Rb. Midden-Nederland – UTR 25/2541

4 February 2026

Jruw:

{{COURTdecisionBOX

|Case_Number_Name=UTR 25/2541
|ECLI=ECLI:NL:RBMNE:2026:70

|Date_Decided=14.01.2026
|Date_Published=02.02.2026
|Year=2026

|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=

|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=

|Initial_Contributor=jruw
|
}}

A data subject appeals access request response by Ministry of Justice and Security for missing departments/employee titles of recipients, why data was shared and whited out information.

== English Summary ==

=== Facts ===
The data subject filed an access request to the National Coordinator for Counterterrorism and Security (NCTV). The Ministry of Justice is the controller for the NCTV. The data subject got a response to their access request from the Ministry of Justice and Security. The data subject received an overview of their personal data per process. It included the goal for which data was processed, the source and with whom it was shared. The data subject received an explanation of the context of the processed data. The data subject also received some copies of documents that were partly whited out. The data subject appealed the decision. They believe more detail should be given such as names or departments of the organisations their data was shared with, why data was shared internationally and they disputed whether the whited out information was legitimately whited out.

=== Holding ===
The court found that the information received by the data subject was sufficient. The information why data was shared internationally has to do with the legitimacy of the processing. The legitimacy of processing is not included in [[article 15 GDPR]]. [[Article 15 GDPR]] holds that information must make it possible for the data subject to use his GDPR rights. The personal data must be reproduced accurately and completely. The court held that the data subject is now able to contest the legitimacy of the data sharing by using his GDPR rights.

The court referred to [[CJEU – C-154/21 – Österreichische Post (Information regarding the recipients of personal data)]], for the amount of detail on the recipients. It found that the controller must make know the recipients of personal data, unless it is impossible to identify them. The GDPR definition [[Article 4 GDPR#(9) Recipient|Article 4 GDPR]] of recipient is ‘a natural person or legal person, a public authority, agency or another body’. The Ministry has named the legal persons/public authorities. The case law does not require information such as departments, names or job titles to be given. The court also found support for this argument in the decision of the RvS, the Highest General Administrative Court of the NL: ECLI:NL:RVS:2025:2316.

Last but not least, the personal data of the data subject was named in e-mail conversations. The emails were exchanged after a request for information from a municipality. Municipalities may request information about trends, phenomena, or developments seen in their municipality by the National Coordinator for Counterterrorism and Security. The data subject’s name came up in an internal email conversation. The data subject has received whited out versions of the emails. They wonder if their personal data were shared with this municipality, as it was not listed in the recipients, but was mentioned in the emails. The court reviewed the whited out information and confirmed the personal data of the data subject were not shared with or by the municipality. Their personal data did come up in an internal email exchange as a result of the request for information from this municipality.

The court holds that the Ministry of Justice fulfilled its obligations following [[Article 15 GDPR#3]]

== Comment ==
”Share your comments here!”

== Further Resources ==
”Share blogs or news articles here!”

== English Machine Translation of the Decision ==
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

<pre>
Authority
Central Netherlands District Court
Date of judgment
January 14, 2026
Date of publication
February 2, 2026
Case number
UTR 25/2541
Areas of law
Administrative law
Specific characteristics
First instance – multiple
Content indication
GDPR access request to NCTV. With the overview provided and the partially redacted documents, the Minister has provided all the information that enables the claimant to exercise his rights under the GDPR. There is no need for the Minister to further specify the recipients by department or official. Appeal dismissed.

Sources
Rechtspraak.nl
Enriched judgment
Judgment
COURT OF MIDDEN-NEDERLAND
Heading location: Utrecht

Administrative law

Case number: UTR 25/2541

Judgment of the multi-judge chamber of January 14, 2026, in the case between
[claimant], from [place], claimant

and

the Minister of Justice and Security

Summary
1. In this judgment, the court assesses the claimant’s appeal against the partial granting of his request for access to his personal data as referred to in Article 15 of the General Data Protection Regulation (GDPR). The request concerns his personal data processed by the National Coordinator for Security and Counterterrorism (NCTV). The claimant believes that the Minister has provided insufficient information about the (context of the) processing of that personal data. To this end, he raises several grounds for appeal. Based on these grounds, the court assesses the partial rejection of the application.

1.1.
In this ruling, the court finds that the insight provided by the Minister into the processing of the plaintiff’s personal data by the NCTV meets the requirements of Article 15 of the GDPR. The plaintiff is therefore wrong, and the appeal is therefore unfounded. Below, the court explains how it reached this conclusion and its consequences.

Procedural history
2. The plaintiff submitted a request for access to his personal data processed by the NCTV. The Minister partially granted this request in a decision dated November 7, 2023. In the contested decision of September 30, 2024, in response to the plaintiff’s objection, the Minister upheld that decision.

2.1.
The plaintiff filed an appeal against the contested decision.

2.2.
On January 28, 2025, the Minister submitted the procedural documents. Invoking Article 8:29 of the General Administrative Law Act (Awb), the Minister stated that only the administrative court may examine some of these documents. The administrative court acts as if the restriction of examination is justified, as the documents are part of proceedings under the GDPR and are therefore relevant to the case. The plaintiff granted the court permission, as referred to in Article 8:29, paragraph 5, of the Awb, to examine the confidential information during the assessment of this appeal.

2.3.
The Minister filed a statement of defense on November 20, 2025.

2.4.
The court heard the appeal on December 3, 2025. The plaintiff, the plaintiff’s representative, and the Minister’s representatives participated.

Assessment by the court
What did the Minister consider in the contested decision?

3. In the contested decision, the Minister refers to the primary decision because it provides an overview of the claimant’s processed personal data, presented per process. This overview indicates the purpose for which the personal data was processed, to whom the personal data was provided, and the source of the data. A further explanation of the context of the processing was also provided, and the Minister additionally provided partially redacted copies of the underlying documents. In the contested decision, the Minister considers that he has thereby provided (more than) a complete overview of the claimant’s processed personal data in accordance with the GDPR. According to the Minister, all questions the claimant had regarding the context of the processing of this personal data were answered in the primary decision. A list of the specific recipients of the personal data was provided with the primary decision. With this information, the claimant is considered sufficiently capable of exercising his rights under the GDPR. He was informed about the unlawful processing of the claimant’s personal data in the context of process 4. The claimant’s personal data has been removed from the relevant document in the NCTV archive. According to the Minister, the (un)lawfulness of the processing in processes 1, 2, and 3 is not part of the current request for access. If the claimant wishes to object to the storage or further processing of his personal data, other legal remedies are available.
Does the contested decision meet the requirements of Article 15 of the GDPR?

4. The claimant argues that the Minister wrongly failed to grant him full access to the personal data processed in relation to him. According to the claimant, the purpose of the processing is formulated too generally by referring only to the statutory powers and general tasks of the NCTV (National Coordinator for Security and Counterterrorism). The claimant specifically wants to know why his data was processed and shared with third parties in the relevant context. In that sense, the claimant argues that the Minister has not sufficiently answered questions 2 and 4 posed in his application and in the notice of objection (namely (question 2) on what basis the personal data was stored and shared and (question 4) why the personal data was processed, stored, and shared). The claimant also wants clarification as to why his data was shared with foreign authorities. The claimant also believes that too much information has been redacted from the copies. The claimant wants to be able to access everything, with the exception of the personal data of third parties. According to the claimant, the personal data has been processed unlawfully and full access is necessary to exercise his other rights under the GDPR.

Furthermore, the claimant wants to know, for several of the recipients listed in processes 2 and 3, which departments or officials the NCTV data has been shared with. According to the claimant, obtaining this information is necessary because a request for access to these agencies without specifying which departments is involved will not be processed. Finally, the claimant wants to know which municipality submitted the request that led to the processing of his personal data by the NCTV as mentioned in process 4.

5. Regarding the claimant’s first point – that he was not granted full access – the court considers that, pursuant to Article 15 of the GDPR, an applicant has the right to access personal data concerning him and to obtain information about, among other things, the processing purposes and the categories of personal data. A copy of the processed personal data is also provided.1 According to established case law2, the right of access does not mean that an administrative body is obligated to provide a copy of the documents containing those personal data. An administrative body may do so, but may also choose another method of providing the copy of the personal data, provided that the chosen method of provision meets the purpose of Article 15, paragraph 3, of the GDPR. This copy must display all the necessary characteristics to enable the applicant to effectively exercise the rights they derive from the GDPR and must therefore reproduce the personal data completely and faithfully.3 Furthermore, the right of access is not intended to guarantee access to administrative documents; a request for access to documents concerning administrative matters can be submitted under the Open Government Act. The purpose of the right of access is to enable individuals to be informed about the processing of their personal data and to verify its lawfulness.4

5.1
The court does not agree with the claimants’ argument that questions 2 and 4 have not been answered sufficiently. In the primary decision, the overview per process includes a description of the personal data and provides insight into the context in which that personal data was processed. The processing purposes are also listed for each group of processing operations and the organizations with which the personal data was shared. The objection decision further answered the questions regarding the purpose of the processing. Given the case law discussed above, the Minister was satisfied with this. The court does not find it incomprehensible that the claimant would have liked more context regarding the reasons why his personal data was processed, but the grounds for opposing this actually relate to the lawfulness of the processing of those personal data. This is a test that does not fall within the scope of the assessment of the access request. Therefore, the court cannot rule on this. The claimant can have this test (and that of other rights) performed under the GDPR.5

5.2
Insofar as the claimant requests clarification regarding the sharing of his personal data with foreign organizations, the court refers to the preceding considerations. The Minister was entitled to confine himself to stating the purposes of these processing operations and the given context. Furthermore, the lawfulness of this data sharing is not in dispute in these proceedings.

5.3
The court therefore finds that the overview provided by the Minister and the redacted copies of documents provided with it contain all the necessary information to enable the claimant to actually exercise the rights he derives from the GDPR. Furthermore, the Minister has provided further transparency by submitting partially redacted copies. The Minister rightly redacted the copies.

6. Regarding the claimant’s second point – that the recipients of the personal data should have been specified further by department or official – the court considers the following.Article 15, paragraph 1(c), of the GDPR stipulates that the right of access also includes the right to information about “the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations.” The GDPR defines the term “recipient” as “a natural or legal person, a public authority, an agency or another body, whether a third party or not, to whom the personal data are disclosed.”6 In the Österreichische Post judgment, the Court of Justice of the European Union (ECJ) explained that the controller is obliged to communicate the identity of the recipients, unless it is impossible to identify them or it is demonstrated that the requests for access are manifestly unfounded or excessive. In that case, the controller is only required to communicate the categories of recipients.7

6.1
The court finds that, in light of this judgment, the Minister, if able, must name the specific recipients of the processed personal data. The court finds that the Minister also did this by listing the names of the government organizations with which the plaintiff’s personal data was shared. The identity of the recipient was thus revealed to the plaintiff. The Minister did not confine herself to merely mentioning a category of recipients. To illustrate, the court randomly cites “the Tax and Customs Administration” as a specific recipient (making it clear which organization received data), while “the government” is an example of a category of recipients (making it clear only that an organization within this category received data, but not which organization). In this respect, the court follows the distinction also made in the Österreichische Post judgment. In that judgment, the ECJ held that if the names of the specific recipients of the personal data are known, a general category of recipients cannot suffice (in the case of the judgment: advertisers active in mail order and physical retail, IT companies, address brokers, and associations such as charities, NGOs, and political parties). Therefore, the Minister did not do so. The court finds that the judgment does not imply that the Minister, in addition to the name of the receiving agency, should also provide insight into the departments or officials who received the product. The court also finds support for this finding in the ruling of the Division of the Dutch Data Protection Authority of May 21, 2025. The judgment also does not imply that the names of the specific officials must be shared, and the claimant further indicated during the hearing that he is not seeking this information.

6.2
The court understands from the claimant’s statements during the hearing that it is difficult in practice to submit access requests to some of the government agencies listed in the overview without naming the specific departments that received the personal data. However, the claimant has not substantiated that it is impossible to exercise his rights under the GDPR with the information provided to him. In this context, the court finds it relevant that the plaintiff stated during the hearing that he has not yet submitted the documents he received from the NCTV to the relevant government organizations, nor has he reported them to them, even though this could provide clarity to the organizations about the processing of his personal data. While the court understands the plaintiff’s concern about a potential “snowball effect,” this does not in itself mean that the Minister should have provided him with more information. If the plaintiff does not receive answers from the government agencies, he also has the option of indicating which personal data (or part thereof) those agencies received from the NCTV, without submitting the relevant documents. He can also object to or appeal a decision in this regard. In the latter case, he has the option of submitting the NCTV documents as procedural documents with a request for confidentiality pursuant to Article 8:29 of the General Administrative Law Act (Awb). This way, the “snowball effect” the plaintiff fears can be limited.

7. Finally, the court considers the undisclosed name of the municipality that submitted the request leading to the processing mentioned in process 4 as follows. The Minister explained that municipalities have the option to submit a request to the NCTV to clarify certain developments, phenomena, or trends occurring in the municipality in question. According to the Minister, the municipality in question did not include the claimant’s personal data in the request, but internal emails were sent between NCTV employees in response to that request, in which the claimant was mentioned. The claimant requested the court to examine the unedited email exchanges to verify the Minister’s assertion that the claimant was not mentioned in the request.

7.1
The court has examined the confidential documents and finds that the Minister did not submit the relevant request from the municipality. The court was, however, able to examine the unedited email exchanges between the relevant NCTV employees in response to the request. During the hearing, the Minister stated that the application in question did not contain any personal data of the claimant, and the court, given the unedited version of the email exchange that followed, found no reason to doubt this or to request the application. Everything in the confidential documents indicates that the claimant’s name emerged in response to the request from the municipality in question, which pertains to another person or organization. The documents do not show that the claimant’s name or any other personal data of the claimant were shared with the municipality. Therefore, the municipality is not a recipient of this personal data. For these reasons, the court finds that the Minister was right not to disclose the name of the municipality to the claimant. Furthermore, the name of the municipality is not personal data of the claimant, and the email exchange does not indicate that the municipality was the source of the subsequent processing of the claimant’s personal data by the NCTV. These processing operations were communicated to the claimant and a copy was provided. The fact that the Minister himself deemed these processing operations unlawful does not mean that the name of the municipality must subsequently be made public. Conclusion and consequences
8. The appeal is unfounded. This means that the plaintiff is not in the right. Therefore, the plaintiff will not receive a refund of the court fees. He will also not receive reimbursement of his legal costs.

Decision
The court declares the appeal unfounded.
</pre>

VDSS – VDS00089378

KHO – 391/2024