chronicle GDPR case law May 2018 – May 2020 in the Netherlands

Over the past two years, more than 300 judgments on the GDPR have been published on rechtspraak.nl. A number of rulings are interesting, others are predictable and in a number of cases the judge does not seem to apply the GDPR correctly. For anyone who may have missed a number of judgments, this chronicle lists the most important judgments.

Introduction

This chronicle provides an overview of the published case law on the General Data Protection Regulation (GDPR). Judges give substance to the open standards frequently used in the GDPR. This can provide guidance for the legal and advisory practice. It is also interesting to find out whether jurisprudence now interprets concepts differently from what was the case under the Dutch Personal Data Protection Act, de ‘Wet bescherming persoonsgegevens’(Wbp). In addition, the GDPR is introducing a number of new concepts and obligations on which, of course, case law has not yet appeared.

The chronicle deals only with rulings of the Dutch courts and the Court of Justice of the EU (ECJ EU). Foreign case law and the case law of the European Court of Human Rights may be equally interesting for the colouring of the GDPR in Dutch legal practice, but has not been taken into account just because of its size and accessibility. Judgements on art. 8 of the European Convention on Human Rights (ECHR), art. 10 of the Constitution and, for instance, the Police Data Act are also not discussed.[1] However, indirect reference is made to some decisions of the Personal Data Authority, de ‘Autoriteit Persoonsgegevens’ (AP).

The chronicle period runs from 26 May 2018 to 26 May 2020. For this period, www.rechtspraak.nl has been searched for judgments in which ‘personal data’ and ‘GDPR’ appear as keywords, supplemented by the relevant case law of the ECJ EU from this period. The authors are aware that only a limited part of all jurisprudence is published.

The layout of this chronicle is based as much as possible on the order in which the various subjects are discussed in the GDPR. This has led to the following classification: definitions, lawfulness, rights of data subjects, exceptions, liability and damages and, finally, procedural law and enforcement.

Definitions

Personal data

The GDPR only applies to personal data. Jurisprudence regularly discusses the question of whether personal data is involved. The GDPR defines the term as ‘all information about an identified or identifiable natural person’. According to the Council of State, data about dogs are therefore not personal data in the sense of the GDPR.[2] Nor is video footage of a villa without mention of the street or municipality.[3]

The Court of Amsterdam distinguishes between a (legal) assessment on the one hand and the personal data contained therein on the other hand.[4] The right of access is limited to the personal data included in the assessment. As a result, there is no right of full access to a credibility assessment drawn up by an official for the purpose of an asylum procedure. The line taken by the ECJ EU under the Privacy Directive[5] is thus continued.[6]

According to the Court of Appeal of The Hague, personal data should be understood to mean any information which, by virtue of its content, purpose or effect, is related to the data subject, irrespective of whether it is objective or subjective (opinions, judgements) and with which the data subject can reasonably be identified by the controller or any other person.[7] The District Court of The Hague holds that examinations, including the examiner’s comments, are personal data.[8]

In two judgments, the District Court of the North of the Netherlands found that the GDPR only provides access to factual personal data and drew the line too sharply. After all, the GDPR defines personal data as all information about an identifiable individual and makes no distinction between factual and subjective information.[9]

The District Court of Midden-Nederland is of the opinion that the fact that a no-risk policy applies to an employee does not constitute personal data relating to health, although it does indirectly inform the employer of the presence of a work restriction.[10]

Just before the GDPR came into force, the Amsterdam District Court ruled on the basis of the Wbp that disciplinary information falls under the regime of criminal information.[11] According to the same court, this is no longer the case under the GDPR.[12] The court justified this change of course by pointing out that the GDPR’s legal history contains no indication that disciplinary data qualify as special or criminal personal data.[13]

The Court of Appeal of Arnhem-Leeuwarden reiterates the Supreme Court’s starting point, which applies under the Wbp, that a heavier suspicion than a reasonable suspicion of guilt is required to qualify as personal data under criminal law.[14] According to the Court of Appeal it is relevant whether there are well-founded suspicions, concrete indications that someone has committed a criminal offence, or personal data that are related to a judicial prohibition because of unlawful or inconvenient behaviour.[15]

 

Controller or processor

The question of whether a party qualifies as a (joint) controller or processor is hardly ever litigated in the Netherlands, while in practice this question is regularly the subject of discussion and, moreover, does not always turn out to be easy to answer. Apparently, the judiciary also sometimes has difficulty with the correct application of these concepts. For example, the District Court of Oost-Brabant holds that a party is responsible for processing on the basis only of the fact that an overview containing personal data is in its possession and is used by that party.[16] One of the most remarkable judgments on the division of roles under the GDPR is perhaps the judgment of the preliminary relief judge of the District Court of Noord-Nederland that he himself qualifies as processor.[17]

The concept of joint controller has been clarified by the ECJ EU in a number of rulings.[18] A concept that is given more meaning under the GDPR than under the Privacy Directive, including the explicit obligation for joint controllers to be transparent to data subjects about their roles. The rulings of the ECJ EU give an important further interpretation of the joint and several liability that applies to joint controllers on the basis of Article 82 paragraph 4 of the GDPR. In the event of various interrelated processing operations, the responsibility of the controllers involved is limited to the processing of personal data for which he or she (co-)determines the purpose and means.[19]

The District Court of Midden-Nederland ruled that after the submission of personal data by the Sociale Verzekeringsbank (SVB) to the Tax and Customs Administration, also as the controller, there is no question of joint controller responsibility.[20] As a result, the person concerned cannot instruct the SVB to have their personal data removed by the Tax and Customs Administration. This is because the responsibility for processing has been transferred to the Tax and Customs Administration after it was issued.

Lawfulness

Many judgements concern the assessment of whether an actual data processing is lawful, in the sense that there is a valid legal basis as referred to in Art. 6 of the GDPR or a possibility of breaking the ban on processing special personal data as referred to in Art. 9 of the GDPR. This is important for practice in view of the closed system that the GDPR uses with these articles of the law for the processing of personal data and the choice that may have a certain basis for the conditions under which personal data may be processed.

 

Legal consent

The ECJ EU leaves no ambiguity that the concept of consent under the GDPR must be interpreted more strictly than it was under the Privacy Directive. In a case concerning consent in the context of the placing of cookies, the Court held that a valid consent under the GDPR requires an ‘unambiguous active act’. The use of a pre-checked box therefore does not constitute valid consent.[21]

The District Court of Noord-Nederland ruled that the provision of debtors’ health data to the debt counsellor and creditors in the context of a debt settlement is permitted on the basis of consent. The court states that the person concerned may invoke his privacy rights, but that this may have (negative) consequences for the debt settlement.[22] This raises the question of how voluntary consent is given when a person is in a hopeless financial situation.

The explicit consent of the patient is required for patient registration at the so-called National Switching Point for the Exchange of Patient Data (LSP). This does not always work in practice.

However, the District Court of Central Netherlands is of the opinion that it cannot be concluded from this that the processing of personal data for the LSP is intentional and unlawful. Express consent may be obtained and demonstrated by a set of control measures, including the duty for healthcare providers to register how consent was obtained and what information was provided.[23] A pharmacist making use of an opt-out scheme will have to change his procedure for registration with the LSP to an opt-in scheme.[24]

The District Court of Noord-Nederland upholds a claim seeking an injunction against the distribution to third parties of personal data of the plaintiff in the judgments to be given by the District Court with respect to her person. Spreading her personal data in a judgment without the consent of the plaintiff or without any other valid reason is deemed to be contrary to the GDPR.[25]

Necessary for the performance of the agreement

Health insurers may request personal data, including personal data relating to health, from a non-contracted healthcare provider, to the extent this is necessary for the performance of an insurance agreement with the data subject concerned.[26]

Necessary for legal duty

A judgment relevant to bankruptcy practice comes from the District Court of Central Netherlands. After the bankruptcy of a hospital, the trustees, in their role as a controller, decide to appoint another hospital as processor for the medical files of the patients treated in the bankrupt hospital. The court sees no grounds to rule that this arrangement is contrary to the GDPR, although the trustees acknowledge that they are not a care provider within the meaning of the Medical Treatment Contracts Act.[27]

The District Court of Oost-Brabant rules that a trustee in bankruptcy is entitled to inspect the e-mail correspondence of directors of the bankruptcy, with the exception of private correspondence, because this is necessary for the fulfilment of legal obligations incumbent on the trustee in the context of the settlement of a bankruptcy.[28] There is a proposal for consultation to better anchor the rights to processing of personal data by the trustee in the Bankruptcy Act.[29]

According to the District Court of Rotterdam, the GDPR does not oppose the submission of personal data in procedural documents, because Section 8:42 of the General Administrative Law Act obliges an administrative body to submit all documents relating to the case to the District Court in appeal proceedings. This can only be different if there are compelling reasons within the meaning of Article 8:29 of the General Administrative Law Act.[30]

The Board of Profession and Industry (Cbb) is of the opinion that the Consumer and Market Authority (ACM) cannot impose a mandatory disclosure of personal data on network operators by means of a so-called Information Code if the network operators concerned do not have a legal basis within the meaning of art. 6 GDPR for such a disclosure. The Information Code does not in itself provide a basis; it should, for example, be included in the Electricity Act or Gas Act.[31]

The District Court of Amsterdam ruled that the requesting of personal data about a museum visit to the Stichting Museumkaart by the Tax and Customs Administration is necessary in order to comply with a legal obligation in the context of taxation.[32]

The District Court of The Hague ruled that the use of the so-called ‘e-screener’ of the Ministry of Justice and Security – a digitised questionnaire for determining the risks associated with the granting of a hunting licence or firearms permit – is lawful data processing in order to comply with a legal obligation.[33]

Necessary for a public task

The Court of Appeal of The Hague ruled that data processing as a result of company visits by the ACM serves the public task of supervising compliance with the Competition Act, so that there is a valid legal basis, even if temporarily not necessary personal data are processed.[34]

The Tax Inspector may, among other things, have a will in his possession if this is necessary for the levying of inheritance tax. This information can also be used in the court case that is subsequently conducted about the imposed inheritance tax assessment.[35]

The questioning of training levels of hired personnel in a tender and the subsequent processing of these personal data by the municipality is necessary, among other things, within the framework of the municipality’s public duty as a care purchaser to guarantee the safety, health and welfare of those in need of care. It[36] is permitted for the municipality of Amsterdam to positively value parties who participate in a tender procedure and who pay attention to the role of informal care or membership of the LHBTI+ community. Although this information is proactively requested by tendering parties from informal carers in order to be able to take their situation into account, there is no questioning or recording of LHBTI+ data and this information is never shared with the municipality.[37]

Necessary in the context of a legitimate interest

The court has been asked several times to decide whether a legitimate interest of a party outweighs the privacy interests of data subjects. How judges assess this is particularly interesting now that the AP on 1 November 2019 states in a normative explanation of the ‘legitimate interest’ issued by the AP that the mere serving of purely commercial interests and profit maximisation cannot qualify as a legitimate interest.[38]

According to the Administrative Jurisdiction Division of the Council of State, de “Raad van State” (RvS), the justified interest in protecting property through the use of cameras, some of which are directed at the public road, outweighs the privacy interests of the persons concerned. In this respect it is also important to note that an incident has actually taken place before, that only a small part of the public road is in view and that less far-reaching security measures have proved insufficient.[39]

An investigation into an employee against whom an internal complaint had been lodged is lawful according to the Court of Amsterdam. Data processing in the context of that investigation could therefore take place on the basis of Article 6 paragraph 1 under f GDPR and the claim for a ban on the use of the investigation report fails in preliminary relief proceedings and in the proceedings on the merits.[40] The fact that the agency drawing up the report is not licensed as a private investigative agency is irrelevant here.

The privacy interests of advertisers do not stand in the way of the provision by Facebook of extensive account information to the clothing company Tommy Hilfiger. These are accounts of advertisers who offer, with a business purpose, infringing articles using ads on Facebook and Instagram.[41] In this case, the interests of Tommy Hilfiger and consumers are more important. Although the measure to provide the requested data is in accordance with Facebook’s advertising policy, Facebook ultimately does not want to provide further data without a court order to that effect. A conviction is therefore necessary.

According to the Court of Appeal of Arnhem-Leeuwarden, Dutch Filmworks is entitled to request name and address data in order to tackle illegal downloaders, subject to certain conditions. However, in this specific case no name and address details need to be provided, because Dutch Filmworks does not take sufficient account of the interests of the downloaders.[42]

In another IP case in which name and address details are claimed, the District Court of The Hague wrongly concludes that pursuant to Article 6 paragraph 1 opening words and under f GDPR there is a legal obligation to provide personal data to the claimant[43]. Compliance with one of the legal grounds in art. 6 GDPR (and other conditions from the GDPR) gives the possibility to process personal data, but never an obligation to provide it to third parties. Incorrect is also the way in which the court subsequently assesses whether the plaintiff carefully deals with the rights of the clients of the defendant, an important element in the judgments discussed above. The court is of the opinion that since the plaintiff is a foreign company and a transfer of personal data to a country outside the EU may be based on an exception in art. 49 GDPR, a further balancing of interests is not required. In so doing, the court disregards the requirement that there must first be lawful processing before it can be assessed, as a separate issue, whether a transfer to a country outside the EU is permitted.

The District Court of Limburg asked the parties to weigh up their interests again, but then under the GDPR. The[44] reason for this is that Article 6 paragraph 1 under f GDPR, unlike Article 8 under f Wbp, explicitly mentions the best interests of the child and privacy interests of a child play a role in this case.

Patients can leave their appreciation of a healthcare provider on the website of ZorgkaartNederland. When a doctor is said to be, among other things, a ‘terrible doctor’, the doctor requests that all of her personal data be removed from the website. After weighing up the interests, the District Court of Overijssel concludes that the interests of ZorgkaartNederland should prevail in this case and that it has a legitimate interest in processing the doctor’s details.[45] However, the court is of the opinion that the specific valuation is unlawful.[46]

A housing corporation registers whether tenancy agreements with tenants have been terminated in the past due to, among other things, hemp cultivation and shares this information with other housing corporations. The housing corporation is of the opinion that this is permitted on the basis of the legal basis ‘performance of contract’ or ‘compliance with a legal obligation’. The Court of Appeal of Arnhem-Leeuwarden disagrees with this, but ruled that ‘legitimate interest’ does provide a sufficient basis.[47]

If a hospital wishes to share health data with an external expert without the patient’s consent, this is permitted according to the District Court of Amsterdam on the grounds of the hospital’s legitimate interest in defending itself against the claim that the patient has not received the correct treatment. Due to the fact that the court only refers to article 9 paragraph 2 under f GDPR, it is not clear whether the court is aware that article 9 GDPR only concerns the breach of the ban on processing health data and that the assessment of the lawfulness of the processing requires its own assessment under article 6 paragraph 1 under f GDPR.[48]

Prohibition of processing of special personal data

The Rotterdam District Court ruled that health data may not be provided by the hospital to the professional liability insurer if the latter assesses a medical claim of a person involved. The exception to the ban on processing special personal data in connection with the substantiation of a legal claim does not apply, as these are parties who are still negotiating with each other.[49]

The content of the (Uitvoeringswet GDPR) (U)GDPR is unchanged from the Wbp, the strict requirement is that the Social Security Number, the Burgerservicenummer (BSN), a national identification number as referred to in the GDPR, may only be processed on the basis of an explicit legal basis. According to the District Court of Amsterdam, the State Secretary of Finance also has to respect this when using BSN in the VAT identification number of independent entrepreneurs.[50]

The Court of Amsterdam forbids a retail chain to introduce a fingerprint scanning authorisation system.[51] The exception introduced by the Dutch legislator in the UGDPR to the GDPR’s ban on processing biometric data (for the purpose of unique identification) is not considered applicable. The court attaches importance to the lack of documentation demonstrating that proportionality and subsidiarity have been carefully weighed up. This is necessary on the basis of the extensive accountability introduced in the GDPR.

Genetic personal data (for the purpose of unique identification) also constitute a new category under the GDPR where processing is prohibited in principle. According to the Rotterdam District Court, a hospital successfully invokes this processing ban when a woman requests genetic data from a deceased man who may be her father.[52]

A debt restructuring administrator may process special personal data on behalf of his client if this is necessary to substantiate an exemption from the obligation to work or apply for a job for this client.[53]

Rights of data subjects

Chapter 3 GDPR strengthens data subjects’ rights to achieve a higher level of data protection. Existing rights have been strengthened and new rights added.

The right to restrict data processing and the right to data portability are hardly addressed in case law. The District Court of Oost-Brabant almost unnecessarily devotes a consideration to the right to restrict processing by also assessing a request for the destruction of personal data on the basis of Article 18 GDPR.[54]

There is also little litigation on the rectification of data. In a dispute of principle about the application for an amended BSN, due to the processing of the BSN in the VAT identification number of self-employed, this right seems to be invoked although it is not explicitly requested. The District Court of The Hague ruled that there is no legal provision that would allow a request to amend the BSN in cases other than incorrect allocation.[55] This is despite the claimant’s reliance on the AP’s earlier opinion that the inclusion of the BSN in the VAT identification number of self-employed persons is contrary to the (U)GDPR.

