RvS - 202001651/1/A3
From GDPRhub
| RvS - 202001651/1/A3 | |
|---|---|
 | |
| Court: | RvS (Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 9(2)(b) GDPR Article 15(1) GDPR Article 17(1)(c) GDPR Article 17(1)(c) GDPR Article 21(1) GDPR |
| Decided: | 27.01.2021 |
| Published: | 27.01.2021 |
| Parties: | The municipal executive of Leiden |
| National Case Number/Name: | 202001651/1/A3 |
| European Case Law Identifier: | ECLI:NL:RVS:2021:154 |
| Appeal from: | |
| Appeal to: | Unknown |
| Original Language(s): | Dutch |
| Original Source: | rechtspraak.nl (in Dutch) |
| Initial Contributor: | n/a |
The Dutch Council of State (RvS) ruled that the municipal executive of Leiden did not have to delete the appellant’s performance, appraisals, and absence (including health data) data from the HRM system YouForce.
English Summary
Facts
The appellant is a civil servant at the municipality of Leiden. He does not want the municipality to share his personal data with third parties because he fears he would lose control over his data. The municipality of Leiden outsources its HR administration to Service71; Service71 uses YouForce as the HRM tool which is offered by RAET B.V. On 15 January 2018 the municipality denied appellant’s request to delete his performance reports and assessments from YouForce. Appellant has also objected to the processing of his data by the company Mindtree in India. In the appealed decision the Court of First Instance of the Hague considered that the municipality had compelling and legitimate grounds for the data processing, which override the interests of the appellant. The Court found no evidence that the appellant’s personal data was processed in India by the employees of Mindtree.
Dispute
The appellant argues that: 1. The Court failed to recognize that his request should also be considered as an access request because it was not possible for him to make sure that the data processing in question was lawful. 2. The municipality has no legal basis for sharing his data with Service71 and RAET B.V. and that the data processing itself is excessive. 3. Personal data of employees, including the appellant, can be accessed by the company Mindtree in India.
Holding
On the first point, the Council ruled that the appellant had already had direct access to his data via the YouForce personnel file, which means his request should not have been considered as access request.
On the second point, the Council established that the appellant did not object to the performance reports and assessments as such. He also did not object to having these reports digitalized, provided that the storage would take place on the premises of the municipality, for example on the computer of his supervisor. However, appellant did not want the reports to be stored by third parties, such as Servicepunt71 and RAET B.V. It was not made clear during the hearing which legal basis applied to this personal data processing by the municipality, but the Council considered the circumstances and came to the conclusion that the interest of the municipality for centralizing and streamlining HR administration while giving employees access to the information outweighs the interest of the appellant to have his data stored inside of the municipality. The Council took into account that the municipality had all contracts in place to ensure that Service71 complies with the GDPR and RAET B.V. was a reliable data processor. The appellant also did not clarify why the processing of his health data must be seen as illegal under Article 9(2)(b) of the GDPR, so this argument was skipped by the Council.
On the third point, the municipality explained that the company Mindtree was engaged by RAET B.V. for monitoring and technical management of the HRM tool, including the disk capacity monitoring, backup processes and system availability checks. No personal data of employees of the municipality of Leiden in general and personal data of the appellant in particular were processed by Mindtree. The appellant did not challenge these statements. The Council agreed with the Court in that there was no reason to assess the lawfulness of the personal data processing by Mindtree.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Statement 202001651/1 / A3. Date of judgment: 27 January 2021 SECTION ADMINISTRATIVE LAW Judgment on the appeal of: [appellant], residing in [residence], against the decision of the District Court of The Hague of 17 September 2019 in case no. 19/244 in the proceedings between: [appellant] and the mayor and aldermen of Leiden. Process course By decision of 15 January 2018, the Commission rejected [appellant] 's request to remove the reports of his performance and appraisal interviews from the digital personnel system YouForce. By decision of 20 November 2018, the Board declared the objection made by [appellant] to this unfounded. By judgment of 17 September 2019, the court declared the appeal lodged against this by [appellant] unfounded. This statement is attached. [Appellant] has lodged an appeal against this decision. The college has given a written explanation. The Division heard the case in court on 2 December 2020, where [appellant], assisted by mr. P. Le Heux, attorney in Amsterdam, and the board, represented by mr. AM van de Laar, attorney in Leiden, mr. RG Kroes and D. Brussee have appeared. Considerations preface 1. [appellant] is a civil servant at the municipality of Leiden and in that capacity works at Museum De Lakenhal. He does not want digital personal data about him to be shared with third parties by the municipality of Leiden, because he fears that as a result he will no longer be able to control his data himself. The Municipality of Leiden