[Verzoeker] – Court Ruling (Netherlands, 2024)

The claimant is the father of a child treated at Antonius Hospital (controller). During the treatment a social worker was involved with the child and the parents who performed social work for his family. In 2015, upon his request, the father received a copy of his child's medical record from the controller but claimed that several details were missing, including details about the social worker. In May 2022, the father exercised his right to access, pursuant to Article 15 GDPR, requesting information from the controller about the social worker, log data on his child's file and involved healthcare providers registration data. The controller provided limited data, arguing further records didn’t exist or weren’t covered by the request. The father filed a case before the Court of first instance which rejected the father's request. Before the Court of Appeal, the father explained that he had requested several times to obtain access to all personal data regarding himself and his child but the controller has not provided any data outside his child's medical record and that the controller has misunderstood his request. The controller claimed that they did not need to provide an overview of the complete log data, because the father is not entitled to this data under Article 15 GDPR, because it does not concern personal data of him or his child. The court of Appeal decided to overturn the decision of the Court of first instance and grant part of the fathers requests. First, the Court of Appeal held that the controller must provide the father with a copy of the personal data it processes about himself and his child in connection with the treatment that still has in his possession, pursuant to Article 15(1) and Article 15(3) GDPR, noting that the controller interpreted the father's access request too narrowly. As far as possible, the controller must choose to provide the personal data in a way that does not infringe the rights or freedoms of its employees and of the mothe