Data subject โ Court Ruling (Netherlands, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A person asked for access to their personal data from the National Coordinator for Counterterrorism and Security in the Netherlands. The court decided that the Ministry of Justice provided enough information about the data processing, even if the person wanted more details. This ruling shows that organizations don't have to share every detail about how they handle personal data.
What happened
A person appealed a decision about the access they received regarding their personal data from the NCTV.
Who was affected
The individual who requested access to their personal data held by the National Coordinator for Counterterrorism and Security.
What the authority found
The court ruled that the Ministry of Justice provided sufficient information under Article 15 of GDPR and did not need to disclose more details.
Why this matters
This case highlights that organizations can limit the amount of detail they provide when individuals request access to their data. It suggests that businesses should be clear about what information they can share without over-disclosing.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject filed an access request to the National Coordinator for Counterterrorism and Security (NCTV). The Ministry of Justice is the controller for the NCTV. The Ministry of Justice decided to grant access, but partly. What the data subject received, was an overview of their personal data, including the aim for which data was processed, the source and with whom it was shared. After their first appeal to the decision, the Ministry decided to grant more access and explained more context of the processed data. The data subject also received some copies of documents that were partly redacted. The data subject then appealed that decision to the court, because they believed more detail should be given about why their data were processed and shared with other parties. The data subject found the legal grounds mentioned in the overview to be too vague as they referred solely to the law, or the tasks of NCTV exercising its official authority. Furthermore, the data subject requested information, such as empolyee names, titles or departments of the organisations their data was shared with and why data was shared internationally. They also disputed the accuracy of the overview, because emails containing their personal information had a lot of redacted parts. This meant they were unable to review if their personal information was shared. The court rejected the appeal and found that the information received by the data subject was sufficient. The data subject's first complaint was that the information given to them was insufficient. The court held that Article 15 GDPR does not require the Ministry to provide more specific detail on why the data subject's data were processed. It is clear from case law that Article 15 GDPR does not require an organisation to provide full copies of all documents containing the data subject's data. It does require organisations to provide sufficient information to fulfil the goal of the right of access, i.e. to make it possible for the
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Data subject in NL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Data subject - Netherlands (2026). Retrieved from cookiefines.eu
Last updated: