Legal News

Judgement of 01/12/2021 regarding GDPR (General Data Protection Regulation / Dutch AVG) and the right to information about, and the inspection and rectification of personal data

Every person whose personal data is processed has the right to information about the processing of their personal data, and to access, rectify and restrict this. This is stated in the General Data Protection Regulation (GDPR or AVG) and has been in force since 2018.

This fundamental right is enshrined in the Charter of Fundamental Rights of the European Union and the Treaty on the Functioning of the European Union.

In a recent judgement dated 1 December 2021, however, the Markets Court ruled that this fundamental right does not have an absolute effect.

What had happened?
A complainant used her rights to information about, access to, and rectification and restriction of the processing of her personal data to obtain information about her tax file. She wanted to have data of a tax nature deleted, in which case the government could potentially prosecute her for tax violations.

According to the Court, the right to complain under the GDPR was being abused here. After all, the complainant in question had a different aim in mind than that for which the right to complain is intended.

In the same judgement, the Court also ruled on the scope of the statutory period under Articles 12.3 and 12.4 GDPR, within which the data controller must provide information to the respective party.

- Article 12.3 GDPR The data controller shall provide the respective party with information on the action taken with regard to the request without delay, and, in any event, within one month of receiving the request pursuant to Articles 15 to 22. Depending on the complexity of the requests and on the number of requests, this term can be extended by a further two months if necessary. The data controller shall notify the respective party of such an extension within one month of receipt of the request, stating the reasons for the delay. If the respective party submits his/her request electronically, the information shall be provided electronically, if possible, unless the respective party requests otherwise.

- Article 12.4 GDPR If the data controller does not act on the respective party's request, he/she shall inform the respective party without delay, and at the latest within one month of receipt of the request, of the reasons for the failure to act, and shall inform the respective party of the possibility of lodging a complaint with a supervisory authority and of lodging an appeal with the courts.

The Court stated that the failure to scrupulously comply with the time limits is in itself a breach, but that the "reasonable time" depends on the concrete circumstances under which the personal data are processed. The term "at the latest" is considered to be an end term if no reasonable justification is given for exceeding it.

The Defensis team is made up of specialised lawyers who will be happy to answer all your questions about your right to information about, access to, and the rectification and limitation of the processing of personal data. This also applies in cases in which you, as a data controller, are confronted with such a request.
We are here for you and your business.