Court case 200.290.520_01 – Court Ruling (Netherlands, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Dutch court ruled that a former bank customer could not get certain personal data because the bank no longer had it. The court found the bank had met its obligation to provide information by giving the customer a report. This case shows the importance of data retention policies and how they affect access rights.
What happened
A former bank customer asked for all documents containing their personal data, but the court ruled the bank no longer had them.
Who was affected
A former bank customer who wanted access to personal data that might have been stored in a fraud prevention system and security reports.
What the authority found
The court decided the bank had fulfilled its duty to provide information and no longer had the requested data due to expired retention periods.
Why this matters
This case highlights the impact of data retention policies on access rights under GDPR. Businesses should ensure they have clear data retention schedules and understand how these affect customer requests for information.
GDPR Articles Cited
The data subject requested the District Court Limburg to order their former bank to hand them all documents that contain their personal data that have been processed. The District Court considered that the dispute mainly focuses on the personal data of the data subject that are or may have been included in the so-called EVA registration (a Dutch fraud prevention system) and in the report of the security affairs department of the bank. The bank stated that it had no longer had these documents, but offered to conduct internal investigation. The District Court gave the bank the opportunity to conduct this investigation and to hand over a report to the data subject which he had not yet received. The district court rejected the data subject's request because it considered that their former bank had fulfilled its obligation to provide information by handing over the report. Furthermore, the court concluded that the data subject no longer objected the bank's position that the internal security report is no longer available. The data subject only requested a copy of their personal data concerning the EVA registration, but the court ruled that the bank had sufficiently substantiated its claim that it no longer has this data. The data subject disagreed with the ruling of the District Court and filed a request with the Court of Appeal. The data subject claimed that the bank had conducted several investigations into them, at least in 2015 and 2018. The data subject also claimed that Article 15 GDPR gives them the right to access complete copies of the entire documentation in which their personal data are or may be contained, such as underlying documents and personal notes made by others. The bank also argued in appeal that they no longer have the data which the data subject is requesting, since the relation between the data subject and the bank ended in 2012 and all data is from the period 2009-2011. The retention period of 7 years has been exceeded already by several years.
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 200.290.520_01 in NL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 200.290.520_01 - Netherlands (2021). Retrieved from cookiefines.eu
Last updated: