This blog discusses two recent judgments concerning the right of access. The Arnhem-Leeuwarden Court of Appeal held that the right to obtain information about recipients of personal data may be restricted where disclosure would reveal trade secrets and commercially sensitive information. The Administrative Jurisdiction Division of the Council of State clarified that the concept of personal data under the Police and Judicial Data Act must be interpreted broadly and that the Public Prosecution Service cannot limit itself to providing only name and address details in response to an access request.
Access ends where the customer database begins
In this judgment, the Arnhem-Leeuwarden Court of Appeal considered whether a business information specialist was required to provide a data subject with an overview of the recipients of business information containing personal data.
What were the facts?
The claimant is a business information specialist that collects, compiles and provides credit information on companies in the Netherlands to its clients. A substantial part of the information it processes is obtained from the Dutch Trade Register of the Chamber of Commerce.
The defendant is a director and shareholder of two private limited companies registered in the Trade Register. For the purposes of its services, the claimant included data relating to these companies in its database. This database contained personal data, such as the defendant’s name and date of birth. The claimant acted as controller for these data.
After the defendant’s data had been included in the database, the claimant informed him of the processing. The defendant then submitted an access request under Article 15 of the General Data Protection Regulation (GDPR). The claimant’s response largely complied with the requirements of Article 15 but did not specify the exact recipients of the personal data. Instead, it provided a list of categories of recipients, such as banks, insurers, leasing companies and wholesalers. The claimant refused to disclose the names of individual recipients, referring to the confidentiality of the data and its competitive interest in keeping this information undisclosed. The defendant disagreed and brought proceedings. At first instance, the court held that under Article 15(1)(c) GDPR the claimant had to disclose all recipients of the personal data. The claimant appealed to the Arnhem-Leeuwarden Court of Appeal.
The Court’s balancing exercise
The Court examined whether the defendant was entitled to a complete list of all recipients of his personal data or whether the claimant could limit itself to categories of recipients, as it had done. The Court held that, in principle, a controller must provide the identities of recipients. This enables the data subject to verify the lawfulness of the processing.
However, in line with the GDPR, the GDPR Implementation Act and European case law, the Court emphasised that the right of access is not absolute. It must not adversely affect the rights and freedoms of others. A balancing exercise is therefore required between the interests of the data subject and those of the controller. The Court expressly confirmed that trade secrets fall within the rights and freedoms of others.
The claimant argued that its list of recipients constituted a trade secret within the meaning of the Trade Secrets Protection Act. It also relied on the confidentiality agreements concluded with its clients. Disclosure would reveal its customer database and show which clients purchased which credit information and when. This would provide competitors with insight into its commercial position. Moreover, the personal data concerned were sourced from the public Trade Register, which does not record who consults it. A director cannot obtain that information from the Chamber of Commerce either. There was therefore no imbalance in access to information if the claimant did not disclose which of its clients had requested the defendant’s data.
The Court attached weight to the fact that the claimant had responded to all other questions under Article 15 GDPR. It had provided copies of the business reports in which access had occurred, enabling the defendant to understand how his personal data had been processed and shared. It had also provided an overview of categories of recipients. The Court found that the defendant had not been deprived of all relevant information.
Turning to the claimant’s interests, the Court held that it had a sufficiently weighty interest in protecting the confidentiality of its business information. Disclosure of the customer database created a real risk of competitive harm. The defendant’s argument that the claimant should assess confidentiality for each individual recipient was rejected. The case concerned protection of the customer database as a whole, not the position of individual third parties.
On the basis of this balancing exercise, the Court concluded that restricting access to protect trade secrets and competitive interests was necessary and proportionate within the meaning of Article 23 GDPR and Article 41(1)(i) of the GDPR Implementation Act. The Court set aside the lower court’s decision insofar as it required disclosure of a complete list of recipients and dismissed the defendant’s claim on that point.
Practical implications
Although European case law interprets the right of access to recipients under Article 15 GDPR broadly, this judgment shows that in specific circumstances the right may be limited to protect business interests. Where an access request effectively requires disclosure of a customer database, the right of access may be restricted.
The organisation responding to the request must still answer all other Article 15 questions correctly and transparently. It must also be able to substantiate that disclosure would cause genuine harm if the names of recipients were revealed. The data subject must always receive sufficient information about the processing to exercise their other GDPR rights effectively.
Greater transparency in criminal case files: the Public Prosecution Service must look beyond name and address details
In this judgment, the Administrative Jurisdiction Division of the Council of State considered the concept of personal data in the context of an access request relating to criminal procedural data and examined the scope of the Public Prosecution Service’s access obligation under the Police and Judicial Data Act.
What happened in this case?
The appellants asked the Board of Procurators General, the governing body of the Public Prosecution Service, for access to the criminal procedural data processed about them. They sought to verify whether their personal data had been processed lawfully and accurately.
The Board ultimately provided an inventory list with general descriptions of document types and documents containing their personal data. Many parts of the documents were redacted because they largely contained personal data relating to third parties. At first instance, the District Court of The Hague held that sufficient access had been granted and that the redacted information did not constitute the appellants’ personal data.
The Division’s assessment
The Division first clarified the applicable legal framework. It held that the District Court had incorrectly assessed the case under both the Police and Judicial Data Act and the GDPR. The GDPR does not apply to the processing of personal data for the purposes of criminal investigation and prosecution. Such processing falls outside Article 2(2)(d) GDPR and within the scope of Directive (EU) 2016/680, implemented in the Netherlands in the Police and Judicial Data Act. That Act therefore forms the correct legal framework.
The Division then addressed the scope of the concept of personal data under the Police and Judicial Data Act. The appellants argued that the Board had interpreted this concept too narrowly by limiting disclosure to name and address details. In their view, it also included contextual information, charges, descriptions and investigation names linked to them.
The Division agreed. Referring to the Court of Justice’s Nowak judgment, it confirmed that the concept of personal data must be interpreted broadly. It may include subjective and contextual information, provided it relates to a person by reason of its content, purpose or effect. For the sake of consistent interpretation of EU law concepts, this broad understanding also applies under the Police and Judicial Data Act.
On that basis, the Division held that an indictment against a person constitutes personal data, that an investigation name linked to a person also qualifies as personal data, and that providing only name and address details does not enable a person to exercise their rights effectively. The District Court had therefore applied an unduly restrictive interpretation.
The Division also found that the inventory list provided by the Board lacked sufficient detail. A bare list of document types and numbers does not allow a person to verify which personal data are being processed, for what purpose and whether the processing is lawful. The appeal was upheld and the contested decision was annulled. The Board must adopt a new decision granting access to all personal data of the appellants and supplement the inventory list accordingly.
Practical implications
This judgment clarifies that the concept of personal data under the Police and Judicial Data Act must be interpreted as broadly as under the GDPR. This expands the scope of the data to which the Public Prosecution Service must grant access upon request. Access requests cannot be handled with minimal disclosure. Transparency is the starting point, unless overriding interests demonstrably justify a restriction.
Would you like to read more case law? View last month’s privacy case law blog.
