RvS - 201903166/1/A3

From GDPRhub
RvS - 201903166/1/A3
CourtsNL.png
Court: RvS (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 2(2)(c) GDPR
Article 15(1) GDPR
Decided: 25.3.2020
Published: 25.3.2020
Parties: Anonymous
National Case Number/Name: 201903166/1/A3
European Case Law Identifier: ECLI:NL:RVS:2020:849
Appeal from: Rb. Limburg (Netherlands)
18/837
Appeal to:
Original Language(s): Dutch
Original Source: de Rechtspraak (in Dutch)
Initial Contributor: n/a

The Dutch Council of State (Raad van State) confirmed the decision of a mayor to not give the complainant access to personal data concerning him from the police. According to the Police Data Act, any personal data processed in the context of the performance of the police task must be regarded as police data, even if shared with the mayor.

English Summary[edit | edit source]

Facts[edit | edit source]

It was announced to the complainant that he will be placed on the Top-X list. This is a list compiled by the Safety House, a partnership between municipalities, the police, the Public Prosecution Service, the Custodial Institutions Service and a large number of civil society organizations, including names of persons or groups that cause nuisance or crime. In response to this, the complainant requested the mayor to remove him from the list and to give him access to all personal data relating to him under the Security House. The mayor has explained how the personal data of the complainant has been processed by the Safety House and has given access to his personal data from the Probation Service, Public Prosecution Service and the digital recording thereof by the Safety House for the Top-X registration. The mayor has also given partial access to his personal data in the Safety House Registration Form. The mayor has refused the access to what the mayor designates as him concerning police data and consultation reports from the Security House.

Dispute[edit | edit source]

The question was whether the mayor should have given the complainant access to the personal data concerning him from the police.

Holding[edit | edit source]

The Council of State confirmed that the mayor should not have given the complainant access to the personal data concerning him from the police. According to the Dutch Police Data Act, data protection rules do not apply to the processing of personal data for the purpose of performing the police task. The fact that the police have shared the personal data with the mayor in the context of the Security House does not mean that there is no longer any police data. It follows from the Police Data Act (Article 1 (a)) that any personal data processed in the context of the performance of the police task must be regarded as police data.

Comment[edit | edit source]

Add your comment here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.


By letter of 11 October 2017, the Mayor of Maastricht responded to the request of [appellant] to inspect the personal data known to him by the Mayor. By letter of 6 July 2017, it was announced to [appellant] that he will be placed on the Top-X list. This is a list compiled by the Security House, a partnership between municipalities, the police, the Public Prosecution Service, the Custodial Institutions Agency and a large number of civil society organizations, of names of persons or groups that cause nuisance or crime. In response to this, [appellant] requested the mayor by letters of 23 August and 21 September 2017 to remove him from the list and to give him access to all personal data relating to him under the Security House. 
Locations
    Rechtspraak.nl
    Enriched statement 

Pronunciation

201903166/1 / A3.

Date of judgment: March 25, 2020

DEPARTMENT

ADMINISTRATION JURISDICTION

Judgment on appeal:

[appellant], residing in Maastricht,

against the judgment of the Limburg court of 13 March 2019 in the case

No 18/837 in the proceedings between:

[appellant]

and

the mayor of Maastricht.

Process flow

By letter of 11 October 2017, the Mayor responded to [appellant's] request for access to the personal data known to him by the Mayor.

By decision of 5 March 2018, the Mayor declared the objection lodged by [appellant] partially well-founded and supplemented the reasons for the decision of 11 October 2017.

By judgment of March 13, 2019, the court declared the appeal lodged by [appellant] unfounded. This statement is attached.

[Appellant] appealed against this judgment.

The mayor has made a written statement.

The Division heard the case at the hearing on October 21, 2019, where [appellant], represented by Mr. BNR Maenen, lawyer in Maastricht, and the Mayor, represented by Mr. MC van Doornik, appeared.

Considerations

preface

1. By letter of 6 July 2017, it was announced to [appellant] that he will be placed on the Top-X list. This is a list compiled by the Safety House, a partnership between municipalities, the police, the Public Prosecution Service (hereinafter: Public Prosecution Service), the Custodial Institutions Service (hereinafter: DJI) and a large number of civil society organizations, of names of persons or groups that cause nuisance or crime. . In response to this, [appellant] requested the mayor by letters of 23 August and 21 September 2017 to remove him from the list and to give him access to all personal data relating to him under the Security House. In the letter of October 11, 2017, the mayor refused to decide on the request for removal because placement on the list cannot be regarded as a decision. In addition, [appellant] was informed that his request for inspection still had to be decided. The mayor declared the objection to the decision of 5 March 2018 partially well-founded, classified the letter of 11 October 2017 as a decision and partially revoked, amended and explained the decision. The mayor has explained how his personal data has been processed by the Safety House and [appellant] has given access to his personal data from the Probation Service, Public Prosecution Service and the digital recording thereof by the Safety House for the Top-X registration. The mayor [appellant] has also given partial access to his personal data in the Safety House Registration Form. The mayor has refused [appellant] access to what the mayor designates as him concerning police data and consultation reports from the Security House.

Laws and regulations

2. On May 24, 2016, Regulation 2016/979 (General Data Protection Regulation) (hereinafter: GDPR ) entered into force. The GDPR has been applicable since 25 May 2018 and the Personal Data Protection Act (hereinafter: Wbp) has been repealed. The Wbp applies to this case. The relevant laws and regulations are included in the appendix to this decision. This appendix is part of the ruling.

Appeal

3. [Appellant] claims that the court wrongly dismissed the appeal. To this end, he argues that the Mayor only gave him access to incomplete information that underpinned his registration on the Top-X list. The court has failed to recognize that the mayor is ultimately responsible for the data held by the Safety House. Now that the Security House is authorized to consult the Digital Platform Connection Aftercare (hereinafter: Dpan), the system with which DJI works, for personal data, it would have been the mayor's path to allow him to inspect the personal data concerning him from Dpan, since it is obvious that the mayor received a report from Dpan when he returned to Maastricht after his release from detention and subsequently processed his data. Given the possibility for partners within the Security House to exchange police data with each other, the mayor should also have given access to the personal data concerning him that the Security House has received from the police. These data are no longer police data, now that the police have shared them with the Safety House. Given the large-scale exchange of information with and between public and private parties, it is contrary to Article 13 of the Convention for the Protection of Human Rights and Fundamental Freedoms (hereinafter: the ECHR) and Articles 8 and 47 of the Charter of the fundamental rights of the European Union (hereinafter: the EU Charter) to expect citizens to find out where data comes from and who they should address about data processing, according to [appellant].

Rating

4. At the hearing, the Division raised whether the decisions in question were rightly taken by the mayor, now that the mayor and aldermen have pursuant to Article 8.1. of the Covenant for cooperation and processing data for an integrated person / system-oriented approach Maastricht-Heuvelland (hereinafter: covenant) is ultimately responsible for the processing of data insofar as these are available within the Safety House and the cooperation on the basis of this covenant, and Article 8.2. determines that the Municipal Executive provides reliable and safe information. At the hearing, the mayor explained that he performs these tasks for the Municipal Executive when these tasks relate to data relating to the maintenance of public order. In view of the mayor's responsibility for maintaining public order, the Division considers this division of tasks within the Municipal Executive to be correct. Therefore, the Division is of the opinion that the mayor was authorized to decide at the request of [appellant].

5. The Division is then faced with the question whether [appellant] still has an interest in a substantive assessment of the appeal. The mayor has raised the question in his written statement whether this is still the case, now that the expired Wbp applies to this dispute and [appellant] in the objection has not requested a procedural cost reimbursement.

5.1. As the Division has previously ruled (including in the judgment of 3 October 2018, ECLI: NL: RVS: 2018: 3202), the administrative court is only obliged to assess the substance of an appeal against a decision of an administrative body submitted to it if the petitioner has a current and real interest in this. If that interest has lapsed, the administrative court is not called to make a decision solely because of its principal significance. The Division replied in the affirmative to the question raised under 5 above. Although the Wbp per

May 25, 2018 has lapsed, [appellant] still has an interest in a substantive assessment of the appeal. If the assessment results in a validation, the mayor must make a new decision on the objection, applying the corresponding provisions of the GDPR .

6. With regard to the question whether the mayor has been allowed to refer [appellant] for personal data from Dpan to DJI, the mayor has stated that [appellant's] personal data is not held by the Security House. Employees of the Safety House can consult Dpan, but according to the mayor, the starting point is that the data found is not added to a file and is therefore not processed. [appellant] it seems implausible that, in view of this procedure, no processing of his personal data has taken place. On appeal, the mayor has further explained that the Security House is cautious about retaining personal data, because this is not in itself the aim of the Security House. The mayor also noted that when data is stored from Dpan, it is done by means of the digital system Gcos (Case Consultation Support System). According to the mayor, this does not contain any personal data of [appellant].

