Court case ROT 19/3036 – Court Ruling (Netherlands, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Dutch court ruled that a company did not violate GDPR when it used a third-party service for managing membership data. The court found that the company had a valid reason to process personal data and had complied with requests to remove data. This decision is important for businesses using third-party services to manage customer information.
What happened
A company used DEX Online Services to manage membership data without violating GDPR rules.
Who was affected
Members whose personal data was managed by the company using DEX Online Services.
What the authority found
The court found that the company had a valid legal basis for processing personal data and complied with GDPR requirements.
Why this matters
This ruling reassures businesses that using third-party services for data management can comply with GDPR if they have a valid legal basis. Companies should ensure they have clear reasons for data processing and comply with removal requests.
GDPR Articles Cited
The controller engaged DEX Online Services to automate its membership administration, which contained personal data of the plaintiff. He also offered its members the opportunity to use the Yogibit app to gain access to their own data, so that they can, for example, deregister and register for lessons. On January 30, 2019, the plaintiff filed a complaint with the Dutch DPA against the controller. The DPA rejected the complaint by decision of 27 February 2019, because it found no obvious violation of the GDPR . Plaintiff has objected to this rejection. According to the DPA, both the controller and DEX Online Services have complied with the claimant's request for removal within the meaning of Article 17 of the GDPR. The controller has a valid basis for the processing of the plaintiff's personal data and it has not been shown that his personal data has been processed in the YogiBit app. In appeal, the plaintiff argues that the controller should have first explicitly requested permission from him before his personal data would be provided to DEX Online Services. According to the plaintiff, the defendant has forgotten to look at the definition of 'consent', as set out in Article 4 (11) of the GDPR . Additionally, it was not necessary for the controller to enable DEX Online Services for its student administration. According to the plaintiff, the controller could also have chosen to hire a secretary. In addition, the plaintiff stated that as a free EU citizen he has the right to choose whether he wants to go along with the choice of the controller for that third party. Plaintiff argued that it was up to DEX Online Services to ascertain that the controller complied with the conditions set out in Article 6 of the GDPR . In his view, on the basis of Article 5(2) GDPR the controller has an accountability obligation and must be able to demonstrate compliance with Article 5, first paragraph, of the GDPR . The plaintiff argued that the decision did not provide evidence of such com
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case ROT 19/3036 in NL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case ROT 19/3036 - Netherlands (2021). Retrieved from cookiefines.eu
Last updated: