PONT Data&Privacy

One year of AVG: some of the case law

Since May 25, 2018, the General Data Protection Regulation (AVG) has applied.1 This means that the same privacy laws apply throughout the European Union (EU). Since then, the Personal Data Protection Act (Wbp) no longer applies. Privacy is a hot topic now more than ever. Today's information society offers increasing opportunities for unbridled collection, processing and dissemination of personal data, which is at odds with the protection of privacy. At the same time, people are becoming increasingly aware of their privacy and their rights when it comes to the processing of their personal data. Increasingly, people are invoking their right of inspection or the right to be forgotten, and this (sometimes) results in high-profile case law.

3 June 2019

Authors: Thomas van Essen, Lora Mourcous

In this article, we cover the most notable rulings of the past year since the AVG. Rulings regarding the right to be forgotten and search engines are covered in another post and are therefore not included here.

Article 35 AVG Implementation Act in relation to Articles 79 and 21 AVG

The first ruling considered is a case in the Rotterdam District Court dated Aug. 27, 2018.3 This case involved an individual who was reported to the Bureau Krediet Registratie (BKR) foundation by ING in connection with payment arrears. Because the individual did not fully comply with (repeatedly made) payment agreements, a negative code was placed in the BKR's Central Credit Information System as a result of a notification from ING. Over time, the data subject requested the collection agency engaged by ING to remove the BKR registration. This request was denied on October 13, 2017.

Such discussions about removal of negative BKR registrations are not new; several similar court cases have been filed under both the AVG and the Wbp. What is interesting about this case is the question of whether the data subject started the legal proceedings in a timely manner. Article 35 of the AVG Implementation Act (UAVG)4 provides that legal proceedings to delete personal data, such as a BKR registration, must be initiated within six weeks after the data controller (in this case: ING) rejects the deletion request, by filing a petition with the court.

ING took the position that since the individual served the subpoena on ING almost a year after the rejection of the removal request, the six-week deadline had been exceeded. ING referred to a 2015 Amsterdam court ruling in this regard.5 That case also involved a request to remove a negative BKR registration. The difference, however, is that the 2015 case did not involve summary proceedings, but rather an application procedure within the meaning of Article 46 Wbp (the predecessor of Article 25 UAVG). Because the petition was not filed within six weeks of the rejection of the removal request, the petitioner was declared inadmissible by the District Court of Amsterdam.

In the Rotterdam District Court, however, things were different. This was not a petition filed pursuant to Article 35 UAVG, but an interlocutory writ of summons, seeking an order against ING to remove the negative BKR registration, which, according to the party concerned, ING had wrongly failed to remove. The case could therefore still be heard in court.

In another ruling, which also involved removal of negative BKR registrations, the same issue arose.6 The data subject argued that under Article 79 (1) AVG he has the right to an effective remedy in court against an (in his view) unjustified BKR registration, a right which, under Article 21 (1) AVG, he must be able to use at all times. The term of six weeks included in Article 35 UAVG is therefore in violation of the AVG and, according to the data subject, concerns a "woeful error". This period is insufficient to prepare civil proceedings for the protection of fundamental rights, so that the procedure prescribed in that article cannot be regarded as an effective remedy within the meaning of Article 79 (1) of the AVG, according to the data subject. Moreover, the application of that time limit prevents the data subject from being able to challenge an (allegedly) wrongful BKR registration at any time.

The court did not address the contention that there is a woeful error. The court did rule that the legislator had created a special procedure with Article 35 UAVG and that this legal procedure could not be circumvented by relying (only) on the general regulation concerning unlawful acts. The party concerned was therefore declared inadmissible after all. The court thus assumes a closed system of remedies.

However, this ruling is not compatible with an earlier ruling by the Court of Appeal of The Hague: "It is true that Article 46 Wbp provides a special legal remedy for the data subject who objects to the processing of his personal data. However, this does not alter the fact that a processing that violates the Wbp constitutes an unlawful act towards the data subject and that the data subject in any case also has the general power to turn to the civil court with a claim for damages or to stop or undo the alleged unlawful act."7

The Wbp had a procedure under Article 46 that is almost identical to that of Article 35 UAVG. As under the Wbp, the application procedure under the UAVG is open to the data subject and to other interested parties who wish to challenge through the courts a decision of the controller on a request under Articles 15 to 22 AVG. If the controller has responded to the data subject's request within the time limit, the data subject then has six weeks, if he or she does not agree with the controller's decision, to file a petition with the civil court (Article 35(2) UAVG and Article 46(2) Wbp). Since the provision remained unchanged under UAVG, the dissenting ruling of the District Court of The Hague does not seem to be due to a difference of interpretation under the UAVG.

Providing medical personal information to a creditor

In a case surrounding a so-called compulsory settlement as referred to in the Bankruptcy Act, the District Court of Northern Netherlands answered the question of whether medical records may be provided to a creditor.8 The parties involved in this case have debts with a number of creditors. In connection with these debts, the individuals were admitted to statutory debt restructuring (WSNP). However, this was terminated prematurely without a clean slate. An amicable settlement, enforced by a compulsory settlement if necessary, is still a possibility in this situation.

In that context, Kredietbank Nederland (KBNL) made a proposal to the creditors whereby they will receive a certain percentage of the amount of their claim. In doing so, KBNL indicated that those involved had medical problems which meant that there were no real opportunities for paid work. One of the creditors, ABN AMRO, has indicated that it does not agree because it does not believe that the offer is the maximum feasible.

The case revolves around the question of whether KBNL may provide medical data of those involved to ABN AMRO. In the court's opinion, a creditor may rely on concrete information, especially if that information serves to substantiate the claim that savings capacity is completely lacking. If the information is of a medical nature, in principle a debtor's right to privacy comes into play. If a debtor wishes to reach an agreement with his creditors, a debtor must therefore make a personal assessment as to whether the interest in an agreement outweighs his interest in privacy. Many times it will not be necessary for a debtor to provide complete medical records. The mere disclosure of medical restrictions that interfere with work capacity is not, in the court's view, sufficient to convince a creditor that the agreement is attractive. In the first instance, according to the court, KBNL (with the consent of the person concerned) could suffice by stating the nature of the limitation, that the limitation is structural in nature, as evidenced by medical report(s).

The court ruled that it must at least be clear to a creditor such as ABN AMRO that KBNL based its estimate on available information that KBNL has accessed, to which a debtor has imposed the restriction that KBNL may not distribute that information to a third party under the AVG. The amount of the claim must also be taken into account, considering whether a creditor's interest outweighs the interest in privacy. The court emphasized that a debtor is free to invoke his right to privacy under the AVG and/or the UAVG. On the other hand, the absence of medical data may have consequences for the assessment of the soundness of the agreement in the context of the balancing of interests to be made (agreement or no agreement).

Thus, although on the basis of the above the data subject may decide for himself whether his medical data will be provided, failure to give such consent may result in the agreement being refused. The question can be raised whether consent under Article 4(11) AVG can then still be freely given. After all, consent is deemed not to be freely given if the data subject does not have a real or free choice or cannot refuse or withdraw his consent without adverse consequences (recital 42 AVG).

Read the rest of the article "One year of AVG: some case law" in the free magazine "One year of AVG".
