Back to Feed
GDPRJun 30, 2026

Rb. Den Haag - C/09/689833

Dutch court upholds data subjects' access requests against online gambling companies.

Summary

A Dutch court ruled that online gambling companies Kindred Group PLC and Risepoint Limited must comply with data subjects' requests for access to their transaction data. The companies argued the requests were abusive, as data subjects intended to use the information in legal actions. However, the court found the requests were not abusive under GDPR Article 12(5), stating data subjects do not need to justify their requests and controllers cannot refuse access solely because it serves a purpose other than verifying data processing.

Full text

Help Rb. Den Haag - C/09/689833: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 11:42, 30 June 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators704 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 11:42, 30 June 2026 Rb. Den Haag - C/09/689833 Court: Rb. Den Haag (Netherlands) Jurisdiction: Netherlands Relevant Law: Article 4(7) GDPR Article 12(5) GDPR Article 15 GDPR Article 15(4) GDPR Article 23 GDPR Decided: 27.05.2026 Published: 24.06.2026 Parties: Kindred Group PLC Risepoint Limited National Case Number/Name: C/09/689833 European Case Law Identifier: ECLI:NL:RBDHA:2026:15919 Appeal from: Appeal to: Unknown Original Language(s): Dutch Original Source: de Rechtspraak (in Dutch) Initial Contributor: ap A court upheld several data subjects’ request for access against two online gambling companies. The court stated that the companies could not refuse to provide access solely on grounds that the data subjects could use the information against them in court. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Kindred Group PLC and Risepoint Limited (the controllers) are companies that provide online gambling products. Several companies within Kindred Group PLC (Risepoint was initially in this group) offered online gambling products before a national law requiring a license entered into force. In response, several lawsuits were filed before courts regarding the validity of the gambling agreements between players and unlicensed online gambling providers. Several data subjects later requested access (Article 15 GDPR, or in the alternative, the right to portability under Article 20 GDPR) to the controller to receive information on specific transaction data and the types of games they participated in. The data subjects did not receive access and brought a claim to the court. The data subjects requested the court to hold both companies liable (jointly or separately) The court initially dismissed the claim based on the code of civil procedure, but allowed the data subjects to amend their arguments regarding the GDPR. Both companies argued that they were not controllers, and that the requests made by the data subjects were abusive. According to the companies, the data subjects requested access for the sole purpose of bringing legal actions against them. Finally, the companies argued that they did not have the obligation to comply with the requests under Article 15(4) GDPR. Holding The court first clarified that both Kindred Group PLC and Risepoint Limited were controllers. Kindred Group PLC argued that it did not exercise any decisive influence over the purpose and means of processing. The court took into consideration the functional definition of “controller” under Article 4(7) GDPR and CJEU case law, rather than a formal definition [FOOTNOTE 1]. The court found that Kindred Group PLC was a controller for access made between May and October 2024, but not for requests made after October 2024. This is because Kindred had a unified privacy policy for companies under its group, and answered the access request from an email address containing its name. However, after October 2024, Risepoint was no longer a part of the group, and the data from Kindred had been transferred to Risepoint. The court then dismissed the controllers’ arguments, and stated that the access requests were not abusive under Article 12(5) GDPR. Under Article 12(5) GDPR, a controller may refuse a request for access if it is manifestly unfounded or excessive. However, the CJEU has clarified that a data subject does not need to justify an access request, and a controller cannot refuse a request for access on the sole ground that it serves a purpose other than obtaining information about the processing of personal data and verifying its lawfulness [FOOTNOTE 2]. In any case, the court stated that the controller bears the burden in proving that a request is manifestly unfounded or excessive. Similarly, the controllers could not rely on Article 15(4) GDPR to refuse the data subjects’ requests. The court stated that the controllers’ interest in not granting information that data subjects could use against them in court is not recognised under EU law as a basis to refuse access. While the GDPR allows for national law to restrict specific rights under Article 23 GDPR, the court stated that the restriction must be necessary and proportionate. This, however, does not apply for hypothetical situations. The court upheld the data subjects’ claim, and ordered the controllers to provide them with a copy of their transaction data. The court specified that the controllers had the obligation to provide a complete copy, in accordance with CJEU case law [FOOTNOTE 3]. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details. Judgments A portion of all judicial decisions is published on rechtspraak.nl. This is done pseudonymously. Found search terms (1) Turn off highlighting GDPR This judgment has been pseudonymized in accordance with the pseudonymisation directive ECLI:NL:RBDHA:2026:15919 Share judgment Institution District Court of The Hague Date of judgment 27-05-2026 Date of publication 24-06-2026 Case number C/09/689833 Areas of law European civil law Special features First instance - single-judge chamber Content indication GDPR; right of access; controller. Art. 4 paragraph 7 GDPR, Art. 15 GDPR, Art. 23 GDPR. The court partially grants the requests for access because there is no abuse of rights and the defendants cannot invoke the grounds for refusal mentioned in the GDPR. Sources Rechtspraak.nl Enriched judgment Judgment DISTRICT COURT The Hague Commercial Team Case number: C/09/689833 / HA ZA 25-699 Judgment of 27 May 2026 in the case of 1 . [claimant 1] in [place of residence 1] , 2. [claimant 2] in [place of residence 2] , 3. [claimant 3] in [place of residence 3] , 4. [claimant 4] in [place of residence 4] , 5. [claimant 5] in [place of residence 5] , 6. [claimant 6] in [place of residence 6] , 7. [claimant 7] in [place of residence 7] , 8. [claimant 8] in [place of residence 8] , 9. [claimant 9] in [place of residence 8] , 10. [claimant 10] in [place of residence 9] , 11. [claimant 11] in [place of residence 10] , claimants, attorney: mr. B.Z. Loonstein, against 1 KINDRED GROUP PLC in Valetta (Malta), attorney: Mr. R.E. van Schaik, 2. RISEPOINT LIMITED in Birkirkara (Malta), attorney: Mr. J.G. Reus defendants. 1 In brief: what is this case about? 1.1. In these proceedings, the plaintiffs seek that the court order the defendants, pursuant to the GDPR1, to grant each of them access to transaction data relating to the Unibet online gambling games in which they participated. The defendants refuse the plaintiffs access to this data because they believe that the plaintiffs are abusing their right of access; in any case, the defendants believe that they are entitled to refuse access because the plaintiffs are seeking access for a purpose other than that for which the right of access is intended. 1.2. In this judgment, the court partially grants the plaintiffs' claims, because there is no abuse of rights and the defendants cannot invoke the grounds for refusal mentioned in the GDPR. 2 The proceedings 2.1. These proceedings were initiated by a petition. In short, this petition contained a request for the provision of certain transaction data by Kindred and Risepoint to the plaintiffs, primarily on the basis of the GDPR and the UAVG2 and subsidiarily on the basis of Article 195 in conjunction with Article 194 of the Code of Civil Procedure (Rv); an oral hearing took place on 19 June 20

Entities

Kindred Group PLC (vendor)Risepoint Limited (vendor)