Rb. Noord-Nederland - 25/2823

Summary

A Dutch court upheld a data subject's appeal, ordering the DPA to reevaluate an access request case related to bankruptcy proceedings. The court found that the DPA had not adequately balanced the rights and interests of the parties involved when dismissing the data subject's complaint against a law firm. The DPA must now issue a new decision within six weeks.

Full text

Help Rb. Noord-Nederland - 25/2823: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 14:16, 29 May 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators661 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 14:16, 29 May 2026 Rb. Noord-Nederland - 25/2823 Court: Rb. Noord-Nederland (Netherlands) Jurisdiction: Netherlands Relevant Law: Article 15 GDPR Decided: 17.04.2026 Published: 28.04.2026 Parties: National Case Number/Name: 25/2823 European Case Law Identifier: ECLI:NL:RBNNE:2026:1495 Appeal from: AP (the Netherlands) Appeal to: Unknown Original Language(s): Dutch Original Source: de Rechtspraak (in Dutch) Initial Contributor: ap A court upheld a data subject’s appeal and ordered the DPA to reevaluate an access request case regarding the data subject’s bankruptcy proceedings. According to the court, the DPA had not balanced the parties’ rights and interests. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts A data subject made an access request to a law firm (the controller), regarding the data it had processed in connection to their bankruptcy proceedings. The controller responded by stating it could not find any information related to the data subject, as it later realised the data subject was not a former client but the opposing party. The controller argued that Article 15 GDPR does not oblige it to collect data from the attorney of an opposing party. Finally, the controller argued that it could limit the access request on grounds of attorney-client confidentiality and to protect the rights and freedoms of others. The data subject filed a complaint with the DPA, arguing that the controller had not properly handled their access request. The DPA considered that the controller had not violated the GDPR, and dismissed the case. The data subject appealed the decision to the court, arguing that the DPA had misinterpreted Article 15 GDPR. According to the data subject, the DPA had claimed the case fell out of the scope of Article 15 GDPR, because the data subject could obtain court documents through the court. In addition, the data subject argued that the controller could not refuse the access request completely on duty of confidentiality grounds. Holding The court first noted that the data subject was involved in a public bankruptcy proceeding, meaning the data subject needed to know the other parties involved. The court then stated that the DPA should have investigated which rights and freedoms were protected by the restriction on the data subject’s right to access. The rights and freedoms of others are not a valid ground to deny the access request in its entirety [FOOTNOTE]. The court considered that the DPA had not sufficiently investigated the case, as it had not carried out the balancing exercise of the interests involved. This was supported by the fact that the DPA had not clarified which rights and freedoms of others are actually protected by the restriction of the data subject’s right to access. The court upheld the data subject’s appeal, and ordered the DPA to issue a new decision within six weeks. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details. Court District Court of Northern Netherlands Date of judgment 17-04-2026 Date of publication 28-04-2026 Case number 25/2823 Areas of law Administrative law Special features First instance - single-judge chamber Summary of content This judgment concerns a complaint filed by the plaintiff with the AP. The plaintiff submitted a request for access to information pursuant to the GDPR to a law firm. Following the response to that request, the plaintiff filed a complaint with the AP. In this judgment, the court concludes that the AP could not reasonably have taken the position that the law firm had not violated the GDPR, because it had a duty of confidentiality. Legal references Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) Sources Rechtspraak.nl Judgment Court location Groningen Administrative law case number: LEE 25/2823 and (representatives: C. Beckers and J.M.A. Koster). ECLI:NL:RBNNE:2026:1495 DISTRICT COURT OF NORTH NETHERLANDS judgment of the single-judge chamber of 17 April 2026 in the case between [plaintiff], from [place of residence], plaintiff Dutch Data Protection Authority (the DPA), defendant Summary 1.1. 1.2. 1.3. 2.1. 2.2. 2.3. 2.4. 2.5. 2.6. 1. This ruling concerns a complaint filed by the plaintiff with the AP. The plaintiff submitted a request for access to a law firm based on the General Data Protection Regulation (GDPR). Following the response to that request, the plaintiff filed a complaint with the AP. She disagrees with the AP's decision regarding her complaint and puts forward a number of grounds for appeal to that end. Based on these grounds for appeal, the court assesses the plaintiff's appeal. In this ruling, the court concludes that the AP could not reasonably have taken the position that the law firm had not violated the GDPR. The plaintiff is therefore vindicated, and the appeal is well-founded. Below, the court explains how it arrived at this judgment and what consequences this judgment entails. Section 2 describes the course of the proceedings in this case. Section 3 lists the relevant facts and circumstances that led to the contested decision. The court's assessment follows from section 4. In doing so, the court addresses the question of whether the AP could reasonably have taken the position that the law firm did not violate the GDPR. At the end, the court's decision and its consequences are stated. The statutory rules relevant to this case are included in the annex to this ruling. 2. The plaintiff submitted a request to [the law firm] for access to her personal data pursuant to the GDPR. Following the law firm's response to her request, the plaintiff filed a complaint with the AP on 10 February 2025. With the decision of 4 April 2025, the AP concluded that the law firm did not violate the GDPR. Therefore, the AP is not imposing any measure on the law firm. The plaintiff lodged an objection against that decision. With the contested decision of 8 July 2025, the AP declared the plaintiff's objection unfounded. The plaintiff lodged an appeal against the contested decision. The AP responded to the appeal with a statement of defence. The plaintiff responded to this in writing. The court heard the appeal at a hearing on 9 March 2026. The representatives of the AP participated in this. The plaintiff excused herself from the hearing. 3. On 5 February 2025, the plaintiff submitted a request to [the law firm] for access to her personal data as referred to in Article 15 of the GDPR. She requests access to all personal data that the law firm has processed regarding her in the context of her bankruptcy proceedings. Course of proceedings Formation of the contested decision 3.1. 3.2. 3.3. 3.4. 3.5. 3.6. 3.7. On February 6, 2025, the law firm informed the plaintiff in an email that her name is unknown to the firm. In response, the plaintiff further explained her request, including by mentioning a file and underlying clients. On February 7, 2025, the law firm once again informed the plaintiff that it could not find anything regarding the submitted data. On February 10, 2025, the plaintiff filed a complaint with the AP. She argues that there is no substantive response to her request, even though the law firm possesses the fi

Entities