Rb. Rotterdam - ROT 19/3036: Difference between revisions

Rb. Rotterdam - ROT 19/3036
Court:	Rb. Rotterdam (Netherlands)
Jurisdiction:	Netherlands
Relevant Law:	Article 4(1) GDPR Article 4(2) GDPR Article 4(7) GDPR Article 4(8) GDPR Article 4(11) GDPR Article 5 GDPR Article 6(1)(a) GDPR Article 6(1)(b) GDPR Article 28 GDPR Article 77 GDPR
Decided:	19.03.2021
Published:	23.03.2021
Parties:
National Case Number/Name:	ROT 19/3036
European Case Law Identifier:	ECLI: NL: RBROT: 2021: 2304
Appeal from:	AP (The Netherlands)
Appeal to:	Unknown
Original Language(s):	Dutch
Original Source:	Rechtspraak.nl (in Dutch)
Initial Contributor:	n/a

The Court of Rotterdam (Rechtbank Rotterdam) declared the appeal against the Dutch DPA's decision unfounded. The court concluded that the DPA had rightly taken the position that there was no obvious violation of the GDPR and that there was no reason to further investigate the plaintiff's complaint.

English Summary

Facts

The controller engaged DEX Online Services to automate its membership administration, which contained personal data of the plaintiff. He also offered its members the opportunity to use the Yogibit app to gain access to their own data, so that they can, for example, deregister and register for lessons. On January 30, 2019, the plaintiff filed a complaint with the Dutch DPA against the controller. The DPA rejected the complaint by decision of 27 February 2019, because it found no obvious violation of the GDPR . Plaintiff has objected to this rejection.

According to the DPA, both the controller and DEX Online Services have complied with the claimant's request for removal within the meaning of Article 17 of the GDPR. The controller has a valid basis for the processing of the plaintiff's personal data and it has not been shown that his personal data has been processed in the YogiBit app.

In appeal, the plaintiff argues that the controller should have first explicitly requested permission from him before his personal data would be provided to DEX Online Services. According to the plaintiff, the defendant has forgotten to look at the definition of 'consent', as set out in Article 4 (11) of the GDPR . Additionally, it was not necessary for the controller to enable DEX Online Services for its student administration. According to the plaintiff, the controller could also have chosen to hire a secretary. In addition, the plaintiff stated that as a free EU citizen he has the right to choose whether he wants to go along with the choice of the controller for that third party.

Plaintiff argued that it was up to DEX Online Services to ascertain that the controller complied with the conditions set out in Article 6 of the GDPR . In his view, on the basis of Article 5(2) GDPR the controller has an accountability obligation and must be able to demonstrate compliance with Article 5, first paragraph, of the GDPR . The plaintiff argued that the decision did not provide evidence of such compliance. He stated that this also applied with regard to the entry of his personal data in the YogiBit app.

Dispute

Holding

In the court's opinion, the controller was free to decide to process the personal data within the organization, or to outsource the processing to an external organization as processor, in this case DEX Online Services. In that context, Dex Online Services could rely on the basis of the controller, whereby he remained responsible for the processing that it had outsourced to Dex Online Services. Contrary to the plaintiff's submission, DEX Online Services as processor is not under any obligation to ensure that the controller, meets the obligations referred to in Article 6 GDPR.

In the court's opinion, the DPA was able to take the position that the accountability duty of the controller with regard to compliance with Article 5 (1) GDPR has been fulfilled . As the DPA explained at the hearing, this was substantiated in this case by submitting the signed processing agreement between the controller and DEX Online Services.

The court concluded that the respondent has rightly taken the position that there is no obvious violation of the GDPR and that there is no reason to further investigate the plaintiff's complaint.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

COURT ROTTERDAM
Seat in Rotterdam

Administrative law

case number: ROT 19/3036


Judgment of the single Judge of 19 March 2021 in the case inter
[name of plaintiff], at [plaintiff's place of residence], plaintiff
and

Dutch Data Protection Authority, defendant
attorneys: mr. OS Nijveld and mr. JMA Koster.

Participants in the proceedings as a third party: [name of party], at [place of business]
authorized representative: [name 1].

Process course
By decision of 27 February 2019 (primary decision), the defendant informed the plaintiff about the handling of his complaint.

By decision of 16 May 2019 (contested decision), the defendant declared the claimant's objection against the primary decision unfounded.

The plaintiff has appealed against the contested decision.

Respondent has lodged a statement of defense.

The hearing took place on February 18, 2021. Plaintiff has appeared . The defendant was represented by his attorneys. [name of party] was represented by her proxy, accompanied by her daughter [name 2].

Considerations
1. [name of party] has engaged DEX Online Services to automate its membership administration, which contains personal data of the plaintiff. [Name of party] also offers its members the opportunity to use the Yogibit app to gain access to their own data, so that they can, for example, deregister and register for lessons. On January 30, 2019, the plaintiff filed a complaint with the defendant about [name of party] and requested the defendant to take (enforcement) measures against [name of party],GDPR ). The defendant rejected the complaint by decision of 27 February 2019, because it found no obvious violation of the GDPR . Plaintiff has objected to this rejection.

2. In the contested decision, the defendant declared the plaintiff's objection unfounded. It underlies the defendant submitted that [name of party] by enabling DEX Online Services not contravenes the AVG . Both [name of party] and DEX Online Services have complied with the claimant's request for removal within the meaning of Article 17 of the GDPR. [name of party] has a valid basis for the processing of the plaintiff's personal data and it has not been shown that his personal data has been processed in the YogiBit app. In view of the foregoing, there was for the defendant on the basis of paragraph 2.5. Policy rules for prioritizing complaint investigation (Policy rules) do not provide grounds for testing this issue against the prioritization criteria and for further investigation. Respondent sees no reason to take enforcement or otherwise action against [name of party] or DEX Online Services.

3. In appeal, the plaintiff argues that [name of party] should have first explicitly requested permission from him before his personal data would be provided to DEX Online Services. According to the plaintiff, the defendant has forgotten to look at the definition of 'consent', as set out in Article 4 (11) of the GDPR . According to the plaintiff, it was not necessary for [name of party] within the meaning of Article 6, first paragraph, opening words and under b, of the GDPR, to enable DEX Online Services for its student administration. [name of party] could also have chosen to hire a secretary, which might have been necessary. In addition, the plaintiff states that as a free EU citizen he has the right to choose whether he wants to go along with the choice of [name of party] for that third party. In the contested decision, the respondent ignored the fact that, before DEX Online Services was engaged, [name of party] always independently kept the membership records and that, although this is necessary, there is no convincing evidence or evidence for engaging a third party. argument has been submitted. In the absence of necessity, according to the Claimant, Article 6, paragraph 1, under a, of the GDPR applicable and his consent was required to provide his personal data to DEX Online Services.

By way of a subsidiary point of view, Plaintiff argues that it was up to DEX Online Services to ascertain that [name of party] complied with the conditions set out in Article 6 of the GDPR . Plaintiff also argues that on the basis of Article 5, second paragraph, of the GDPR, as a controller, [name of party] has an accountability obligation and must be able to demonstrate compliance with Article 5, first paragraph, of the GDPR . He argues that the decision does not provide evidence of such compliance. Plaintiff states that the foregoing also applies with regard to the entry of his personal data in the YogiBit app.

4. The legal framework is included in the appendix. The appendix is ​​part of this statement.

4.1.
The court considers as follows.

4.2.
It is not in dispute that [name of party] must be regarded as a controller within the meaning of Article 4, opening lines and under 7 of the GDPR and that DEX Online Services should be regarded as a processor within the meaning of Article 4, opening lines and under 8. , of the GDPR . [name of party] has engaged DEX Online Services to automate its membership administration and thereby determines the purpose and means of the processing. DEX Online Services processes personal data of [name of party] on behalf of [name of party].

4.3.
The possible bases for lawful processing of personal data are set out in Article 6 of the GDPR . Insofar as relevant here, the processing is lawful under Article 6 (1) (a) of the GDPR if the data subject has given consent to the processing of his / her personal data for one or more specific purposes. Pursuant to Article 6 (1) (b) of the GDPR , the processing is lawful if the processing is necessary for the performance of a contract to which the data subject is a party.

4.4.
The necessity test means that the principles of proportionality and subsidiarity must be complied with. The principle of proportionality means that the infringement of the interests of the person involved in the processing of the personal data must not be disproportionate in relation to the purpose to be served with the processing. On the basis of the principle of subsidiarity, the purpose for which the personal data are disclosed cannot reasonably be achieved in another way that is less disadvantageous for the person involved in the processing of personal data.

4.5.
The court establishes that the purpose of the processing of the personal data is to keep the membership records by [name of party]. The parties agree that this is a legitimate purpose within the meaning of Article 5, first paragraph, opening words and under b, of the GDPR. The parties also agree that keeping the membership records by [name of party] is necessary in order to be able to comply with the agreement that the plaintiff had with [name of party]. As the respondent rightly states, the parties agree that [name of party] can, in principle, rely on the basis 'necessary for the agreement'. The parties do, however, disagree on the question of whether the calling in of DEX Online Services by [name of party] was necessary for the automation of its membership administration and whether this is important.

4.6.
In the court's opinion, [name of party] as controller was free to decide to process the personal data within the organization, or to outsource the processing to an external organization as processor, in this case DEX Online Services. In that context, Dex Online Services can rely on the basis of the controller, [name of party], whereby [name of party] remains responsible for the processing that it has outsourced to Dex Online Services. In that context, there is also a processor agreement, as referred to in Article 28 of the GDPR, between [name of party] and Dex Online Services. The fact that this agreement may be backdated, as the plaintiff stated at the hearing, does not make the court doubt the correctness of (the formation of) this agreement. DEX Online Services was then obliged to process the personal data with due regard to the agreement between the claimant and [name of party]. In that context, there was also no reason to separately ask the plaintiff for permission to do so. Completely superfluous, the court notes that, insofar as it should nevertheless be judged that the necessity requirement would also apply with respect to Dex Online Services, this is met in this case. In that context, [name of party] explained at the hearing that the administration was first kept on paper and in Excel, but that because of the enormous growth of [name of party] a different way of administration was necessary. Initially, a secretary was called in, but because this turned out not to be a financially viable solution, it was decided - partly from a security point of view - to have the administration run via DEX Online Services in the future. The court sees no reason to doubt this, so that the court sees no ground for the judgment that outsourcing the processing to DEX Online Services was not necessary. Also, contrary to the plaintiff's submission by way of an alternative point of view, DEX Online Services as processor is not under any obligation to ensure that [name of party], as controller, meets the obligations referred to in Article 6 of the Initially, a secretary was called in, but because this turned out not to be a financially viable solution, it was decided - partly from a security point of view - to have the administration run via DEX Online Services in the future. The court sees no reason to doubt this, so that the court sees no ground for the judgment that outsourcing the processing to DEX Online Services was not necessary. Also, contrary to the plaintiff's submission by way of an alternative point of view, DEX Online Services as processor is not under any obligation to ensure that [name of party], as controller, meets the obligations referred to in Article 6 of the Initially, a secretary was called in, but because this turned out not to be a financially viable solution, it was decided - partly from a security point of view - to have the administration run via DEX Online Services in the future. The court sees no reason to doubt this, so that the court sees no ground for the judgment that outsourcing the processing to DEX Online Services was not necessary. Also, contrary to the plaintiff's submission by way of an alternative point of view, DEX Online Services as processor is not under any obligation to ensure that [name of party], as controller, meets the obligations referred to in Article 6 of the it was decided - partly from a security point of view - to have the administration run via DEX Online Services in future. The court sees no reason to doubt this, so that the court sees no ground for the judgment that outsourcing the processing to DEX Online Services was not necessary. Also, contrary to the plaintiff's submission by way of an alternative point of view, DEX Online Services as processor is not under any obligation to ensure that [name of party], as controller, meets the obligations referred to in Article 6 of the it was decided - partly from a security point of view - to have the administration run via DEX Online Services in future. The court sees no reason to doubt this, so that the court sees no ground for the judgment that outsourcing the processing to DEX Online Services was not necessary. Also, contrary to the plaintiff's submission by way of an alternative point of view, DEX Online Services as processor is not under any obligation to ensure that [name of party], as controller, meets the obligations referred to in Article 6 of theGDPR obligations.

4.7.
In the court's opinion, the respondent was able to take the position that the accountability duty of [name of party] with regard to compliance with Article 5 (1) of the GDPR has been fulfilled . As the respondent explained at the hearing, this was substantiated in this case by submitting the signed processing agreement between [name of party] and DEX Online Services.

4.8.
In the court's opinion, the respondent has taken the position with sufficient reasons that it has not been shown that the personal data of the plaintiff have been processed in the YogiBit app and that members of [name of party] are free to use or not use this app. app. In addition, [name of party] indicated at the hearing that alternatives were offered to plaintiff, so that he did not have to use the app. Plaintiff did not dispute this on appeal with sufficient reasons. In view of the foregoing, what the plaintiff has put forward in appeal with regard to the entry of his data in the YogiBit app cannot succeed.

4.9.
In view of the foregoing, the respondent has rightly taken the position that there is no obvious violation of the GDPR and that there is no reason to further investigate the plaintiff's complaint. The claims of the plaintiff, that as an EU citizen he does not feel protected by the defendant and that unsubstantiated allegations were made during the hearing by [name of party] and Dex Online Services, such as that plaintiff would have received newsletters with explanations, lead the court not to a different opinion, since these statements cannot affect the lawfulness of the contested decision.

5. Finally, the claimant 's grounds for appeal that, even if the GDPR had not entered into force, he would have been protected by the Personal Data Protection Act (Wbp), is also not successful. Giving The reason for this purpose alone is that the AVG is in force, and has become applicable on May 25, 2018. The Wbp was then withdrawn.

6. In view of the foregoing, the appeal is unfounded.

7. There is no reason for an order for costs to be awarded.

Decision
The court declares the appeal unfounded.

This judgment was made by mr. AMJ Adriaansen, judge, in the presence of mr. HL de Vries, registrar. The ruling was delivered in public on March 19, 2021.

The registrar is out of state

Registrar

judge

A copy of this ruling is sent to the parties at:

Do you disagree with this statement?
An appeal against this decision can be lodged with the Administrative Jurisdiction Division of the Council of State within six weeks of the date on which it was sent.

Annex - legal framework

1. Recital 141 of the preamble to Directive 95/46 / EC (the General Data Protection Regulation: GDPR) reads: Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of habitual residence, and an effective remedy before a court of 4.5.2016 L 119/25 Official Journal of the European Union NL in accordance with Article 47 of the Charter if it believes that its rights under this Regulation have been infringed or if the supervisory authority does not act on a complaint, rejects or rejects a complaint in whole or in part, or if it does not act when such action is necessary to protect the rights of the data subject. Investigations conducted in response to a complaint do not go beyond what is appropriate in the specific case and may be subject to judicial review. The supervisory authority must inform the data subject of the progress and outcome of the complaint within a reasonable period of time. If the case requires further investigation or coordination with another supervisory authority, interim information should be provided to the data subject. Each supervisory authority should take measures to facilitate the submission of complaints, such as making a complaint form available that can also be completed electronically, without excluding other means of communication. interim information should be provided to the data subject. Each supervisory authority should take measures to facilitate the submission of complaints, such as making a complaint form available that can also be completed electronically, without excluding other means of communication. interim information should be provided to the data subject. Each supervisory authority should take measures to facilitate the submission of complaints, such as making a complaint form available that can also be completed electronically, without excluding other means of communication.

Article 4 of the GDPR reads:

Definitions

For the purposes of this Regulation:

1) "personal data" means any information relating to an identified or identifiable natural person ("the data subject"); an identifiable person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more elements characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person;

2) 'processing' means an operation or a set of operations relating to personal data or a set of personal data, whether or not carried out by automated processes, such as collection, recording, organizing, structuring, storing, updating or modifying, retrieving, consulting , use, provide by means of forwarding, dissemination or otherwise making available, aligning or combining, blocking, deleting or destroying data;

(…)

7) 'controller' means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are set out in Union or Member State law, they may determine who the controller is or by which criteria it is designated;

8) 'processor' means a natural or legal person, public authority, service or other body that processes personal data on behalf of the controller;

(…)

11) 'consent' of the data subject means any free, specific, informed and unambiguous expression of will by which the data subject accepts by means of a statement or an unambiguous active action regarding the processing of personal data;

(…)

Article 5 of the GDPR reads:

Principles for processing of personal data

1 Personal data must:

a. (a) processed in a way that is lawful, fair and transparent with regard to the data subject ('lawfulness, fairness and transparency');

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; the further processing for archiving in the public interest, scientific or historical research or statistical purposes is not considered incompatible with the original purposes in accordance with Article 89 (1) ('purpose limitation');

(c) adequate, relevant and limited to what is necessary for the purposes for which they are processed ('data minimization');

(d) accurate and updated as necessary; all reasonable steps must be taken to promptly erase or rectify personal data which are incorrect in view of the purposes for which they are processed ('accuracy');

e) kept in a form that makes it possible to identify the data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data are processed for the sole purpose of archiving in the public interest, scientific or historical research or statistical purposes in accordance with Article 89 (1), provided that the appropriate technical and organizational measures required by this Regulation are taken into account. taken to protect the rights and freedoms of the data subject (“storage restriction”);

(f) processed by taking appropriate technical or organizational measures in such a way as to ensure adequate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage ('integrity and confidentiality ”).

2.The controller is responsible for and can demonstrate compliance with paragraph 1 ('accountability').

Article 6 of the GDPR reads:

Lawfulness of the processing

The processing is only lawful if and insofar as at least one of the following conditions is met:

a) the data subject has consented to the processing of his / her personal data for one or more specific purposes;

b) the processing is necessary for the performance of a contract to which the data subject is a party, or to take measures at the request of the data subject prior to the conclusion of an agreement;

(…)

Article 28 of the GDPR states:

1. When processing is carried out on behalf of a controller, the controller shall only rely on processors who offer adequate guarantees regarding the application of appropriate technical and organizational measures to ensure that the processing complies with the requirements of this Regulation and the protection of rights of the data subject is guaranteed.

2. The processor shall not employ any other processor without the prior specific or general written consent of the controller. In the case of general written consent, the processor shall inform the controller of any envisaged changes to add or replace other processors, giving the controller the opportunity to object to those changes.

3. The processing by a processor shall be governed by a contract or other legal act under Union or Member State law which binds the processor to the controller, and which sets out the subject matter and the duration of the processing, the nature and purpose of the processing. processing, the type of personal data and the categories of data subjects, and the rights and obligations of the controller are described. That agreement or other legal act provides in particular that the processor:

a) processes the personal data only on the basis of written instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, unless a provision of Union or Member State law applicable to the processor requires him to process ; in that case, the processor shall notify the controller of that legal requirement prior to processing, unless such legislation prohibits such notice for important reasons of public interest;

(b) ensures that the persons authorized to process the personal data are committed to confidentiality or are bound by an appropriate legal obligation of confidentiality;

(c) takes all measures required in accordance with Article 32;

(d) meets the conditions referred to in paragraphs 2 and 4 for employing another processor;

e) taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, as far as possible, in fulfilling his duty to respond to requests for the exercise of the data subject's rights set out in Chapter III ;

(f) taking into account the nature of the processing and the information available to it, assists the controller in enforcing the obligations under Articles 32 to 36;

(g) after the end of the processing services, at the choice of the controller, deletes or returns all personal data and deletes existing copies, unless storage of the personal data is required by Union or Member State law;

(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and enables and contributes to audits, including inspections, by the controller or a controller authorized by the controller.

With regard to point (h) of the first subparagraph, the processor shall immediately notify the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

4.Where a processor engages another processor to carry out specific processing activities on behalf of the controller, a contract or other legal act under Union or Member State law imposes on that other processor the same data protection obligations as those set out in the The agreement or other legal act referred to in paragraph 3 between the controller and the processor is included, in particular the obligation to provide adequate guarantees with regard to the application of appropriate technical and organizational measures to ensure that the processing complies with the provisions of this Regulation. If the other processor fails to fulfill its data protection obligations,

(…)

9. The agreement or other legal act referred to in paragraphs 3 and 4 shall be in written form, including electronic form.

10. Where a processor determines the purposes and means of a processing in breach of this Regulation, that processor shall be considered the controller without prejudice to Articles 82, 83 and 84 in respect of that processing.

Article 77 of the GDPR states:

1. Without prejudice to any other administrative or judicial remedy, any data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State where he habitually resides, has his place of work or where the alleged infringement was committed. , if he considers that the processing of personal data concerning him constitutes an infringement of this Regulation.

(…)

2. Section 2.5. of the Policy Rules for Prioritizing Complaint Investigation (Policy Rules), reads:

First assessment of the complaint

Complaints can be submitted by telephone, post or digitally via an (electronic) complaint form. When dealing with a complaint, the Dutch Data Protection Authority (AP) investigates the complaint to the extent appropriate. What is appropriate may vary from case to case and will depend on all the concrete facts and circumstances of the case.

On the basis of an initial assessment of the complaint, the AP will determine whether there may be a

violation against which the AP can act. In doing so, the AP will in any case investigate the received

information from the complainant and available information from the alleged offender. For example, the website or information known to the AP from previous investigations and signals. Furthermore, insofar as there is reason to do so in the opinion of the AP, the AP may investigate one or more of the following sources:

-
information from other national and international regulators;

-
general information on the internet or from other public sources and media (such as relevant legislation, regulations and case law and relevant (legislative) advice from the Dutch DPA; and

-
comparable files at the AP.

If necessary, the AP will contact the complainant and / or the alleged violator and ask them in writing or by telephone for further information in order to gain sufficient insight into the alleged violation, the consequences of this alleged violation and the involvement of the alleged violator. .

It is possible that after an initial assessment of the content of a complaint it appears that there has been a violation and that the AP can (immediately) deal with it satisfactorily. For example, the complainant can be contacted by telephone, where the DPA gives him information and advice, for example to approach the (Data Protection Officer of the) alleged offender and how he can best do this. In this way, the complainant can ensure that his complaint is resolved.

In other cases, the AP can, for example, aim for mediation. It is also possible that, after the AP has contacted the complainant, it is immediately clear that there is no violation and that he explains why and then ends the complaint.

These examples make it clear that the complainant, without the need for an in-depth investigation, can nevertheless receive sufficient assistance. The complaint has also been investigated in an appropriate manner and therefore in accordance with the GDPR . In addition, if it is immediately clear that a violation has occurred, the AP can make use of informal interventions towards the (alleged) violator. These can often be deployed relatively quickly and with limited supervisory capacity. This could include a telephone confrontation, a norm-transferring conversation or a warning letter. Where appropriate, this form of complaint handling can also be qualified as appropriate.

The initial assessment of the complaint or a request for enforcement can, without the need for additional information, be sufficiently clear that there is no violation, or that this is the case. In the first case, the AP will reject the request for enforcement or terminate the handling of the complaint. In the second case, the AP starts an enforcement process and, in principle, takes enforcement action, unless there are special circumstances such as concrete prospects for legalization or when enforcement action would be disproportionate.

If the initial assessment shows that there are sufficient indications in the file that there is a violation, but a further investigation is necessary to establish the violation, the investigation will move to the next phase. In this phase, the prioritization criteria are tested.