RvS - 201905319/1/A3

From GDPRhub
Revision as of 10:08, 16 December 2020 by Mh (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
RvS - 201905319/1/A3
Courts logo1.png
Court: RvS (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 12(6) GDPR
Decided: 09.12.2020
Published: 09.12.2020
Parties: Municipal Executive of Zundert
National Case Number/Name: 201905319/1/A3
European Case Law Identifier: ECLI:NL:RVS:2020:2927
Appeal from:
Appeal to: Unknown
Original Language(s): Dutch
Original Source: de Rechtspraak (in Dutch)
Initial Contributor: n/a

The Dutch Council of State (RvS) ruled that a data subject's search for evidence that the Municipal Executive unlawfully processed personal data does not make their access request unlawful. This is the case even if the data subject does so in hope of getting compensation.

English Summary[edit | edit source]

Facts[edit | edit source]

The requester has submitted an access request to the Municipal Executive of Zundert. He wanted to know if the Municipal Executive was processing his data by posting messages on the Forum of the Association of Municipalities of the Netherlands (VNG) and have the content of those messages. The Municipal Executive has rejected this request because, among other reasons, the requester’s signature didn’t match the signature on the FOI request submitted by the person with the same name living at the same address as the requester. The Municipal Executive invited the requester to visit the town hall. Instead, the requester sent a letter with an explanation of why the signatures were not matching together with the copies of an ID card and a bank card. The Municipality did not accept the letter and refused to proceed with the access request. The requester sent a written objection and included a copy of his passport. The Municipal Executive rejected the objection on the basis that the requester was misusing his rights.

The requester took the Municipal Executive to court which agreed with the requester and ruled that a copy of passport was enough to establish the identity of the requester. The Municipality Executive is appealing this decision.

Dispute[edit | edit source]

1. Can the requester’s access requested be rejected on the basis that the requester is abusing the law? 2. Under these circumstances, is a copy of passport enough to establish the identity of the requester?

Holding[edit | edit source]

On the first question, the Council has no reason to rule that the requester is misusing his right of access. Finding out what information was posted on the VNG forum is in line with the purpose of the Personal Data Protection Act and, subsequently, the GDPR. Request for compensation in case his data is processed unlawfully is also in line with the GDPR. The facts that this may be the reason for the access request and that requests like this were submitted to other municipalities, do not mean that the purpose of the request is not in line with the purposes of the GDPR. The Council ruled that the mismatch in signatures does give the Municipal Executive a valid reason to doubt the identity of the requester. Since the requester refused to visit town hall and did not submit any other documents, like a certified copy of passport, the Municipal Executive could reasonably take the view that it did not have enough information to work on the request. Therefore, it could declare the requester’s objection unfounded. The Court was wrong to rule otherwise.


Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.



Authority
    Council of State 
Date of judgment
    09-12-2020 
Date of publication
    09-12-2020 
Case number
    201905319/1 / A3
Jurisdictions
    Administrative law
Special characteristics
    Appeal
Content indication

    By decision of 2 January 2018, the Mayor and Aldermen of Zundert did not process the request of the [other party] for access to its personal data. In a letter dated 30 July 2017, received by the Commission on 5 November 2017, the [other party] requested access to the processing of its personal data. According to [other party], his personal data has been processed for, among other things, requests submitted earlier on the basis of the Government Information (hereinafter: the Wob). He has also requested, insofar as the Commission has processed his personal data by posting messages on the forum of the Association of Netherlands Municipalities (hereinafter: VNG), to include the content of these messages in the overview.
Locations
    Rechtspraak.nl
    Enriched pronunciation 

Statement

201905319/1 / A3.

Date of judgment: 9 December 2020

SECTION

ADMINISTRATIVE LAW

Judgment on the appeal of:

the mayor and aldermen of Zundert,

appellant,

against the decision of the Zeeland-West-Brabant District Court of 11 June 2019 in case no.18 / 8047 in the proceedings between:

[other party], residing in Venray,

in

the lecture.

