DFW – Court Ruling (Netherlands, 2019)

DFW (a Dutch movie distributor) applies a protocol to its processing of personal data which was approved by the Dutch DPA before the GDPR came into force. DFW asked Ziggo (an internet service provider) to provide IP addresses of customers who according to DFW shared movies illegally. Ziggo refused to provide this information. Τhe Court had to assess whose interests prevail in this case: DFW's interest in the protection of its intellectual property rights or Ziggo's interest in the protection of the personal data of its customers. The Court found that any processing needed to be based on legitimate interests according to Article 6(1)(f) GDPR and that Ziggo had to comply with Article 6(4)(d) GDPR. The Court found that DFW had a legitimate interest and that the processing was necessary. However, the Court pursued a balancing exercise between the interests of DFW and the interests of the data subjects and found that the approved protocol was not transparent enough. Thus, the possible consequences for the data subjects of providing their data to DFW could not be estimated. DFW failed to make clear which action it would take, under which circumstances and in which manner it would inform the data subjects of their rights. The Court is of the opinion that the interests of Ziggo's customers are still insufficiently safeguarded, and it, therefore, rejected DFW’s claims confirming the ruling of the Court of First Instance. The Court based its ruling on the national civil code, Articles 4(2) and 6 GDPR, Articles 17 and 47 of the Charter of Fundamental Rights (CFR), and Articles 8 and 13 ECHR.