The controller is responsible for ensuring compliance with the principles applicable to the processing of personal data. Personal data must be processed in a way that is lawful, proper and transparent with respect to the data subject (an identified or identifiable natural person). To ensure this, the General Data Protection Regulation (AVG) gives various rights to the data subject. These rights are set out in Articles 15 to 22 AVG.
The data subject may exercise these rights against the controller. The AVG defines a "controller" as a natural or legal person, a public authority, an agency or another body which, alone or jointly with others, determines the purposes and means of processing personal data.
Art. 34 and 35 UAVG elaborate the legal protection of Art. 79 AVG for the cases mentioned in Art. 15 to 22 AVG. This is explained below.
The possibility of filing a complaint against the AP (Art. 77 AVG) is covered in checklist 55.
The possibility of claiming material or immaterial damages is addressed in Art. 82 AVG (see checklist 52 and 53).
To enforce compliance with these rights, legal protection is available before judicial authorities. If the controller is an administrative body, the administrative court has jurisdiction. In all other cases, including those involving a public authority other than an administrative body, the civil court (civil judge) has jurisdiction.
The AVG has no definition of "public authority" and, in addition, has different terms to designate the "government". It is therefore generally assumed that for Dutch law the (no longer valid) Personal Data Protection Act (Wbp) must be followed, now that the (legislative history to the) UAVG does not provide any further explanation of the concept of governmental body either.
The written decision of an administrative body (in its capacity as a data controller) in response to a data subject's request based on the AVG - for example, refusing a request for inspection or correction - is considered a decision within the meaning of the General Administrative Law Act (Awb) (Art. 34 UAVG).
Pursuant to rules of administrative procedure, the Awb, such a decision can be appealed to the administrative body. If the objection is rejected, the decision on the objection can be appealed to the administrative court.
Administrative proceedings do not require the individual and/or interested party to hire a lawyer.
If the decision on the request has not been made by an administrative body, the interested party may turn to the civil court with a written request to order the controller to still grant or deny the request.
The rules of civil procedure (Rv) apply to this petition procedure.
The petitions procedure is open not only to an interested party, but also to interested parties. In addition, it involves the possibility of submitting non-written decisions to the civil court. The procedural difference is that the civil procedure does not require a prior objection to the data controller. After receiving the controller's response to the request, the interested party can go to court immediately.
As with administrative proceedings, civil proceedings do not require the individual and/or interested party to hire a lawyer.
Data subject's rights arising from art. 15 to 22 AVG (art. 12 AVG and art. 34, 35 and 36 UAVG)
Art. 12 AVG stipulates that the controller shall take appropriate measures so that the data subject receives the communications referred to in Art. 15 to 22 AVG in connection with the processing in a concise, transparent, understandable and easily accessible form and in clear and simple language, in particular when the information is specifically addressed to a child.
The controller must additionally facilitate the exercise of these rights. A controller may refuse to comply with the data subject's request only if the controller demonstrates that it is unable to identify the data subject.
Checklists 25 through 28 address what these rights mean in substantive terms for data subjects. This chapter explains the procedural rules for exercising those rights through checklists.
□ the controller shall provide the data subject with information on the follow-up given to the request without delay and in any event within one month of receipt of the request;
□ depending on the complexity of the requests and the number of requests, the one-month period may be extended, if necessary, for an additional two months. In addition, the controller must notify the data subject of such an extension within one month of receiving the request;
□ if the controller does not comply with the request, the controller must also communicate, without delay and in any case within one month of receiving the request, the reasons why the request has remained without effect, and the controller must also point out the possibility of submitting a complaint to AP and the possibility of appeal to the courts;
This is a checklist from the publication Checklist Privacy AVG: privacy policies in 57 checklists
