Court case HAA 21/6573 – Court Ruling (Netherlands, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Dutch court ruled that the Inland Revenue unlawfully registered a person in its fraud database. The court found that too many employees had access to personal data and that the data retention period was too long. This case shows that organizations must handle personal data carefully and limit access to protect individuals' privacy.
What happened
The Dutch Inland Revenue unlawfully registered a person in its Fraud Signalling Facility database.
Who was affected
Individuals whose data was included in the Fraud Signalling Facility, including the claimant.
What the authority found
The court found that the Inland Revenue violated GDPR by allowing too many employees access to personal data and not properly handling erasure requests.
Why this matters
This ruling highlights the need for organizations to manage access to personal data and comply with data retention rules. It serves as a reminder for public agencies to protect individuals' privacy rights.
GDPR Articles Cited
On 20 May 2021, the data subject (claimant) received a letter from the Dutch Inland Revenue, notifying him that he had been unlawfully registered in the Dutch Inland Revenue's (Belastingdienst) database - the Fraud Signalling Facility (FSV). The controller in this case was the minister of Finance, as the Dutch Inland Revenue is under the administration of the ministry of Finance Overall, the use of this facility did not comply with the GDPR, as too many employees had access to the data and the data retention period was too long. Some individuals’ data was wrongly included and wrongly used. The controller attempted to rectify this by revoking tax employees' access to the FSV on 27 February 2020 and removing it as a point of use from the Tax Administration's implementation of (tax) legislation. In a letter dated 25 June 2021, the data subject objected to the recording of his data in the FSV. In this letter, he made an access request under Article 15 GDPR, a data rectification request under Article 16 GDPR, and an erasure request under Article 17 GDPR. The controller responded on 22 July 2021, partially responding to the access request (Article 15 GDPR), but refusing the requests made under Articles 16 and 17 GDPR. The data subject brought claims against the incomplete response to his data access request, and refusal of data rectification and erasure requests. The court found no violation of Article 15 GDPR, but found a violation of Articles 16 and 17 GDPR. Firstly, the controller’s response was GDPR-compliant for the purposes of Article 15 GDPR. An incomplete response to an access request was not inherently a violation of Article 15(3) GDPR. The controller had provided a summary of the data subject’s personal data, along with an explanatory note outlining the processing purposes. In reaching its conclusion, the court referenced CJEU judgment of 4 May 2023 (ECLI: EC: C: 2023: 369), wherein it was established that Article 15(3) GDPR does not confer the right to obta
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case HAA 21/6573 in NL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case HAA 21/6573 - Netherlands (2023). Retrieved from cookiefines.eu
Last updated: