Autoriteit Persoonsgegevens – Court Ruling (Netherlands, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Dutch Data Protection Authority ordered the municipality of Arnhem to stop storing personal data from waste disposal card readers. This decision matters because it emphasizes the need for companies to handle personal data responsibly and transparently. The municipality is now allowed to use a new system that complies with data protection rules.
What happened
The municipality of Arnhem was ordered to stop storing personal data from waste disposal card readers and delete existing data.
Who was affected
Residents and businesses in Arnhem who used the underground waste containers were affected.
What the authority found
The authority found that the municipality's new waste card system could process data lawfully under GDPR since it serves a public interest.
Why this matters
This case highlights that companies must ensure their data processing practices align with legal requirements. It also shows that public entities can implement new systems that respect privacy while serving community needs.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Dutch DPA (the Autoriteit Persoonsgegevens, or 'AP') imposed an order subject to a periodic penalty payment on the municipality of Arnhem ('the Municipality'). The Municipality had infringed the then applicable Personal Data Protection Act (Wet bescherming persoonsgegevens or 'Wbp') by storing and retaining the personal data of individuals who disposed their waste in underground containers on the card readers attached to the containers. The order required the Municipality to open all underground containers without the use of a card, and to delete all personal data already stored and retained no later than 1 October 2017. On 14 March 2019, the AP decided to lift the order subject to penalty payments imposed on the Municipality at the request of the Municipality. The Municipality wanted the underground containers to be accessible only to residents and businesses of the Municipality, and therefore wanted to open a new waste card system. With the new system, residents are given a card with an internal chip code which is linked to their residential address. When the card is held in front of the card reader, the chip code is processed and compared to a whitelist of chip codes. To do this, the chip code is stored on the card reader's volatile memory. It is then converted almost instantly into a generic 9999 number, and removed from the whitelist when the container is closed. The AP could not foresee any violation of the GDPR by this new system, namely because data may be processed on the basis of Article 6(1)(e) GDPR, which states that a controller may process personal data which is lawful and necessary for the performance of a task carried out in the public interest. In a decision of 16 July 2019, the AP dismissed an objection made by an appellant against the decision to lift the order as unfounded as unfounded. In a judgment of 5 September 2019, the District Court of Gelderland ('the District Court') declared an appeal lodged by the appellant against the decision
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (10)
Other cases involving Autoriteit Persoonsgegevens in NL
Court Ruling
Details
About this data
Cite as: Cookie Fines. Autoriteit Persoonsgegevens - Netherlands (2021). Retrieved from cookiefines.eu
Last updated: