T-Mobile – Court Ruling (Netherlands, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Dutch court found that T-Mobile had to provide a customer with access to personal data used in a research project. The court ruled that anonymized location data still counts as personal data under GDPR. This decision highlights the importance of transparency in data processing, even when data is anonymized.
What happened
T-Mobile was ordered by a Dutch court to provide a customer with access to personal data used in a research project, as anonymized data was still considered personal data.
Who was affected
T-Mobile customers whose anonymized location data was used in a research project by the Central Bureau of Statistics.
What the authority found
The court ruled that T-Mobile had to comply with a customer's request for access to personal data, as anonymized data still constituted personal data under GDPR.
Why this matters
This case underscores the need for companies to be transparent about data processing activities, even when data is anonymized. It serves as a reminder that anonymization does not exempt companies from GDPR obligations.
GDPR Articles Cited
National Law Articles
T-Mobile is the controller and the data subject a customer. In March 2021, a Dutch newspaper (NRC) published an article about the controller and the Central Bureau of Statistics (CBS), in which it was stated that the CBS conducted statistical research with large datasets, acquired from controller. The goal of this research was to look for solutions against urban congestion in large cities. The controller issued a press statement on its website on 11 March 2021, in which it stated that no personal data was shared since all data had been anonymised. On 12 March 2021, the subject requested access to the personal data the controller processed on him for the CBS’s research, pursuant to Article 15 GDPR. The controller, however, rejected the request since it claimed that it had not processed any of the data subject’s personal data. Since the data subject was convinced that the controller had to comply with his request, he brought the issue before court. The District Court Oost-Brabant managed the case. The Court partially upheld the claim. First, it considered that the controller did process personal data when providing datasets to the CBS, since the anonymisation of their customers’ location data, is processing personal data. Hence, the Court found that the controller had to comply with the data subject’s access request pursuant to Article 15. The Court stipulated that the controller had to indicate the exact nature and origin of the processed’ personal data, i.e., by providing GPS or customary coordinates, IMSI numbers etc. Although the controller claimed that it had deleted that data, it submitted no proof of this. Hence, the Court gave the controller the opportunity to “submit a statement by their Board”. The Court also required the controller to provide the essence of the joint-controllership arrangement with CBS pursuant to Article 26(2). Second, the Court found that it was competent to assess whether the controller should be ordered to comply with the obligations
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for T-Mobile in NL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. T-Mobile - Netherlands (2022). Retrieved from cookiefines.eu
Last updated: