Data Subject versus Stichting Regiecentrum Bescherming en Veiligheid (RBV - Foundation for the Center for Protection and Safety) – Court Ruling (Netherlands, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The controller is the Management Centre for Protection and Security, a center offering protection to children, young people and adults in Friesland (Stichting Regiecentrum Bescherming en Veiligheid-RBV). Between 2015 and 2018, several departments of RBV were involved in the data subject's life and therefore created and maintained a file containing his personal data. On 10 June 2024, the data subject, invoking Article 17 GDPR, requested the destruction of the file. RBV agreed, confirming in writing on 26 November 2024 that the file would be destroyed within six weeks. Before the scheduled deletion, on 6 December 2024, the data subject filed a case before the court of first instance (District Court of North Netherlands) seeking immediate destruction of the file. RBV subsequently destroyed the file on 7 January 2025. The court of first instance dismissed the data subject's claim on 5 February 2025 because RBV had already agreed to and completed the data erasure. The data subject appealed the decision of the court of first instance before the court of appeal (Court of Appeal Arnhem-Leeuwarden), requesting the court to order RBV to notify other "processors" of his file about its destruction, based on Article 17(2) GDPR. First, the Court held that Article 17(2) GDPR applies only when data have been made public, for instance, published online or in a publicly accessible register in a way where others may view or reuse them. Ordinary exchanges of information with authorities or institutions do not amount to “making public,” and thus RBV had no duty to notify other controllers of the deletion of the data under this provision. Second, the Court pointed out that Article 19 GDPR requires controllers to communicate the erasure of personal data to each recipient to whom the personal data have been disclosed, and not just processors, without a further or specifically directed request from the data subject, unless doing so is impossible or disproportionate. In this case, the
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Cite as: Cookie Fines. Data Subject versus Stichting Regiecentrum Bescherming en Veiligheid (RBV - Foundation for the Center for Protection and Safety) - Netherlands (2025). Retrieved from cookiefines.eu