Data subject – Court Ruling (Netherlands, 2026)

The data subject filed an access request to the National Coordinator for Counterterrorism and Security (NCTV). The Ministry of Justice is the controller for the NCTV. The Ministry of Justice decided to grant access, but partly. What the data subject received, was an overview of their personal data, including the aim for which data was processed, the source and with whom it was shared. After their first appeal to the decision, the Ministry decided to grant more access and explained more context of the processed data. The data subject also received some copies of documents that were partly redacted. The data subject then appealed that decision to the court, because they believed more detail should be given about why their data were processed and shared with other parties. The data subject found the legal grounds mentioned in the overview to be too vague as they referred solely to the law, or the tasks of NCTV exercising its official authority. Furthermore, the data subject requested information, such as empolyee names, titles or departments of the organisations their data was shared with and why data was shared internationally. They also disputed the accuracy of the overview, because emails containing their personal information had a lot of redacted parts. This meant they were unable to review if their personal information was shared. The court rejected the appeal and found that the information received by the data subject was sufficient. The data subject's first complaint was that the information given to them was insufficient. The court held that Article 15 GDPR does not require the Ministry to provide more specific detail on why the data subject's data were processed. It is clear from case law that Article 15 GDPR does not require an organisation to provide full copies of all documents containing the data subject's data. It does require organisations to provide sufficient information to fulfil the goal of the right of access, i.e. to make it possible for the