Mayor of Maastricht – Court Ruling (Netherlands, 2023)

The data subject in question received official communication from the Mayor of Maastricht, indicating their placement on the "Top-X" list. This list is composed of individuals or groups identified as causing disturbances or engaging in criminal activities. Subsequently, the mayor denied the data subject’s request to be removed from this list. There were two main grounds for the refusal: firstly, the data subject was not actively cooperating with law enforcement agencies and continued causing a nuisance. Secondly, the individual was not partaking in the necessary mental health services that could potentially prevent future disturbances. As such, the Mayor deemed it appropriate to maintain the individual's listing as a precautionary measure to mitigate potential future disruptions. The Court assessed whether the Mayor's processing of personal data constituted a violation of the principle of legality, and whether the Mayor was obligated to delete the data subject's personal data. In its assessment of the potential principle of legality violation, the Court highlighted that data processing is one of the responsibilities of a Mayor for fulfilling a task in the public interest, as specified by Section 172 of the Municipalities Act. Therefore, the public interest exception to the lawful processing of data under Article 6 (1) (e) of the GDPR is fulfilled. The Court further reasoned that the safeguards, which ensure data processing does not exceed what is necessary, established under Articles 8 (1), 5 (4, 5), 6 (1), and 11 (1) of the Covenant ICOV, comply with the requirement of collection of data for specific, explicit and legitimate purposes in Article 5 (1) (b) GDPR. The Court held that the Mayor was not obligated to delete the data subject's personal data, based on the exception provided in Article 17 (3) (e), which allows a rejection of a data deletion request when the data is being processed for a task of public interest.