In a decision handed down on December 1, 2021, the Brussels Market Court (Court of Appeal) had an opportunity to consider the GDPR right of access. The Belgian Ministry of Finance appealed the Belgian Supervisory Authority’s recent decision requiring the Ministry to grant a complainant access to her financial file and make corrections to the file which described the complainant as a “straw man”.
The Market Court’s reasoning was interesting on two fronts:
- First, the Court held the Supervisory Authority must consider, and conduct some level of investigation into, whether a complainant’s request constitutes an abuse. In this case, the Court found that the complainant used the GDPR right of access to obtain information about possible fiscal investigations being conducted against her (the Court used the term “fishing expedition”) and thereby abused the GDPR right of access. The Supervisory Authority violated its duty of due care by not considering the complainant’s intention behind the exercise of her right of access. This decision could be relevant in other contexts, such as HR processing, where the right of access is also often (ab)used for purposes other than preventing or rectifying GDPR violations.
- In respect to the one-month deadline to respond to an access request (Art. 12(5) GDPR), the Court indicated that “there is no immediate textual argument that allows to state that not complying scrupulously with the deadline unambiguously constitutes a violation.” Still, the Court indicated that the one-month deadline is an end time within which a response should be provided, unless there is a reasonable justification for exceeding it. As the Ministry granted access to the file under the freedom of information regulations within one month, the Court decided that there was not violation of the GDPR, despite the Supervisory Authority’s argument that these regulations represent two distinct legal regimes with separate standards that should be considered independently.