third party and whether the provision of personal data is a legal or contractual obligation. T-Mobile is legally obliged to provide [applicant] with this information free of charge. T-Mobile wrongly takes the position that it is not required to provide access to data that has been anonymized. Anonymization is a form of processing personal data. The anonymized personal data is most likely still personal data within the meaning of the GDPR. T-Mobile and CBS are jointly responsible for data processing as part of their collaboration. As a data subject, [applicant] has the right to inspect the arrangement to be drawn up in this regard on the basis of the GDPR between T-Mobile and Statistics Netherlands. The 'Agreement on Pilot Statistical analyzes based on the T-Mobile network' does not contain, or at least not entirely, the information that T-Mobile is obliged to provide to [applicant] under the GDPR. The application of a penalty is justified. Firstly, [applicant] has a great interest in the requested information and data so that he can exercise his rights in the context of the processing of his personal data. Furthermore, despite having been given ample opportunity to do so, T-Mobile continues to fail to provide the requested information and data. Finally, the requested periodic penalty payments are in proportion to T-Mobile's financial capacity. 4.3. T-Mobile has filed a substantiated defence. According to T-Mobile, [applicant] in his requests on the basis of art. 12 to 14 and 26 para. 2 GDPR inadmissible. For the rest, T-Mobile submitted to the request on the basis of art. 15 GDPR. She also argued that the traffic and location data relating to [applicant] were deleted during the CBS pilot in accordance with the Telecommunications Act and its privacy statement. 4.4. In so far as relevant, the other statements of the parties are discussed below. 5 The assessment 5.1. The request concerns (partly) a request as referred to in art. 35 Implementation Act of the General Data Protection Regulation (hereinafter: UAVG). [applicant] has submitted his application in view of the provisions of art. 35 paragraph 2 UAVG submitted on time. To that extent, he is admissible in her request. 5.2. T-Mobile has argued that T-Mobile must be declared inadmissible in its requests under A and D because these are claims that, according to T-Mobile, must be initiated with a summons. Insofar as that should have happened in this case – the court will rule on this below – this does not lead to the conclusion that [applicant] is inadmissible in those claims, but the court will have to apply the provisions of art. 69 Code of Civil Procedure (Rv) and [applicant] must offer the opportunity to remedy the wrong initiation of the procedure insofar as these claims are concerned. 5.3. In the further assessment, the court states the following. This procedure concerns the question of whether T-Mobile is under a duty to provide certain information or to answer certain questions within the framework of the GDPR. In these proceedings, the court does not rule on the correctness of any information yet to be provided by T-Mobile. The question of whether or not T-Mobile (also) participated in the CBS pilot for its own commercial reasons (see the newspaper article quoted above and paragraph 1.3 of [applicant]'s speaking notes) is not an answer in these proceedings and to that extent also not the correctness of any answers to be given by T-Mobile to questions about, for example, the processing purposes and/or the legal grounds for the processing. 5.4. The court will then first assess the requests under B and C and then the requests under A and D. The requests under B and C 5.5. It is not in dispute between the parties that T-Mobile (in the past) personal data as referred to in art. 4 paragraph 1 GDPR of [applicant], and that T-Mobile is the controller within the meaning of paragraph 7 of that article and [applicant] can be regarded as a data subject within the meaning of art. 15 para. 1 GDPR. It is also not in dispute between the parties that [applicant] in these proceedings does not concern the processing of his personal data insofar as this is necessary to implement the agreement between the parties (including monthly invoicing). [Applicant] concerns the processing of his personal data by T-Mobile for the pilot with CBS. 5.6. Article 15 GDPR reads: 1. The data subject has the right to obtain confirmation from the controller as to whether or not personal data concerning him/her is processed and, where that is the case, to obtain access to those personal data and to the following information: a) the processing purposes; b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) if possible, the period for which the personal data is expected to be stored, or if that is not possible, the criteria for determining that period; e) that the data subject has the right to request from the controller that personal data be rectified or erased, or that the processing of personal data concerning him/her be restricted, as well as right to object to such processing; f) that the data subject has the right to lodge a complaint with a supervisory authority; g) where the personal data are not collected from the data subject, any available information about the source of that data; (h) the existence of automated decision-making, including the profiling referred to in Article 22(1) and (4), and, at least in those cases, useful information about the underlying logic, as well as the importance and expected impact of such processing on the person concerned. 2. When personal data is transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards in accordance with Article 46 on the transfer. 