In view of the explanation of the mayor on appeal, the statement by the mayor that the personal data of [appellant] from Dpan that has been brought to his attention has not been implausible to the Department. Furthermore, [appellant] has not made it plausible that processing of data from Dpan took place within the Safety House.

7. Like the court, the Division does not follow the view of [appellant] that the mayor should have given him access to the personal data concerning him from the police. The mayor has provided [appellant] with an overview of his mutation reports and an official report, which have been provided by the police. The personal data contained therein can be regarded as police data. As the court has considered, it follows from Article 2, second paragraph, preamble and under c of the Wbp that this Act does not apply to the processing of personal data for the purpose of performing the police task. The fact that the police have shared the personal data with the mayor in the context of the Security House does not mean that there is no longer any police data. It follows from Article 1, opening words and under a, of the Police Data Act (hereinafter: Wpg) that any personal data processed in the context of the performance of the police task must be regarded as police data. In Article 1, preamble and under b, of the Wpg, the police task is defined as the tasks referred to in Articles 3 and 4, first paragraph, of the Police Act 2012. Article 3 of the Police Act 2012 defines the police task as being subordinate to the competent authority to ensure effective enforcement of the legal order and to assist those in need. Article 11, first paragraph, of the Police Act states that if the police acts to maintain public order and to carry out the assistance task, it is under the authority of the mayor. From the Explanatory Memorandum to the amendment of the Wpg and the Judicial and Criminal Data Act implementing European regulations on the processing of personal data with a view to the prevention, investigation, detection and prosecution of criminal offenses or the execution of penalties , it appears that the actual enforcement of the legal order should also include the maintenance of public order (Parliamentary Papers II 2017/18, 34 889, no. 3, p. 9). In view of the above, the Division with the Mayor is of the opinion that the task of the mayor to maintain public order is part of the execution of the police task. When police data is shared by the police with the mayor in the context of the execution of the police task, this data remains police data. In view of Article 2, second paragraph and under c, of the Wbp, the Wbp does not apply to those data. The application of this provision ends where personal data are provided to partners of the Safety House who are not charged with the performance of the police task. However, this is not the case in this case. [appellant] will have to make a request for access as referred to in Article 25 of the Wpg in order to gain access to personal data concerning him that have been processed in the context of the execution of the police task. This must be decided in accordance with the rules of the Wbp. This is in accordance with Directive 95/46 / EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281; hereinafter: Privacy Directive) . Pursuant to Article 3, second paragraph, introductory sentence and first indent, of that Directive, the processing of personal data relating to public safety is exempted from the Privacy Directive. In its judgment of 27 September 2017, Puškár, ECLI: EU: C: 2017: 725, paragraphs 37 and 38, the Court of Justice of the European Union (hereinafter: the Court) ruled that the activities mentioned in the provision as an example serve to define the scope of the exception contained therein, so that the exception applies only to activities which are expressly mentioned there or which can be classified in the same category. Furthermore, in that judgment the Court considered that the exception should be interpreted narrowly. The processing of personal data that takes place within the framework of the Safety House for the purpose of keeping a list of names of persons or groups that cause nuisance or crime can be considered as processing relating to public safety. As the Division has previously ruled (including in the judgment of 6 June 2018, ECLI: NL: RVS: 2018: 1807), the Privacy Directive is therefore not, in view of Article 3, second paragraph, preamble and first indent of that directive. applicable to the processing of police records.

8. Finally, [appellant] argues that there is a conflict with Article 13 of the ECHR and Articles 8 and 47 of the EU Charter, because he believes that citizens should not be expected to find out where data comes from and who they are have to speak about data processing. [Appellant] is thus targeting the partial referral of the mayor to other administrative bodies or agencies. The Division does not follow this line of argument. In this case, both Article 35 of the Wbp and Article 25 of the Wpg provide the right of inspection for [appellant] regarding his personal data. The fact that [appellant] must turn to more than one administrative body or other governmental authorities for a request for inspection does not constitute a violation of Article 13 of the ECHR. In view of the above, the appeal by [appellant] to Articles 8 and 47 of the EU Charter cannot succeed either.

9. The arguments fail.

Finally

10. The appeal is unfounded. The attacked statement is confirmed.

11. There is no reason for a court order against costs.

Decision

The Administrative Jurisdiction Division of the Council of State:

confirms the attacked statement.

Adopted by AWM Bijloos, chairman, and JJ van Eck and EJ Daalder, members, in the presence of P. Klein, registrar.

wg Bijloos wg Small

chairman clerk

Spoken in public on March 25, 2020

176-898.

APPENDIX

Law for the protection of personal information

Article 2

1 This Act applies to the fully or partially automated processing of personal data, as well as the non-automated processing of personal data contained in a file or intended to be included therein.

2 This Act does not apply to the processing of personal data:

[…]

c. for the implementation of the police task, as referred to in Articles 3 and 4, first paragraph, of the Police Act 2012;

[…]

Article 35

1 The data subject has the right to contact the controller freely and at reasonable intervals with a request to inform him whether personal data concerning him are being processed. The controller will inform the data subject in writing within four weeks whether personal data concerning him are being processed.

2 If such data are processed, the communication shall contain a complete overview in an intelligible form, a description of the purpose or purposes of the processing, the categories of data to which the processing relates and the recipients or categories of recipients, as well as the available information about the origin of the data.

[…]

Police Data Act

Article 1

In this Act and the provisions based on it the following terms have the following meanings:

police data: any personal data that is processed in the context of the performance of the police task;

Article 25

1 The controller will inform everyone, at his written request, within six weeks whether, and if so, which person is undergoing processing regarding police data. In addition, he shall also provide on request information on whether the police data concerning this person were provided for a period of four years prior to the request and on the recipients or categories of recipients to whom the information was provided. The person responsible may postpone his decision for a maximum of four weeks, or for a maximum of six weeks if it appears that police data about the applicant are being processed by various regional or national police units. The adjournment will be notified in writing.

[…]

Police Act 2012

Article 3

The task of the police, in subordination to the competent authority and in accordance with the applicable legal rules, is to ensure the effective enforcement of the legal order and to provide assistance to those who need it.

Covenant for cooperation and processing of data for an integrated person / system-oriented approach to Maastricht-Heuvelland

taking into account that:

V. The (new) forms of cooperation between covenant partners also require cooperation agreements, also in the field of the exchange of personal data, accountable for the applicable laws and regulations;

[…]

VIII. The processing and exchange of personal data is determined by the applicable legal framework under which the Personal Data Protection Act (Wbp) and the covenant partners continue to comply with this;

[…]

Article 2 Objective

2.1 The objective of the cooperation between the covenant partners is to increase the safety, liveability and well-being of citizens within the working area of the municipality of Maastricht and the Heuvelland municipalities.

[…]

Article 6 Recipients

6.1 Only the covenant partners who are specifically involved in a specific case receive information about a data subject;

[…]

Article 8 Rights of data subjects

8.1 The ultimate responsible for the processing of data insofar as it is available within the Safety House and the cooperation on the basis of this covenant is the Municipal Executive of the Municipality of Maastricht.

In concrete terms, this means that the person involved in this college can check how his / her data is used within the manifestations based on this covenant.

The person concerned can request the person responsible in writing:

a. provide information about the processing of his / her personal data so that he / she can check what happens to the data;

b. provide insight into which personal data of him / her are registered;

c. correct his or her personal data (correction, addition, deletion or shielding);

d. to stop processing his or her personal data on the basis of special circumstances.

8.2 The Commission ensures reliable and safe information and does not charge any costs for this.

Convention for the Protection of Human Rights and Fundamental Freedoms

Article 13. Right to an effective remedy

Anyone whose rights and freedoms as set out in this Convention have been violated shall have an effective remedy before a national authority, even if the violation has been committed by persons who perform their official functions.

Charter of Fundamental Rights of the European Union

Article 8

The protection of personal data

1. Everyone has the right to protection of his personal data.

2. This data must be processed fairly, for certain purposes and with the consent of the data subject or on any other justified basis provided by law. Everyone has the right to inspect and rectify the data collected about him.

3. An independent authority shall monitor compliance with these rules.

Article 47

Right to an effective remedy and to a fair trial

Anyone whose rights and freedoms have been violated by Union law has the right to an effective remedy, subject to the conditions laid down in this Article.

Everyone has the right to a fair and public hearing of his case, within a reasonable time, by an independent and impartial tribunal established in advance by law. Everyone has the opportunity to be advised, defended and represented.