University of Utrecht – Court Ruling (Netherlands, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The University of Utrecht failed to respond on time to a student's request for access to their records. The court ruled that the university did not meet the one-month deadline for responding, which is important for user rights. This case shows that organizations must handle access requests promptly to avoid legal issues.
What happened
The University did not respond to a student's access request within the required one-month period.
Who was affected
A student who requested access to their records was affected.
What the authority found
The court found that the University violated the requirement to respond to access requests in a timely manner and awarded the student €707 in damages.
Why this matters
This ruling emphasizes the importance of timely responses to access requests. Organizations should ensure they have processes in place to comply with these deadlines.
GDPR Articles Cited
On 2 December 2022, the data subject made an access request to the University of Utrecht (the controller), under Article 15 GDPR. In the request, the data subject asked for 'all information about my [their] records'. On 11 January 2023, the controller responded asking the data subject to clarify their request, as the original request was too general and not specific enough. On 13 January 2023, the data subject replied, noting that they did not need to provide the controller with any more information. On 10 February 2023, the controller set aside the data subject's request due to their lack of response and notified them thereof.
The data subject subsequently brought a claim against the controller in the Central Netherlands District Court for the lack of response to their access request.
The Court held that the controller was in violation of Article 12(3) GDPR, as they had failed to respond to the data subject's access request within the one-month deadline. The Court noted that, while the controller did respond with a request for more information, this response came after the one-month deadline established by Article 12(3) GDPR. Usually, a request for more information would have suspended the one-month deadline. However, in this case it was not suspended, as the response was sent after the deadline had passed.
The Court further held that there was no infringement of Article 15 GDPR, as the data subject did not respond to the controller's request for more information. As such, the controller was entitled to set aside the access request on 10 February 2023.
As a result, the Court held that the controller was liable for damages for their violation of Article 12(3) GDPR, and awarded the data subject €707 in damages. The amount awarded was calculated on the basis of domestic administrative law, as the controller (the University of Utrecht) is an administrative body.
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for University of Utrecht in NL
This is the only recorded case for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. University of Utrecht - Netherlands (2023). Retrieved from cookiefines.eu