plaintiff 1 – Court Ruling (Netherlands, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Dutch court decided that an insurance company was right to keep a fraud alert on a person who allegedly gave false information about a car accident. This case shows how companies can use data to protect against fraud while respecting legal standards.
What happened
An insurance company registered a person in fraud databases after suspecting false information about a car accident.
Who was affected
Individuals reported for suspected fraud in insurance claims, affecting their future dealings with financial institutions.
What the authority found
The court ruled that the insurance company acted legally by keeping the fraud alert, as it had a legitimate interest in preventing fraud.
Why this matters
This decision reinforces the idea that companies can maintain fraud alerts if they follow legal guidelines and balance interests. Businesses should ensure they have strong justifications for such actions to comply with data protection laws.
GDPR Articles Cited
National Law Articles
The data subject had car insurance and suffered an incident. They reported the incident to the insurance company, the controller. The controller alleged that they had provided incorrect information about the collision and treated the report as fraud. It then registered the data subject in two databases: the CBV of the Dutch Association of Insurers (used by insurers to coordinate investigations and perform analyses) and the external referral register (used by financial institutions when assessing insurance applications and claims).

The data subject sought to cancel both registrations, but the controller refused to deregister them, so they filed an action before the Court. The Court had to determine whether these registrations should be cancelled under the provisions of the GDPR, namely Articles 21(1), 17(1), and Article 6(1)(e) and (f).

First, the Court referred to the provisions of the Protocol Incident Warning System Financial Institutions 2021, specifically Article 5(2)1, which lists the requirements for deletion of registers. In the present case, it concluded that fraud was indeed committed and stated that this qualified as a criminal offence under Article 350 of the CPS. Therefore, the Court considered that the principles of proportionality and subsidiarity were respected and that the controller had a legitimate interest in protecting the financial sector from fraud. No violation was found and the data processing was considered lawful.
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
About this data
Cite as: Cookie Fines. plaintiff 1 - Netherlands (2022). Retrieved from cookiefines.eu