RvS - 202100213/1/A3
|RvS - 202100213/1/A3|
|Relevant Law:||Article 12(3) GDPR|
Article 16 GDPR
Artikel 34 UAVG
|National Case Number/Name:||202100213/1/A3|
|European Case Law Identifier:||ECLI:NL:RVS:2022:230|
|Appeal from:||Rb. Oost-Brabant (Netherlands)|
|Appeal to:||Not appealed|
|Original Source:||uitspraken.rechtspraak.nl (in Dutch)|
|Initial Contributor:||Martijn Staal|
The Council of State confirmed their earlier decision that a data subject must plausibly demonstrate that a violation of the GDPR resulted in damages, before they are entitled to compensation pursuant to Article 82 GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
Controller is the municipality of Eindhoven. The data subject found out that an email that they sent to the municipality on 15 January 2017 (in which they complained about their neighbours), had been forwarded and had ended up with their neighbours, without blacking out their email-address. Because they had not given consent for this, and the processing for personal data was not necessary to fulfil a public interest, the data subject requested the municipality to (1) rectify personal data mentioned in letters of 7 April 2016 and 14 November 2018, and (2) compensation for damages caused by forwarding their personal data without a legal basis.
After the municipality had rejected the request, the data subject brought the issue before court. The District Court of Oost-Brabant dismissed this appeal, after which the data subject appealed this judgement before the Council of State. On appeal, the data subject argued that (1) The municipality had exceeded the decision period of one month as per Article 12(3) GDPR for their request to rectify the personal data, (2) the municipality should have also rectified personal data in the letter of 14 November 2018, and (3) The District Court had wrongly considered that the data subject was not entitled to compensation.
Holding[edit | edit source]
The Council of State rejected the appeal.
First, the Council stated that the municipality complied with the data subject's access request within the decision time of one month as per Article 12(3) GDPR. Second, the Council of State held that the right to rectification of personal data pursuant to Article 16 GDPR only applies to inaccuracies that can be easily and objectively ascertainable. Since the letter of 14 Novemer 2018 concerned impressions and conclusions with which data subject did not agree, the Council found that the rejection of the request for rectification was well-founded.
Lastly, although it is not disputed between parties that the forwarding of email of 13 January 2017 without removing data subject's email address was unlawful, the Council of State had previously considered that a violation of the GDPR does not automatically entitle the data subject to compensation. Because the data subject could not plausibly demonstrate that the infringement caused damages, this ground of appeal was also rejected.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
202100213/1/A3. Judgment date: January 26, 2022 DEPARTMENT ADMINISTRATIVE JURISDICTION Decision on the appeal of: [appellant], living in Eindhoven, against the judgment of the East Brabant District Court of 11 December 2020 in case no. 20/2006 in the proceedings between: [appellant] and the college of mayor and aldermen of Eindhoven. Process sequence In a letter dated September 25, 2019, the Board informed [appellant] that her request for rectification of her personal data and for the award of compensation had already been communicated and that therefore no further response would be given. By decision of 7 November 2019, the Board rejected [appellant]'s request for correction of her personal data. By decision of 11 June 2020, supplemented by decision of 26 June 2020, the Board declared the objection lodged by [appellant] to be well-founded and revoked the decision of 7 November 2019, insofar as the personal data of [appellant] was included in a letter from have not been rectified by the Board of 7 April 2016. The Board declared the objection inadmissible in so far as [appellant] requested compensation and declared the objection unfounded in all other respects. By judgment of 11 December 2020, the court dismissed the appeal lodged by [appellant] against it. This statement is attached. The appellant appealed against this decision. The college has issued a written statement. [Appellant] has submitted a further document. The college has also submitted a further document. The Division dealt with the case on December 13, 2021 at the hearing, where the Board, represented by M.L.M. Lammerschop, has appeared. [Appellant] participated in the hearing via a video link. Considerations Legal framework 1. The legal framework is included in the appendix that is part of the decision. Introduction 2. By letter dated 30 August 2019, on the basis of Article 16 of the General Data Protection Regulation (hereinafter: the GDPR), [appellant] requested the rectification of her personal data, which were stated in a letter from the Board of 7 April 2016 and in a letter with attachment from the Commission dated 14 November 2018. She states that the Commission forwarded an e-mail message of 15 January 2017 from her to third parties, without making her e-mail address illegible, and that it ended up with her neighbors. She holds the college liable for the damage she has suffered. In the letter dated September 25, 2019, the Board informed [appellant] that extensive communication had already been given about her request and that therefore no further response would be given. By letter dated 27 October 2019, received by the Board on 29 October 2019, [appellant] gave the Board notice of default and requested that it take a decision on her request within two weeks. In the decision of November 7, 2019, the Board provided a further explanation of the letter of September 25, 2019 and rejected the request. 3. In the decision of 11 June 2020, the Board declared the objection made by [appellant] well-founded and revoked the decision of 7 November 2019, insofar as her personal data were not corrected in the letter of 7 April 2016. Insofar as it is directed against the refusal to rectify its personal data in the letter from the Board of 14 November 2018, the Board has declared the objection unfounded. The Commission takes the position that the list accompanying this letter does not contain any personal details of [appellant]. The Board disregarded [appellant]'s request to rectify the decisions of the Ombuds Committee, because it was the first time she requested this in objection. Furthermore, the Board has taken the position that it is not competent to decide on the request for compensation. Incidentally, the Board states that [appellant] is not eligible for compensation, because it has not been demonstrated what adverse consequences she experienced from forwarding the e-mail message of 15 January 2017. By decision of June 26, 2020, the Board amended the decision on the objection of June 11, 2020 because it contains inaccuracies. The Commission has therefore replaced a phrase in the decision of 11 June 2020 . 4. The court dismissed the appeal lodged by [appellant] as unfounded. Appeal Has the decision period been exceeded? 5. [appellant] argues that her personal data were only corrected after submitting a notice of objection and that the decision period has therefore been exceeded. It takes the view that the letter of 25 September 2019 is only an acknowledgment of receipt of the request it submitted. This letter does not contain a remedy clause, so it has not regarded this letter as a decision. Furthermore, it takes the position that it has the right under Article 16 of the GDPR to obtain the rectification of incorrect personal data without undue delay. That only happened on June 11, 2020. 5.1. The Division understands that [appellant]'s argument is directed against the District Court's consideration that the Board on September 25, 2019, timely decided on the request submitted by [appellant] on August 30, 2019 for the rectification of her personal data and that there is therefore is no reason for awarding compensation. 5.2. Article 12(3) of the GDPR provides that the controller informs the requester in any case within one month of the follow-up given to a request as referred to in Article 16 of the GDPR. [Buyer]'s request for rectification of her personal data dates from August 30, 2019 and was received by the Board on September 3, 2019. In a letter dated September 25, 2019, sent on September 26, 2019, the Board informed [appellant] that communication about her request has already been made and that there will therefore no longer be a substantive response. The Board thus informed [appellant] within one month of the follow-up given to her request. 5.3. Contrary to what [appellant] argues, the Board's response to the request, in view of Article 34 of the GDPR Implementation Act, is a decision within the meaning of the General Administrative Law Act, against which objections and appeals are open. This decision entails that the request will not be considered because the Board no longer wishes to communicate with [appellant]. The fact that it also states that it is an acknowledgment of receipt does not change that. Insofar as no legal remedies clause is included in this decision, [appellant]'s interests have not been harmed as a result. On November 7, 2019, the Board again made a decision, rejecting the request. The appellant timely appealed against this decision. The court rightly considered that there is no reason to award damages for exceeding the term laid down in Article 12(3) of the GDPR. Contrary to what [appellant] argues, the Board immediately corrected the personal data of [appellant] after taking the decision on the objection of 11 June 2020, having read the letter accompanying the Board to that decision. 5.4. The argument fails. Corrigendum letter of 14 November 2018 6. [appellant] argues that the court wrongly considered that she had not put forward any grounds for appeal against the rejection of the request for rectification of her personal data in the letter of 14 November 2018. Furthermore, the court wrongly ignored that in In this letter it is stated that this is not a decision that can be appealed against. 6.1. In her appeal, [appellant] argued that she had requested the Board for an overview of all reports she made in 2016 about the nuisance caused by her neighbours' caravan. The reason for this was that the Executive Board stated to the Ombuds Committee that it would have made many reports about this in 2016. The letter from the Commission of 14 November 2018 states that reports are not registered in the name of the reporter. Therefore, according to [appellant], the Board was unable to make a statement about her reports. 6.2. Article 16 of the GDPR gives the data subject the right to rectify or supplement if the personal data is incorrect or incomplete. The inaccuracies must, however, be easily and objectively identifiable. [appellant] disputes the correctness of the statement in the letter of 14 November 2018, that it made many reports and that this is not a decision against which objection is open. The right of correction laid down in Article 16 of the GDPR is not intended to correct or delete impressions, opinions, research results and conclusions with which the data subject cannot agree. The correctness of these statements can be discussed in the appropriate procedure. The court rightly considered that [appellant] did not put forward any grounds for appeal against the rejection of the request for rectification of her own personal data in the list accompanying the letter of 14 November 2018. The grounds for appeal do not relate to rectification of her personal data, but to impressions. and conclusions with which [appellant] cannot agree. The argument fails. Forwarding email from January 15, 2017 7. [appellant] argues that the court erroneously considered that a victim of 'stalking' cannot claim protection of personal data under the GDPR. The college forwarded her e-mail message with e-mail address for no reason, so that it ended up with the neighbors. In this e-mail she announced that she was going to report vandalism. The college got her into trouble because of this. 7.1. The Division understands the argument in such a way that the court wrongly rejected [appellant's] request for compensation as a result of forwarding the e-mail message of 15 January 2017. 