Process course

By decision of 2 January 2018, the Commission has not considered the request of the [other party] for access to its personal data.

By decision of 9 October 2018, the Commission declared the objection made by the [other party] inadmissible.

By judgment of 11 June 2019, the court declared the appeal lodged against this by the [other party] well-founded, quashed the decision of 9 October 2018, revoked the decision of 2 January 2018 and instructed the Board to decide on the request for inspection. This statement is attached.

The Board has lodged an appeal against this decision.

[other party] has given a written explanation.

By decision of September 25, 2019, the Board took a new decision on the request for inspection, following the decision of the court.

The Division heard the case in court on 3 August 2020, where the Board, represented by mr. CN van der Sluis and mr. CJB Dekker, lawyers in Rotterdam, and mr. SN van den Heykant, and [other party], assisted by mr. NGA Voorbach, legal aid provider, have appeared.

Considerations

Applicable law

1. For the text of the relevant provisions of Regulation 2016/979 (General Data Protection Regulation, hereinafter: the AVG) and the General Administrative Law Act (hereinafter: the Awb), reference is made to the appendix, which forms part of the judgment.

Decision

2. In a letter dated 30 July 2017, received by the Commission on 5 November 2017, the [other party] requested access to the processing of its personal data. According to [other party], his personal data has been processed for, among other things, requests submitted earlier on the basis of the Government Information (hereinafter: the Wob). He has also requested, insofar as the Commission has processed his personal data by posting messages on the forum of the Association of Netherlands Municipalities (hereinafter: VNG), to include the content of these messages in the overview.

2.1. On 22 November 2017, the Board announced that it cannot properly establish the identity of the applicant. The signature under the request does not correspond to the signature found by the Board on documents that may fall under the scope of the request. It has requested [other party] to personally visit the town hall. The Commission did not consider the sending of proof of identity to be sufficient to establish the identity irrefutably. [other party] has responded by e-mail that the difference in signature can be explained, because he initialed earlier documents and signed his request with his signature. He has enclosed a copy of an identity card and a bank card with his response. The Commission refused the e-mail because it did not open this way of sending documents and because it considered the confidentiality of the message insufficiently guaranteed. In the decision of 2 January 2018, it decided to set aside the request.

2.2. The [other party] has objected to that decision by letter. He has enclosed a copy of his passport with his notice of objection. The Commission has declared the objection inadmissible because it takes the position that [other party] is abusing the power to submit requests for inspection.

Attacked verdict

3. The court has ruled that [other party] has not abused its rights. Moreover, with the submitted copy of the passport, the Board was able to properly establish the identity of the applicant. The Commission wrongly declared the objection inadmissible. Subsequently, the court assessed what conclusion the Board should have reached if the objection had been declared admissible. With the submitted copy of the passport, the Commission could have properly established the identity of the [other party]. The fact that the signature under the request for inspection does not correspond to previously submitted Wob requests from [other party] should not have been a reason for the Commission to doubt the legitimacy of the request for inspection. The request for access was therefore wrongly set aside, according to the court.

Appeal

Admissibility

4. Contrary to what [other party] has argued, the appeal of the Board is admissible. Although the appeal is brief, it contains a ground as referred to in Article 6: 5, read in conjunction with Article 6:24 of the General Administrative Law Act. The appeal describes why the Board does not agree with the court's decision. The Board has explained this ground in more detail in the supplementary appeal. This document was not submitted so late that it is contrary to due process to include it in the appeal.

