Rb. Den Haag - C/09/689833
Dutch court rules Kindred Group and Risepoint must provide data access to users.
Summary
A Dutch court has ruled that Kindred Group PLC and Risepoint Limited are controllers under GDPR and must provide data access to users who requested information about their transaction data and game participation. The companies had argued they were not controllers and that the requests were abusive, but the court found these arguments invalid, citing CJEU case law.
Full text
Help Rb. Den Haag - C/09/689833: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 11:42, 30 June 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators704 edits Tag: submission [1.0] Latest revision as of 11:46, 30 June 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators704 editsmTag: Visual edit Line 77: Line 77: === Facts ====== Facts === Kindred Group PLC and Risepoint Limited (the controllers) are companies that provide online gambling products. Several companies within Kindred Group PLC (Risepoint was initially in this group) offered online gambling products before a national law requiring a license entered into force. In response, several lawsuits were filed before courts regarding the validity of the gambling agreements between players and unlicensed online gambling providers. Several data subjects later requested access (Article 15 GDPR, or in the alternative, the right to portability under [[Article 20 GDPR|Article 20 GDPR]]) to the controller to receive information on specific transaction data and the types of games they participated in. Kindred Group PLC and Risepoint Limited (the controllers) are companies that provide online gambling products. Several companies within Kindred Group PLC (Risepoint was initially in this group) offered online gambling products before a national law requiring a license entered into force. In response, several lawsuits were filed before courts regarding the validity of the gambling agreements between players and unlicensed online gambling providers. Several data subjects later requested access ([[Article 15 GDPR]], or in the alternative, the right to portability under [[Article 20 GDPR]]) to the controller to receive information on specific transaction data and the types of games they participated in. The data subjects did not receive access and brought a claim to the court. The data subjects requested the court to hold both companies liable (jointly or separately) The court initially dismissed the claim based on the code of civil procedure, but allowed the data subjects to amend their arguments regarding the GDPR. Both companies argued that they were not controllers, and that the requests made by the data subjects were abusive. According to the companies, the data subjects requested access for the sole purpose of bringing legal actions against them. Finally, the companies argued that they did not have the obligation to comply with the requests under [[Article 15 GDPR#4|Article 15(4) GDPR]].The data subjects did not receive access and brought a claim to the court. The data subjects requested the court to hold both companies liable (jointly or separately) The court initially dismissed the claim based on the code of civil procedure, but allowed the data subjects to amend their arguments regarding the GDPR. Both companies argued that they were not controllers, and that the requests made by the data subjects were abusive. According to the companies, the data subjects requested access for the sole purpose of bringing legal actions against them. Finally, the companies argued that they did not have the obligation to comply with the requests under [[Article 15 GDPR#4|Article 15(4) GDPR]]. === Holding ====== Holding === The court first clarified that both Kindred Group PLC and Risepoint Limited were controllers. Kindred Group PLC argued that it did not exercise any decisive influence over the purpose and means of processing. The court took into consideration the functional definition of “controller” under [[Article 4 GDPR#7|Article 4(7) GDPR]] and CJEU case law, rather than a formal definition [FOOTNOTE 1]. The court found that Kindred Group PLC was a controller for access made between May and October 2024, but not for requests made after October 2024. This is because Kindred had a unified privacy policy for companies under its group, and answered the access request from an email address containing its name. However, after October 2024, Risepoint was no longer a part of the group, and the data from Kindred had been transferred to Risepoint. The court first clarified that both Kindred Group PLC and Risepoint Limited were controllers. Kindred Group PLC argued that it did not exercise any decisive influence over the purpose and means of processing. The court took into consideration the functional definition of “controller” under [[Article 4 GDPR#7|Article 4(7) GDPR]] and CJEU case law, rather than a formal definition.<ref>See cases C-40/17 ''(Fashion ID''), margin 65; C-210/16 (''Wirtschaftsakademie'' Schleswig-Holstein), margins 26 and 27</ref> The court found that Kindred Group PLC was a controller for access made between May and October 2024, but not for requests made after October 2024. This is because Kindred had a unified privacy policy for companies under its group, and answered the access request from an email address containing its name. However, after October 2024, Risepoint was no longer a part of the group, and the data from Kindred had been transferred to Risepoint. The court then dismissed the controllers’ arguments, and stated that the access requests were not abusive under [[Article 12 GDPR#5|Article 12(5) GDPR]]. Under [[Article 12 GDPR#5|Article 12(5) GDPR]], a controller may refuse a request for access if it is manifestly unfounded or excessive. However, the CJEU has clarified that a data subject does not need to justify an access request, and a controller cannot refuse a request for access on the sole ground that it serves a purpose other than obtaining information about the processing of personal data and verifying its lawfulness [FOOTNOTE 2]. In any case, the court stated that the controller bears the burden in proving that a request is manifestly unfounded or excessive. Similarly, the controllers could not rely on [[Article 15 GDPR#4|Article 15(4) GDPR]] to refuse the data subjects’ requests. The court stated that the controllers’ interest in not granting information that data subjects could use against them in court is not recognised under EU law as a basis to refuse access. While the GDPR allows for national law to restrict specific rights under [[Article 23 GDPR|Article 23 GDPR]], the court stated that the restriction must be necessary and proportionate. This, however, does not apply for hypothetical situations. The court then dismissed the controllers’ arguments, and stated that the access requests were not abusive under [[Article 12 GDPR#5|Article 12(5) GDPR]]. Under [[Article 12 GDPR#5|Article 12(5) GDPR]], a controller may refuse a request for access if it is manifestly unfounded or excessive. However, the CJEU has clarified that a data subject does not need to justify an access request, and a controller cannot refuse a request for access on the sole ground that it serves a purpose other than obtaining information about the processing of personal data and verifying its lawfulness.<ref>See case C-307/22 (''FT/DW''), margin 43</ref> In any case, the court stated that the controller bears the burden in proving that a request is manifestly unfounded or excessive. Similarly, the controllers could not rely on [[Article 15 GDPR#4|Article 15(4) GDPR]] to refuse the data subjects’ requests. The court stated that the controllers’ interest in not granting information that data subjects could use against them in court is not recognised under EU law as a basis to refuse access. While the GDPR allows for national law to restrict specific rights under [[Article 23 GDPR]], the court stated that the restriction must be necessary and proportionate. This, however, does not apply for hypothetical situations. The court upheld the data subjects’ claim, and ordered the controllers to provide them with a copy of their transaction data. The court specified that the controllers had the obligation to provide a complete copy, in accordance with CJEU ca