Anisuzmeyan: Created page with “{{COURTdecisionBOX |Jurisdiction=Netherlands |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Rb. Midden-Nederland |Court_Original_Name=Rechtbank Midden-Nederland |Court_English_Name=District Court Midden-Nederland |Court_With_Country=Rb. Midden-Nederland (Netherlands) |Case_Number_Name=UTR 23/4785 |ECLI=ECLI:NL:RBMNE:2024:7801 |Original_Source_Name_1=Rechtspraak.nl |Original_Source_Link_1=https://uitspraken.rechtspraak.nl/details?id=ECLI:NL:RBMNE:2024:…”
|Jurisdiction=Netherlands
|Court-BG-Color=
|Courtlogo=Courts_logo1.png
|Court_Abbrevation=Rb. Midden-Nederland
|Court_Original_Name=Rechtbank Midden-Nederland
|Court_English_Name=District Court Midden-Nederland
|Court_With_Country=Rb. Midden-Nederland (Netherlands)
|Case_Number_Name=UTR 23/4785
|ECLI=ECLI:NL:RBMNE:2024:7801
|Original_Source_Name_1=Rechtspraak.nl
|Original_Source_Link_1=https://uitspraken.rechtspraak.nl/details?id=ECLI:NL:RBMNE:2024:7801&showbutton=true&keyword=avg&idx=5
|Original_Source_Language_1=Dutch
|Original_Source_Language__Code_1=NL
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Date_Decided=31.12.2024
|Date_Published=04.02.2026
|Year=2024
|GDPR_Article_1=Article 86 GDPR
|GDPR_Article_Link_1=Article 86 GDPR
|GDPR_Article_2=
|GDPR_Article_Link_2=
|GDPR_Article_3=
|GDPR_Article_Link_3=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=Article 5(1) Woo
|National_Law_Link_1=https://wetten.overheid.nl/BWBR0045754/2022-05-01/0
|National_Law_Name_2=
|National_Law_Link_2=
|National_Law_Name_3=
|National_Law_Link_3=
|Party_Name_1=Claimant
|Party_Link_1=
|Party_Name_2=Dutch Data Protection Authority (AP)
|Party_Link_2=https://www.autoriteitpersoonsgegevens.nl/
|Party_Name_3=
|Party_Link_3=
|Party_Name_4=
|Party_Link_4=
|Appeal_From_Body=AP (The Netherlands)
|Appeal_From_Case_Number_Name=
|Appeal_From_Status=
|Appeal_From_Link=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Not appealed
|Appeal_To_Link=
|Initial_Contributor=Anias
|
}}
Data subject appealed AP’s decision after the municipality published his address online. Court upheld AP, finding national law consistent with [[Article 86 GDPR|Article 86 GDPR]] in balancing public access and privacy. AP was ordered to pay the procedural costs.
== English Summary ==
=== Facts ===
The data subject filed an access request for his personal data related to a legal dispute. The municipality of Utrecht (“controller”) published the data online, including the addresses of the data subject and his neighbours. The data subject lodged a complaint with the Dutch Data Protection Authority (AP) on 24 July 2021.
Following the complaint, the controller removed some of the personal data, making the infringement of privacy minor. The AP concluded that there was no violation of the GDPR and emphasized that the controller had discretion under Article 5(1) of the Woo (Wet open overheid) to disclose information contained in public documents.
The data subject appealed the AP’s decision on both procedural and substantive grounds. While the initial claim concerned the AP’s failure to decide on time, he also raised legal arguments, including that the authority had not investigated sufficiently, that the publication of address data violated the GDPR, and that the AP should have conducted an independent GDPR assessment separate from the Woo framework.
=== Holding ===
The appeal was found manifestly inadmissible, and the court issued its judgment without a hearing.
The court pointed out that the matter at hand had already been decided in a previous judgment (ECLI:NL:RBMNE:2023:6538). That case, decided under the Woo, had already balanced privacy interests against the public interest in transparency, concluding that disclosure of the address data was lawful.
In the present case, the court declined to re-examine the issue because the data subject requested the same balancing to be repeated under the GDPR, without introducing any new facts or legal grounds. As the Woo is recognised as applicable national law under [[Article 86 GDPR|Article 86 GDPR]], the previous assessment sufficed. The AP was therefore entitled to rely on the prior Woo-based judgments, and no separate GDPR investigation was required.
The court ordered the AP to pay the €437,50 procedural costs because the AP had issued the decision too late.
== Comment ==
”Share your comments here!”
== Further Resources ==
”Share blogs or news articles here!”
== English Machine Translation of the Decision ==
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
<pre>
ECLI:NL:RBMNE:2024:7801
Share judgment
Authority
Central Netherlands District Court
Date of judgment
December 31, 2024
Publication date
February 4, 2026
Case number
UTR 23/4785
Areas of law
Administrative law
Specific characteristics
First instance – single-judge
Content indication
The Dutch Data Protection Authority has conducted an appropriate investigation.
References
Rechtspraak.nl
Enriched judgment
Judgment
Court of Central Netherlands District Court
Administrative law
Case number: UTR 23/4785
Judgment of the single-judge chamber of December 31, 2024, in the case between
[plaintiff], plaintiff
(attorney: DAS, Mr. M.M. Breukers),
and
Dutch Data Protection Authority
(attorney: Mr. O.S. Nijveld).
Introduction
1. In this judgment, the court rules on the plaintiff’s appeal against the contested decision of the Dutch Data Protection Authority (DPA) of September 14, 2023.
1.1.
Because the appeal is manifestly inadmissible with regard to the failure to decide on time and manifestly unfounded in all other respects, the court will issue a judgment without a hearing. Article 8:54 of the General Administrative Law Act (Awb) allows for this.
Decision by the court
2. On July 24, 2021, the plaintiff reported a data breach to the DPA. In this report, he stated that the municipality of Utrecht had posted documents online regarding a legal dispute, while the plaintiff had requested that the documents be sent only to him. The plaintiff’s complaint included address data.
3. On January 25, 2023, the DPA decided not to process the complaint (any further). Regarding the municipality’s refusal to remove address data, the DPA sees no clear violation of the General Data Protection Regulation (GDPR). She points out the considerations the municipality itself must make regarding whether or not to disclose (personal) data and the scope it has for doing so within the context of the Open Government Act. The claimant has the opportunity to defend itself against disclosure in the relevant proceedings.
4. In the contested decision, the Dutch Data Protection Authority maintained this assessment. Certain data have since been deleted, so remedial action is not reasonable. The Dutch Data Protection Authority considers the potential privacy infringement, which has since been resolved, to be relatively minor. Other data are still subject to ongoing legal proceedings. These proceedings will assess the balancing of the interests of protecting personal privacy against the importance of public access. The Dutch Data Protection Authority reiterates that, after appropriate investigation, it cannot determine that there has been a (clear) violation of the GDPR for which it is required to take enforcement action. 5. By notice of appeal dated September 8, 2023, received by the District Court of The Hague on September 12, 2023, the plaintiff appealed against the failure to issue a timely decision on the objection of March 4, 2023. Regarding the decision of September 14, 2023, the plaintiff believes that the Dutch Data Protection Authority should have conducted a further investigation because it cannot rule out a violation of the GDPR. It should have assessed whether the Municipality of Utrecht, under the known circumstances, violated the GDPR by publishing the address details of the plaintiff’s property and those of its neighbors online. This, in addition to considerations regarding the application of the Woo (Woo), is an independent authority of the Dutch Data Protection Authority.
6. In the court’s opinion, the plaintiff cannot achieve what he seeks with his appeal, namely that the publication of his address details or those of his neighbors is considered unlawful. For the (then) pending cases, the Dutch Data Protection Authority rightly refers to the judgments issued and subsequently issued in the objection and appeal procedures regarding the balancing of the interests of publicity and the interests of protecting personal data. On December 5, 2023, this court ruled that the address data could be disclosed.1 This ruling was upheld by the Administrative Jurisdiction Division of the Council of State.2 The court subsequently upheld this ruling.3 The plaintiff’s appeal was subsequently declared inadmissible because the Division had already ruled that the address data of the plaintiff’s property and surrounding properties could be disclosed in documents concerning the same legal dispute.4
7. Given the (at the time) ongoing proceedings before the municipality and judicial authorities concerning this dispute, the Dutch Data Protection Authority (DPA) correctly took the position that it had conducted an appropriate investigation regarding the plaintiff’s report. While some data had been deleted at the time, pending the proceedings on the merits, following the ruling of December 5, 2022 (ECLI:NL:RBMNE:2022:5670) referred to by the plaintiff, this interim measure has lapsed and is substantively outdated, given the final judgment in that case and others. This therefore does not constitute grounds for the DPA to conduct further investigation.
8. The Dutch Data Protection Authority was entitled to refer to its established procedure, as established in established case law. Partly in the context of the rulings in the Woo proceedings, the Dutch Data Protection Authority rightly took the position that an appropriate investigation had been conducted. The assessment of whether disclosure of the address was permitted was made in those legal cases, and the Dutch Data Protection Authority was entitled to refer to the rulings in the relevant proceedings.
9. The court disagrees with the plaintiff’s position that the Dutch Data Protection Authority should have independently assessed, after a more thorough investigation, whether the Municipality of Utrecht violated the GDPR. The court considers this and the relationship between the Woo and the GDPR as follows.
10. The Woo regulates the manner in which access to public information is provided. When applying this law, the government must make the relevant information public. In doing so, the relevant government body will also process personal data in some cases. Article 86 of the GDPR also takes this into account. This article stipulates that personal data in official documents held by an administrative body may be made public by the administrative body in question, in accordance with Union or Member State law applicable to the public body. This is to align the public’s right of access to official documents with the right to protection of personal data under this Regulation (the GDPR).
The Woo (and previously the Government Information (Public Access) Act) is an example of national law of the Member State referred to in Article 86 of the GDPR. It strikes a balance between the public access to information and the protection of privacy, as reflected in the exceptions in Article 5.1 of the Woo. The assessment made in the Woo cases also concluded that there was no processing of personal data contrary to the GDPR.
Therefore, the fact that the municipality violated the GDPR by publishing the address details of the plaintiff’s property and neighboring properties online is not relevant. The Dutch Data Protection Authority was not required to conduct any further investigation into this matter. 11. In view of the foregoing, the appeal is manifestly unfounded.
12. The appeal began with the appeal against the failure to make a timely decision. The claimant no longer has an interest in a ruling on this matter, as the Dutch Data Protection Authority issued a substantive decision shortly thereafter. This appeal is therefore inadmissible.
The Dutch Data Protection Authority has acknowledged that it decided the objection too late. The appeal was therefore properly filed. Therefore, the court will order the Dutch Data Protection Authority to pay the costs of the proceedings. These are the costs associated with filing the notice of appeal (1 point), €875 per point, with a weighting factor of 0.5.
Decision
The court
– declares the appeal against the failure to make a timely decision inadmissible;
– declares the remainder of the appeal unfounded;
– orders the Dutch Data Protection Authority to pay the claimant’s costs of the proceedings, amounting to €437.50.
This judgment was rendered by Mr. B. Fijnheer, judge, in the presence of Mr. L.M. Janssens-Kleijn, court clerk. This judgment was pronounced in open court on December 31, 2024.
court clerk
judge
A copy of this judgment was sent to the parties on:
Information about objections
If the parties disagree with this judgment, they can submit a notice of objection to the court explaining why they disagree. The notice of objection must be filed within six weeks of the date on which this judgment was sent. If the parties would like a hearing to explain the notice of objection, they must indicate this in the notice of objection.
1 ECLI:NL:RBMNE:2023:6538
2 UiECLI:NL:RVS::2024:2046
3 Judgment of April 11, 2024; ECLI:NL:RBMNE:2024:2451
4 Judgment of October 15, 2014; ECLI:NL:RVS:2024:5327 (202402553/3/A3)
</pre>