Case summary

Deciding Body
Council of State
Raad van State
National case details
Date of decision: 02.10.19
Registration ID: 201802949/1/A3
Instance: Cassation (review)
Case status: Final
Area of law
Data protection

Mass media
Relevant principles applied
In judicial dialogue
Judgement of the CJEU (Grand Chamber), 5 June 2018, Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH

Identification of the case

Fundamental rights involved
  • Respect for private and family life (art. 7 CFREU)
  • Protection of personal data (art. 8 CFREU)
National law sources
  • Art. 35 Wet bescherming persoonsgegevens (Wbp)
EU law sources
  • Directive 95/46/EC

Summary of the case

Facts of the case

The appellant requested a copy of his personal data which had been processed by the Mayor and Municipal executive (College). The College had used his data to send three letters, and shared this information with the appellant as requested. The Association of Dutch Municipalities (VNG) posted a copy of the access request made by the appellant on their forum, as an example to show municipalities how to deal with such requests. This forum post was wrongly not anonymized. The appellant requested the College to provide a list of people who had received his information, which was denied. The College argued that it lacked the authority to share details of the people who had received the appellants information. Instead, the appellant should request VGN to provide this information. The Court of first instance ruled that the College could not be held responsible. The appellant appealed this decision, claiming that the College should be held to be responsible.

Type of enforcement
  • Administrative judicial enforcement
Measures, actions, remedies claimed/applied

Annulment of the administrative decision, suspensive effect.

Reasoning (legal principles applied)

The Court is tasked with deciding whether the College, in their capacity as data controller, is responsible for the appellant’s data becoming available on the VGN forum. If they are found to be responsible, the Court must determine whether they have to provide a list of recipients to the appellant.

Firstly, the Court notes that responsibility for processing personal data must be interpreted widely under Directive 95/46/EC. Furthermore, although VGN is responsible for the VGN forum, this does not preclude the Court from finding that the College was also responsible. The Court refers here to a previous decision made by the Supreme Court which dictates that the College is responsible for personal data made available on the VGN forum.

Secondly, having established that the College is responsible for the applicant’s data on the VNF forum, the Court determines whether the College should have provided the appellant with a list of the recipients of his personal data. The Court notes that the College, as data controller, as well as the VNF, as owner of the forum, are responsible for the appellant’s data. The Court follows the CJEU’s reasoning in Holstein that joint responsibility does not mean that both parties have the same responsibility, as the parties may be involved in different stages of the data processing. Thus, the level of responsibility must be assessed in light of all the relevant circumstances of the case. The Court then goes on to cite the CJEU’s reasoning in Fashion ID that parties only have the same responsibility under art. 2(d) of Directive 95/46 if they jointly determine the purpose of the processing of the data. A party is not responsible for operations which took place later or earlier in the processing chain.

In light of these judgments, the Court considers that the College had the authority to post messages on the forum, as well as delete them. VGN managed access and provided the general accounts and passwords. The College did not have the requisite control over the forum and did not have insight into the recipients of the applicant’s data. The Court concludes that for these reasons the College does not have the responsibility to provide a list of recipients to the applicant; he should instead submit a request VGN for this list.

Role of the Charter and role of the general principles on enforcement

Relation to scope of the Charter

This case concerns the applicant’s rights to privacy and protection of personal data under articles 7 and 8 of the CFREU. In this case, the applicant’s personal data had been shared on a forum without his consent. The Court had to decide which parties bore responsibility for this unlawful data sharing and what recourse the applicant could seek.

Relevant principles applied
  • Proportionality
Principle of proportionality

In this case the Court had to determine whether it would be proportional for a data controller to be responsible for personal data that was used for operations which took place later in the processing chain, which it was no longer involved with. The Court considered that, whilst the data controller was responsible, it could not be requested to provide a remedy to which it had no access.

Elements of judicial dialogue

Vertical dialogue type
  • Dialogue between high court - lower instance court at national level
Cited CJEU
  • CJEU C-210/16 Holstein
Dialogue techniques

Conform interpretation with EU law as interpreted by the CJEU.

Purposes of using judicial dialogue

To solve a conflict between different trends of national caselaw.

Expected effects of judicial dialogue

Judicial reform.

Case author

Silvester van Kordelaar, University of Groningen

Published by Chiara Patera on 29 January 2020