GRAYDON NEDERLAND B.V. – Court Ruling (Netherlands, 2024)

The data subject made 9 access requests to the controller, two of the requests were not answered. On 8 April 2024, the data subject initiated legal proceedings against the controller before the district court. They argued that the controller violated Article 15(1)(c) GDPR because the controller did not give a full list of recipients of their personal data. The data subjects also wants access to who they share and will share personal data with in the future, especially recipients in third countries and international organisations. Second, the data subject argued that the controller must, under Article 15(1)(g) GDPR, reveal the source of the data. The data subject also claims the controller violated Article 12(1) until 12(4) GDPR. The controller argued that they have no obligation to share the identity of third parties because this is confidential business information. Therefore, the controller feels that they can partially restrict the data subject’s right of access based on Article 23 GDPR and Article 41(1)(e) of the Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming – UAVG) The controller reacted to the second point and claims that all personal data is taken from one public source (de Kamer van Koophandel). First, the court assessed if the controller could rely on Article 41(1)(e) UAVG and Article 23 GDPR to deny an access request. The court did not find that a list of clients could damage the controller’s financial interests based on Article 41(1)(e) UAVG. The court found that the controller did not demonstrate why their customer base is a business secret. The controller did not explain how the size of the customer base and the identity of the third parties requested by the data subject negatively influenced its financial interests. Overall, the protection of business secrets is not a fundamental right and the rights of the data subject have priority over the rights of the controller. Furthermore, the controller does not