Abuse of law

5. The Commission argues that the court has wrongly ruled that [other party] does not abuse its rights. There are several aspects that, viewed together, must lead to the judgment that there has been an abuse of rights. For example, there is a consistent course of action on the part of [other party] and Voorbach. In the past, [other party] has submitted Wob requests in almost all municipalities. Many proceedings were conducted in this regard, which ultimately led to several rulings by the Division in which it was ruled that [the other party] abused the rights with those requests. Now [other party] has submitted a request for inspection to almost all municipalities. In addition, various aspects show that [other party] and Voorbach have a financial motive. For example, in a similar case Voorbach approached the board of another municipality to buy off procedures and the appeal is a virtually literal repetition of the appeal, which indicates minimal effort. Failure to appear at a hearing also indicates this. The financial interests of [other party] and Voorbach are also apparent from Voorbach's no-cure-no-pay practice. Finally, there is another way for the [other party] to obtain the personal data processed on the forum of the VNG. He had started legal proceedings against the VNG to view these data and could have continued those proceedings. There was also the option of submitting a new request for inspection, according to the Commission.

5.1. In its judgment of 23 January 2019, ECLI: NL: RVS: 2019: 184, the Department ruled that the Wob and the Wbp relate to different matters. This means that the judgment that an abuse of law has been made with regard to the Wob does not automatically mean that there is also abuse with regard to the Wbp. One of the purposes of the Wbp is to provide citizens with insight into the way in which administrative bodies, among others, process their personal data. In the judgment of 21 August 2019, ECLI: NL: RVS: 2019: 2797, which concerns a comparable case of [counterparty], the Division has ruled that there are insufficient leads for the opinion that [counterparty] submits the request for access and the use of legal remedies had abused the law. The circumstance that the authorized representative of the [other party] has previously been declared inadmissible in the context of Wob procedures, that [the other party] has submitted requests for inspection to various municipalities, that many proceedings are pending, that the [other party] is well within the decision period and if that period is exceeded after notice of default requests the determination of penalties and requests compensation, it was considered insufficient to conclude that [other party] did not intend to take cognizance of the personal data processed about him, but only tried sums of money charged to him to collect the government.

5.2. Contrary to the judgment of 21 August 2019, the Division sees no reason to rule that [other party] has misused the authority to submit requests for inspection. Finding out which municipalities have posted personal data of the applicant on the forum of the VNG is in line with the purpose of the Personal Data Protection Act and the subsequent GDPR. As [other party] explained at the hearing, the VNG has removed everything from him from the forum. A request for access to the VNG therefore makes no sense. He hopes that the college has taken screenshots of the forum or can find out in some other way what was posted on the forum. If the board has unlawfully processed his personal data, it will request compensation. The possibility exists under the GDPR. The fact that this is the underlying purpose of this request, and also of the other access requests that he has submitted, does not mean that the purpose of the request is no longer in accordance with the purpose of the GDPR. The Division also sees no reason to come to a different conclusion in the other arguments. This is because the arguments almost correspond to what was submitted in the case that led to the judgment of 21 August 2019. The court rightly ruled that the Board could not invoke abuse of law and wrongly declared the objection inadmissible.

5.3. The argument fails.

Establishing identity

6. The Commission argues that the court wrongly ruled that it could properly establish the identity of the [other party]. Because the signature was different from the signature on Wob requests submitted by a person with the same name, it could be in doubt about the identity of [other party]. Due to the lack of an adequate response from [other party], the Commission was able to declare the objection inadmissible and it was also allowed to set aside the request for inspection, according to the Commission.

6.1. Recital 64 of the GDPR states that the controller must take all reasonable steps to verify the identity of a data subject requesting access. If there is reason to doubt the identity, additional information may be requested, as follows from Article 12, sixth paragraph, of the GDPR.

6.2. [other party] has enclosed a copy of his passport with his notice of objection. Providing a copy of proof of identity may be sufficient to verify identity. Compare today's ruling, ECLI: NL: RVS: 2020: 2833. In this case, however, there was reason for the Commission to doubt the identity of [other party]. The Commission had noticed that the signature on the request for access and on the passport did not correspond with the signature on previously submitted Wob requests from a person with the same name who lives at the same address. It could therefore reasonably take the position that a copy of the passport alone was not sufficient in this case. According to the [other party], the request for access was submitted from the address with which he is registered in the basic register of persons and that the overview could be sent to that address, the Commission considered insufficient to be able to properly establish the identity. The Commission could require additional information to establish the identity of [other party].

6.3. The Municipal Executive has requested the [other party] to visit the town hall. For [other party] this means that he would have to travel a considerable distance. At the hearing, the Board indicated on request that sending a certified or legalized copy of a passport would also be considered sufficient to establish [other party] s identity. If he found it difficult to visit the town hall, the [other party] could be expected to notify the municipal executive that he would like to make use of such an alternative. [other party] has submitted many requests for information to municipalities throughout the country and has experienced problems with establishing his identity on several occasions. Other municipalities have offered the option of submitting a certified or authorized copy of his passport, precisely because it could have been a long journey for him to the town hall. [other party] was therefore aware of the existence of an alternative accepted by other municipalities. In addition, the [other party] had a copy of his passport certified on 8 January 2018.

Because the Commission could not consider the copy of the passport to be sufficient to establish [other party] s identity, [other party] did not visit the town hall to identify himself, and also did not submit any other documents with which the Commission could establish his identity, such as a certified copy of his passport, the Board could reasonably take the position that it had insufficient data to process the request. It should therefore have declared the objection unfounded. The court wrongly ruled otherwise.

6.4. The argument succeeds.

Conclusion

7. The appeal is well-founded. The attacked judgment must be quashed, insofar as the decision of 2 January 2018 has been revoked and the Board is instructed to decide on the request for inspection. For the rest, the attacked judgment must be confirmed. The Division will provide for the case in a manner to be notified and determine that this judgment will replace the quashed decision.

8. By decision of September 25, 2019, the mayor, in response to the attacked decision, again decided on the objection made by [other party]. Because this decision was taken to implement the decision of the court, and because of the nullification of the court's order to the board to decide on the request for inspection, the basis for that decision has become lost. For that reason alone, this decision must be quashed.

9. There is no reason for an order for costs.

Decision

The Administrative Law Division of the Council of State:

I. declares the appeal well-founded;

II. annuls the decision of the Zeeland-West-Brabant District Court of 11 June 2019 in case no. the access request;

III. declares the objection unfounded;

IV. otherwise confirms the ruling;

V. stipulates that this ruling will replace the decision of the Mayor and Aldermen of Zundert of 9 October 2018;

VI. cancels the decision of September 25, 2019, reference ZD19043100.

Thus adopted by mr. CJ Borman, chairman, and mr. SFM Wortmann and mr. J. Gundelach, members, in the presence of mr. P. Klein, registrar.

The chairman is unable to sign the decision.

because of small

registrar

Released in public on December 9, 2020

176-851.

 

APPENDIX

 

Regulation 2016/979

(64) The controller should take all reasonable steps to verify the identity of a data subject requesting access, in particular with regard to online services and online identifiers. A controller should not keep personal data for the sole purpose of responding to any requests.

Article 12

[…].

6. Without prejudice to Article 11, where the controller has reasons to doubt the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request additional information necessary to confirm the identity. of the data subject.

Article 15

1. The data subject has the right to obtain from the controller a decision as to whether or not personal data concerning him / her is being processed and, where this is the case, to access such personal data and the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;

d) if possible, the expected period for which the personal data will be stored or, if that is not possible, the criteria for determining that period;

e) that the data subject has the right to request the controller to rectify or erase personal data, or to restrict the processing of personal data concerning him, as well as the right to object to such processing;

f) that the data subject has the right to lodge a complaint with a supervisory authority;

g) where the personal data are not collected from the data subject, all available information about the source of that data;

(h) the existence of automated decision-making, including the profiling referred to in Article 22 (1) and (4) and, at least in those cases, useful information about the underlying logic, as well as the importance and expected consequences of that processing for the person concerned.

[…].