[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ft8QxzmXty8kcR8CbsXKuJ49wf0GX1GGylVb8DgOgoZI":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":24,"category":25,"article_tags":28},"cbbef382-f633-46df-b7af-c91f0fcbf5a7","Rb. Noord-Nederland - 25\u002F2823","rb-noord-nederland-25-2823-af71ac","Created page with \"{{COURTdecisionBOX |Jurisdiction=Netherlands |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Rb. Noord-Nederland |Court_Original_Name=Rechtbank Noord-Nederland |Court_English_Name=District Court Noord-Nederland |Court_With_Country=Rb. Noord-Nederland (Netherlands) |Case_Number_Name=25\u002F2823 |ECLI=ECLI:NL:RBNNE:2026:1495 |Original_Source_Name_1=de Rechtspraak |Original_Source_Link_1=https:\u002F\u002Fuitspraken.rechtspraak.nl\u002Fdetails?id=ECLI:NL:RBNNE:2026:1495&sho...\" New page {{COURTdecisionBOX |Jurisdiction=Netherlands |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Rb. Noord-Nederland |Court_Original_Name=Rechtbank Noord-Nederland |Court_English_Name=District Court Noord-Nederland |Court_With_Country=Rb. Noord-Nederland (Netherlands) |Case_Number_Name=25\u002F2823 |ECLI=ECLI:NL:RBNNE:2026:1495 |Original_Source_Name_1=de Rechtspraak |Original_Source_Link_1=https:\u002F\u002Fuitspraken.rechtspraak.nl\u002Fdetails?id=ECLI:NL:RBNNE:2026:1495&showbutton=true&keyword=avg&idx=2 |Original_Source_Language_1=Dutch |Original_Source_Language__Code_1=NL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code_2= |Date_Decided=17.04.2026 |Date_Published=28.04.2026 |Year=2026 |GDPR_Article_1=Article 15 GDPR |GDPR_Article_Link_1=Article 15 GDPR |GDPR_Article_2= |GDPR_Article_Link_2= |GDPR_Article_3= |GDPR_Article_Link_3= |EU_Law_Name_1= |EU_Law_Link_1= |EU_Law_Name_2= |EU_Law_Link_2= |National_Law_Name_1= |National_Law_Link_1= |National_Law_Name_2= |National_Law_Link_2= |Party_Name_1= |Party_Link_1= |Party_Name_2= |Party_Link_2= |Appeal_From_Body=AP (the Netherlands) |Appeal_From_Case_Number_Name= |Appeal_From_Status= |Appeal_From_Link= |Appeal_To_Body= |Appeal_To_Case_Number_Name= |Appeal_To_Status=Unknown |Appeal_To_Link= |Initial_Contributor=ap | }} A court upheld a data subject’s appeal and ordered the DPA to reevaluate an access request case regarding the data subject’s bankruptcy proceedings. According to the court, the DPA had not balanced the parties’ rights and interests. == English Summary == === Facts === A data subject made an access request to a law firm (the controller), regarding the data it had processed in connection to their bankruptcy proceedings. The controller responded by stating it could not find any information related to the data subject, as it later realised the data subject was not a former client but the opposing party. The controller argued that [[Article 15 GDPR|Article 15 GDPR]] does not oblige it to collect data from the attorney of an opposing party. Finally, the controller argued that it could limit the access request on grounds of attorney-client confidentiality and to protect the rights and freedoms of others. The data subject filed a complaint with the DPA, arguing that the controller had not properly handled their access request. The DPA considered that the controller had not violated the GDPR, and dismissed the case. The data subject appealed the decision to the court, arguing that the DPA had misinterpreted [[Article 15 GDPR|Article 15 GDPR]]. According to the data subject, the DPA had claimed the case fell out of the scope of [[Article 15 GDPR|Article 15 GDPR]], because the data subject could obtain court documents through the court. In addition, the data subject argued that the controller could not refuse the access request completely on duty of confidentiality grounds. === Holding === The court first noted that the data subject was involved in a public bankruptcy proceeding, meaning the data subject needed to know the other parties involved. The court then stated that the DPA should have investigated which rights and freedoms were protected by the restriction on the data subject’s right to access. The rights and freedoms of others are not a valid ground to deny the access request in its entirety [FOOTNOTE]. The court considered that the DPA had not sufficiently investigated the case, as it had not carried out the balancing exercise of the interests involved. This was supported by the fact that the DPA had not clarified which rights and freedoms of others are actually protected by the restriction of the data subject’s right to access. The court upheld the data subject’s appeal, and ordered the DPA to issue a new decision within six weeks. == Comment == ''Share your comments here!'' == Further Resources == ''Share blogs or news articles here!'' == English Machine Translation of the Decision == The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details. Court District Court of Northern Netherlands Date of judgment 17-04-2026 Date of publication 28-04-2026 Case number 25\u002F2823 Areas of law Administrative law Special features First instance - single-judge chamber Summary of content This judgment concerns a complaint filed by the plaintiff with the AP. The plaintiff submitted a request for access to information pursuant to the GDPR to a law firm. Following the response to that request, the plaintiff filed a complaint with the AP. In this judgment, the court concludes that the AP could not reasonably have taken the position that the law firm had not violated the GDPR, because it had a duty of confidentiality. Legal references Regulation (EU) 2016\u002F679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\u002F46\u002FEC (General Data Protection Regulation) Sources Rechtspraak.nl Judgment Court location Groningen Administrative law case number: LEE 25\u002F2823 and (representatives: C. Beckers and J.M.A. Koster). ECLI:NL:RBNNE:2026:1495 DISTRICT COURT OF NORTH NETHERLANDS judgment of the single-judge chamber of 17 April 2026 in the case between [plaintiff], from [place of residence], plaintiff Dutch Data Protection Authority (the DPA), defendant Summary 1.1. 1.2. 1.3. 2.1. 2.2. 2.3. 2.4. 2.5. 2.6. 1. This ruling concerns a complaint filed by the plaintiff with the AP. The plaintiff submitted a request for access to a law firm based on the General Data Protection Regulation (GDPR). Following the response to that request, the plaintiff filed a complaint with the AP. She disagrees with the AP's decision regarding her complaint and puts forward a number of grounds for appeal to that end. Based on these grounds for appeal, the court assesses the plaintiff's appeal. In this ruling, the court concludes that the AP could not reasonably have taken the position that the law firm had not violated the GDPR. The plaintiff is therefore vindicated, and the appeal is well-founded. Below, the court explains how it arrived at this judgment and what consequences this judgment entails. Section 2 describes the course of the proceedings in this case. Section 3 lists the relevant facts and circumstances that led to the contested decision. The court's assessment follows from section 4. In doing so, the court addresses the question of whether the AP could reasonably have taken the position that the law firm did not violate the GDPR. At the end, the court's decision and its consequences are stated. The statutory rules relevant to this case are included in the annex to this ruling. 2. The plaintiff submitted a request to [the law firm] for access to her personal data pursuant to the GDPR. Following the law firm's response to her request, the plaintiff filed a complaint with the AP on 10 February 2025. With the decision of 4 April 2025, the AP concluded that the law firm did not violate the GDPR. Therefore, the AP is not imposing any measure on the law firm. The plaintiff lodged an objection against that decision. With the contested decision of 8 July 2025, the AP declared the plaintiff's objection unfounded. The plaintiff lodged an appeal against the contested decision. The AP responded to the appeal with a statement of defence. The plaintiff responded to this in writing. The court heard the appeal at a hearing on 9 March 2026. The representatives of the AP participated in this. The plaintiff excused herself from the hearing. 3. On 5 February 2025, the plaintiff submitted a request to [the law firm] for access to her personal data as referred to in Article 15 of the GDPR. She requests access to all personal data that the law firm has processed regarding her in the context of her bankruptcy proceedings. Course of proceedings Formation of the contested decision 3.1. 3.2. 3.3. 3.4. 3.5. 3.6. 3.7. On February 6, 2025, the law firm informed the plaintiff in an email that her name is unknown to the firm. In response, the plaintiff further explained her request, including by mentioning a file and underlying clients. On February 7, 2025, the law firm once again informed the plaintiff that it could not find anything regarding the submitted data. On February 10, 2025, the plaintiff filed a complaint with the AP. She argues that there is no substantive response to her request, even though the law firm possesses the file. With the decision of April 4, 2025, the AP decided not to impose any measure on the law firm, because it concluded that the law firm had not violated the GDPR. The plaintiff lodged an objection against that decision. In response to the objection, the AP asked the law firm for a written response to the complaint and the plaintiff's objection. The law firm has put forward a statement of views. In it, the firm states that at the time of contact with the plaintiff, it was unclear who the plaintiff was. According to the firm, it can now be inferred from the plaintiff's objection that the firm assisted a litigant in the past, but Article 15 of the GDPR is not intended to collect information from the lawyer of a former opposing party. The firm also states that, in view of professional secrecy and the duty of confidentiality of lawyers, it neither confirms nor denies the position it held in this matter. This limits the right of access to protect the rights and freedoms of others. When asked, the plaintiff informed the AP that this statement of views does not constitute grounds for withdrawing her notice of objection and that she maintains her objection. With the contested decision of July 8, 2025, the AP declared the plaintiff's objection unfounded, because the law firm did not violate Article 15 of the GDPR. 4.1. 4.1.1. Does the AP misunderstand the scope and operation of Article 15 of the GDPR? 4. The plaintiff argues that the right of access under the GDPR is autonomous and cannot be replaced by civil- procedural access options. The AP misunderstands the scope and operation of Article 15 of the GDPR by stating that it can obtain procedural documents via the court, as a result of which its complaint would not fall under Article 15 of the GDPR. In the contested decision, under point 6, the AP takes the position that, insofar as the plaintiff wishes access to the procedural documents of the bankruptcy proceedings, it can request these from the court that declared the bankruptcy. Therefore, according to the AP, the GDPR complaint is not eligible for granting. At the hearing, the AP explained that point 6 of the contested decision is intended to indicate that the GDPR does not apply to a request by the plaintiff to obtain procedural documents or a public file. 5. In the court's judgment, it appears from point 7 of the contested decision that, according to the AP, Article 15 of the GDPR is applicable insofar as the plaintiff's request and complaint relate to access to her personal data. The fact that the plaintiff could request the procedural documents from the court was therefore not used by the AP as the basis for the judgment that the law firm did not violate Article 15 of the GDPR. The court rules that the AP did not thereby misinterpret the scope of Article 15 of the GDPR. Consequently, this ground of appeal by the plaintiff fails. Could the AP reasonably have taken the position that there was no violation of the GDPR? 6. The plaintiff argues that the law firm demonstrably processed her personal data, in view of the (public) bankruptcy case. Therefore, the AP should have ruled that there was indeed processing of her personal data. In addition, the claimant argues that a controller has an obligation under Article 15, paragraph 1, of the GDPR to inform the data subject about the existence of processing, the categories of personal data, and the purposes. This obligation to inform also applies when (parts of) documents are subject to a duty of confidentiality. This duty of confidentiality is, in fact, not absolute and does not categorically prohibit the disclosure of information. Because the processing of her personal data took place in a public procedure, in which the recipients of her personal data are known, a refusal based on professional secrecy constitutes an unjustified restriction of Article 15 of the GDPR. That article has direct effect, and the effective exercise of rights under that article may not be restricted by the duty of confidentiality. The claimant also argues that the inconsistent attitude of the law firm is contrary to the accountability obligation of Article 5, paragraph 2, of the GDPR and the principle of transparency of Article 12 of the GDPR. The law firm initially stated factually incorrectly that it did not know the plaintiff and only later invoked professional secrecy. Furthermore, the plaintiff argues that the AP conducted insufficient investigation into the actual role of the firm in the bankruptcy and the evident inconsistency in the firm's statements. Assessment by the court 6.1. Because the right of access to personal data is an essential part of the right to privacy, a careful and balanced balancing of interests is required. The AP takes the position that the law firm did not violate the GDPR in responding to the plaintiff's request for access. According to the AP, the right of access under Article 15 of the GDPR is not absolute. Pursuant to Article 23 of the GDPR, Article 41 of the UAVG applies in the Netherlands. Paragraph 1, subparagraph i, of that article stipulates that the controller may waive the right of access for the protection of the data subject or of the rights and freedoms of others. This exception applies to the duty of confidentiality of a lawyer. That duty of confidentiality also extends to the question of whether someone has approached a particular lawyer and, if so, regarding what matters. Because the plaintiff named alleged clients by name in her request, any confirmation or denial by the law firm regarding the processing of her personal data would reveal whether these parties had approached the law firm. Even merely mentioning categories of information would reveal that information. Therefore, the refusal by the law firm was justified to protect the rights of others. In addition, Article 15, paragraph 4, of the GDPR, which stipulates that the right to obtain copies must not prejudice the rights and freedoms of others, applies to the right of access in its entirety.According to the AP, the firm's initial statement that it could find nothing does not alter this. In fact, the documents submitted by the firm show that the firm was initially under the impression that the plaintiff was a former client. When it became known that the plaintiff was not a client but the opposing party, the firm rightly took the position that it could not comply with the request for access due to the duty of confidentiality. The firm could suffice with the statement that it neither confirms nor denies having held a position in this matter. Therefore, there is no violation of Article 5, paragraph 2, or Article 12 of the GDPR. The AP takes the position that it has investigated the plaintiff's complaint to an appropriate degree, as referred to in Article 57, paragraph 1, sub f, of the GDPR. At the hearing, the AP explained that the plaintiff's request concerns the processing of her personal data in the context of her private bankruptcy in the files of the creditors named by her. According to the AP, the plaintiff's request thus relates to the relationship between client and lawyer. A further investigation into the actual role of the law firm in the bankruptcy would not alter the outcome of the investigation, because it does not affect the duty of confidentiality. 7. The court considers that the right of access under Article 15 of the GDPR is not absolute. Pursuant to Article 41, paragraph 1, subparagraph i, of the UAVG, the controller may waive the right of access for the protection of the data subject or of the rights and freedoms of others. 8. The AP requested a statement of views from the law firm. In it, the firm takes the position that professional secrecy and the duty of confidentiality of lawyers mean that no information can be provided. According to the firm, the plaintiff's right of access is thereby restricted to protect the rights and freedoms of others. 9. In the court's opinion, it was incumbent upon the AP to investigate which rights and freedoms of others are protected, according to the law firm, by the restriction of the plaintiff's right of access. In this regard, the court considers that this concerns a public bankruptcy procedure. In such a procedure, a creditor files a bankruptcy petition which is submitted by a lawyer. Furthermore, a supporting claim is required for a bankruptcy. This supporting claim also forms part of the bankruptcy petition. The defendant in a bankruptcy procedure, later the bankrupt, receives that bankruptcy petition and thereby also the name of the creditors and the lawyer or lawyers. This means that the plaintiff cannot help but know who the requesting creditors and the lawyer or lawyers in her bankruptcy procedure were. The assertion that any confirmation or denial by the law firm regarding the processing of her personal data would reveal whether these parties addressed the law firm 14.1. 14.2. the argument that she has become accustomed to this does not apply with regard to these bankruptcy proceedings. 10. Furthermore, the court does not follow the AP in the assertion that the plaintiff's request relates solely to the processing of her data in the files of the creditors she mentioned. After all, the plaintiff's initial request was formulated broadly. The plaintiff specifies several examples of information for which she seeks access, but explicitly states that her request is not limited to the examples mentioned. She also does not mention any names of creditors in this regard. Only in response to the firm's statement that it had been unable to find any information did the plaintiff name several creditors to clarify her request. In the court's opinion, this clarification does not constitute a limitation of her earlier request to merely the files of the mentioned creditors. 11. The Court further considers that it follows from Recital 63 of the preamble to the GDPR that if there is a conflict between, on the one hand, the full exercise of the right of access to personal data and, on the other hand, the rights or freedoms of others, the rights concerned must be weighed against each other. As far as possible, a choice must be made to provide the personal data in a manner that does not prejudice the rights or freedoms of others. In doing so, account must be taken of the fact that these considerations must not lead to the data subject being denied all information.1 12. This means that, in this case, the AP must weigh the plaintiff's interest in knowing whether the law firm is processing her personal data against the rights and freedoms of others which, according to the law firm, are protected by the restriction of the right of access. In the Court's judgment, it does not appear that the AP has made this balancing of interests. This applies all the more since the AP has not made clear which rights and freedoms of others are actually protected by the restriction. In view of what the court has considered above, the AP has conducted insufficient investigation into these rights and freedoms of others. 13. In view of the foregoing, the contested decision is contrary to Article 3:2 and Article 3:46 of the General Administrative Law Act (Awb). Therefore, the court will annul the contested decision. 14. The appeal is well-founded because the contested decision is contrary to Article 3:2 and Article 3:46 of the Awb. The court therefore annuls the contested decision. Applying Article 8:72, paragraph 4, of the General Administrative Law Act, the court orders the AP to take a new decision in accordance with this ruling. The court grants the AP six weeks to do so. Because the appeal is well-founded, the AP must reimburse the court fees to the plaintiff. The plaintiff has not incurred any reimbursable litigation costs. Conclusion and consequences Decision The court: - declares the appeal well-founded; - annuls the decision of July 8, 2025; - orders the AP to take a new decision on the objection within six weeks after the day of dispatch of this ruling, taking into account this ruling; - orders the AP to reimburse the plaintiff the court fee of 194.