Court case 25/2823 – Court Ruling (Netherlands, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court ruled that a law firm did not violate privacy rules when it couldn't find data requested by a person involved in a bankruptcy case. The law firm argued it wasn't required to gather information about the opposing party. This decision highlights the importance of understanding access rights in legal situations.
What happened
A person made a data access request to a law firm regarding their bankruptcy case, but the firm could not find any related information.
Who was affected
The person involved in the bankruptcy proceedings who requested access to their data from the law firm.
What the authority found
The court decided that the law firm did not violate privacy rules because it was not obligated to collect data from the opposing party's attorney.
Why this matters
This ruling clarifies the limits of data access requests in legal contexts. It reminds businesses to understand their obligations when handling access requests, especially in legal matters.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A data subject made an access request to a law firm (the controller), regarding the data it had processed in connection to their bankruptcy proceedings. The controller responded by stating it could not find any information related to the data subject, as it later realised the data subject was not a former client but the opposing party. The controller argued that Article 15 GDPR does not oblige it to collect data from the attorney of an opposing party. Finally, the controller argued that it could limit the access request on grounds of attorney-client confidentiality and to protect the rights and freedoms of others. The data subject filed a complaint with the DPA, arguing that the controller had not properly handled their access request. The DPA considered that the controller had not violated the GDPR, and dismissed the case. The data subject appealed the decision to the court, arguing that the DPA had misinterpreted Article 15 GDPR. According to the data subject, the DPA had claimed the case fell out of the scope of Article 15 GDPR, because the data subject could obtain court documents through the court. In addition, the data subject argued that the controller could not refuse the access request completely on duty of confidentiality grounds. The court first noted that the data subject was involved in a public bankruptcy proceeding, meaning the data subject needed to know the other parties involved. The court then stated that the DPA should have investigated which rights and freedoms were protected by the restriction on the data subject’s right to access. The rights and freedoms of others are not a valid ground to deny the access request in its entirety.See the ruling of the Administrative Law Division of the Council of State dated November 5, 2025, ECLI:NL:RVS:2025:5323, margin. 5.4. The court considered that the DPA had not sufficiently investigated the case, as it had not carried out the balancing exercise of the interests involved. This was supported by the fac
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 25/2823 in NL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 25/2823 - Netherlands (2026). Retrieved from cookiefines.eu
Last updated: