RvS - 202107090/1/A3: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(One intermediate revision by one other user not shown)
Line 51: Line 51:
|Party_Link_3=
|Party_Link_3=


|Appeal_From_Body=RBNHO
|Appeal_From_Body=Rb. Noord-Holland (Netherlands)
|Appeal_From_Case_Number_Name=20/4820
|Appeal_From_Case_Number_Name=20/4820
|Appeal_From_Status=
|Appeal_From_Status=
Line 64: Line 64:
}}
}}


The Dutch Council of State confirmed that if there is a legal obligation to retain files in the exercise of a legal obligation vested in the controller, then the right to erasure under [[article 17 GDPR|Article 17]] is not applicable as stated in [[article 17 GDPR#3b|Article 17(3)(b)]].
The Dutch Council of State confirmed that personal data deletion is prevented when processing is necessary for the exercise of official authority vested in the controller in accordance with [[article 17 GDPR#3b|Article 17(3)(b)]] GDPR.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject requested the Employee Insurance Agency (a governmental organisation, controller), to delete her phone number because she no longer wanted to be contacted by them. She also requested the erasure of her phone number from two messages which were stored in the digital 'mailbox' of the controller.  
The data subject requested the Employee Insurance Agency (a governmental organisation, controller), to delete her phone number because she no longer wanted to be contacted by them. She also requested the erasure of her phone number from two messages stored in the digital 'mailbox' of the controller.  


The controller deleted her number for contacting purposes, but refused to delete her number from the digital mailbox. It argued that these documents were part of their social security files and must be stored on the basis of a legal obligation arising from the Archiefwet (Archive Law).   
The controller deleted her number for contacting purposes, but refused to delete her number from the digital mailbox. It argued that these documents were part of its social security files and had to be stored on the basis of a legal obligation arising from the Archiefwet (Archive Law).   


The data subject brought an action with the Court of Noord-Holland (case 20/4820), which considered that the controller was not obligated to delete the phone number from their files. She appealed this decision with the Council of State, claiming that the controller unlawfully processed her data and that it was not necessary to store it. In her view, the Archiefwet did not provide a legal basis for processing and it breached the principles of minimisation, lawfulness and necessity.  
The data subject brought an action with the Court of Noord-Holland (case 20/4820). The Court considered that the controller was not obligated to delete the phone number from its files. She appealed this decision with the Council of State, claiming that the controller unlawfully processed her data and that it was not necessary to store it. In her view, the Archiefwet did not provide a legal basis for processing in the specific case and it breached the principles of minimisation, lawfulness and necessity.  


=== Holding ===
=== Holding ===
The Dutch Council of State (CoS) considered that the data subject did not bring additionnal arguments than in first instance and that the Court of Noord-Holland adequately motivated its decision.
The Dutch Council of State considered that the data subject did not bring additional arguments than in first instance and that the Court of Noord-Holland adequately motivated its decision. The Council of State also held that if there is a legal obligation to store files in the exercise of official authority vested in the controller, then the right to erasure under [[article 17 GDPR|Article 17]] is not applicable as long as the retention period runs, as stated in [[article 17 GDPR#3b|Article 17(3)(b)]]. Archiving as such does not breach the GDPR. Consequently, the Council declared the appeal unfounded.
 
The CoS also stated that if there is a legal obligation to store files in the exercise of official authority vested in the controller, then the right to erasure under [[article 17 GDPR|Article 17]] is not applicable as long as the retention period runs, as stated in [[article 17 GDPR#3b|Article 17(3)(b)]]. Archiving as such does not breach the GDPR.  
 
Consequently, the CoS declared the appeal unfounded.


== Comment ==
== Comment ==

Latest revision as of 11:45, 4 October 2023

RvS - 202107090/1/A3
Courts logo1.png
Court: RvS (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 17(3)(b) GDPR
Archiefwet
Decided: 12.07.2023
Published: 12.07.2023
Parties: Uitvoeringsinstituut Werknemersverzekeringen
National Case Number/Name: 202107090/1/A3
European Case Law Identifier: ECLI:NL:RVS:2023:2681
Appeal from: Rb. Noord-Holland (Netherlands)
20/4820
Appeal to:
Original Language(s): Dutch
Original Source: Raad van State (in Dutch)
Initial Contributor: Enzo Marquet

The Dutch Council of State confirmed that personal data deletion is prevented when processing is necessary for the exercise of official authority vested in the controller in accordance with Article 17(3)(b) GDPR.

English Summary

Facts

The data subject requested the Employee Insurance Agency (a governmental organisation, controller), to delete her phone number because she no longer wanted to be contacted by them. She also requested the erasure of her phone number from two messages stored in the digital 'mailbox' of the controller.

The controller deleted her number for contacting purposes, but refused to delete her number from the digital mailbox. It argued that these documents were part of its social security files and had to be stored on the basis of a legal obligation arising from the Archiefwet (Archive Law).

The data subject brought an action with the Court of Noord-Holland (case 20/4820). The Court considered that the controller was not obligated to delete the phone number from its files. She appealed this decision with the Council of State, claiming that the controller unlawfully processed her data and that it was not necessary to store it. In her view, the Archiefwet did not provide a legal basis for processing in the specific case and it breached the principles of minimisation, lawfulness and necessity.

Holding

The Dutch Council of State considered that the data subject did not bring additional arguments than in first instance and that the Court of Noord-Holland adequately motivated its decision. The Council of State also held that if there is a legal obligation to store files in the exercise of official authority vested in the controller, then the right to erasure under Article 17 is not applicable as long as the retention period runs, as stated in Article 17(3)(b). Archiving as such does not breach the GDPR. Consequently, the Council declared the appeal unfounded.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.