Raad van State
National case details
Registration ID: 201802949/1/A3
Instance: Cassation (review)
Case status: Final
Area of law
Relevant principles applied
In judicial dialogueJudgement of the CJEU (Grand Chamber), 5 June 2018, Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH
Identification of the case
- Respect for private and family life (art. 7 CFREU)
- Protection of personal data (art. 8 CFREU)
- Art. 35 Wet bescherming persoonsgegevens (Wbp)
- Directive 95/46/EC
Summary of the case
The appellant requested a copy of his personal data which had been processed by the Mayor and Municipal executive (College). The College had used his data to send three letters, and shared this information with the appellant as requested. The Association of Dutch Municipalities (VNG) posted a copy of the access request made by the appellant on their forum, as an example to show municipalities how to deal with such requests. This forum post was wrongly not anonymized. The appellant requested the College to provide a list of people who had received his information, which was denied. The College argued that it lacked the authority to share details of the people who had received the appellants information. Instead, the appellant should request VGN to provide this information. The Court of first instance ruled that the College could not be held responsible. The appellant appealed this decision, claiming that the College should be held to be responsible.
- Administrative judicial enforcement
Annulment of the administrative decision, suspensive effect.
The Court is tasked with deciding whether the College, in their capacity as data controller, is responsible for the appellant’s data becoming available on the VGN forum. If they are found to be responsible, the Court must determine whether they have to provide a list of recipients to the appellant.
Firstly, the Court notes that responsibility for processing personal data must be interpreted widely under Directive 95/46/EC. Furthermore, although VGN is responsible for the VGN forum, this does not preclude the Court from finding that the College was also responsible. The Court refers here to a previous decision made by the Supreme Court which dictates that the College is responsible for personal data made available on the VGN forum.
Secondly, having established that the College is responsible for the applicant’s data on the VNF forum, the Court determines whether the College should have provided the appellant with a list of the recipients of his personal data. The Court notes that the College, as data controller, as well as the VNF, as owner of the forum, are responsible for the appellant’s data. The Court follows the CJEU’s reasoning in Holstein that joint responsibility does not mean that both parties have the same responsibility, as the parties may be involved in different stages of the data processing. Thus, the level of responsibility must be assessed in light of all the relevant circumstances of the case. The Court then goes on to cite the CJEU’s reasoning in Fashion ID that parties only have the same responsibility under art. 2(d) of Directive 95/46 if they jointly determine the purpose of the processing of the data. A party is not responsible for operations which took place later or earlier in the processing chain.
In light of these judgments, the Court considers that the College had the authority to post messages on the forum, as well as delete them. VGN managed access and provided the general accounts and passwords. The College did not have the requisite control over the forum and did not have insight into the recipients of the applicant’s data. The Court concludes that for these reasons the College does not have the responsibility to provide a list of recipients to the applicant; he should instead submit a request VGN for this list.
Role of the Charter and role of the general principles on enforcement
This case concerns the applicant’s rights to privacy and protection of personal data under articles 7 and 8 of the CFREU. In this case, the applicant’s personal data had been shared on a forum without his consent. The Court had to decide which parties bore responsibility for this unlawful data sharing and what recourse the applicant could seek.
In this case the Court had to determine whether it would be proportional for a data controller to be responsible for personal data that was used for operations which took place later in the processing chain, which it was no longer involved with. The Court considered that, whilst the data controller was responsible, it could not be requested to provide a remedy to which it had no access.
Elements of judicial dialogue
- Dialogue between high court - lower instance court at national level
- CJEU C-210/16 Holstein
Conform interpretation with EU law as interpreted by the CJEU.
To solve a conflict between different trends of national caselaw.