RvS - 202000948/1/A3: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(One intermediate revision by one other user not shown)
Line 35: Line 35:
|Party_Link_5=
|Party_Link_5=


|Appeal_From_Body=District Court of Amsterdam
|Appeal_From_Body=Rb. Amsterdam (Netherlands)
|Appeal_From_Case_Number_Name=19/2788
|Appeal_From_Case_Number_Name=19/2788
|Appeal_From_Status=
|Appeal_From_Status=

Latest revision as of 12:37, 16 September 2021

RvS - 202000948/1/A3
Courts logo1.png
Court: RvS (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 12(6) GDPR
Decided: 09.12.2020
Published: 09.12.2020
Parties: Council of Mayor and Aldermen of Uithoorn
National Case Number/Name: 202000948/1/A3
European Case Law Identifier: ECLI:NL:RVS:2020:2915
Appeal from: Rb. Amsterdam (Netherlands)
19/2788
Appeal to: Unknown
Original Language(s): Dutch
Original Source: Rechtspraak.nl (in Dutch)
Initial Contributor: n/a

The Dutch Council of State (RvS) held that if there are easier methods of verifying an identity, it is disproportionate to ask the data subject requesting access to his data to visit the town hall to identify himself in person. The presentation of a copy of a passport is, in principle, sufficient.

English Summary

Facts

The Council of Mayor and Aldermen of Uithoorn (which exercises the executive power of the municipal government) rejected the request of appellant to erase his personal data. He attached a certified copy of his passport to this request, but it was deemed insufficient to establish the applicant's identity properly and irrefutably. The Council of Mayor and Aldermen of Uithoorn requested the appellant to visit the town hall in person. Subsequently, the appellant requested that a DigiD link be e-mailed to enable him to identify himself, but such identification via DigiD was not yet possible at the municipality.

By decision of 10 February 2020, the District Court of Amsterdam dismissed the appellant’s appeal against that decision as unfounded. The Court ruled that the Council of Mayor and Aldermen of Uithoorn could reasonably request the appellant to come and identify himself personally at the town hall, in order to prevent fraud. Such requirement was not deemed disproportionate, considering the irreversibility of the erasure of data and the importance of proper identification in this respect.

The appellant lodged an appeal against this decision.

Dispute

Does the presentation of a copy of a passport provide sufficient information to verify the data subject's identity?

Holding

Recital 64 of the GDPR states that the data controller should take all reasonable steps to verify the identity of a data subject requesting access. If there is reason to doubt the identity, additional information may be requested, as follows from Article 12(6) of the GDPR.

In this case, the Council of State as of the opinion that there were other possibilities for establishing identity, which raised a lower threshold. The presentation of a copy of a passport, for example, is in principle considered a reasonable measure to verify identity.

The fact that it is possible to falsify the copy of a passport and that it is impossible to check whether the document that has been scanned is authentic, as argued by the Council, does not make this any different. The Council itself indicated that it did not suspect that the copy had been falsified or that there might be another person behind the request. Therefore there was no reason to ask for additional information or to impose additional requirements.

Comment

This decision should be compared to: RvS - 201907720/1/A3

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.


Statement

202000948/1 / A3.

Date of judgment: 9 December 2020

SECTION

ADMINISTRATIVE LAW

Judgment on the appeal of:

[appellant], residing in [residence],

against the decision of the Amsterdam District Court of 10 February 2020 in case no. 19/2788 in the proceedings between:

[appellant]

in

the board of mayor and aldermen of Uithoorn.

Process course

By decision of 19 November 2018, the Commission has not considered the request of [appellant] to delete personal data.

By decision of 4 April 2019, the Board declared the objection made by [appellant] unfounded.

By judgment of 10 February 2020, the court declared the appeal lodged against this by [appellant] unfounded. This statement is attached.

[Appellant] has lodged an appeal against this decision.

The college has given a written presentation.

The Division heard the case in court on 3 August 2020, where [appellant], assisted by [attorney], legal aid provider, and the Board, represented by AGCM Lucassen-Olijhoek and WF Vianen, appeared.

Considerations

Applicable law

1. For the text of the relevant provisions of Regulation 2016/979 (General Data Protection Regulation, hereinafter: the AVG ) and the General Administrative Law Act (hereinafter: the Awb), reference is made to the appendix, which forms part of the judgment.

Decision

2. In a letter dated 16 September 2018, [appellant] informed the Board that it appeared to him that it had processed his personal data on the forum of the Association of Netherlands Municipalities (hereinafter: VNG) and forwarded it to other administrative bodies by email. He has requested the Commission to delete his personal data and to pay compensation. He has enclosed with this request a copy of a certified copy of his passport.

2.1. On October 2, 2018, the Board announced that it cannot properly establish the identity of the applicant with a copy of a certified copy. It has requested [appellant] to visit the town hall in person. Subsequently, [appellant] submitted the copy again and, if this was not considered sufficient, requested that he e-mail a DigiD link so that he can identify himself.

2.2. Subsequently, the Board decided by decision of 19 November 2018 to not consider the request. [appellant] has objected to this. The committee for the handling of notices of objection has recommended that the objection should be declared unfounded, because the identity cannot be established beyond doubt. A certified copy indicates that the copy matches the original, but it cannot be verified whether the document that has been scanned has security features. It is also indicated on the copy of the passport that the signature is legalized, but the stamps on the signature are missing, so that the legalization of the signature is not valid. The copy that was made is dated January 8, 2018, while the request was submitted some time later. Identification via DigiD is not yet possible at the municipality. The Board has adopted the advice and declared the objection unfounded by decision of 4 April 2019.

Attacked verdict

3. The court ruled that the Board could reasonably demand that [appellant] came to identify himself personally at the town hall. This identification is aimed at preventing fraud, to which the Commission is entitled to attach great importance. [appellant] has requested that data be deleted. This is irreversible, so identification is very important. The requirement is not disproportionate. Insofar as the waiver would be an obstacle, it is important that there is a transition period and that stakeholders requests based on the via DigiD in the course of 2020 GDPR can make , according to the court.

Appeal

4. [appellant] argues that the court wrongly ruled that the board could require him to visit the town hall. With the copy of a certified copy of his passport, the Board was able to properly establish his identity. The signature on the request matches the signature on the passport. In addition, the request to delete his personal data was submitted from the address at which he is registered in the Personal Records Database, which is an important factor in determining the identity, according to [appellant].

Appeal assessment

5. Recital 64 of the GDPR states that the controller must take all reasonable steps to verify the identity of a data subject requesting access. If there is reason to doubt the identity, additional information may be requested, as follows from Article 12, sixth paragraph, of the GDPR .

5.1. By default, the Commission asks people who submit a request for the deletion of personal data to come to the town hall to identify themselves. For [appellant], who lives on the other side of the country, this means that he would have to travel very far. In this case there were also other possibilities to establish identity, which raise a lower threshold. For example, submitting a copy of a passport is, in principle, considered a reasonable measure to verify identity. Compare today's ruling, ECLI: NL: RVS: 2020: 2833. [appellant] had submitted a copy of a certified copy of his passport. The college was able to verify his identity on this basis. As the Board explained at the hearing, it did not doubt the identity of [appellant]. There was therefore no reason to request additional information or to impose additional requirements. The fact that it is possible to forge a copy and that the certified copy is not certified in the correct manner, as the Commission has argued, does not change this, because the Commission itself indicated that it did not suspect that the copy was forged. or that there may be another person behind the request. The commission's requirement was therefore not a reasonable measure in this case. The court wrongly ruled that the Board was reasonably allowed to require [appellant] to visit the town hall.

5.2. The argument succeeds.

Finally

6. The appeal is well-founded. The attacked ruling must be quashed. In doing what the court should do, the Division will still declare the appeal against the decision of April 4, 2019 of the board to be well-founded. This decision qualifies for annulment due to violation of article 4: 5, first paragraph, of the Awb. The Board must make a new decision with due observance of the considerations in this decision. The Department will set a term for this.

7. The Board must be ordered to pay the costs of the proceedings in a manner to be stated below.

The Administrative Law Division of the Council of State:

I. declares the appeal well-founded;

II. sets aside the decision of the Amsterdam Court of 10 February 2020 in case no. 19/2788;

III. declares the appeal lodged with the court well-founded;

IV. annuls the decision of the Mayor and Aldermen of Uithoorn of 4 April 2019, reference 2018-084131;

V. instructs the mayor and aldermen of Uithoorn to take a new decision within six weeks after the dispatch of this decision, taking into account what has been considered therein;

VI. orders the Municipal Executive of Uithoorn to pay the costs incurred by [appellant] in connection with the handling of the appeal and the appeal to an amount of € 2,234.53 (in words: two thousand two hundred and thirty four euros and fifty-three cents);

VII. orders the Municipal Executive of Uithoorn to reimburse [appellant] the court fee paid by him in the amount of € 439.00 (in words: four hundred and ninety-three euros) for the handling of the appeal and the appeal.

Thus adopted by mr. CJ Borman, chairman, and mr. SFM Wortmann and mr. J. Gundelach, members, in the presence of mr. P. Klein, registrar.

The chairman is unable to sign the decision.

because of small

registrar

Pronounced in public on

176-851.

 

APPENDIX

 

Regulation 2016/979 ( AVG )

(64) The controller should take all reasonable steps, in particular with regard to online services and online identifiers, to verify the identity of a data subject requesting access. A controller should not keep personal data for the sole purpose of responding to any requests.

Article 12

[…].

6. Without prejudice to Article 11, where the controller has reasons to doubt the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request additional information necessary to confirm the identity. of the data subject.

Article 17

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him without unreasonable delay and the controller is obliged to erase personal data without unreasonable delay where one of the following applies:

[…].