3. The controller shall provide the data subject with a copy of the personal data being processed. If the data subject requests additional copies, the controller may charge a reasonable fee based on the administrative costs. Where the data subject submits his request electronically, and does not request a different arrangement, the information shall be provided in a commonly used electronic form. 4. The right to obtain a copy referred to in paragraph 3 shall not affect the rights and freedoms of others. 5.7. T-Mobile has argued that the assessment of the requests must be based on the requests as made by [applicant] on 12 March 2021. After all, it is against the decision by T-Mobile on these requests that [applicant] is now challenging in court, according to T-Mobile. That position is correct. 5.8. In the letter of 12 March 2021 from [applicant] to T-Mobile it states with regard to the access he wishes to see in the personal data that he believes to be processed: “I would therefore like to receive information from you – in accordance with Article 26 (2) of the GDPR but also, insofar as necessary, Articles 12 to 15 of the GDPR – in any case about: the processing purposes for which the personal data are (or are being processed), the categories of personal data that have been (or will be) processed; the legal basis for the processing operations, including information about the legitimate interests of the controllers where the "subparagraph f" legal basis applies. the (intended) recipients to whom the personal data has been (or will be) provided; the period in which the data has been (or will be) processed or stored; the existence of automated decision-making, including the profiling referred to in Article 22(1) and (4) GDPR as well as useful information about the underlying logic, as well as the importance and expected consequences of those processing operations for me as a data subject; all available information about the (intended) source and/or sources from which the personal data came (or would have come); whether the personal data has been (or will be) processed in a third country, and if so – what appropriate safeguards have been put in place pursuant to Article 46 of the GDPR on international transfers. In addition, I request that you provide me with all other relevant information, including clear and complete information about the processing operations related to the different phases of the (intended) data processing and the roles of the actors involved, such as TMNL and Statistics Netherlands.” and “In addition, I invoke my right to inspect the data processed about me. More specifically, I request access to the personal data that relate to me and that have been processed in the context of the collaboration between TMNL and CBS.” 5.9. [Applicant] thus requests to inspect his processed personal data (if applicable) and the information referred to in Article 15 paragraph 1 under a, b, c, d, g, h AVG. 5.10. T-Mobile argues that the personal data requested by [applicant] has not been processed. She refers to T-Mobile's response of April 29, 2021. 5.11. [applicant] states that the anonymization of personal data also falls under the definition of the term 'processing' as defined in Article 4 paragraph 2 of the GDPR: “processing” means an operation or a set of operations on personal data or a set of personal data, whether or not carried out by automated means, such as collecting, recording, organising, structuring, storing, updating or modifying, retrieving, consulting, use, provide by transmission, dissemination or otherwise make available, align or combine, block, erase or destroy data;” 5.12. He also pointed out that the GDPR recognizes the concept of 'pseudonymisation' (art. 4 para. 5” : ““pseudonymisation”: the processing of personal data in such a way that the personal data can no longer be linked to a specific data subject without the use of additional data, provided that these additional data are kept separately and technical and organizational measures are taken to ensure that that the personal data are not linked to an identified or identifiable natural person;” 5.13. The court is of the opinion that T-Mobile has processed personal data in the context of the pilot with CBS, if only to anonymize customer location data available by T-Mobile and to place them in "anonymized and aggregated movement patterns" that to it made available to CBS. Whether or not to select personal data to be included in the datasets to be made available to Statistics Netherlands (CBS) also concerns the processing of personal data as referred to under the GDPR. Until now, it has remained unclear whether T-Mobile has used data from all its customers with a mobile phone subscription and from whom it has obtained location data (by using the mobile phone) for the dataset or whether there has been a restriction on this. . The court is also of the opinion that T-Mobile has not made it sufficiently plausible that it would not have processed any personal data of [applicant] in the context of the pilot. T-Mobile argued at the hearing that it follows from the text of Article 15, paragraph 1 of the GDPR that T-Mobile is not obliged to provide information about (pseudonymized) personal data processed in the past. This reading of art. 15 GDPR is an error of law. This means that on the basis of the GDPR, T-Mobile must provide [applicant] with the information as referred to in Article 15 paragraph 1 under a, b, c, d, g, h AVG and in Art. 26 para. 2 GDPR. 5.14. In that regard, T-Mobile will in any case have to indicate to [applicant] the precise nature (and origin) of the personal data that it has processed in the context of the pilot with CBS (for example, location data based on GPS or other common coordinates, IMSI numbers and so on). Simply put, T-Mobile will have to provide transparent insight into which personal data it has processed for the datasets made available to CBS and where exactly this data came from. As the designer of the datasets, T-Mobile will (still) need to know what kind of (personal) data is or was included in the datasets. To that extent, the court will grant [applicant]'s request insofar as it is based on the provisions of Article 15 of the GDPR. 5.15. T-Mobile states that it has deleted the data that it anonymized in the context of the pilot with CBS and subsequently made available to CBS due to, among other things, legal obligations, and that it no longer possesses that data. can no longer provide access to personal data [applicant] has argued that T-Mobile has not submitted any evidence of this, for example in the form of log data or statements from IT auditors, and believes it is possible that the data sets are still stored somewhere in the IT infrastructure or outside it. In this regard, the court will give T-Mobile the opportunity to submit a statement from its management, for example by its director of IT & Technology and/or its director of Legal Affairs, Regulations and Public Affairs (see: https:/ /www.t-mobile.nl/over-ons/organisation) and reserve the decision on this point. The requests under A and D 5.16. The court will first consider whether the requests under A and D can be assessed in the context of these proceedings. T-Mobile has first argued that these requests belong in a summons procedure, because they do not fall within the scope of art. 35 UAVG and that the legislator has nowhere stipulated that a claim for compliance with the information obligations referred to in art. 12 to 14 and art. 26 para. 2 GDPR can also be initiated by means of a petition. According to T-Mobile, including those requests in the present proceedings is contrary to the principle of legality because the application procedure judge lacks the power to do so. According to T-Mobile, a summons procedure does not conflict with the Rewe principles (ECLI:EU:C:1976:188). T-Mobile has also argued that it is relatively easy to determine whether a controller has complied with a request for access, but this does not apply to more far-reaching claims under the GDPR. According to T-Mobile, these would soon be extensive and complex. Claims under Articles 13 and 14 GDPR are such claims, according to T-Mobile. [applicant] stated in his petition and repeated at the hearing that the provisions of art. 35 UAVG should also apply to requests that are (partly) based on other articles of the GDPR, insofar as those requests relate to the exercise of the rights of data subjects such as [applicant]. If this were not the case, the consequence would be that [applicant] would have to initiate separate proceedings. According to [applicant], this is undesirable in view of the high level of protection that the GDPR and therefore also the UAVG grants to those involved, as well as for procedural economic reasons. At the hearing, [applicant] explained that the information he requested can be provided relatively easily by T-Mobile. 5.17. Art. 79 GDPR paragraph 1 reads: “Without prejudice to any other administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority under Article 77, any data subject shall have the right to an effective remedy if he considers that his or her rights under have been infringed under this Regulation as a result of processing of his personal data which does not comply with this Regulation.” 5.18. According to the legal history of the UAVG, the legislator has not paid attention to the question of which legal remedy a data subject should choose and which (civil law) legal protection applies if he wishes to comply with a data controller's obligation to provide information to a data subject laid down in the GDPR, insofar as it does not concern the information obligations referred to in Articles 15 to 22 GDPR. The legal principle is that claims are filed by means of a summons (cf. art. 78 paragraph 1 in conjunction with 261 paragraph 2 DCCP). 5.19. In ECLI:NL:RBAMS:2020:7536, the Amsterdam District Court, with reference to the judgment of the Court of Appeal of The Hague (ECLI:NL:GHDHA:2015:2332) cited by the applicants in those proceedings: “The court agrees with [applicants] that under current law, despite the fact that Article 82 AVG is not mentioned in Article 35 UAVG, it is not excluded that (material and intangible) compensation under Article 82 AVG - which is apparent from point 146 of the preamble to the GDPR must be complete and effective – if it is requested in the same application containing the request pursuant to Article 35 UAVG, it can also be dealt with and granted in that procedure. This does not alter the fact that, as is also apparent from the decision referred to under 2.8, this option was given, because the original reason for not making it possible (i.e. that the evidence regime under the then law of the application procedure was not geared to this) had meanwhile been lapsed by the introduction of (the current) Article 284 paragraph 1 DCCP, which stipulates that the right of evidence of the summons procedure also applies in the application procedure. It should be noted that the conclusion of that provision reads: "unless the nature of the case precludes this". This is particularly important in view of what has been considered above about the procedure pursuant to Article 35 UAVG that it must be quick and simple, while damage assessment is usually not quick and simple. This leads the court to the conclusion that the request for compensation in a petition procedure pursuant to Article 35 UAVG can only be dealt with insofar as damage has been suffered as a result of