7.2. It is not in dispute between the parties that forwarding the e-mail of 15 January 2017, without making the e-mail address of [appellant] illegible, must be regarded as unlawful. 7.3. As the Division has previously considered in the judgment of 1 April 2020, case no. 201905087/1/A2, ECLI:NL:RVS:2020:899, under 31, the loss of control over personal data is an infringement of a personality right. Everyone has the right to the protection and correct, lawful processing of their personal data (see, inter alia, Article 8, paragraph 1, Charter of Fundamental Rights of the European Union). As the Division further considered in that ruling, under 33, there is no ground for the opinion that an infringement of the GDPR automatically implies an infringement of the integrity of a person and thus leads to compensable damage. The fact that a breach of personal data can result in (im)material damage and that a data subject must receive full and effective compensation for the damage suffered by him, does not mean that a violation of standards by definition leads to damage. 7.4. The starting point of the assessment is that [appellant] must demonstrate the damage to the person and must substantiate the damage alleged by her with concrete data. [Appellant] was given the opportunity to do so by letter dated March 18, 2020. 7.5. The court has rightly ruled that [appellant] has not made it plausible that the infringement led to the harm to her person and that the consequences of the infringement affected her directly. She has not made it plausible what adverse consequences for her resulted from the forwarding of her e-mail address. Contrary to what [appellant] argues, the court did not consider that a victim of 'stalking' could not claim protection of personal data under the GDPR. The court only considered that [appellant] was 'stalked' before her e-mail address became known to the neighbors and that this circumstance is therefore not a consequence of the loss of control over her e-mail address. 7.6. The court rightly rejected the claim for damages. The argument fails. Argument for the rest 8. [appellant] argues that the municipal official did not refer to the letter of 24 January 2019. Due to the situation caused by the outbreak of the coronavirus, she proposed to the official concerned to settle the matter without judicial intervention and pointed out the errors in the decision on objection. The official has agreed to settle the matter without going to court and has asked her to put the proposal and the errors on paper. According to [appellant], this has resulted in a substantive response to cases about which correspondence had previously been made and she received an amended decision on the objection. 8.1. In her argument, [appellant] has not explained that and why the court's considerations are incorrect or incomplete. This cannot therefore lead to annulment of the judgment under appeal. The argument fails. Conclusion 9. The appeal is unfounded. The impugned verdict must be affirmed. 10. The Board does not have to reimburse legal costs. Decision The Administrative Jurisdiction Division of the Council of State: confirms the attacked statement. Adopted by mr. A.W.M. Bijloos, member of the single chamber, in the presence of mr. T.E. Larsson-van Reijsen, Registrar. The member of the single chamber is unable to sign the decision. The clerk is unable to sign the decision. Pronounced in public on January 26, 2022 978 APPENDIX GDPR Article 4 Definitions For the purposes of this Regulation: 1) "personal data" means any information relating to an identified or identifiable natural person ("the data subject"); an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more elements specific to the physical, physiological, genetic , psychological, economic, cultural or social identity of that natural person; […]. Article 12 Transparent information, communication and detailed rules for exercising the rights of the data subject […] 3. The controller shall provide the data subject with information on the action taken on the request without undue delay and in any event within one month of receipt of the request pursuant to Articles 15 to 22. Depending on the complexity of the requests and the number of requests, that period may be extended by a further two months if necessary. The controller shall notify the data subject of such extension within one month of receipt of the request. Where the data subject submits their information electronically, the information will be provided electronically if possible, unless the data subject requests otherwise. 4. Where the controller does not comply with the request of the data subject, it shall inform the data subject without undue delay and within one month of receipt of the request why the request has not been pursued and shall inform him of the possibility to lodge a complaint with a supervisory authority and appeal to the courts. […]. Article 16 Right to rectification The data subject has the right to obtain from the controller the rectification of incorrect personal data concerning him/her without undue delay. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by providing a supplementary statement. Article 82 1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. 2. Any controller involved in processing shall be liable for damage caused by processing in breach of this Regulation. A processor shall only be liable for damage caused by processing where the processing has not complied with the obligations of this Regulation specifically addressed to processors or has acted outside or contrary to the lawful instructions of the controller. […]. Implementation Act General Data Protection Regulation Article 34. Applicability of the General Administrative Law Act by decision of administrative authorities A written decision on a request as referred to in Articles 15 to 22 of the Regulation shall be taken within the period referred to in Article 12(3) of the Regulation and, insofar as it has been taken by an administrative authority, shall be regarded as a decision within the meaning of the General Administrative Law Act.