Dutch Supreme court on GDPR civil enforcement of data subjects’ rights, repeating requests and the six-week deadline

In a recent judgment, the Dutch Supreme Court ruled (available in Dutch only) on a number of procedural aspects for the exercise of data subjects’ rights under the General Data Protection Regulation Act (“GDPR“) and the national implementation thereof. This regards the civil enforcement of data subjects’ rights, “repeated” requests and what effect is of the expiration of the six-week period for filing a petition.

Requests from data subjects: Article 12 GDPR and Article 35(2) GDPR Implementation Act

The case concerns a summary proceedings claim for removal of a BKR registration. This is an interesting ruling, as it explains a number of procedural aspects when dealing with requests from data subjects under the (Implementation) GDPR.

Article 12 GDPR explains how requests from data subjects must be dealt with by the controller. The article shows, among other things, a response time (paragraphs 3 and 4) and how to deal with requests that are ‘manifestly unfounded or excessive’ (paragraph 5). A decision by a data controller (not being an administrative body, for which Article 34 GDPR Implementation act applies) can be appealed within six weeks under Article 35(2) of the GDPR Implementation Act.

These cassation proceedings essentially deal with three questions.

  1. Is a repeated application in which no new facts and circumstances are presented manifestly unfounded or excessive by definition?
  2. Can a data subject enforce his or her rights only through a the petition process?
  3. What options does the data subject have after the expiry of the six-week period in Article 35(2) GDPR Implementation Act?

The proceedings at first and second instance

The respondent took out a student loan from ING, but failed to meet her payment obligations. The loan and three particularity codes (including on arrears) are registered with the BKR. She eventually fulfils her debt in full and its registered end date in the BKR is 24 March 2017. 

  • 27 June 2018, the individual requests ING to remove the BKR registration.
  • 23 July 2018 ING rejects the removal request.
  • 7 August 2018, SNS Bank rejected an application for a mortgage loan from the person concerned due to BKR registration.
  • September 4, 2018, the six-week period expires.
  • 30 October 2018, the person concerned claimed removal of the BKR registration in summary proceedings.

The interim relief judge declared the person concerned inadmissible in her claim because the six-week period had expired after 23 July 2018. The court upheld this ruling and considered that after the six-week period had expired, a new objection must in principle first be made. The Court explicitly weighed in that the data subject can object to the processing activities at any time, and thus several times. Should the data subject nevertheless choose the route of summary proceedings after the expiry of the time limit, then – against the background of the purpose of the six-week time limit and the legislative history – an aggravated obligation to put forward evidence applies to the data subject, according to the Court of Appeal.

This judgment is appealed in cassation in the interest of the law. The Supreme Court does not go along with the court and rules as follows.

In short

With this judgment, the Supreme Court explains a number of procedural aspects for implementing data subjects’ rights. In summary, it follows that a repeated request, in which no new facts and circumstances are presented, is not by definition manifestly unfounded or excessive. It becomes different when the controller can demonstrate that the request is manifestly unfounded or excessive.

Moreover, an interested party is free to seek interim relief before, during or after an application procedure. Petition proceedings are coextensive with summary proceedings and therefore do not exclude them.

The expiry of the six-week period in Article 35(2) GDPR Implementation act does not alter the foregoing. If the data subject repeats a request and the controller rejects this request, the six-week period starts again. Moreover, after the expiry of the time limit, no aggravated burden of proof arises for the urgency of a preliminary injunction in summary proceedings.

The various questions are discussed in more detail below.

1. Is a repeated application in which no new facts and circumstances are presented manifestly unfounded or excessive by definition?

It follows from case law that there was uncertainty about how to deal with repeated requests on which the data subject does not establish new facts and circumstances. This came up in particular in the context of the right to object (see more on this in the ‘ chronicle exercise of GDPR rights by data subjects (May 2020-October 2022) ‘). The Supreme Court removes (in part) this uncertainty. Moreover, the Supreme Court rules not only on the right to object, but on the procedural aspects of all data subjects’ rights under Articles 15 to 22 GDPR.

First, based on the recitals, the Supreme Court considers that the GDPR must provide a consistent and high level of protection (ov. 10). Moreover, arrangements must be in place to facilitate data subjects’ exercise of their rights (ov. 59).

The Supreme Court then addresses the specific rights and considers that none of the articles contain a limitation as to the frequency of requests. In any case, it follows from ‘at any time’ in Article 21 GDPR that objections can be made more than once. Moreover, it follows from Article 12(5) GDPR that data subjects can make requests more than once. Indeed, the controller may charge costs or refuse to comply with a request if it is manifestly unfounded or excessive, in particular due to its repetitive nature.

On this basis, the Supreme Court finds that a repeated request by the person concerned, without being based on changed facts or circumstances, is not already manifestly unfounded or excessive.

2. Civil enforcement of data subjects’ rights: summary proceedings vs. Petition proceedings

It follows from Article 261 of the Code of Civil Procedure (“Rv“) that a case must be dealt with as a petition when it follows from the law. When it does not follow from the law, proceedings on the merits should be initiated with a writ of summons. Under Article 254 Rv, an interim relief judge is authorised to grant interim relief when the parties’ interests so require. By its nature, this procedure is not interchangeable with proceedings on the merits (by petition or writ of summons).

The application procedure in Article 35 GDPR Implementation Act is thus exclusive in that, in order to stand up for his rights, the party concerned may not swap the application procedure for proceedings on the merits initiated by a writ of summons. However, this does not alter the fact that the party concerned is free, if it has an urgent interest in doing so, to apply for interim relief in summary proceedings.

3. What options does the data subject have after the expiry of the six-week period in Article 35(2) GDPR Implementation Act?

It follows from the above that repeated applications are thus not necessarily manifestly unfounded or excessive. Moreover, an interested party can choose either the route of an application procedure or summary proceedings. The question then remains as to the effect of the fact that the six-week period has now expired. The Supreme Court discusses two possibilities.

  1. First of all, as explained above, the data subject is free to re-submit the request to the controller. If this is rejected then a new period starts pursuant to Article 35(2) GDPR Implementation Act and the data subject can still start petition proceedings within six weeks of this (second) decision.
  2. In addition, the party concerned is also free to seek interim relief. The substantiation of urgency in this case is not subject to any higher requirements than those normally applicable to interlocutory proceedings.

The data subject thus has the option of bringing an interlocutory application after the six-week period has expired. Of course, the controller is free to argue against this before the interim relief judge that the data subject’s request is manifestly unfounded or excessive. This would then only require more than the mere fact that it is a repeated request.