In late December 2019, the Court of The Hague (Netherlands) published a preliminary reference procedure (see here, in Dutch).  The Court was asked to decide on the scope of the right of access under the GDPR.

The defendant in this case was a bailiff involved in the bankruptcy procedure.  The individual who was target of the bankruptcy procedure requested access to his/her data and a copy of several e-mails.  In response, the bailiff only offered an overview of the e-mails concerned and the personal data they contained, but refused to provide a copy.

The Court decided in favor of the bailiff.  The Court indicated that the right of access under the GDPR is not materially different than under the prior Data Protection Directive, so any precedent under the prior regime was still relevant.  The Court also pointed out that the GDPR does not grant a right to obtain a copy of documents; it only grants a right to obtain a copy of personal data.  The information provided should be sufficient to allow the data subject to verify the correctness of the data and its lawful processing.

In relation to documents that do not contain much personal information, such as the e-mails in question, the court held that it suffices to describe the data they contain.  It is not necessary to provide a copy of the e-mails, although the Court acknowledged that this approach may be less practical for documents that contain higher volumes of personal data.  The Court did not accept the individual’s argument that this does not allow him/her to verify that the documents do not contain more personal data than indicated by the bailiff, as there was no indication from the documents provided that they might contain more data.

In addition, the Court highlighted derogations under Dutch law to the right of access, for example, in the context of judicial procedures.  Moreover, the Court noted that the request for access appeared to be triggered by a desire to know the origin of the e-mails rather than to verify the personal data they contained.

In many respects, this decision mirrors earlier guidance from German authorities on which we reported previously (see our prior blog post here).

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of…

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies concerning the lawmaking, to compliance advice on the adopted laws regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

Photo of Nicholas Shepherd Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Brussels office, where he is a member of the Data Privacy and Cybersecurity practice group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws…

Nicholas Shepherd is an associate in Covington’s Brussels office, where he is a member of the Data Privacy and Cybersecurity practice group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide.  Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements related to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer registered on the B-List of the Brussels Bar, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.