Right of access

In his extensive analysis of the right of inspection under the Wbp, the Advocate General of the Supreme Court notes that the objective of the right of inspection under the GDPR has not changed compared to the Privacy Directive.[56] Continuity therefore characterizes the case law on the right of inspection under the GDPR. Several judges explicitly state that the case law on the right of inspection under the Privacy Directive also applies under the GDPR.[57]

The ‘old’ case law referred to includes the notion that the concept of personal data should be interpreted broadly,[58] but that this does not yet mean that internal notes containing the personal thoughts of staff members need to be made available for inspection [59]and that a legal analysis is not personal data. With regard to access to[60] internal notes, the Court of Appeal of The Hague notes that the GDPR has no exception in this respect and that, in principle, the person concerned is also entitled to access these documents.[61] Thus, internal memoranda are not categorically excluded from the right of inspection, but inspection must be restricted, for example by making them anonymous, insofar as this is necessary to protect the rights and freedoms of others.

With reference to previous case law and the intention of the legislator, the answer to the question whether the GDPR right of inspection entitles the holder to copies is in the negative.[62] The right to a ‘copy’ from Art. 15 paragraph 3 GDPR refers to a copy of the personal data and not to a copy of the document in which these personal data are contained.

What is interesting are the rulings on whether an applicant should specify his or her request for inspection. Recital 64 of the GDPR states that a data controller, who processes a large amount of personal data, must ‘be able to request the data subject to specify to which information or which processing activities the request relates‘. Is the data subject obliged to comply with this? The District Courts of Noord-Holland and Amsterdam thought so.[63] When complying with a request for inspection requires a great deal of effort, the data controller may sometimes suffice with selections from available data and a ‘random’ approach, because otherwise the search would be too costly.[64]

Another practical issue is whether the data controller should provide personal data that can be assumed to have already been received by the data subjects. The District Court of Rotterdam considers this to be the case (personnel file), because familiarity with data is not an exception to the right of inspection as referred to in article 41 (U)GDPR[65]. In short, the District Court of Noord-Nederland holds that the applicant is entitled to a copy (in italics authors) of the personnel file, even if the defendant argues that the applicant already has some documents at his disposal.[66] The District Courts of The Hague and Noord-Holland held that clarification may be requested (procedural files).[67]

When two separate requests for inspection by Volkert van der G. to the Minister for Legal Protection and to the Minister for Justice and Security are answered with a letter signed only by the former, the Council of State is of the opinion that this letter cannot (also) be regarded as a letter from the latter. In the absence of a timely decision, the Minister for Justice and Security, who, in addition to the Minister for Legal Protection, is to be regarded as independently responsible for processing, will be required to pay a penalty of EUR 1260.[68]

If an applicant makes an application for removal or correction for the first time during his appeal against the decision for access, the administrative authority need not include such new applications in its reconsideration. The data subject shall submit a separate application to that effect.[69]

If requests for inspection under the Wbp are insufficiently dealt with, the GDPR must be applied by a new decree after 25 May 2018.[70]

Under normal circumstances, the provision of personal data in response to a request for inspection should be free of charge.[71]

Right of data erasure and objection

The right to erasure of data is the subject of much litigation. The procedures often concern the removal of BKR registrations or search results from Google. With the exception of one request, all requests analysed are based on Article 17 paragraph 1 under c of the GDPR (data erasure due to an objection pursuant to Article 21 of the GDPR). In doing so, the court weighs up the interests involved, whereby only compelling legitimate grounds of the data controller can be grounds for refraining from removal.[72]

 

Lender registers

When assessing requests for removal of a BKR[73], EVR[74]or IVR[75]registration, almost all judges carry out a proportionality and subsidiarity test with reference to the Santander judgment of the Supreme Court.[76] This 2011 judgment states that any processing of personal data must be subject to a balancing of interests, irrespective of the ground on which the processing is based. This assessment must be made on the basis of the facts and circumstances known at the time of the assessment (ex-nunc). The breach of the data subject’s interests must be proportionate to the purpose of the processing (proportionality) and this purpose cannot reasonably be achieved by any other means, less harmful to the data subject (subsidiarity). Relevant circumstances to determine whether a record should be deleted are: the extent of the debt, compliance with the payment schedule, the reason for the debt and the degree of culpability, the current financial situation of the data subject and, if it is stable again, how long it has been so, any other debts, whether there is a serious or structural default, a particular interest in buying a house and the expiry of the time after the debt has been repaid.[77] Moreover, many courts consider that the latter circumstance – the lapse of time – takes precedence over other circumstances.[78]

If it is assumed that credit registration takes place on the basis of a statutory obligation, art. 17 GDPR (data erasure) and art. 21 GDPR (objection) do not apply at all. In such cases, the court will examine requests for deletion and objections to data processing solely on the basis of the proportionality and subsidiarity tests set out in the Santander judgment just cited.[79]

In cases where the lender was (deliberately) misinformed by the data subject, the removal claim was rejected.[80] Some courts, while rejecting the application for expulsion, limit the duration of the registration.[81] The Rotterdam District Court reviewed a request for removal from an incident register only in the light of the applicable protocol on the Incidents Alert System for Financial Institutions.[82]

Google judgements

Requests for removal of search results from an online search engine shall be subject to a balancing of the interests of the data subject’s privacy against the interests of the search engine operator and the public’s right to freedom of expression. Previously, the ECJ EU[83] and the Supreme Court ruled[84] that, in principle, the privacy interests of the data subject outweigh the economic interests of the search engine operator and the public interest in being informed. This may be different in special cases. Those special circumstances should be stated by the search engine operator. Many lower courts refer to these judgments. Review is ex-nunc.

Circumstances that may result in the interest of the search engine operator being overridden are the role of the data subjects in public life, his professional capacity, the interest of the public in being informed and the accuracy of the source publication.[85] The regime for unlawful publications is thus almost entirely incorporated in the assessment. In proceedings concerning publications concerning disputes with the municipality[86] and disputes concerning professional integrity[87], the interests of the search engine operator and the public are in any case more important. Case law also gives weight to the question of whether the processing of personal data is factually incorrect, incomplete or irrelevant when invoking the right to erroneous data.[88]

 

Although case law has ruled that disciplinary data as such does not fall under the regime of special or criminal personal data, a judgment of the District Court of Amsterdam draws a parallel with an earlier judgment of the Supreme Court[89] on the processing of criminal data by Google. According to the Supreme Court, the mere fact that someone has been convicted of a criminal offence and that this has been in the public domain does not yet justify the retrievability of those data via Google. According to the Court of Amsterdam, disciplinary data should in that respect be equated with criminal data. These circumstances, too, do not as such justify findability via Google.[90]

This is not to say that disciplinary information should not be published on the Internet at all, as two other rulings by the same court have shown. On the contrary, in those rulings, the court ruled that the nature of the disciplinary information contributes to the public’s interest in being informed.[91] Other relevant circumstances for the question whether search results concerning disciplinary information should be removed are the time elapsed since the imposition of the disciplinary measures and whether the publication period of the disciplinary decision has already expired.[92]

The District Court of Noord-Nederland[93] and the Court of The Hague[94] explicitly ruled – with reference to the ECJ EU GC/CNIL[95] – that the prohibition on processing special or criminal personal data only relates to the ‘own processing of special personal data by the search engine operator, in particular the display of a reference to a source page with personal data in the list of search results (…)’. The operator is therefore not responsible for the fact that special or criminal data are contained in source pages. It is for the operator to consider whether the inclusion of criminal data in the link is necessary in order to protect the freedom of information of internet users. If that is the case, the operator may process the special or criminal data and does not have to delete them by the operator as controller.

Other deletion requests

Other removal requests are directed against municipalities,[96] a housing association,[97] youth aid,[98] the Legal Aid Board,[99] banks[100] and insurers, among others.[101]

Despite the fact that the municipality of Bladel had incorrectly processed the plaintiff’s name, the plaintiff is not entitled to removal, because these data are used by the municipality to substantiate a legal claim.[102]

The forwarding of personal data to other administrative bodies in connection with possible misuse of PDB requests in combination with the collection of periodic penalty payments is not unlawful, because it can be based on a task of general interest.[103] The District Court of Central Netherlands ruled (under the Wbp) that the publication of personal data on the VNG Forum can also be based on this legal basis.[104] The municipalities concerned are not obliged to remove the personal data. In agreement with the municipality of Gemert-Bakel, the District Court of Oost-Brabant is of the opinion that the notice posted by the municipality on the VNG Forum did not contain any personal data of the claimant.[105]

Where insurers do not sufficiently substantiate a legitimate interest in the processing of personal data because of the suspicion of fraud, processing shall be deemed to have taken place without a valid basis. The data had to be removed without, incidentally, specifically indicating on which subsection of Art. 17, subsection 1 GDPR.[106]

If a mother claims that her mother should remove photos of the (grand)children from social media, the District Court of Gelderland ruled that it had not been established that this grandmother’s profiles were so shielded that she could invoke the household exception. The GDPR is therefore applicable. In the absence of permission from the legal representatives to process the personal data of their minor children, the photos of the profile in question must be removed.[107]

Abuse of data subjects’ rights

The right of inspection may be exercised freely and at reasonable intervals. This means that the applicant does not have to give a reason for an application for inspection. On the other hand, the GDPR does protect the controller against applications ‘which are manifestly unfounded or excessive, in particular because of their repetitive nature‘. Such requests may be refused by the data controller pursuant to Article 12(5)(b) of the GDPR. In practice, abuse of the GDPR is often based on Art. 3:13 of the Dutch Civil Code.

