In late December 2019, the Court of The Hague (Netherlands) published a preliminary reference procedure (see here, in Dutch).  The Court was asked to decide on the scope of the right of access under the GDPR.

The defendant in this case was a bailiff involved in the bankruptcy procedure.  The individual who was target of the bankruptcy procedure requested access to his/her data and a copy of several e-mails.  In response, the bailiff only offered an overview of the e-mails concerned and the personal data they contained, but refused to provide a copy.

The Court decided in favor of the bailiff.  The Court indicated that the right of access under the GDPR is not materially different than under the prior Data Protection Directive, so any precedent under the prior regime was still relevant.  The Court also pointed out that the GDPR does not grant a right to obtain a copy of documents; it only grants a right to obtain a copy of personal data.  The information provided should be sufficient to allow the data subject to verify the correctness of the data and its lawful processing.

In relation to documents that do not contain much personal information, such as the e-mails in question, the court held that it suffices to describe the data they contain.  It is not necessary to provide a copy of the e-mails, although the Court acknowledged that this approach may be less practical for documents that contain higher volumes of personal data.  The Court did not accept the individual’s argument that this does not allow him/her to verify that the documents do not contain more personal data than indicated by the bailiff, as there was no indication from the documents provided that they might contain more data.

In addition, the Court highlighted derogations under Dutch law to the right of access, for example, in the context of judicial procedures.  Moreover, the Court noted that the request for access appeared to be triggered by a desire to know the origin of the e-mails rather than to verify the personal data they contained.

In many respects, this decision mirrors earlier guidance from German authorities on which we reported previously (see our prior blog post here).

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Photo of Nicholas Shepherd Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing…

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.