Court case LEE 22/1758 – Court Ruling (Netherlands, 2022)

A data subject received a letter from the Dutch Ministry of Finance (controller) stating that they (the data subject) had been included in the Fraud Identification Facility (FSV), a filing system used by the controller. In the letter the controller elaborated further that the FVS did no longer exist and informed the data subject of the possibility to access their data as well as the possibility of them having suffered damages due to inclusion in the FSV. The data subject filed an access request with the FSV. On 19 October 2022 the controller answered to the data subject’s request, providing an overview of all their personal data contained in the FSV in accordance with Article 15 GDPR. The data subject considered this answer as incomplete and appealed this decision stating that they want to know the reason for being included in the FSV as well as that they have suffered damages from being wrongly included. In its defence, the controller stated that the platform did no longer exist, it was therefore not possible to find out how the information ended up in the system. The court held that the data subject had to prove the existence of further information than what was included in the answer to the access request. In this case, the data subject did not sufficiently demonstrated the existence of further personal data than provided by the controller. The court found the appeal to be unfounded.