RvS (Netherlands) - 202006082/1/A3: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 52: Line 52:
}}
}}


The Raad van State held that a municipality was justified in asking a data subject to identify themselves for the purposes of an access request by showing a valid ID, or by re-submitting the request via an online government identity management portal. The municipality had reason to doubt the identity of the data subject under Article 12(6) GDPR, in particular because the request appeared to have been signed by his "Beneficiary, Authorised Agent, and Representative."
The Raad van State held that a municipality was justified in asking a data subject to identify themselves for the purposes of an access request by showing a valid ID, or by re-submitting the request via an online government identity management portal. The municipality had reason to doubt the identity of the data subject because the request appeared to have been signed by his "Beneficiary, Authorised Agent, and Representative."


== English Summary ==
== English Summary ==

Revision as of 12:01, 11 August 2021

RvS (Netherlands) - 202006082/1/A3
Courts logo1.png
Court: RvS (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 11 GDPR
Article 12(6) GDPR
Article 15 GDPR
Decided: 04.08.2021
Published: 04.08.2021
Parties: College van burgemeester en wethouders van Leeuwarden
National Case Number/Name: 202006082/1/A3
European Case Law Identifier:
Appeal from: Rb. Noord-Nederland (Netherlands)
19/2909
Appeal to: Unknown
Original Language(s): Dutch
Original Source: de Rechtspraak (in Dutch)
Initial Contributor: n/a

The Raad van State held that a municipality was justified in asking a data subject to identify themselves for the purposes of an access request by showing a valid ID, or by re-submitting the request via an online government identity management portal. The municipality had reason to doubt the identity of the data subject because the request appeared to have been signed by his "Beneficiary, Authorised Agent, and Representative."

English Summary

Facts

A data subject submitted an an access request to the Municipality of Leeuwaarden concerning information on the collection, processing, and storage of data by the chip card reader attached to the waste container at his home address.

The request included the following words:

"Yours faithfully but with kind regards,: [appellant name]: I AM Without Prejudice UCC 1-308 Beneficiary, Authorized Agent and Representative for the legal fiction [appellant name]"

In response, the Municipality asked the data subject to submit his request online and signed with his DigiD within 14 days, or to identify himself at the town hall with a valid identification document. DigiD is an identity management platform used by government agencies in the Netherlands. The Municipality explained that the request concerns personal data, which must not be provided to the wrong person, and it is therefore important to properly establish the data subject's identity. Indeed, Recital 64 GDPR states that the controller should take all reasonable steps to verify the identity of a data subject requesting access. And, following Article 12(6) GDPR, if there is reason to doubt the identity, additional information may be requested that is necessary to confirm the identity of the data subject.

When the data subject did not identify himself in the way it requested, the Municipality issued a decision stating it would not consider his request. The data subject lodged an objection to this decision, which the Municipality declared unfounded.

On 2 October 2020, the District Court of Northern Netherlands dismissed an appeal by the data subject regarding the Municipality's decision to reject his request. The data subject ('appellant') then appealed to the Council of State.

The appellant argued that the District Court erroneously ruled that the Municipality could reasonably doubt his identity and could therefore ask him to identify himself. In particular, this is because the Municipality had previously sent letters to him, which he had answered without further identification being necessary. It is unlikely that the data requested by him would not reach him along the same route. Further, in another procedure from 2018 against the Municipality about a municipal tax assessment, he signed his letters in the same way and that was no reason for the college to doubt his identity. In those proceedings, the Commission itself referred to data from the waste processor to demonstrate that waste had been presented. It is contradictory that the Board now refuses to provide such information to him.

The appellant also argued that the Municipality's request for him to submit his request digitally with DigiD or to visit the town hall to identify himself was a disproportionate way to establish his identity, partly because it concerns data from the waste processing of the residential address where only he lives. Lastly, in view of the non-sensitive nature of that data, the Commission could have sent the data to his address without any problem.

Holding

The Council of State declared the appeal unfounded.

The District Court rightly decided that the Municipality had reason to doubt the identity of the appellant on the basis of Article 12(6) GDPR. This is apparent from the way in which the appellant's request was submitted, namely the words "beneficiary of [appellant]', and 'Beneficiary, Authorized Agent and Representative for the legal fiction [appellant]', as well as from the fact that the appellant did not comply with the request for identification.

Contrary to what the appellant argued, the fact that the Municipality sent correspondence to his home address did not alter the fact that it could reasonably have doubts about his identity. It is true that only the appellant lives at the address in question, but this does not necessarily mean that he is also the person who made the request. Other persons could live at that address who are not registered there and who can send letters on behalf of the appellant. The residential address therefore does not automatically provide a definitive answer about the identity of the applicant.

Further, the fact that the municipality, as argued by the appellant, has not objected in other proceedings to the way in which he arranged his requests and has even previously used the description 'beneficiary of [appellant]', does not affect the fact that that in this case the Municipality could have reasonable doubts about his identity. The Municipality rightly stated that under the GDPR, it is important that it ascertains his identity. The aim of the GDPR is to strive for high protection of personal data.

The Council of State also emphasised that the nature of the data requested has no bearing on the applicability of Article 12(6) GDPR, and he Municipality did not have to take into account the sensitivity of the data requested. The appellant also has not argued that there is an objective obstacle for him to submit his application via DigiD or to identify himself at the town hall. The District Court therefore rightly considered that the information required by the Municipality was proportionate.

Comment

Whilst this decision as a whole appears sound, the finding that a data subject's refusal to identify themselves can constitute a reason for a controller to doubt their identity is arguably somewhat unsafe. It would mean that, even where a data subject has a reasonable concern regarding the necessity, lawfulness and proportionality of a controller's request for additional information, their refusal to provide that information could de facto satisfy Article 12(6) GDPR.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.


                                
                            
        



    Body
    Council of State
    Date of judgment
    04-08-2021

    Date of publication
    
04-08-2021

    Case number
    
202006082/1/A3

    
    Jurisdictions
    
Administrative law
    
    Special characteristics
    
Appeal
    
    Content indication
    
By decision of 9 April 2019, the Municipal Executive of Leeuwarden did not consider the request of a person calling himself [appellant] to inspect the registered waste consumption of his home address. On 20 February 2019, the Board received a request for inspection under Article 15 of the General Data Protection Regulation from a sender who calls himself a 'beneficiary of [applicant]'. The identity of the sender is under discussion, but for the sake of readability of this judgment, the Division, like the District Court, has used the name [appellant] on the cover page of this judgment and the name [appellant] in the remainder of the judgment, because the 'beneficiary of [appellant]' states that he is [appellant]. [appellant] has requested access to the registration, processing and storage of data from the chipped waste containers at his home address.

    Locations
    
Rechtspraak.nl
    
        
        
            Enhanced pronunciation
        





    
        Share pronunciation
        
    
    
        print
        Save as PDF
        Copy link

    


        
            Pronunciation
        
        202006082/1/A3.Date of judgment: August 4, 2021DEPARTMENT OF ADMINISTRATIVE JURISDICTION.Judgment on the appeal of: [appellant], residing in Leeuwarden, against the judgment of the District Court of the Northern Netherlands of 2 October 2020 in case no. 19/2909 in the proceedings between : [appellant] and the municipal executive of Leeuwarden.Process procedure By decision of 9 April 2019, the municipal executive did not consider the request of a person calling himself [appellant] to inspect the registered waste consumption of his home address. By decision of 15 July In 2019, the Board declared the objection lodged by [appellant] unfounded. By decision of 2 October 2020, the District Court declared the appeal lodged by [appellant] unfounded. This judgment has been attached. [appellant] has lodged an appeal against this judgment. The Board has given a written explanation. [appellant] has submitted further documents. The Division dealt with the case in court on 7 July 2021, where [appellant], represented by [authorized representative], and the college, represented by BK Kroese, have appeared.ConsiderationsIntroduction1. On February 20, 2019, the Board received a request for access under Article 15 of the General Data Protection Regulation (hereinafter: AVG) from a sender who calls himself a 'beneficiary of [applicant]'.1.1. The identity of the sender is under discussion, but for the sake of readability of this judgment, the Division, like the District Court, has used the name [appellant] on the cover page of this judgment and the name [appellant] in the remainder of the judgment, because the 'beneficiary of [appellant]' states that he is [appellant].1.2. [appellant] has requested access to the registration, processing and storage of data from the chipped waste containers at his home address. The request is signed as follows: Yours faithfully,: [appellant]: I AMWithout Prejudice UCC 1-308Beneficiary, Authorized Agent and Representative for the legal fiction [appellant]Issued pursuant to and governed by I AM, eternal essence, In body, Ref. no. IAM-ap17051978. Rec. no. 2013032035, restated and incorporated by reference as if set forth in full; PRE-AUTHORIZED, PRE-APPROVED and PRE-PAID.Notice to the Principal is Notice to the Agent and Notice to the Agent is Notice to the Principal"He who fails to assert his rights, has none.""We are BORN with equal These are not GRANTED by any kind of ruler, be it a constitution, a government or an international body."Preserved and protected in perpetuity UCC Rec. no. 2000043135, restated and incorporated by reference as if set forth in full, guaranteed, protected and secured, public policy, UCC 1-103, common law remedy thereunder guaranteed, public policy, UCC 1-305; Duly witnessed, secured, entered and noticed; Without prejudice as promised, preserved, and protected, public policy, UCC 1-308, NUNC PRO TUNC, PRAETEREA PRETEREA: Ø/s/[appellant], as conscious eternal essence embodied, transparent in Absolute Truth Eternal Essence.Living by the Universal Decleration of Human Right, transcending Dutch Constitution art.94The request is not signed.1.3. In a letter dated 28 February 2019, the Municipal Executive requested [appellant] to submit the request online and signed with his DigiD within 14 days of the date of this letter or to identify himself at the town hall with a valid identification document, because it concerns personal data. which may not be provided to the wrong person and it is therefore important for the Board that it properly establishes the identity of [appellant]. The Board has pointed out to [appellant] that it will not consider his request if he does not comply with this request for identification. [appellant] responded in a letter dated 11 March 2019 and signed this letter, but did not comply with the Commission's request for identification. The Commission has therefore left the request out of consideration by decision of 9 April 2019 on the basis of Article 4:5, first paragraph, of the General Administrative Law Act.1.4. With reference to the advice of the Advisory Committee on Objections of 28 June 2019, the Commission pointed out in the decision on objection of 15 July 2019 that it applies a fixed policy with regard to GDPR requests. This policy means that anyone who makes a request on the basis of the AVG must submit it via DigiD or must identify themselves in person at the counter. In this way, the Commission aims to obtain certainty that the person who requests access to the data registered about him is actually who he says he is, so that personal data never falls into the wrong hands. In addition, in case of doubt about the identity of the person submitting the request on the basis of Article 12(6) of the GDPR, the Board may request additional information that is necessary to confirm the identity of the requester. In view of the terms used by [appellant] in his request, such as 'beneficiary of [appellant]' and 'Beneficiary, Authorized Agent and Representative for the legal fiction Aron [appellant]', there was reason to doubt the identity of [appellant] , according to the Board. Appeal2. [appellant] argues that the court erroneously ruled that the Board could reasonably doubt his identity and could therefore ask him to identify himself. The court failed to recognize that the college sent letters to him which he answered, so that it cannot be seen that there are doubts about his identity. It is unlikely that the data requested by him would not reach him along the same route. In another procedure from 2018 against the college, about a municipal tax assessment, he signed his letters in the same way and that was no reason for the college to doubt his identity. In those proceedings, the Commission itself referred to data from the waste processor to demonstrate that waste had been presented. It is contradictory that the college now refuses to provide such information to him. According to [appellant], the court did not recognize that the response of the municipal executive to submit his request digitally with DigiD or to visit the town hall to identify himself is in this case a disproportionate way to establish his identity, partly because it concerns data from the waste processing of the residential address where only he lives. In view of the nature of that data, the Commission could have sent the data to his address without any problem. There is therefore no risk of dissemination of privacy-sensitive data to third parties and there is no legal identification requirement under the GDPR. Finally, the court failed to substantiate its decision and ignored the substantive arguments put forward by him, according to [appellant]. The legal framework is included in an appendix and forms part of this decision. Assessment of the appeal4. Pursuant to Article 15, first paragraph, of the GDPR, a person has the right to inspect his own personal data and therefore not personal data that belongs exclusively to others. Recital 64 of the preamble to the GDPR states that the controller should take all reasonable steps to verify the identity of a data subject requesting access. If there is reason to doubt the identity, additional information may be requested that is necessary to confirm the identity of the data subject, as follows from Article 12, sixth paragraph, of the GDPR.4.1. The court has rightly ruled that the Board, as controller, had reason to doubt the identity of [applicant] on the basis of Article 12(6) of the GDPR. This is apparent from the way in which [appellant]'s request was submitted and from the fact that he did not comply with the request for identification. The court therefore rightly ruled that the Board was allowed to disregard [appellant's] request.4.2. Contrary to what [appellant] argues, the fact that the Board sent correspondence to his home address does not alter the fact that it could reasonably have doubts about his identity. As appears from the Personal Records Database (hereinafter referred to as: Brp), it is true that only [appellant] lives at the address in question, but that does not necessarily mean that he is also the person who made the request. This does not exclude the possibility that other persons also live at that address who have not registered in the BrP and who can send letters on behalf of [appellant]. The residential address therefore does not automatically provide a definitive answer about the identity of the applicant. Compare the decision of 9 December 2020, ECLI:NL:RVS:2020:2927, under 6.2. That the municipality, as argued by [appellant] and explained with documents, did not object in other proceedings to the way in which he submitted his requests. and even used the description 'beneficiary of [applicant]' in the address, does not alter the fact that in this case the Board may have reasonable doubts about the identity of the applicant. The Commission has rightly stated that under the GDPR it is important that an administrative body ascertains that identity. After all, the aim of the AVG is to strive for high-quality protection of personal data. For the question of whether the Board can request additional information on the basis of Article 12, sixth paragraph, of the AVG to confirm the identity of the applicant, it is otherwise then [appellant] argues with his reference to the non-privacy-sensitive nature of the requested data, in his view, it is not relevant to what kind of personal data the request of a data subject refers to. The District Court therefore rightly ruled that the Board did not have to take into account the nature of the data requested by [appellant]. to submit a request via DigiD or to identify yourself at the town hall. The court therefore rightly did not consider the information required by the Commission to be disproportionate. The argument fails.Slotsom5. The appeal is unfounded. The judgment under appeal must be affirmed.6. The Board is not required to reimburse any legal costs. Decision The Administrative Jurisdiction Division of the Council of State confirms the appealed decision. As determined by Mr E. Helder, chairman, and Mr F.D. van Heijningen and mr. A. ten Veen, members, in the presence of mr. J. de Vries, clerk of the court. -960 APPENDIX | LEGAL FRAMEWORK Article 4:5(1) of the General Administrative Law Act The administrative authority may decide not to process the application if: a. the applicant has not complied with any statutory requirement for the processing of the application, or[…]provided the applicant has had the opportunity to supplement the application within a period set by the administrative authority.Article 12, sixth paragraph, of the General Data Protection Regulation Without prejudice to Article 11, where the controller has reasons to doubt the identity of the natural person making the request as referred to in Articles 15 to 21, the controller may request additional information necessary to confirm the identity of the data subject.Article 15, paragraph 1, of the General Data Protection Regulation The data subject has the right to obtain from the controller whether or not personal data concerning him/her is processed and, if that is the case, to obtain access to those data. personal data and of the following information:a)       the processing purposes ;b)       the categories of personal data concerned;c)       the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;d)       if possible, the period during which the personal data are expected to be will be stored, or if that is not possible, the criteria for determining that period;e)       that the data subject has the right to request the controller to rectify or erase personal data, or to restrict the processing of personal data concerning him/her, and the right to object to such processing;f)        that the data subject has the right to lodge a complaint with a supervisory authority;g)       where the personal data are not collected from the data subject, any available information about the source of that data;h )       the existence of automated decision-making, including understanding of the profiling referred to in Article 22(1) and (4) and, at least in those cases, useful information about the underlying logic, as well as the importance and expected consequences of such processing for the data subject.