GRAYDON NEDERLAND B.V. – Court Ruling (Netherlands, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Dutch court ruled that GRAYDON NEDERLAND B.V. must provide a full list of who they share personal data with. The court found that the company's claim of confidentiality did not justify withholding this information from users. This decision emphasizes that users' rights to access their data are more important than a company's business secrets.
What happened
GRAYDON NEDERLAND B.V. did not fully respond to a user's request for access to their personal data and who it is shared with.
Who was affected
The user who requested access to their personal data and information about its recipients.
What the authority found
The court decided that GRAYDON NEDERLAND B.V. could not deny the user's access request based on confidentiality claims, violating GDPR's access rights.
Why this matters
This ruling highlights the importance of transparency in data sharing practices. Companies must prioritize user rights over claims of business confidentiality when handling access requests.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
The data subject made 9 access requests to the controller; two of the requests were not answered. On 8 April 2024, the data subject initiated legal proceedings against the controller before the district court.
First, the data subject argued that the controller violated Article 15(1)(c) GDPR because the controller did not give a full list of recipients of their personal data. The data subject also wants to know with whom the controller shares, and will in the future share, personal data, especially recipients in third countries and international organisations. Second, the data subject argued that the controller must, under Article 15(1)(g) GDPR, reveal the source of the data. The data subject also claims the controller violated Article 12(1) to 12(4) GDPR.
The controller argued that it has no obligation to share the identity of third parties because this is confidential business information. The controller therefore considers that it can partially restrict the data subject's right of access based on Article 23 GDPR and Article 41(1)(e) of the Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming – UAVG). On the second point, the controller claims that all personal data is taken from one public source (de Kamer van Koophandel).
First, the court assessed whether the controller could rely on Article 41(1)(e) UAVG and Article 23 GDPR to deny an access request. The court did not find that a list of clients could damage the controller's financial interests based on Article 41(1)(e) UAVG. The court found that the controller did not demonstrate why its customer base is a business secret. The controller did not explain how the size of the customer base and the identity of the third parties requested by the data subject negatively influenced its financial interests. Overall, the protection of business secrets is not a fundamental right and the rights of the data subject have priority over the rights of the controller. Furthermore, the controller does not
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for GRAYDON NEDERLAND B.V. in NL
This is the only recorded case for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. GRAYDON NEDERLAND B.V. - Netherlands (2024). Retrieved from cookiefines.eu