has outsourced its personnel administration to the joint Service Point 71 scheme. Service point71 uses the personnel administration system YouForce offered by RAET BV and stores in YouForce, among other things, the reports of performance interviews and assessments. In the decision of 15 January 2018, the Commission rejected [appellant] 's request for the removal of the reports of his performance interviews and assessments from YouForce.This decision was upheld by decision of 20 November 2018. In the attacked judgment, the court considered that the decision-making of the Board only pertains to the request of [appellant] for the removal of data regarding his performance interviews and assessments and the addition made in the objection that he specifically opposes inclusion in YouForce of absenteeism data and performance data, which includes data about his health status. According to the court, this means that the proceedings are not about whether [appellant] has been informed about which personal data are shared with which parties, nor about the right of inspection of [appellant]. In addition, according to the court, [appellant] can see in YouForce which of his data has been processed in the digital personnel file.The court also considered that the General Data Protection Regulation (hereinafter: the GDPR) does not prevent the processing of performance and assessment interviews and that the processing of reports of these interviews is lawful. The court finds that the Commission has put forward compelling, legitimate grounds for data processing that outweigh the interests of [appellant]. Finally, according to the court, it has not emerged that data from [appellant] are processed by employees of the Mindtree company in India.The court finds that the Commission has put forward compelling, legitimate grounds for data processing that outweigh the interests of [appellant]. Finally, according to the court, it has not emerged that data from [appellant] are processed by employees of the Mindtree company in India.The court finds that the Commission has put forward compelling, legitimate grounds for data processing that outweigh the interests of [appellant]. Finally, according to the court, it has not emerged that data from [appellant] are processed by employees of the Mindtree company in India. Legal framework 2. The relevant regulations are included in the appendix that forms part of this decision. The size of the request 3. [appellant] argues that the court did not recognize that the request should also have been regarded as a request for access as referred to in Article 15, first paragraph, of the GDPR. According to him, it was made clear in his notice of objection that the documents available in the objection file did not make it possible to check whether the data processing is lawful. In addition, the wish has been expressed that the file could be supplemented in good consultation with documents that would give him insight into which personal data is being processed and how this processing takes place. It was also indicated during the hearing in objection that [appellant] wishes to have insight into the processing of his data. 3.1. The court rightly considered that [appellant] 's request only relates to the removal of his performance and assessment reports and to the removal and discontinuation of the recording of performance and absenteeism data in YouForce. On 21 November 2017, [appellant] asked his supervisor to ensure that information about his performance and appraisal interviews is available. In an email message dated 28 November 2017, [appellant] indicated that he has been trying to have his data removed online for almost five years. He indicates: "I have the right to be forgotten, and my performance and assessment interviews are certainly included. The municipality of Leiden will not be given the right by me to make these accessible online."The court has rightly established that, in view of this, [appellant] 's request is only aimed at removing the reports of his performance and appraisal interviews. The court also rightly considered that the objection request was extended to include absenteeism data and performance data in YouForce, in which data about his health status have been processed. In view of these requests, neither the decision of 15 January 2018 nor the decision on objection of 20 November 2018 has been decided on a request for inspection as referred to in Article 15, first paragraph, of the GDPR.The court also rightly considered that the objection request had been extended to include absenteeism data and performance data in YouForce, which include data on his health status. In view of these requests, neither the decision of 15 January 2018 nor the decision on objection of 20 November 2018 made a decision on a request for inspection as referred to in Article 15, first paragraph, of the GDPR.The court also rightly considered that the objection request had been extended to include absenteeism data and performance data in YouForce, which include data on his health status. In view of these requests, neither the decision of 15 January 2018 nor the decision on objection of 20 November 2018 has been decided on a request for inspection as referred to in Article 15, first paragraph, of the GDPR. In the circumstance that [appellant] has requested completion of the file in the objection and has indicated that he wishes to have insight into the processing of his data, the court has rightly found no reason for the decision that a request for inspection as referred to in Article 15, first paragraph, of the GDPR has been done on which the board wrongly failed to make a decision. [appellant] has indicated in his objection that