The Board of the Eindhoven University of Technology – Court Ruling (Netherlands, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The court ruled that Eindhoven University of Technology must provide clearer access to personal data after a student claimed their request was not fully met. This case is significant because it emphasizes the right to access personal data and the need for institutions to respond adequately.
What happened
Eindhoven University of Technology was challenged for not providing a complete and clear overview of a student's personal data upon request.
Who was affected
A student who requested access to their personal data held by Eindhoven University of Technology.
What the authority found
The court held that the university's response to the data access request was inadequate due to its lack of clarity and completeness.
Why this matters
This ruling highlights the importance of providing clear and comprehensive responses to data access requests. Institutions should ensure they understand and fulfill the scope of such requests to comply with data protection laws.
GDPR Articles Cited
The dispute is between the data subject and the Board of the Eindhoven University of Technology (the controller). In December 2017, the data subject requested access to his personal data pursuant to Article 35 of the Personal Data Protection Act, the predecessor of the GDPR. The controller provided an overview of all personal data concerning the data subject that it had processed. According to the data subject, however, this overview was not complete. After objecting to the decision, the case ultimately ended up in Court. However, the case was suspended to provide the controller the opportunity to carry out a further search for the data subject’s personal data. On 7 January 2021, the controller submitted an additional list containing 101 emails. According to the data subject, however, this list was provided too late, and was not sorted in a way to provide a coherent overview. Moreover, the data subject claimed that a mere overview of the emails was not enough, since it was plausible that the content of these emails contained more personal data, especially considering that opinions regarding the data subject by the authors of these emails must also be regarded as personal data. In order to be able to exercise his other rights (such as rectification, erasure, or restriction of processing) he wanted copies of these emails. First, the Court considered the data subject's claim that the overview was too vague and provided too late. It stated that the formulation of the access request determines the scope of the search to be performed by the administrative body: if the request is (very) general (and not too specific), the administrative body can facilitate the request by searching for the most commonly used personal data (such as name and address details). Because the data subject formulated his request very generally and did not specify it during the objection procedure but waited until the procedure in Court, the Court concluded that the controller’s initial search fo
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for The Board of the Eindhoven University of Technology in NL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. The Board of the Eindhoven University of Technology - Netherlands (2021). Retrieved from cookiefines.eu
Last updated: