Rb. Rotterdam - ROT 19/5030
|Rb. Rotterdam - ROT 19/5030|
|Court:||Rb. Rotterdam (Netherlands)|
|Relevant Law:||Article 4(7) GDPR|
Article 4(8) GDPR
Article 12 GDPR
Article 15(1) GDPR
Article 28 GDPR
|Parties:||Minister van Buitenlandse Zaken, Directie Juridische Zaken|
|National Case Number/Name:||ROT 19/5030|
|European Case Law Identifier:||ECLI:NL:RBROT:2021:2306|
|Original Source:||de Rechtspraak (in Dutch)|
The Rotterdam Court of First Instance ruled that the Directorate of Legal Affairs of the Dutch Ministry of Foreign Affairs was wrong in rejecting a DSAR because it didn’t view itself as controller. It also ruled that a DSAR where another procedure is concerned only constitutes an abuse of rights in certain circumstances none of which were resent in this case.
English Summary[edit | edit source]
Facts[edit | edit source]
On 28 March 2019, the complainant submitted a DSAR to the Directorate of Legal Affairs of the Ministry of Foreign Affairs (The Directorate). The complainant has previously received an email from the Repatriation and Departure Service (DT&V), containing data about the claimant. According the DT&V, that data originated from the Directorate.
On 29 April 2019, the Directorate rejected the complainant’s request of access to his personal data. On 17 September 2019, complainant’s objection to this decision was rejected as unfounded.
The complainant appeals against this decision.
Dispute[edit | edit source]
The Directorate claims that the complainant’s DSAR cannot be granted because the Ministry is not controller of the affected personal data: the identity investigation in question was ordered by the Repatriation and Departure Service (DT&V).
In addition, after rejecting the complainant’s objection, the Directorate claimed that the complainant was abusing his rights. The Directorate pointed out that complainant has submitted access requests to both DT&V and the Directorate, and that he wanted to use this data in other process, so access to personal data was not the end goal of the request.
Holding[edit | edit source]
The Court considered that it was not obvious that the complainant’s wish to access his data was contrary to the purpose of the GDPR. The fact that these data could be used in another procedure also did not not lead the Court to believe that there was an abuse of rights. The Court also pointed to the case law, from which it follows that the access request where another procedure is concerned only constitutes an abuse of rights in special circumstances. For example, if rights or powers have been used so manifestly without reasonable purpose or for a purpose other than that for which they were granted. The Court saw no reason to rule that there had been an abuse of rights by the complainant.
When deciding whether the Directorate was a controller or a processor, the Court considered the following. The Directorate failed to provide the documents (required following Article 28(3) GDPR) to demonstrate that the purposes and means of processing were determined by the DT&V and that the Directorate had no factual influence over the key elements of the personal data processing. Considering that the term “controller” must be interpreted broadly, the Court ruled that the Directorate was wrong in assuming that it was a data processor.
The Court declared the appeal against the Directorate’s decision well founded.
Comment[edit | edit source]
The Court referred to this judgement to rule on the abuse of rights question:
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
COURT ROTTERDAM Seat in Rotterdam Administrative law case number: ROT 19/5030 Judgment of the single Judge of 19 March 2021 in the case inter [name of claimant], at [place of residence of claimant], claimant authorized representative: mr. FLM van Haren, and Minister of Foreign Affairs, Legal Affairs Department, defendant authorized representative: mr. R. Geraedts. Process course By decision of April 29, 2019 (primary decision), the respondent rejected the claimant's request for access to the personal data processed by the respondent. By decision of September 17, 2019 (contested decision), the defendant declared the plaintiff's objection against the primary decision unfounded. The plaintiff has appealed against the contested decision. Respondent has lodged a statement of defense. The hearing took place on February 18, 2021. Plaintiff and his representative attended the hearing via a Skype connection. Respondent was represented by his agent. The case has been joined with the case with case number ROT 19/4649. At the hearing, the court closed the investigation. After that, things were split up for making a decision. Considerations 1. The relevant legislation and regulations are included in an appendix that forms part of this decision. 2. On 28 March 2019, the plaintiff requested the defendant for information on the basis of articles 12 and 15, first paragraph, of Regulation 2016/679 of the European Parliament and of the Council of the European Union of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and with regard to the free movement of such data and repealing Directive 95/46 / EC (the General Data Protection Regulation: GDPR). In his request, the plaintiff indicated that he had received an e-mail from the Repatriation and Departure Service (DT&V) with information that would relate to him and that, according to the DT&V, would come from the defendant. The respondent has rejected the aforementioned request of the plaintiff.The defendant based this rejection on the basis that he is not the controller within the meaning of Article 4 (7) of the GDPR, because the investigation by the Dutch embassy in Baku (Azerbaijan) in this case was carried out on behalf of the DT&V. . The DT&V has the file documents drawn up and collected by the respondent in the context of the assignment, so that the GDPR request to DT&V concerns the same personal data. Moreover, the contact with the person who carried out the on-site investigation took place verbally, according to the defendant. Plaintiff has objected to this rejection.V has the file documents drawn up and collected by the respondent in the context of the assignment, so that the GDPR request to DT&V concerns the same personal data. Moreover, the contact with the person who carried out the on-site investigation took place verbally, according to the defendant. Plaintiff has objected to this rejection.V has the file documents drawn up and collected by the respondent in the context of the assignment, so that the GDPR request to DT&V concerns the same personal data. Moreover, the contact with the person who carried out the on-site investigation took place verbally, according to the defendant. Plaintiff has objected to this rejection. 3. In the contested decision, the defendant declared the plaintiff's objection unfounded and maintained the primary decision. Respondent added that there was abuse of rights by the plaintiff and referred to the decision of the Northern Netherlands District Court of 23 April 2019 (ECLI: NL: RBNNE: 2019: 3761). Respondent points out in this regard that the plaintiff has submitted a request for inspection to both the defendant and the DT&V and that the plaintiff wishes to use the personal data in another procedure (an 'no-fault procedure'), so that he ultimately does not care about the correctness of the the actual personal data. The plaintiff is also already entitled to the documents relating to the case under the General Administrative Law Act (Awb) in the 'no-fault procedure'. 4. The court is first faced with the question of whether there has been an abuse of law. 4.1. As the Administrative Jurisdiction Division of the Council of State (Division) considered in, for example, its decision of 31 October 2018 (ECLI: NL: RVS: 2018: 3553), Article 13, read in conjunction with Article 15, of Book 3 of the Civil Code (BW), the power to appeal to the administrative court cannot be invoked insofar as this power is misused. These articles preclude the substantive handling of an appeal brought before the administrative court that involves an abuse of law, and provide a legal basis for declaring such an appeal inadmissible. To this end, compelling grounds are required, which are present, among other things, if rights or powers are clearly used without a reasonable purpose or for a purpose other than that for which they have been granted,that the exercise of those rights or powers is evidence of bad faith. In the opinion of the court, this cannot be established in this case. In that regard, the court considers the following. 4.2. The GDPR is intended to give data subjects (natural persons) access to the way in which administrative bodies, among others, process their personal data. In his request, the plaintiff asked the defendant various questions, with the aim of obtaining the information referred to in Article 15, first and second paragraphs, of the GDPR. In view of this, it cannot be concluded that it is not actually possible for the plaintiff to become acquainted with the personal data processed by the respondent and the manner in which the respondent processes these personal data in accordance with the purpose of the GDPR. The fact that the plaintiff has also submitted a request for access to the DT&V does not make this any different, all the more because the DT&V has indicated that the defendant does not provide any underlying information to them,to protect the researcher engaged and the research methods engaged by him. The fact that the plaintiff will use any personal data obtained in another procedure does not lead the court to conclude that this constitutes an abuse of law. This in itself does not mean that the purpose of the request is no longer in line with the purpose of the GDPR. In that context, the court also refers to case law of the Division relating to the Government Information (Public Access) Act (Wob) (for example, the decision of 29 January 2020 (ECLI: NL: RVS: 2020: 265), from which it follows that a request for disclosure of information with a view to a different procedure only constitutes an abuse of law in special circumstances.The court sees no reason to rule differently in this case.Such special circumstances have not become apparent to the court. Finally, the defendant's reference to the judgment of the Northern Netherlands District Court of 23 April 2019 cannot succeed, since there are no comparable cases. In that case, the applicant had been in possession of the requested documents and it had not become apparent that other personal data had been processed. 4.3. In view of the foregoing, the court sees no reason to declare the appeal inadmissible because of abuse of the law. 5. In appeal, the plaintiff takes the position that the defendant is the controller. The DT&V and the respondent implement parts of the policy in parallel. The fact that the investigation took place in Baku in the context of an identity investigation in response to a request for mediation from the DT&V does not change that. Respondent passed on the data orally to an unknown / undisclosed confidential counselor who reported back verbally, which, according to Claimant, is a particularly irresponsible handling of personal data for which the Respondent himself is responsible. The DT&V has indicated that it does not have the underlying parts of the file '[filename 1] and [filename 2]',in which the oral report is filed and in which the existence of a 'death record registration', a 'marriage records registration' and a passport is mentioned. In view of the harmful consequences associated with this information, the Claimant should be enabled to see on which this information is based. 5.1. The court infers from Article 4, opening words and under 7 and under 8 of the GDPR that a processor has no control over the processing and may only act under the responsibility of the controller and according to his instructions. When the processor independently makes decisions about the purposes and means of the processing, he becomes responsible for those processing operations himself. Pursuant to Article 28 of the GDPR, where processing is carried out on behalf of a controller, the processing must be regulated by a processor in a contract or in another legal act under Union or Member State law binding the processor to the controller. 5.2. In view of the purpose of the GDPR, as laid down in Article 1, second paragraph, of the GDPR, namely to protect the right of natural persons to the protection of personal data in particular, a broad interpretation should be given to the term 'controller'. The court refers, for example, to the judgment of the Court of Justice of the European Union (Court of Justice) of 5 June 2018, Schleswig-Holstein, (C-210/16, ECLI: EU: C: 2018: 388), paragraph 26 -28. Although this judgment explains Directive 95/46 / EC, it is also important for the interpretation of the term 'controller' in the GDPR. Indeed, it follows from recital 9 of the preamble to the GDPR that the objectives and principles of Directive 95/46 / EC are maintained. Also comes the content of the definitions of 'controller',as included in Article 2 (d) of Directive 95/46 / EC and 'processor' as included in Article 2 (e) of Directive 95/46 / EC, almost entirely correspond to the definitions of 'processor' and ' controller 'in the GDPR. 5.3. In the court's opinion, in this case, the defendant should be regarded as the controller, in view of the foregoing. Although the respondent has taken the position that the Dutch embassy in Baku, on behalf of the DT&V, had an on-site investigation carried out by a confidential advisor, that the objective set by the DT&V was an identity investigation and that he only acted as a mediator, This is not sufficiently substantiated (with documents) that the purposes and means of the processing by the defendant have been determined by the DT&V and that he himself had no actual influence on the processing of the plaintiff's personal data. The defendant's assertions at the hearing that an identity investigation commissioned by DT &V is always carried out by engaging a confidential adviser and the fact that he only plays a minor role in passing on a research question to a confidential adviser does not detract from this - bearing in mind the broad interpretation of the term 'controller'. Nor has the defendant provided an agreement or explained in which other legal act the processing is regulated under Union or Member State law. 5.4. Since the defendant wrongly took the position that it is a 'processor' and not a controller, and therefore rejected the claimant's request under Articles 12 and 15 of the GDPR, the contested decision was taken in breach of these articles and insufficiently carefully prepared and motivated. The court will therefore declare the appeal well-founded and set aside the contested decision. The court sees no possibilities to uphold the legal consequences of the contested decision, to provide for the case itself or to apply an administrative loop. The respondent must therefore make a new decision on the objection with due observance of this ruling. 6. Because the court declares the appeal to be well-founded, the defendant must reimburse the plaintiff for the court fee paid by him. 7. The court orders the defendant to pay the costs incurred by the plaintiff. On the basis of the Administrative Costs Decree, the court sets these costs for the legal aid provided by a third party at € 1,068 (1 point for submitting the notice of appeal and 1 point for appearing at the hearing, with a value per point of € 534 and weighting factor 1). There is no reason for reimbursement of the legal costs in an objection as requested, since the condition in Article 7:15, second paragraph, of the Awb, namely that a decision has been revoked, has not been met. Decision The court: - declares the appeal well-founded; - annuls the contested decision; - instructs the defendant to take a new decision on the objection, with due observance of this statement; - orders the defendant to reimburse the plaintiff the paid court fee of € 174; - orders the defendant to pay the plaintiff's legal costs up to an amount of € 1,068. This judgment was made by mr. AMJ Adriaansen, judge, in the presence of mr. HL de Vries, registrar. The ruling was delivered in public on March 19, 2021. The clerk is out of state registrar judge A copy of this ruling is sent to the parties at: Do you disagree with this statement? An appeal against this decision can be lodged with the Administrative Jurisdiction Division of the Council of State within six weeks of the date on which it was sent. Annex - legal framework 1. It follows from recital 9 of the preamble to the GDPR that the objectives and principles of Directive 95/46 / EC remain valid, (…). It follows from recital 74 of the preamble to the GDPR that the responsibility and liability of the controller must be established for any processing of personal data carried out by or on his behalf. In particular, the controller should be required to implement appropriate and effective measures and be able to demonstrate that any processing activity is carried out in accordance with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purpose of the processing and the risk to the rights and freedoms of natural persons. Pursuant to Article 4, opening words and under 7 of the GDPR, 'controller' means: a natural or legal person, a public authority, a service or other body that, alone or together with others, has the purpose of and determine the means of processing personal data; where the purposes and means of such processing are established in Union or Member State law, they may determine who the controller is or by what criteria it is designated. Pursuant to Article 4, opening words and under 8 of the GDPR, 'processor' is understood to mean: a natural or legal person, a public authority, a service or other body that processes personal data on behalf of the controller. Article 12 on transparent information, communication and detailed rules for exercising the rights of the data subject provides: 1. The controller shall take appropriate measures to ensure that the data subject provides the information referred to in Articles 13 and 14 and the communication related to the processing referred to in Articles 15 to 22 and Article 34 in a concise, transparent, comprehensible and easily accessible form and receive it in plain and simple language, especially when the information is specifically for a child. The information shall be provided in writing or by other means, including, where appropriate, electronic means. If requested by the data subject, the information may be communicated orally, provided that the identity of the data subject is proven by other means. 2. The controller shall facilitate the exercise of the data subject's rights under Articles 15 to 22. In the cases referred to in Article 11 (2), the controller may not refuse to comply with the data subject's request to to exercise his rights under Articles 15 to 22, unless the controller demonstrates that he is unable to identify the data subject. 3. The controller shall provide the data subject with information on the action taken on the request without undue delay and in any case within one month of receipt of the request under Articles 15 to 22. Depending on the complexity of the requests and the number of requests, this period can be extended by another two months if necessary. The controller shall notify the data subject of any such extension within one month of receipt of the request. When the data subject submits his request electronically, the information shall be provided electronically, if possible, unless the data subject requests otherwise. 4. If the controller does not act on the request of the data subject, he shall inform the data subject without delay and at the latest within one month of receipt of the request why the request has not been followed up and inform him of the possibility of lodging a complaint. should be brought before a supervisory authority and appeal to the courts. 5. The provision of the information referred to in Articles 13 and 14 and the communication and the taking of the measures referred to in Articles 15 to 22 and Article 34 shall be free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular due to their repetitive nature, the controller may either: a. charge a reasonable fee in light of the administrative costs associated with providing the requested information or communication and taking the requested action; either b) refuse to act on the request. It is up to the controller to demonstrate the manifestly unfounded or excessive nature of the request. (…) Article 15 on the data subject's right of access provides: 1. The data subject has the right to obtain from the controller a decision as to whether or not personal data concerning him / her is being processed and, where that is the case, to have access to such personal data and the following information: a. a) the purposes of the processing; b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations; d) if possible, the expected period for which the personal data will be stored or, if that is not possible, the criteria for determining that period; e) that the data subject has the right to request the controller to rectify or erase personal data, or to restrict the processing of personal data concerning him or her, as well as the right to object to such processing; f) that the data subject has the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, all available information about the source of that data; (h) the existence of automated decision-making, including the profiling referred to in Article 22 (1) and (4), and, at least in those cases, useful information about the underlying logic, as well as the importance and expected consequences of that processing for the person concerned. (…) 3. The controller shall provide the data subject with a copy of the personal data being processed. If the data subject requests additional copies, the controller may charge a reasonable fee based on the administrative costs. When the data subject submits his request electronically, and does not request other arrangements, the information shall be provided in a commonly used electronic form. 4. The right to obtain a copy referred to in paragraph 3 is without prejudice to the rights and freedoms of others. Article 28 on the processor states: 1. When processing is carried out on behalf of a controller, the controller shall only rely on processors who offer adequate guarantees regarding the application of appropriate technical and organizational measures to ensure that the processing complies with the requirements of this Regulation and the protection of rights of the data subject is guaranteed. 2. The processor shall not employ any other processor without the prior specific or general written consent of the controller. In the case of general written consent, the processor shall notify the controller of any envisaged changes to add or replace other processors, giving the controller the opportunity to object to those changes. 3.The processing by a processor shall be governed by a contract or other legal act under Union or Member State law binding the processor to the controller, and which sets out the subject matter and duration of the processing, the nature and purpose of the processing. processing, the type of personal data and the categories of data subjects, and the rights and obligations of the controller are described. That agreement or other legal act provides in particular that the processor: a) processes the personal data only on the basis of written instructions from the controller, including in relation to transfers of personal data to a third country or an international organization, unless a provision of Union or Member State law applicable to the processor requires him to process ; in that case, the processor shall notify the controller of that legal requirement prior to processing, unless such legislation prohibits such notice for important reasons of public interest; (b) ensures that the persons authorized to process the personal data are committed to confidentiality or are bound by an appropriate legal obligation of confidentiality; (c) takes all measures required in accordance with Article 32; (d) meets the conditions referred to in paragraphs 2 and 4 for employing another processor; (e) taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, as far as possible, in fulfilling his duty to respond to requests for the exercise of the data subject's rights set out in Chapter III ; (f) taking into account the nature of the processing and the information available to it, assists the controller in enforcing the obligations under Articles 32 to 36; (g) after the end of the processing services, at the choice of the controller, deletes or returns all personal data and deletes existing copies, unless storage of the personal data is required by Union or Member State law; (h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and enables and contributes to audits, including inspections, by the controller or a controller authorized by the controller. With regard to point (h) of the first subparagraph, the processor shall immediately notify the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions. 4.Where a processor engages another processor to carry out specific processing activities on behalf of the controller, a contract or other legal act under Union or Member State law imposes on that other processor the same data protection obligations as those set out in the The agreement or other legal act referred to in paragraph 3 between the controller and the processor is included, in particular the obligation to provide adequate guarantees with regard to the application of appropriate technical and organizational measures to ensure that the processing complies with the provisions of this Regulation. If the other processor fails to fulfill its data protection obligations,the first processor remains fully liable to the controller for the fulfillment of the obligations of that other processor. (…) 9. The agreement or other legal act referred to in paragraphs 3 and 4 shall be in written form, including electronic form. 10. Where a processor determines the purposes and means of a processing in breach of this Regulation, that processor shall be considered the controller without prejudice to Articles 82, 83 and 84 in respect of that processing. 2. Article 2 of Directive 95/46 / EC reads, where relevant: Definitions For the purposes of this Directive: (d) "controller" means the natural or legal person, public authority, agency or other body which, alone or together with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by national or Community laws, regulations or administrative provisions, national or Community law may determine who is the controller or according to which criteria it is designated; (e) "processor" means the natural or legal person, public authority, agency or other body which processes or processes personal data on behalf of the controller;