a (determined or easily identifiable) direct infringement of one or more provisions of the UAVG. the GDPR, this damage is not related to it any further and is easy to determine. This will often involve reimbursement of costs incurred by the applicant as a result of actions by the processor or controller that conflict with the provisions of the GDPR, as the case law has also shown to date. Compensation for loss of income will generally fall outside the scope of this, as will, as also requested here, compensation for other damage as a result of the deactivation of the Uber account of the applicants, notwithstanding the fact that in this case this may have to be assessed under other law than Dutch. to become. The ordinary (subpoena) procedure remains open for this.” 5.20. The court concurs with the considerations set out above and considers that, in view of these considerations, it must be ruled that the requests made by [applicant] under A and D can in principle also be included in a procedure on the basis of art. 35 UAVG. Contrary to what T-Mobile argues, it concerns compliance with relatively simple, but in light of the GDPR essential information obligations that (may) rest on T-Mobile under the GDPR. 5.21. In view of what has been considered above, it is therefore not necessary to refer [applicant] to the civil summons procedure. The requests under A and D 5.22. The court will now assess whether the requests of [applicant] under A and D should be granted. 5.23. At the hearing, T-Mobile argued in addition to its previous defense of inadmissibility that [applicant] firstly lacks sufficient interest in bringing proceedings and insofar as this interest is that [applicant] is already aware of the information requested by him and that the in art. 26 para. 2 GDPR does not apply. 5.24. T-Mobile has pointed out that [applicant] has taken note of T-Mobile's privacy statement, the press statement and the agreement between T-Mobile and CBS. [applicant] has stated in his petition that the agreement does not contain the information that T-Mobile is required to provide him with regard to the provisions of Article 26, paragraph 2 of the GDPR. According to [applicant], the agreement does not contain information about the data that the controller(s) must provide under Articles 13 and 14 GDPR, including the purposes of the data processing, retention periods, disclosures to third parties. It is also not clear from the agreement how the mutual responsibility is divided, which according to [applicant] comes down to an explanation of the phases of the data processing and the parties involved. 5.25. The court considers as follows. The first question to be answered with regard to request D is whether there are joint controllers as referred to in art. 26 GDPR. The first sentence of paragraph 1 of that article reads: “When two or more controllers jointly determine the purposes and means of the processing, they are joint controllers.” 5.26. [applicant] stated with reasons that T-Mobile and CBS are joint controllers and T-Mobile has not disputed this. Neither [applicant] nor T-Mobile has challenged the agreement between T-Mobile and CBS. The court has determined that this agreement can still be found on the T-Mobile website (see: https://www.t-mobile.nl/company/media/pdf/Overeenkomst %20pilot%20CBS%20T-Mobile.pdf ) , but it is not for the court to assess this agreement independently in the light of the provisions of art. 13, 14 and 26 GDPR. 5.27. The court will give T-Mobile the opportunity to still dispute the agreement and to explain where in that agreement the essential content of the mutual arrangement referred to in art. 26 GDPR can be found. The court points out to T-Mobile that on the basis of art. 12 GDPR the information to be provided to a data subject in a concise, transparent, comprehensible and easily accessible form and in clear and simple language. A business arrangement between two legal entities may not meet that standard. That does not alter the fact that [applicant] is a lawyer. [Applicant] will then be given the opportunity to respond. 5.28. With regard to the request under A, the court considers that the press statement does not provide an adequate answer to all questions as stated in the request under A. In addition, T-Mobile could have been expected in the context of these proceedings that, insofar as it believes that the requested information can be found in its privacy statement or in the agreement that it had specifically explained this. In the court's opinion, T-Mobile has failed to do this sufficiently so far. For procedural economic considerations, the court will enable T-Mobile to answer the questions in the request under A at the same time when submitting the other documents. 5.29. Any further decision is reserved 6 The decision The court 6.1. gives T-Mobile the opportunity to submit the following at the latest on March 30, 2022: the statement as referred to under 5.15 with regard to the deletion of the processed personal data; the agreement regarding the pilot between T-Mobile and CBS; the privacy statement to which T-Mobile [applicant] referred; a written explanation that the provision of the privacy statement, the press statement of March 11, 2021 and the agreement between T-Mobile and CBS has fulfilled its obligations under art. 13, 14 and 26 GDPR; (if T-Mobile deems it expedient) in advance the information as referred to under 5.13 and 5.14 (the information requested by [applicant] under Article 15 of the GDPR). 6.2. [Applicant] will then be given the opportunity to respond in writing to the documents submitted by T-Mobile. 6.3. Any further decision is reserved. This decision was given by mr. E.J.C. Adang and pronounced in public on March 2, 2022.