If the District Court of the Northern Netherlands finds it plausible that the right of inspection is not exercised for the purpose of verifying whether personal data are correct and are processed lawfully, but for conducting a defence in a court case, this constitutes an abuse of rights[108]. The District Court of Rotterdam ruled that there is an abuse of rights if the applicant frequently submits requests solely to prove his innocence and, if necessary, to start legal proceedings.[109] According to the same court, there is no abuse of rights if the applicant knows that his personal data have been shared by the data controller and the applicant wishes to inspect the content of the shared information and the ‘not imaginary possibility’ exists that the controller has shared more messages about the applicant.[110]

When a dismissed official frequently invokes his GDPR rights vis-à-vis his former employer, this constitutes an abuse of rights, because the requests only serve to clarify the dismissal and to conduct procedures to obtain rehabilitation. The applicant’s possibilities to exercise his GDPR rights are limited for two years.[111]

Although not explicitly labelled as an abuse of rights, the District Court of The Hague is of the opinion that requesting an e-mail in order to find out in whose order a bankruptcy petition has been filed does not fall within the scope of the GDPR.[112]

Proof

Because a controller can never prove that he does not (or no longer) process personal data, the burden of proof is on the data subject to prove that this is the case. If a data subject is in doubt as to whether his or her request for access has been complied with in full, it is not sufficient to do so without proof.[113] A similar argument applies to the argument that a data controller has not destroyed certain documents.[114] If an administrative body states that it does not (or no longer) have a certain document in its possession, the administrative court will assess whether or not this statement seems ‘implausible’ to it.[115] Sometimes it turns out in retrospect, upon further investigation by the AP, that controllers still have documents in their possession that were denied in a previous request for inspection.[116]

Exceptions

Privacy is an important fundamental right, but not an absolute right. The GDPR offers scope, especially through national law, to limit the protection of personal data in specific situations. Many of these exceptions are included in Chapter 4 of the (U)GDPR.

Art. 43 (U)GDPR (exceptions concerning journalistic or academic, artistic or literary forms of expression) has so far been the most widely used in case law.[117] This exception is successfully invoked to allow TV broadcasts to continue, to[118][119] successfully defend the publication of photographs in a magazine and to justify the use of a person’s voice fragment in a theatre show by Ali B.. After[120] all, each time the judge in these cases, after weighing up the interests, art. 5 and 6 GDPR simply apply, concluding that there is a lawful processing in which journalistic or artistic interests prevail.

Because article 43 paragraph 2 (U)GDPR stipulates that chapter 3 of the GDPR (rights of data subjects, including the right to erasure) does not apply to processing for exclusively journalistic purposes, the court in Amsterdam judges that the petition procedure pursuant to article 35 (U)GDPR is not open to a claimant who complains about the processing of his personal data for exclusively journalistic purposes.[121] After all, this petition procedure is aimed at safeguarding the rights of data subjects.

For the application of art. 24 (U)GDPR (exception to the prohibition to process special personal data for e.g. historical research) it is up to the applicant, who wants access to archive documents in the National Archive, “het Nationaal Archief”, to demonstrate that requesting explicit permission from the persons involved is impossible or requires a disproportionate effort or that it is not possible to obtain proof of death.[122]

Liability and compensation

The GDPR offers the possibility to recover pecuniary and immaterial damages. Recital 146 of the GDPR indicates that the concept of damage ‘must be interpreted broadly in the light of the case law of the ECJ EU in a way that fully reflects the objectives of the GDPR‘. What this means concretely is not yet clear in the absence of ECJ EU case law on this point. In the Netherlands, compensation for (immaterial) damage has already been granted under the GDPR on several occasions.

CaseCompensation awarded
RBOVE:2019:1827EUR 500

Annulment by Council of State:2020:899

RBAMS:2019:6490EUR 250
RBNNE:2020:247EUR 250
Council of State: 2020:898EUR 500

The District Court of Overijssel is the first to award damages under the GDPR. A person involved who has not been informed in time and in full in response to his or her request for inspection will be awarded 500 euros in damages.[123] On appeal, however, the Council of State ruled that there was no serious culpable behaviour with such serious consequences that it must be qualified as an infringement of a fundamental right. Since the plaintiff has not provided any concrete evidence to substantiate the damage he has claimed, his claim for compensation will still be rejected.[124] The Council of State then clarifies in a press release the possibility of claiming damages under the GDPR from the administrative court and at the same time rules in three other cases.[125] In addition to the case just discussed, EUR 500 in damages will be awarded to a claimant whose health records have been wrongly provided to a disciplinary court.[126] Two persons who have not been informed in time as a result of their request for access will not receive compensation. On the[127] basis of these rulings and the explanation given by the Council of State, it can be concluded that the District Court of Central Netherlands has wrongfully declared itself incompetent in a case concerning the rejection of a request for compensation for unlawful data processing by a municipality.[128] The District Court of Oost-Brabant, referring to the judgments of the Council of State, ruled in three cases that there was no right to compensation and also saw no reason to ask preliminary questions, as requested by the applicant.[129]

The District Court of Amsterdam awarded damages of EUR 250 if it appears that the UWV wrongfully sent information about the Illness history of the person concerned to her new employer during a period when her employment contract had to be extended.[130] The court concluded that there was damage as a result of fear and stress, for a period of six weeks, about the risk that her employment contract would not be renewed. It is noteworthy in this judgment that the data subject asks the court, if necessary for the delivery of the judgment, to refer questions to the ECJ EU for a preliminary ruling on the meaning and scope of the concept of damage. However, the court does not consider this to be necessary.

The District Court of the Northern Netherlands also awards damages if a landlord of real estate shares the name and address details of a journalist via Facebook.[131] The court is of the opinion that the data subject has not made it clear what the negative consequences consist of. However, because the concept of damages under the GDPR must be interpreted broadly and the court finds it plausible that there is fear and stress, it considers compensation of 250 euros to be reasonable and fair.

A notary who includes the secret residential address of the sellers of a house in the draft deed of delivery and sends it to the buyers of the house, among other things, does not act unlawfully and does not have to pay compensation under the GDPR.[132]

Procedural law and enforcement

Provisional provision

An urgent interest in the request for removal of a BKR registration is almost always assumed if the plaintiff/requester is hindered by that registration or if the plaintiff/requester has a special interest in the purchase of a house, for example a difficult housing situation.[133]

The District Court of Rotterdam applied a lower threshold and assumed an urgent interest, because registration could potentially have adverse consequences for, e.g. opening a bank account or taking out insurance.[134] However, according to the Arnhem-Leeuwarden Court of Appeal, the general assertion that the plaintiff cannot buy a house without further explanation is insufficient for assuming an urgent interest.[135]

Petition procedure

The petition procedure under Article 35(1) (U)GDPR only allows, according to the letter of the law to submit a limited number of requests. For example, it is not possible to claim an explanation of the law or compensation for damages. Nevertheless, in practice there appears to be a lack of clarity about the possibilities this procedure offers interested parties. As a result, some judges reject a claim on formal points, while others see scope to reach a substantive judgment.[136] Under the GDPR, the judge seems to have become more critical about what can be claimed through this special legal procedure, although the legislative text does not deviate from Section 46 of the Wbp in this respect.

It also appears that there is regular discussion in the courtroom about the period of six weeks that follows from the second paragraph of Article 35 (U)GDPR. Although at first sight this period seems to be a clear criterion, it is not always strictly adhered to by judges.[137] This is the case both in petition proceedings and in summons proceedings. In the latter case, some judges are of the opinion that this deadline does not apply in any case.[138] Other judges do apply this time limit strictly.[139] The Court of Appeal of Amsterdam has ruled that the six-week period also applies in summary proceedings.[140] The District Court of Oost-Brabant is of the opinion that failure to submit a petition or summons in time cannot mean that the rejection of a request can subsequently be challenged by means of summary proceedings.[141]

Both the Court of Appeal of Amsterdam and the Court of Appeal of Arnhem-Leeuwarden are of the opinion that, in principle, the petition procedure does not preclude summary proceedings.[142] This is different if the data subject has allowed the deadline for initiating the petition proceedings to lapse and therefore initiates subpoena proceedings. In that case, the claimant should, in principle, be declared inadmissible. The purpose of the system is to ensure that the parties first try to reach agreement themselves. Thereafter, the data subject has only limited time to submit a rejection to the court in order to prevent a controller from being summoned only after a long period of time. It should also be borne in mind that, in principle, the applicant can make a new request after which the time limit for initiating a petition procedure starts running again. If the data subject nevertheless opts for summary proceedings, he will have to substantiate his urgent interest against the background of art. 21 GDPR and art. 35 UGDPR.

Competence Cbb

In two proceedings the parties lodge an appeal with the Cbb against a decision of the Chamber of Commerce on a request for inspection. The Cbb concludes of its own motion that it has no jurisdiction to deal with the appeal. According to the Cbb, the legislator forgot to include decisions under the GDPR in the so-called ‘Bevoegdheidsregeling bestuursrechtspraak’ (‘competence regulation administrative law’) and referred both cases to the District Court of Rotterdam. The ruling of that court can then be appealed to the Council of State.[143]

Enforcement by AP

During the chronicle period, the AP imposed a fine under the GDPR on the Haga Hospital, the Dutch Tennis Association and the BKR. In respect of a fourth fine imposed by the AP, for unlawful processing of biometric personal data of employees, the Court in preliminary relief proceedings held that, for the time being, the applicant’s name, her address and her registration number with the Chamber of Commerce may not be disclosed in the decision imposing the fine.[144] The BKR appealed and the other parties objected (at least) to the fine imposed. With regard to the fine imposed on the BKR, the Court in preliminary relief proceedings ruled (provisionally) that there had been a breach of the GDPR and that there was no reason not to publish the decision imposing the fine.[145]

The AP has on a number of occasions been involved as a defendant in proceedings following decisions by the AP not to enforce. Three cases were brought before the District Court of Gelderland. This court concluded that the Administrative Court was able to lift the earlier order imposed on the municipality of Arnhem, subject to a penalty payment, because with its new waste registration system the infringement is (further) limited and therefore complies with the principles of proportionality and subsidiarity.[146] The AP has also carried out sufficient investigation into NS’s working method when paying out the balance of an anonymous chip card and does not need to take enforcement action.[147] If a bus company abolishes paying with cash in the bus for the sake of increased security, the court concludes that the measure is necessary and proportionate and that the AP does not have to take enforcement action against it.[148]

According to the District Court of Central Netherlands, the AP is also not obliged to take enforcement action against the manager of the Landelijk Schakelpunt because sufficient technical and organisational safeguards have been put in place, even though the AP found that in some cases no valid consent had been obtained before a patient was registered with the LSP.[149] In the context of the enforcement request against pharmacists, the AP could, in the opinion of the court, only take enforcement action against a pharmacist who reported patients to the LSP without valid authorisation. This was because the registration procedure was not on a large scale incorrect and unverifiable.[150]

Conclusion

The rich harvest of rulings makes it clear that the GDPR has made a flying start in court with much lower jurisdiction and some important rulings from Luxembourg. As is to be expected, many rulings are very case sensitive. For even more judgments of principle, we are waiting for rulings from the Supreme Court and the ECJ EU. During[151] the chronicle period, no use was made of the possibility of putting preliminary questions to the ECJ EU, although the interpretation of, for example, the concept of damages in the GDPR seems to give cause for this.[152] It is striking that especially lower courts sometimes seem to be struggling with the correct application of the GDPR.

What else stands out? The right to data erasure dominates the judiciary in absolute numbers, and there is a lot of litigation about the right of access as well. Other rights of those involved play little or no role in the administration of justice. There has also been little litigation to date about the GDPR’s broad accountability, including the stricter duty to provide information for the controller. A potentially interesting ruling on this point could follow the petition submitted by four Uber drivers to the District Court in Amsterdam. It[153] could also change just like that when the AP imposes a fine on this point. To date, only a few fines have been imposed and those fines have only led to very limited case law. That is bound to change in the coming period, because the fines are so high that objections and appeals are tempting for the parties who have been fined.

Finally, it is noteworthy that although the first judgments on damages under the GDPR have appeared, this has not yet led to the award of substantial damages. Perhaps the AP’s position – that a purely commercial interest does not constitute a legitimate interest within the meaning of the GDPR – will lead to a substantial increase in the number of applications for compensation. Certainly in combination with the further expansion of the possibility of bringing mass claims, this is not inconceivable.

What seems certain is that there will be plenty of news to report next time.

[1] For this reason, for example, the judgment on the System of Risk Indication (SyRI) of the District Court of The Hague is not discussed in this chronicle, see ECLI:NL:RBDHA:2020:865.

[2] Administrative Jurisdiction Division of the Council of State 22 January 2020, ECLI:NL:RVS:2020:174, para. 3.4.

[3] District court of Zeeland-West Brabant 5 July 2018, ECLI:NL:RBZWB:2018:4139, para. 4.7.

[4] District court of Amsterdam 13 June 2019, ECLI:NL:RBAMS:2019:4140, para. 12.

[5] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281).

[6] CJEU 17 July 2014, C-141/12 and C-372/12, ECLI:EU:C:2014:2081 (IND), following questions referred for a preliminary ruling by the Administrative Jurisdiction Division of the Council of State 24 December 2014, ECLI:NL:RVS:2014:4626 and Administrative Jurisdiction Division of the Council of State 24 December 2014, ECLI:NL:RVS:2014:4631.

[7] Court of The Hague 17 September 2019, ECLI:NL:GHDHA:2019:2398, para 4.13 with reference to the ECJ EU 20 December 2017, C-434/16, ECLI:EU:C:2017:994 (Peter Nowak/Data Protection Commissioner).

[8] District court of The Hague 2 May 2019, ECLI:NL:RBDHA:2019:5110, para. 4.2.

[9] District court of Noord-Nederland 23 April 2019, ECLI:NL:RBNNE:2019:3761, para. 6 and District court of Noord-Nederland 23 April 2019, ECLI:NL:RBNNE:2019:3762, para. 6.

[10] District court of Midden-Nederland 5 November 2019, ECLI:NL:RBMNE:2019:5275, para. 8.

[11] District court of Amsterdam 22 March 2018, ECLI:NL:RBAMS:2018:3355, para. 4.4 and District court of Amsterdam 19 July 2018, ECLI:NL:RBAMS:2018:8606, para. 4.5.

[12] Amsterdam 19 July 2018, ECLI:NL:RBAMS:2018:8606, para. 4.5; Amsterdam 25 September 2019, ECLI:NL:RBAMS:2019:8329, para. 6.3; Amsterdam 23 December 2019, ECLI:NL:RBAMS:2019:9887, para. 4.14-4.18.

[13] District court of Amsterdam 23 December 2019, ECLI:NL:RBAMS:2019:9887, para. 4.8.

[14] Supreme Court 29 May 2009, ECLI:NL:HR:2009:BH4720.

[15]Court of appeal Arnhem-Leeuwarden 28 April 2020, ECLI:NL:GHARL:2020:3374, para. 5.26.

[16] District court of Oost-Brabant 25 March 2019, ECLI:NL:RBOBR:2019:1647, para. 7.

[17] District court of Noord-Nederland 20 December 2018, ECLI:NL:RBNNE:2018:5385, para. 5.1.

[18] ECJ EU 5 June 2018, C-210/16, ECLI:EU:C:2018:388 (Wirtschaftsakademie Schleswig-Holstein); ECJ EU 10 July 2018, C-25/17, ECLI:EU:C:2018:551 (Jehovan todistajat); ECLI:EU 29 July 2019, C-40/17, ECLI:EU:C:2019:629 (Fashion ID).

[19] ECLI:EU:29 July 2019, C-40/17, ECLI:EU:C:2019:629 (Fashion ID), p.o. 70-74.

[20] District court of Midden-Nederland 3 April 2019, ECLI:NL:RBMNE:2019:2134, para. 5.

[21] ECLI:EU:C:2019:801 (Planet49), para.s 61-62.

[22] District court of Midden-Nederland 6 June 2018, ECLI:NL:RBMNE:2018:3788, para. 4.3.

[23] District court of Midden-Nederland 10 June 2020, ECLI:NL:RBMNE:2020:73, para. 8-9.

[24] District court of Midden-Nederland 10 January 2020, ECLI:NL:RBMNE:2020:74, para. 6.

[25] District court of Noord-Nederland 28 April 2020, ECLI:NL:RBNNE:2020:1828, para. 2.4.5-2.4.6.

[26] District court of Gelderland 19 December 2019, ECLI:NL:RBGEL:2019:5934, para. 4.14-4.15; Court of appeal Arnhem-Leeuwarden 17 December 2019, ECLI:NL:GHARL:2019:10906, para. 5.9.

[27] District court of Midden-Nederland 26 March 2020, ECLI:NL:RBMNE:2020:1107.

[28] District court of Oost-Brabant 10 July 2019, ECLI:NL:RBOBR:2019:4091, para. 4.13.

[29] Collective Act Data Protection (“Verzamelwet gegevensbescherming”), art. 68a Bankruptcy Act (“Faillisementswet”), internetconsultatie.nl 20 May 2020, internetconsultatie.nl/verzamelwetgegevensbescherming (consulted on 10 July 2020).

[30] District court of Rotterdam 27 August 2018, ECLI:NL:RBROT:2018:7943, para. 3.2.

[31] Board of Appeal and Industry 14 January 2020, ECLI:NL:CBB:2020:3, para. 4.3.

[32] District court of Amsterdam 15 November 2018, ECLI:NL:RBAMS:2018:8138, para. 4.11.

[33] District court of The Hague 11 February 2020, ECLI:NL:ISDHA:2020:1013, para. 4.25.

[34] Court of appeal The Hague 12 February 2019, ECLI:NL:GHDHA:2019:470, para. 4.59-4.60.

[35] District court of The Hague 8 March 2019, ECLI:NL:RBDHA:2019:2844, para. 15.

[36] District court of Noord-Nederland 13 December 2019, ECLI:NL:RBNNE:2019:5168, para. 4.21; District court of Noord-Nederland 16 December 2019, ECLI:NL:RBNNE:2019:5195, para. 4.6.

[37] District court of Amsterdam 30 July 2019,ECLI:NL:RBAMS:2019:5589, 4.13-4.23.

[38] Dutch Data Protection Authority, Guidance for lawful processing ‘Legitimate interest‘, 1 November 2019.

[39] The Dutch Data Protection Authority had also reached this conclusion earlier and therefore decided not to take enforcement action against it. This was the reason for the court case in the first instance (District court of Midden-Nederland 12 March 2019, ECLI:NL:RBMNE:2019:2725, para. 3). The assessment of the lawfulness of this camera surveillance and non-enforcement by the Dutch Data Protection Board was subsequently upheld on appeal: Administrative Jurisdiction Division of the Council of State 26 February 2020, ECLI:NL:RVS:2020:594, para. 5.1.

[40] District court of Amsterdam 10 October 2018, ECLI:NL:RBAMS:2018:7398, para. 4.9; District court of Amsterdam 21 March 2019, ECLI:NL:RBAMS:2019:2166, para. 4.8.

[41] District court of Amsterdam 21 December 2018, ECLI:NL:RBAMS:2018:9362, 4.16.

[42] District court of Midden-Nederland 8 February 2019, ECLI:NL:RBMNE:2019:423, para. 4.23, confirmed on appeal by Court of appeal Arnhem-Leeuwarden 5 November 2019, ECLI:NL:GHARL:2019:9352, para. 5.18-5.22.

[43] District court of The Hague 30 April 2020, ECLI:NL:ISDHA:2020:3980, 4.17.

[44] District court of Limburg 15 August 2018, ECLI:NL:RBLIM:2018:8016, para. 4.14-4.15.

[45] District court of Overijssel 9 October 2019, ECLI:NL:RBOVE:2019:3755, 4.17.

[46] District court of Overijssel 9 October 2019, ECLI:NL:RBOVE:2019:3754, 4.8.

[47] Court of appeal Arnhem-Leeuwarden 28 April 2020, ECLI:NL:GHARL:2020:3374, para. 5.28.

[48] District court of Amsterdam 18 March 2020, ECLI:NL:RBAMS:2020:2200, para. 4.5.

[49] District court of Rotterdam, 10 April 2020, ECLI:NL:RBROT:2020:3430, para. 4.6-4.9.

[50] District court of Amsterdam 28 March 2019, ECLI:NL:RBAMS:2019:2295, para. 10.3.

[51] District court of Amsterdam 12 August 2019, ECLI:NL:RBAMS:2019:6005, para. 26.

[52] District court of Rotterdam 12 December 2019, ECLI:NL:RBROT:2019:9757, para. 4.9.

[53] District court of Overijssel 17 December 2019, ECLI:NL:RBOVE:2019:5057.

[54] District court of Oost-Brabant 27 July 2018, ECLI:NL:RBOBR:2018:3609, para. 9.

[55] District court of The Hague 21 March 2020, ECLI:NL:RBDHA:2020:2918, para. 6.

[56] Opinion A-G B.J. Drijber ECLI:NL:PHR:2018:1273, para 3.10 and confirmed in Supreme Court 21 December 2018, ECLI:NL:HR:2018:2378.

[57] District court of The Hague 10 October 2019, ECLI:NL:RBDHA:2019:13029, para. 4.3; Amsterdam 20 June 2019, ECLI:NL:RBAMS:2019:4418, para. 4.6; Rotterdam 21 January 2020, ECLI:NL:RBROT:2020:483, para. 3.4.

[58] District court of Noord-Holland 23 May 2019, ECLI:NL:RBNHO:2019:4283, para. 4.5; District court of Amsterdam 20 June 2019, ECLI:NL:RBAMS:2019:4418, para. 4.7 in line with ECJ EU 20 December 2017, C-434/16, ECLI:EU:C:2017:994 (Peter Nowak/ Data Protection Commissioner).

[59] District court of The Hague 10 October 2019, ECLI:NL:RBDHA:2019:13029, para. 4.8; District court of Noord-Holland 23 May 2019, ECLI:NL:RBNHO:2019:4283, para. 4.10 in line with Supreme Court 29 June 2007, ECLI:NL:HR:2007:AZ4663.

[60] District court of Noord-Holland 23 May 2019, ECLI:NL:RBNHO:2019:4283, para. 4.10 in line with ECJ EU 17 May 2014, C-141/12 and C-372/12, ECLI:EU:C:2014:2081 (IND).

[61] Court of appeal The Hague 17 September 2019, ECLI:NL:GHDHA:2019:2398, para. 4.21.

[62]District court of The Hague 10 October 2019, ECLI:NL:RBDHA:2019:13029, para. 4.5; Court of appeal The Hague 17 September 2019, ECLI:NL:GHDHA:2019:2398, para. 4.19; District court of Rotterdam 21 January 2020, ECLI:NL:RBROT:2020:515, para. 4.5; District court of Noord-Holland 23 May 2019, ECLI:NL:RBNHO:2019:4283, para. 4.6; District court of Amsterdam 20 June 2019, ECLI:NL:RBAMS:2019:4418, para. 4.8; District court of Rotterdam 21 January 2020, ECLI:NL:RBROT: 2020:483, para. 3.5; District court of Amsterdam 20 June 2019, ECLI:NL:RBAMS:2019:4404, para. 4.8.

[63] District court of Noord-Holland 23 May 2019, ECLI:NL:RBNHO:2019:4283, para. 4.17; District court of Amsterdam 20 June 2019, ECLI:NL:RBAMS:2019:4404, para. 4.11; District court of Amsterdam 20 June 2019, ECLI:NL:RBAMS:2019:4418, para. 4.11.

[64] District court of Amsterdam 20 June 2019, ECLI:NL:RBAMS:2019:4418, 4.15-4.16.

[65] District court of Rotterdam 21 January 2020, ECLI:NL:RBROT:2020:515, 4.7.

[66] District court of Noord-Nederland 7 May 2020, ECLI:NL:RBNNE:2020:2048, para. 4.2 and 4.11.1.

[67] District court of The Hague 31 August 2018, ECLI:NL:RBDHA:2018:10910, para. 4.6.

[68] Administrative Jurisdiction Division of the Council of State 29 April 2020, ECLI:NL:RVS:2020:1149, para. 4-6.

[69] District court of Rotterdam 13 March 2020, ECLI:NL:RBROT:2020:2460, para. 5.

[70]District court of Rotterdam 24 January 2019, ECLI:NL:RBROT:2019:4928, para. 7.3 and Administrative Jurisdiction Division of the Council of State 22 January 2020, ECLI:NL:RVS:2020:180, para. 4.3.

[71] District court of The Hague 2 May 2019, ECLI:NL:RBDHA:2019:5110, 4.1, 4.3.

[72] Court of appeal Arnhem-Leeuwarden 14 January 2020, ECLI:NL:GHARL:2020:263, para. 4.7.

[73] The register of Stichting BKR (Bureau Krediet Registratie) in which every loan above a threshold amount granted by lenders in the Netherlands is recorded.

[74] The external referral register (EVR) maintained by financial institutions, in which it is recorded which (legal) persons are involved in an incident of such a nature that other financial institutions should also be able to take note of it.

[75] The internal referral register (IVR) maintained by financial institutions, in which it is recorded which (legal) persons are involved in an incident so that bank employees of the financial institution concerned can take note of it.

[76] Supreme Court 9 September 2011, ECLI:NL:HR:2011:BQ8097, para. 4.7-4.9 (Santander).

[77] District court of The Hague 7 March 2019, ECLI:NL:RBDHA:2019:4323, para. 4.9; District court of Zeeland-West-Brabant 2 April 2019, ECLI:NL:RBZWB:2019:1336, para. 4.8 et seq; District court of Amsterdam 30 May 2019, ECLI:NL:RBAMS:2019:3858, para. 4.8 and following; District court of Midden-Nederland, 15 July 2019, ECLI:NL:RBMNE:2019:3644, para. 2.8; District court of Amsterdam 7 June 2019, ECLI:NL:RBAMS:2019:4363, para. 4.7-4.10; District court of Amsterdam 18 July 2019, ECLI:NL:RBAMS:2019:5182, para. 4.6; District court of Amsterdam 20 November 2018, ECLI:NL:RBAMS:2018:8257, para. 4.7-4.9; District court of Midden-Nederland 30 November 2018, ECLI:NL:RBMNE:2018:6641, para. 4.5-4.14; Court of appeal Den Haag 24 September 2019, ECLI:NL:GHDHA:2019:2458, para. 3.2-3.15; District court of Amsterdam 26 September 2019, ECLI:NL:RBAMS:2019:7103, para. 4.1-4.5; District court of Zeeland-West-Brabant 21 October 2019, ECLI:NL:RBZWB:2019:4846, para. 3.16-3.22; District court of Amsterdam 31 October 2019, ECLI:NL:RBAMS:2019:8135, para. 4.10-4.14; District court of Midden-Nederland 6 November 2019, ECLI:NL:RBMNE:2019:5203, para. 3.8-3.16; The Hague 13 December 2019, ECLI:NL:RBDHA:2019:13444, para. 4.11-4.14; Amsterdam 17 October 2019, ECLI:NL:RBAMS:2019:7705, para. 4.11-4.12; District court of Noord-Nederland 11 March 2019, ECLI:NL:RBNNE:2019:5798, para. 4.7-4.11; Court of appeal Arnhem-Leeuwarden 28 April 2020, ECLI:NL:GHARL:2020:3464, para. 4.6.

[78] See for example District court of Amsterdam 17 October 2019, ECLI:NL:RBAMS:2019:7705, para. 4.12.

[79] See for example Court of appeal Arnhem-Leeuwarden 3 December 2019, ECLI:NL:GHARL:2019:10345, para. 4.9-4.15.

[80] Court of appeal Arnhem-Leeuwarden 14 January 2020, ECLI:NL:GHARL:2020:263, para. 4.1-4.8; District court of Amsterdam 8 January 2020, ECLI:NL:RBAMS:2020:62, para. 4.7-4.8.

[81] See for example District court of Noord-Nederland 11 March 2019, ECLI:NL:RBNNE:2019:5798, para. 4.11; Court of appeal Arnhem-Leeuwarden 14 January 2020, ECLI:NL:GHARL:2020:263, para. 4.11.

[82] District court of Rotterdam 6 January 2020, ECLI:NL:RBROT:2020:211, para. 4.5-4.15.

[83] ECLI:EU:C:2014:317 (Google Spain/AEPD and Mario Costeja González).

[84] Supreme Court 24 February 2017, ECLI:NL:HR:2017:316 (X/Google judgment).

[85] District court of Rotterdam 7 February 2019, ECLI:NL:RBROT:2019:948 para. 4.11-4.12; Court of appeal Den Haag 16 April 2019, ECLI:NL:GHDHA:2019:1472 para. 4.14-4.27; District court of The Hague 28 June 2019, ECLI:NL:RBDHA:2019:6302 para. 2.20-2.31; District court of Amsterdam 23 December 2019, ECLI:NL:RBAMS:2019:9887, para. 4.16-4.20.

[86] District court of Rotterdam 7 February 2019, ECLI:NL:RBROT:2019:948 para. 4.10-4.12; District court of The Hague 28 June 2019, ECLI:NL:RBDHA:2019:6302 para. 2.20-2.31.

[87] Court of appeal Den Haag 16 April 2019, ECLI:NL:GHDHA:2019:1472 para. 4.14-4.27; District court of Amsterdam 22 March 2018, ECLI:NL:RBAMS:2018:3355, para. 4.19; District court of Gelderland 22 October 2018, ECLI:NL:RBGEL:2018:5600, 4.12; District court of Midden-Nederland, ECLI:NL:RBMNE:2018:5594 para. 4.17.

[88] District court of Amsterdam 22 March 2018, ECLI:NL:RBAMS:2018:3355 para. 3.3; The Hague 28 June 2019, ECLI:NL:RBDHA:2019:6302, para. 2.21; Amsterdam 19 July 2018, ECLI:NL:RBAMS:2018:8606, para. 4.7-4.10; District court of Midden-Nederland 14 November 2018, para. 4.16, ECLI:NL:RBMNE:2018:5594; District court of Noord-Nederland 12 December 2019, ECLI:NL:RBNNE:2019:5169 para. 6.12.

[89] Supreme Court HR 24 February 2017, ECLI:NL:HR:2017:316 (X/Google judgment).

[90] District court of Amsterdam 19 July 2018, ECLI:NL:RBAMS:2018:8606, para. 4.12.

[91] District court of Amsterdam 25 September 2019, ECLI:NL:RBAMS:2019:8329, para. 6.3; District court of Amsterdam 23 December 2019, ECLI:NL:RBAMS:2019:9887, para. 4.14 to 4.18.

[92] District court of Amsterdam 23 December 2019, ECLI:NL:RBAMS:2019:9887, para. 4.20.

[93] District court of Noord-Nederland 12 December 2019, ECLI:NL:RBNNE:2019:5169, para. 6.8 and 6.13.

[94] Court of appeal The Hague 24 December 2019, ECLI:NL:GHDHA:2019:3539, para. 4.4.

[95] ECLI:EU:C:2019:772 (Google/CNIL).

[96] District court of Oost-Brabant 25 March 2019, ECLI:NL:RBOBR:2019:1647; District court of Oost-Brabant 27 July 2018, ECLI:NL:RBOBR:2018:3609; District court of Midden-Nederland 15 November 2019, ECLI:NL:RBMNE:2019:5430.

[97] District court of Noord-Holland 22 August 2019, ECLI:NL:RBNHO:2019:7724.

[98] Court of appeal Arnhem-Leeuwarden 10 September 2019, ECLI:NL:GHARL:2019:7410.

[99] Rotterdam 18 March 2020, ECLI:NL:RBROT:2020:2256; Rotterdam 18 March 2020, ECLI:NL:RBROT:2020:2257.

[100] Court of appeal Amsterdam 3 September 2019, ECLI:NL:GHAMS:2019:3232; The Hague Court of Appeal 2 April 2020, ECLI:NL:RBDHA:2020:3139.

[101] District court of Midden-Nederland 3 April 2019, ECLI:NL:RBMNE:2019:2134; District court of Rotterdam 7 August 2019, ECLI:NL:RBROT:2019:6448.

[102] District court of East Brabant 25 March 2019, ECLI:NL:RBOBR:2019:1647, para. 8; District court of East Brabant 27 July 2018, ECLI:NL:RBOBR:2018:3609, para. 8.

[103] District court of Midden-Nederland 9 April 2020, ECLI:NL:RBMNE:2020:1487, para. 10-12; District court of Oost-Brabant 28 April 2020, ECLI:NL:RBOBR:2020:2729, para. 2-4; District court of Oost-Brabant 28 April 2020, ECLI:NL:RBOBR:2020:2437, para. 6.3.

[104] District court of Midden-Nederland 15 November 2019, ECLI:NL:RBMNE:2019:5430, para. 6.4

[105] District court of Oost-Brabant 28 April 2020, ECLI:NL:RBOBR:2020:2730, para. 5-6.

[106] Court of appeal The Hague 7 April 2020, ECLI:NL:GHDHA:2020:559, para. 2.14-2.28; Rotterdam Court of Appeal 7 August 2019, ECLI:NL:RBROT:2019:6448, para. 4.20; Amsterdam Court of Appeal 13 February 2020, ECLI:NL:RBAMS:2020:838, para. 3.2 and 4.3.

[107] District court of Gelderland 13 May 2020, ECLI:NL:RBGEL:2020:2521, para. 4.5 and 4.6.

[108] District court of Noord-Nederland 23 April 2019, ECLI:NL:RBNNE:2019:3761, para. 6; District court of Noord-Nederland 23 April 2019, ECLI:NL:RBNNE:2019:3762, para. 6 hereby referring to a judgment of the Administrative Jurisdiction Division of the Council of State 6 February 2019, ECLI:NL:RVS:2019:347 (a similar issue under the Wbp).

[109] District court of Rotterdam 21 January 2020, ECLI:NL:RBROT:2020:483, para. 3.7; District court of Rotterdam 21 January 2020, ECLI:NL:RBROT:2020:515, para. 4.8.

[110] District court of Rotterdam 27 May 2019, ECLI:NL:RBROT:2019:4265, para. 8.3.

[111] District court of Limburg 5 September 2019, ECLI:NL:RBLIM:2019:10535, para. 4.4 and 5.2. For the administrative settlement of this case, see Administrative Jurisdiction Division of the Council of State 6 November 2019, ECLI:NL:RVS:3750 and Administrative Jurisdiction Division of the Council of State 6 November 2019, ECLI:NL:RVS:3754.

[112] District court of The Hague 31 August 2018, ECLI:NL:RBDHA:2018:10910, para. 4.9.

[113] District Court of Amsterdam 20 June 2019, ECLI:NL:RBAMS:2019:4418, para. 4.18; District Court of Amsterdam 21 March 2019, ECLI:NL:RBAMS:2019:2166, para. 4.35.

[114] Administrative Jurisdiction Division of the Council of State 13 November 2019, ECLI:NL:RVS:2019:3848, para. 5.

[115] District Court of Amsterdam Rotterdam 19 March 2020, ECLI:NL:RBROT:2020:2460, para. 7; Administrative Jurisdiction Division of the Council of State 26 February 2020, ECLI:NL:RVS:2020:591, para. 5.1.

[116] District court of Zeeland-West Brabant 20 March 2020, ECLI:NL:RBZWB:2020:1326, para. 3.1.

[117] Art. 43 UGDPR (“Uitvoeringswet AVG”) implements art. 85 GDPR. Art. 17.3.a GDPR also contains an exception to the right to erasure to the extent that such processing is necessary for the exercise of the right to freedom of expression and information.

[118] District court of Zeeland-West Brabant 5 July 2018, ECLI:NL:RBZWB:4139; Court of appeal Amsterdam 27 September 2018, ECLI:NL:GHAMS:2018:3546; District court of Amsterdam 26 June 2019, ECLI:NL:RBAMS:2019:4533; District court of Amsterdam 13 March 2020, ECLI:NL:RBAMS:2020:1728.

[119] District court of Amsterdam 12 October 2018, ECLI:NL:RBAMS:2018:7397.

[120] District court of Midden-Nederland 9 January 2020, ECLI:NL:RBMNE:2020:24.

[121] District court of Amsterdam 31 January 2019, ECLI:NL:RBAMS:2019:645, 4.3.

[122] Administrative Jurisdiction Division of the Council of State 29 January 2020, ECLI:NL:RVS:2020:251, para. 4.2.

[123] District court of Overijssel 28 May 2019, ECLI:NL:RBOVE:2019:1827, para. 5-9.

[124] Administrative Jurisdiction Division of the Council of State 1 April 2020, ECLI:NL:RVS:2020:899, para. 26-33.

[125] Administrative Jurisdiction Division of the Council of State ‘Bestuursrechter kan vaker schadevergoeding geven bij schending privacywetgeving door bestuursorganen’, raadvanstate.nl 1 april 2020, raadvanstate.nl/actueel/nieuws/@120666/bestuursrechter-kan-vaker/ (consulted on 26 May 2020).

[126] Administrative Jurisdiction Division of the Council of State 1 April 2020, ECLI:NL:RVS:2020:898. This is an appeal case in which the judgment at first instance was not published. It appears that compensation of EUR 300 was awarded at first instance under the Wbp.

[127] Administrative Jurisdiction Division of the Council of State 1 April 2020, ECLI:NL:RVS:2020:900 and Administrative Jurisdiction Division of the Council of State 1 April 2020, ECLI:NL:RVS:2020:901.

[128] District court of Midden-Nederland 15 November 2019, ECLI:NL:RBMNE:2019:5430, para. 7.2.

[129] District court of Oost-Brabant 28 April 2020, ECLI:NL:RBOBR:2020:2437, para. 7.3-7.4; District court of Oost-Brabant 28 April 2020, ECLI:NL:RBOBR:2729, para. 6.3-6.4; District court of Oost-Brabant 28 April 2020, ECLI:NL:RBOBR:2730, para. 8.3-8.4.

[130] District court of Amsterdam 2 September 2019, ECLI:NL:RBAMS:2019:6490, para. 18.

[131] District court of Noord-Nederland 15 January 2020, ECLI:NL:RBNNE:2020:247, para. 4.104-4.107.

[132] District court of Limburg 26 February 2020, ECLI:NL:RBLIM:2020:1761, para. 4.5.12.

[133] District court of Amsterdam 29 May 2019, ECLI:NL:RBAMS:2019:3857, para. 4.12.4; District court of Amsterdam 7 June 2019, ECLI:NL:RBAMS:2019:4363, para. 4.10-4.13; District court of Amsterdam 18 July 2019, ECLI:NL:RBAMS:2019:5182, para. 2.8, 4.1-4.6; District court of Midden-Nederland 30 November 2018, ECLI:NL:RBMNE:2018:6641, para. 4.14.

[134] District court of Rotterdam, 6 January 2020, ECLI:NL:RBROT:2020:211, para. 4.2.

[135] Court of appeal Arnhem-Leeuwarden 7 January 2020,ECLI:NL:GHARL:2020:126, para. 5.9.

[136] District court of Overijssel 9 October 2019, ECLI:NL:RBOVE:2019:3755; Court of appeal Amsterdam 5 November 2019, ECLI:NL:GHAMS:2019:3966; District court of Den Haag 28 February 2018, ECLI:NL:RBDHA:2019:1988.

[137] District court of Noord-Nederland 13 March 2017, ECLI:NL:RBNNE:2017:877, para. 4.1-4.4; District court of Midden-Nederland 29 May 2019, ECLI:NL:RBMNE:2019:2434, para. 3.3.; District court of Overijssel 9 October 2019, ECLI:NL:RBOVE:3755, para. 4.5.

[138] District court of Rotterdam 27 August 2018, ECLI:NL:RBROT:2018:7070, para. 4.5, following the Court of appeal The Hague 15 December 2015, ECLI:NL:GHDHA:2015:3815.

[139] District court of The Hague 28 February 2019, ECLI:NL:RBDHA:1988, para. 4.9.

[140] Court of appeal Amsterdam 19 December 2017, ECLI:NL:GHAMS:2017:5289, para. 3.5-3.6; Court of appeal Amsterdam 5 November 2019, ECLI:NL:GHAMS:2019:3966, para. 3.4.5.

[141] District court of Oost-Brabant 7 May 2020, ECLI:NL:RBOBR:2020:2534, para. 4.4.

[142] Court of appeal Arnhem-Leeuwarden, 7 January 2020, ECLI:NL:GHARL:2020:126 para. 5.8 and 5.9 and Court of appeal Amsterdam, 5 November 2019, ECLI:NL:GHAMS:2019:3966, para. 3.4.4-3.4.6.

[143] Board of Appeal for Industry 21 April 2020, ECLI:NL:CBB:2020:297 and Board of Appeal for Industry 21 April 2020, ECLI:NL:CBB:2020:298.

[144] District court of Limburg 4 March 2020, ECLI:NL:RBLIM:2020:1795, para. 7.

[145] District court of Gelderland 29 June 2020, ECLI:NL:RBGEL:2020:3159, para. 9.5-9.7, 10.

[146] District court of Gelderland 5 September 2019, ECLI:NL:RBGEL:2019:4012, 9.1-9.5.

[147] District court of Gelderland 5 February 2020, ECLI:NL:RBGEL:2020:622, item 4.2.

[148] District court of Gelderland 5 February 2020, ECLI:NL:RBGEL:2020:619, item 7.1.

[149] District court of Midden-Nederland 10 January 2020, ECLI:NL:RBMNE:2020:73, para. 7-9.

[150] District court of Midden-Nederland 10 January 2020, ECLI:NL:RBMNE:2020:74, para. 15.

[151] For example, outside the chronicle period, transfers based on an adequacy decision (specifically the EU-US Privacy Shield) and transfers based on EU model contracts were judged by the Court of Justice of the European Union in ECLI:EU:16 July 2020, C-311/18, ECLI:EU:C:2020:559 (Schrems II).

[152] Just outside the chronicle period is District court of Midden-Nederland 29 May 2020, ECLI:NL:RBMNE:2020:2028 in which the court decides to submit preliminary questions to the Court of Justice of the European Union on the interpretation of the concept of ‘judicial capacity’ in article 55 para. 3 of the GDPR.

[153] ekker.legal/wp-content/uploads/2020/07/Verzoekschrift-Uber-art.-35-UAVG-200720.pdf (consulted on 31 July 2020).