Autoriteit Persoonsgegevens – Court Ruling (Netherlands, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Dutch court rejected an appeal to force the Dutch DPA to investigate the decommissioning of a transportation system. The applicant wanted the DPA to act, but the court found no GDPR violations by the transportation company. This case underscores the limits of DPA enforcement powers.
What happened
The court dismissed an appeal to compel the Dutch DPA to investigate a transportation system's decommissioning.
Who was affected
The applicant seeking enforcement against the Dutch public transportation company.
What the authority found
The court ruled that the Dutch DPA was correct in not pursuing enforcement as there were no GDPR violations.
Why this matters
This decision highlights that DPAs have limited powers and cannot be forced to investigate without clear evidence of privacy violations. Businesses should understand that not all complaints will lead to investigations.
On 12 November 2018 Autoriteit Persoonsgegevens (Dutch DPA) rejected the applicant’s request for enforcement. On 12 June 2019 the DPA declared applicant’s objection invalid. On 4 February 2020 the court dismissed the applicant’s appeal. Applicant is now appealing this Court decision before the preliminary relief judge of the Council of State. Applicant is asking the preliminary relief judge to urgently order DPA to: a) Notify relevant transportation companies in the European Union that they can start an investigation into the decommissioning of the ATB system and request these companies to continue supporting the system; b) Investigate the historical and current facts behind the decommissioning; c) Prevent further decommissioning if the investigation shows that the ATB system is being dismantled; d) Report the outcome of the investigation for the Court to use in the main proceedings. Dutch DPA is of the opinion that NS (Dutch public transportation company the applicant complained about) did not violate GDPR, so the enforcement is rejected. Moreover, according to the DPA, the applicant’s enforcement request only concerns cases where NS acts as a controller, which means it only applies to situations where NS sells its own tickets and not international tickets of other companies. The preliminary relief judge cannot order DPA to investigate the decommissioning of the ATB system because the judge cannot be sure that the DPA will get the same order as the result of the main proceedings. The judge founds it important that the ATB system stayed in use until the end of 2019, so it was possible to buy such ticket at the time of the applicant’s objection to the DPA. Also, Dutch DPA’s enforcement powers regarding foreign transportation companies would need to be considered separately as NS is indeed acting as a processor to those companies. Lastly, the preliminary relief judge did not agree that the dissemination of the ATB system would be irreversible. If at any point NS i
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Autoriteit Persoonsgegevens in NL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Autoriteit Persoonsgegevens - Netherlands (2020). Retrieved from cookiefines.eu
Last updated: