The term ‘’personal data’’ is interpreted broadly
August 8th 2022 / in Nieuws / door Daisy Brugman
Published in Sdu Opmaat Privacyrecht on June 29th 2022
The term ”personal data” is interpreted broadly
The plaintiff in this case does not agree that the ‘RMC Region Gooi en Vechtstreek’ is processing personal data of her and her son. She requested that these personal data schould be deleted. With a reference to a judgment of the Court of Justice of the European Union, the court opts for a broad interpretation of the concept of ‘personal data’.
The plaintiff’s son received a card in the mailbox from the youth team of the RMC Region Gooi and Vechtstreek (Region; a collaboration of a number of municipalities). As a result of this card, the claimant requested the executive board of the Region to erase the personal data of the son (as his administrator) and herself.
This request was denied by the Region in the primary decision. The claimant disagreed with this decision and objected to it. In addition, she requested, among other things, access to the personal data in the son’s file and repeated the request to erase the personal data of the son and herself. In the contested decision, the Region upheld the claimant’s objection insofar as it related to the request to erase her own personal data. In all other respects, the Region dismissed the objection as unfounded. The claimant filed an appeal against this decision with the court.
Is the Region the processor or the controller?
The College has delegated certain tasks to the Region. Among other things, the execution of the regulations concerning the reporting and combating of early school leaving has been transferred to the Region. This means that the data processing in this connection also takes place at the Region.
The next question is whether the Region has thus become the processor or the controller. In the opinion of the Court, the Region is competent to decide on these requests – and by extension the objections – because the Region is to be regarded as a processor in the sense of the GDPR. Thus, the implementation of the regulations regarding the reporting and combating of ESL has been delegated by the College. And there is no evidence that the colleges still have any involvement in this. In addition, the Region has indicated that it maintains the processing register and determines the purpose of data processing and the means within the framework of the laws and regulations.
Should the son’s personal data be erased?
Next, the court addresses the question of whether the personal data of the plaintiff’s son should be erased. The court distinguishes two moments of data processing: the processing in the context of registration and the processing in connection with the subsequent tracking and monitoring of the minors in question.
(i) Processing in the context of registration
In the court’s view, the erasure request was rightly rejected by the Region because the data processing is necessary for compliance with a legal obligation (Article 17(3)(b) of the AVG).
The court stated that it is necessary to have a view on the target group for the implementation of the regulations regarding the reporting and combating of early school leaving. As a result, certain personal data of these young people must be registered. This follows from article 162b paragraph 1 WEC, article 21 paragraph 1 Wet register onderwijsdeelnemers and article 31 paragraph 1 Besluit register onderwijsdeelnemers. Thus, by processing the data in a register, the Region is implementing a legal obligation. The Court therefore concludes that the Region was right to take the position that the exception ground in Article 17 (3) (b) AVG applies.
(ii) Processing in the context of tracking and monitoring
A second question is whether the further data processing in the context of tracking and monitoring the minors is also necessary to comply with a legal obligation. The court is of the opinion that such data processing is in fact necessary, because the Region is obliged on the basis of the legal provisions mentioned above to track and monitor the minors in the target group. The Region was therefore also entitled to rely on the exception ground in Article 17 (3) (b) AVG in the contested decision.
Is the name of the father a personal data?
The plaintiff wants access to all the data recorded in her son’s file, including (and especially) the part that the Region has omitted. This concerns the name entered under ‘father’ under the heading ‘family’. The court put first and foremost that the claimant, as administrator of son, has the right to inspect his personal data. The question is whether the omitted name filled in under ‘father’ is a personal data of the son.
The court finds that it is and motivates this as follows: ”According to the Court of Justice of the European Union (the Court of Justice), a broad interpretation should be given to the concept of ‘personal data’. According to the Court of Justice, the concept of personal data potentially extends to any kind of information, both objective and subjective, that concerns the data subject. This is the case if the information is linked to a natural person by reason of its content, purpose or effect.”
The court ruled that the plaintiff should be allowed to inspect the name entered under ‘father’ because this is a personal data of her son. The plaintiff’s appeal is therefore well-founded on this point. The court also points out that at the hearing there was a discussion about removing this name from the personal file of the son, since – as in the case of the claimant – there is no basis for processing it. The Region has promised to remove the name. Naturally, this does not affect the plaintiff’s right to inspect the file.
Rechtbank Oost-Brabant 12 mei 2022, ECLI:NL:RBMNE:2022:1821 (datum publicatie: 1 juni 2022)