he wishes to have insight into which of his data are being processed and the Commission has subsequently pointed out to him the possibility of viewing his own digital personnel file. The court has rightly considered that the Board has thus sufficiently met [appellant] 's wish for insight into the data processed about him.The Board did not have to interpret this wish as a request for access as referred to in Article 15, first paragraph, of the GDPR. The argument fails. The processing of the personal data of [appellant] 4. [appellant] argues that the court wrongly considered that the Board has a legitimate interest in the processing of reports of performance and appraisal interviews by Servicepunt71 and RAET BV in a digital file. He argues that there is no legal basis for these parties to process the data about his health that appear in performance and assessment reports. Moreover, it was not carefully considered which data may be processed and the court wrongly rejected its request for erasure or at least its objection to the processing, according to [appellant]. 4.1. At the hearing of the Division it was established that [appellant] has no objection to the preparation of reports of performance interviews and assessments by the Board. He also does not object to these reports being stored digitally, provided that this takes place within the municipality, for example on the computer of his manager. However, [appellant] does not want the reports to be kept by third parties, such as in this case by Servicepunt71 and RAET BV The Department will only include that processing in its assessment. [Appellant] has not further clarified why the processing of the data about his health as such cannot be based on obligations in the field of employment law in accordance with Article 9, second paragraph, under b, of the GDPR. The Division will therefore not go into this part of its argument. 4.2. Pursuant to Article 21, paragraph 1, [appellant] has the right to object to the processing of his personal data if this takes place on the basis of Article 6, paragraph 1, under e or f, of the GDPR. At the hearing it remained unclear on what basis the processing takes place according to the parties. Because, in the opinion of the Department, the processing of the personal data of [appellant] by Servicepunt71 and RAET BV can in any case be understood under one of these paragraphs of Article 6 of the GDPR, the Department will, on the basis of Article 21, first paragraph, of the GDPR to assess whether there are compelling legitimate grounds for the processing that outweigh the interests, rights and freedoms of [appellant]. When such compelling legitimate grounds do not exist or when the interests,rights and freedoms of [appellant] outweigh the interest of the Commission in the processing of the personal data by Servicepunt71 and RAET BV, the Commission must cease the processing of the personal data pursuant to Article 21 and the personal data pursuant to Article 17, first paragraph, preamble and under c, without unreasonable delay, the latter unless there is an exception as referred to in Article 17, third paragraph, of the GDPR.the latter unless there is an exception as referred to in Article 17, third paragraph, of the GDPR.the latter unless there is an exception as referred to in Article 17, third paragraph, of the GDPR. 4.3. The advice of the Appeals Committee on which the decision on the objection is based states that the Board is no longer equipped to independently perform the HRM tasks resting on it. For this reason, cooperation was sought with three other municipalities, among other things to promote the quality of the work processes and a more efficient use of available labor, which has been given shape within the Joint Service Point Regulation71. The four municipalities have assigned the management and support of their HRM support and implementation tasks to this joint scheme. This led to the necessity to transfer personnel files to this joint scheme. At the initiative of Servicepunt71, the municipality of Leiden uses an electronic HRM system, YouForce.This system was chosen because it has several advantages, such as the possibility that employees themselves can inspect the personal data stored about them. Another advantage of the electronic system is that it enables HRM employees authorized to do so in a simple manner to keep track of the conversation cycle and offers the possibility to monitor and optimize the performance on the basis of stored conversation reports. This method of processing also prevents managers from keeping their own shadow files and files from wandering. The retention period can also be easily managed electronically.Partly in view of the number of employees whose personnel files must be kept (1300 for the municipality of Leiden), the Department is of the opinion that there are compelling legitimate grounds as referred to in Article 21, first paragraph, of the GDPR for the electronic storage of data at Service Desk71. The legitimate interest of the Board is offset by the interest alleged by [appellant], which in short means that no data about him is kept outside the organization of the municipality itself and ends up with unauthorized persons. The Division is of the opinion that the interest of the Board outweighs the interest of [appellant]. To this end, it is important that the 2018-2020 service agreement contains rules to ensure that Service Point71 complies with the GDPR, that the HRM employees who are charged with the processing work as civil servants at Service Point71 and have a duty of confidentiality and that the Commission has not contradicted it. assuming that RAET BV is a reliable processor, which works on the basis of the ISAE 3402, type 2 report,with which the security and confidentiality of data can be guaranteed. The foregoing leads to the conclusion that the court has rightly concluded that Article 21, first paragraph, of the GDPR did not oblige the Commission to cease data processing by Servicepunt71 and RAET BV. The Commission was therefore not obliged to delete the data as referred to in Article 17, first paragraph, opening words and under c, of the GDPR. The third paragraph of Article 17 of the GDPR is therefore not addressed. The argument fails. Does Mindtree process personal data? 5. [appellant] argues in vain that the court has not recognized that his personal data can be consulted by employees of the Mindtree company in India and that the court has wrongly failed to assess whether this processing of his personal data is lawful. The Commission has explained in its written presentation that the company Mindtree is engaged by RAET BV for monitoring and technical management activities, including monitoring disk capacity, backup processes and the availability of systems. No personal data of employees of the municipality of Leiden in general or personal data of [appellant] in particular are processed by the company Mindtree, according to the commission. In view of this explanation, which has not been contradicted by [appellant],the court rightly saw no reason to assess the lawfulness of the processing of personal data by Mindtree. New ground for appeal 6. [appellant] argues for the first time on appeal that pay slips containing special personal data are sent by RAET BV to PostNL and printed there, so that PostNL also processes personal data. Since the appeal is directed against the decision of the court and there is no reason why this argument could not already be submitted to the court, and [appellant] should have done so from the point of view of careful and efficient use of legal remedies, this argument should be disregarded. Conclusion 7. The appeal is unfounded. The attacked decision needs to be confirmed. 8. There is no reason for an order for costs. Decision The Administrative Law Division of the Council of State: confirms the attacked statement. Thus adopted by mr. CJ Borman, chairman, and mr. HG Sevenster and mr. JML Niederer, members, in the presence of mr. M. Duifhuizen, registrar. The chairman is unable to sign the decision. The registrar is unable to sign the decision. Released in public on January 27, 2021 724. APPENDIX General Data Protection Regulation Article 6 1. The processing is only lawful if and insofar as at least one of the following conditions is met: a) […] c) the processing is necessary for compliance with a legal obligation incumbent on the controller; d) […]. Article 15 1. The data subject has the right to obtain from the controller a decision as to whether or not personal data concerning him / her is being processed and, where that is the case, to have access to such personal data and the following information: a) the purposes of the processing; b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations; d) if possible, the expected period for which the personal data will be stored or, if that is not possible, the criteria for determining that period; e) that the data subject has the right to request the controller to rectify or erase personal data, or to restrict the processing of personal data concerning him or her, as well as the right to object to such processing; f) that the data subject has the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, all available information about the source of that data; (h) the existence of automated decision-making, including the profiling referred to in Article 22 (1) and (4), and, at least in those cases, useful information about the underlying logic, as well as the importance and expected consequences of that processing for the person concerned. 2. […]. Article 17 1. The data subject has the right to obtain from the controller the erasure of personal data concerning him / her without unreasonable delay and the controller is under an obligation to erase personal data without unreasonable delay where one of the following applies: a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based in accordance with point (a) of Article 6 (1) or point (a) of Article 9 (2) and there is no other legal basis for the processing; (c) the data subject objects to the processing in accordance with Article 21 (1), and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing in accordance with Article 21 (2); d) the personal data have been processed unlawfully; (e) the personal data must be erased in order to comply with a legal obligation imposed on the controller by Union or Member State law; f) the personal data have been collected in connection with an offer of information society services referred to in Article 8 (1). 2. […] 3. Paragraphs 1 and 2 do not apply insofar as processing is necessary: a) […] (b) for the fulfillment of a legal processing obligation imposed on the controller by Union or Member State law, or for the performance of a task carried out in the public interest or exercising official authority conferred on the controller; c. […]. Article 21 1. The data subject shall at any time have the right to object, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her on the basis of Article 6 (1) (e) or (f) of Article 6 (f). 1, including profiling based on those provisions. The controller will cease processing the personal data unless he can demonstrate compelling legitimate grounds for the processing that outweigh the interests, rights and freedoms of the data subject or that are related to the establishment, exercise or defense of legal claims. 2. […].