-. This ruling was made by Mr. A.S. Broere, judge, in the presence of E.D.M. Nijbroek, registrar. Pronounced in public on April 17, 2026. registrar judge A copy of this ruling was sent to the parties on: A party that disagrees with this ruling may send a notice of appeal to the Administrative Jurisdiction Division of the Council of State explaining why this party disagrees with this ruling. The notice of appeal must be submitted within six weeks after the day on which this ruling was sent. If the applicant cannot await the handling of the appeal because the case is urgent, the applicant may request the preliminary relief judge of the Administrative Jurisdiction Division of the Council of State to grant a preliminary injunction (a temporary measure). General Data Protection Regulation Right of access by the data subject 1. The data subject has the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processed and, if so, to obtain access to those personal data and to the following information: Information regarding appeal Appendix: legislation and regulations relevant to this ruling Article 15 a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) where possible, the period during which the personal data are expected to be stored, or if that is not possible, the criteria for determining that period; e) that the data subject has the right to request the controller to rectify or erase personal data, or to restrict the processing of personal data concerning him, as well as the right to object to such processing; f) that the data subject has the right to lodge a complaint with a supervisory authority; 3. The controller shall provide the data subject with a copy of the personal data being processed. If the data subject requests additional copies, the controller may charge a reasonable fee based on administrative costs. Where the data subject submits his request electronically and does not request any other arrangement, the information shall be provided in a commonly used electronic format. 4. The right to obtain a copy referred to in paragraph 3 shall not prejudice the rights and freedoms of others. 1. The scope of the obligations and rights referred to in Articles 12 to 22 and Article 34, as well as in Article 5, may, insofar as the provisions of those Articles correspond to the rights and obligations referred to in Articles 12 to 20, be limited by means of provisions of Union law or Member State law applicable to the controller or processor, provided that such limitation does not affect the essential content of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society for the safeguarding of: a) national security; b) national defence; c) public safety; d) the prevention, investigation, detection and prosecution of criminal offences or the execution of sentences, including protection against and prevention of dangers to public safety; e) other important objectives of general interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and fiscal matters, public health and social security; f) the protection of the independence of the judiciary and judicial proceedings; g) the prevention, investigation, detection and prosecution of breaches of the codes of conduct for regulated professions; h) a task in the field of supervision, inspection or regulation which is related, even if only incidentally, to the exercise of public authority in the cases referred to in points (a) to (e) and (g); i) the protection of the person concerned or of the rights and freedoms of others; Article 23 Limitations j) the recovery of civil claims.2. The statutory measures referred to in paragraph 1 shall contain, in particular, specific provisions regarding, where appropriate, at least: a) the purposes of the processing or of the categories of processing, b) the categories of personal data, c) the scope of the restrictions introduced, d) the safeguards to prevent abuse or unlawful access or transmission, e) the specification of the controller or the categories of controllers, f) the retention periods and the applicable safeguards, taking into account the nature, scope and purposes of the processing or of the categories of processing, g) the risks to the rights and freedoms of the data subjects, and h) the right of data subjects to be informed of the restriction, unless this would impair the purpose of the restriction. 1. Without prejudice to other tasks established under this Regulation, each supervisory authority shall perform the following tasks within its territory: (.) f) it shall handle complaints from data subjects, or from bodies, organisations or associations in accordance with Article 80, investigate the substance of the complaint to the extent appropriate and inform the complainant within a reasonable time of the progress and result of the investigation, in particular if further investigation or coordination with another supervisory authority is necessary; 1. Without prejudice to other possibilities of administrative appeal or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State where he habitually resides, has his workplace or where the alleged infringement has taken place, if he considers that the processing of personal data concerning him infringes this Regulation. 2. The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and outcome of the complaint, as well as of any possible remedy in accordance with Article 78. General Data Protection Regulation Implementation Act Article 41. Exceptions to rights of the data subject and obligations of the controller 1. The controller may waive the obligations and rights referred to in Articles 12 to 21 and Article 34 of the Regulation insofar as this is necessary and proportionate to safeguard: a. national security; b. national defence; Article 57 Tasks Article 77 Right to lodge a complaint with a supervisory authority 1 c. public safety; d. the prevention, investigation, detection and prosecution of criminal offences or the execution of sentences, including protection against and prevention of dangers to public safety; e. other important objectives of general interest of the European Union or of the Netherlands, in particular an important economic or financial interest of the European Union or of the Netherlands, including monetary, budgetary and fiscal matters, public health and social security; f. the protection of the independence of the judiciary and judicial proceedings; g. the prevention, investigation, detection and prosecution of breaches of professional codes for regulated professions; h. a task in the field of supervision, inspection or regulation which is related, even if only incidentally, to the exercise of public authority in the cases referred to in parts a, b, c, d, e and g; i. the protection of the data subject or of the rights and freedoms of others; or j. the collection of civil claims. 2. When applying the first paragraph, the controller shall take into account, in any event, where applicable: a. the purposes of the processing or of the categories of processing; b. the categories of personal data; c. the scope of the restrictions introduced; d. safeguards to prevent abuse or unlawful access or transmission; e. the specification of the controller or the categories of controllers; f. the storage periods and the applicable safeguards, taking into account the nature, scope and purposes of the processing or categories of processing; g. the risks to the rights and freedoms of the data subjects; and h. the right of data subjects to be informed of the restriction, unless this could prejudice the purpose of the restriction. Compare the judgment of the Administrative Jurisdiction Division of the Council of State of 5 November 2025, ECLI:NL:RVS:2025:5323, paragraph 5.4.","A Dutch court upheld a data subject's appeal, ordering the DPA to reevaluate an access request case related to bankruptcy proceedings. The court found that the DPA had not adequately balanced the rights and interests of the parties involved when dismissing the data subject's complaint against a law firm. The DPA must now issue a new decision within six weeks.","Dutch court orders DPA to reevaluate access request case, citing insufficient balancing of interests.","Help Rb. Noord-Nederland - 25\u002F2823: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 14:16, 29 May 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators661 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 14:16, 29 May 2026 Rb. Noord-Nederland - 25\u002F2823 Court: Rb. Noord-Nederland (Netherlands) Jurisdiction: Netherlands Relevant Law: Article 15 GDPR Decided: 17.04.2026 Published: 28.04.2026 Parties: National Case Number\u002FName: 25\u002F2823 European Case Law Identifier: ECLI:NL:RBNNE:2026:1495 Appeal from: AP (the Netherlands) Appeal to: Unknown Original Language(s): Dutch Original Source: de Rechtspraak (in Dutch) Initial Contributor: ap A court upheld a data subject’s appeal and ordered the DPA to reevaluate an access request case regarding the data subject’s bankruptcy proceedings. According to the court, the DPA had not balanced the parties’ rights and interests. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts A data subject made an access request to a law firm (the controller), regarding the data it had processed in connection to their bankruptcy proceedings. The controller responded by stating it could not find any information related to the data subject, as it later realised the data subject was not a former client but the opposing party. The controller argued that Article 15 GDPR does not oblige it to collect data from the attorney of an opposing party. Finally, the controller argued that it could limit the access request on grounds of attorney-client confidentiality and to protect the rights and freedoms of others. The data subject filed a complaint with the DPA, arguing that the controller had not properly handled their access request. The DPA considered that the controller had not violated the GDPR, and dismissed the case. The data subject appealed the decision to the court, arguing that the DPA had misinterpreted Article 15 GDPR. According to the data subject, the DPA had claimed the case fell out of the scope of Article 15 GDPR, because the data subject could obtain court documents through the court. In addition, the data subject argued that the controller could not refuse the access request completely on duty of confidentiality grounds. Holding The court first noted that the data subject was involved in a public bankruptcy proceeding, meaning the data subject needed to know the other parties involved. The court then stated that the DPA should have investigated which rights and freedoms were protected by the restriction on the data subject’s right to access. The rights and freedoms of others are not a valid ground to deny the access request in its entirety [FOOTNOTE]. The court considered that the DPA had not sufficiently investigated the case, as it had not carried out the balancing exercise of the interests involved. This was supported by the fact that the DPA had not clarified which rights and freedoms of others are actually protected by the restriction of the data subject’s right to access. The court upheld the data subject’s appeal, and ordered the DPA to issue a new decision within six weeks. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details. Court District Court of Northern Netherlands Date of judgment 17-04-2026 Date of publication 28-04-2026 Case number 25\u002F2823 Areas of law Administrative law Special features First instance - single-judge chamber Summary of content This judgment concerns a complaint filed by the plaintiff with the AP. The plaintiff submitted a request for access to information pursuant to the GDPR to a law firm. Following the response to that request, the plaintiff filed a complaint with the AP. In this judgment, the court concludes that the AP could not reasonably have taken the position that the law firm had not violated the GDPR, because it had a duty of confidentiality. Legal references Regulation (EU) 2016\u002F679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\u002F46\u002FEC (General Data Protection Regulation) Sources Rechtspraak.nl Judgment Court location Groningen Administrative law case number: LEE 25\u002F2823 and (representatives: C. Beckers and J.M.A. Koster). ECLI:NL:RBNNE:2026:1495 DISTRICT COURT OF NORTH NETHERLANDS judgment of the single-judge chamber of 17 April 2026 in the case between [plaintiff], from [place of residence], plaintiff Dutch Data Protection Authority (the DPA), defendant Summary 1.1. 1.2. 1.3. 2.1. 2.2. 2.3. 2.4. 2.5. 2.6. 1. This ruling concerns a complaint filed by the plaintiff with the AP. The plaintiff submitted a request for access to a law firm based on the General Data Protection Regulation (GDPR). Following the response to that request, the plaintiff filed a complaint with the AP. She disagrees with the AP's decision regarding her complaint and puts forward a number of grounds for appeal to that end. Based on these grounds for appeal, the court assesses the plaintiff's appeal. In this ruling, the court concludes that the AP could not reasonably have taken the position that the law firm had not violated the GDPR. The plaintiff is therefore vindicated, and the appeal is well-founded. Below, the court explains how it arrived at this judgment and what consequences this judgment entails. Section 2 describes the course of the proceedings in this case. Section 3 lists the relevant facts and circumstances that led to the contested decision. The court's assessment follows from section 4. In doing so, the court addresses the question of whether the AP could reasonably have taken the position that the law firm did not violate the GDPR. At the end, the court's decision and its consequences are stated. The statutory rules relevant to this case are included in the annex to this ruling. 2. The plaintiff submitted a request to [the law firm] for access to her personal data pursuant to the GDPR. Following the law firm's response to her request, the plaintiff filed a complaint with the AP on 10 February 2025. With the decision of 4 April 2025, the AP concluded that the law firm did not violate the GDPR. Therefore, the AP is not imposing any measure on the law firm. The plaintiff lodged an objection against that decision. With the contested decision of 8 July 2025, the AP declared the plaintiff's objection unfounded. The plaintiff lodged an appeal against the contested decision. The AP responded to the appeal with a statement of defence. The plaintiff responded to this in writing. The court heard the appeal at a hearing on 9 March 2026. The representatives of the AP participated in this. The plaintiff excused herself from the hearing. 3. On 5 February 2025, the plaintiff submitted a request to [the law firm] for access to her personal data as referred to in Article 15 of the GDPR. She requests access to all personal data that the law firm has processed regarding her in the context of her bankruptcy proceedings. Course of proceedings Formation of the contested decision 3.1. 3.2. 3.3. 3.4. 3.5. 3.6. 3.7. On February 6, 2025, the law firm informed the plaintiff in an email that her name is unknown to the firm. In response, the plaintiff further explained her request, including by mentioning a file and underlying clients. On February 7, 2025, the law firm once again informed the plaintiff that it could not find anything regarding the submitted data. On February 10, 2025, the plaintiff filed a complaint with the AP. She argues that there is no substantive response to her request, even though the law firm possesses the fi","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Rb._Noord-Nederland_-_25\u002F2823&diff=51770&oldid=0","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F4\u002F4c\u002FCourts_logo1.png","2026-05-29T14:16:48+00:00","2026-05-29T16:00:14.040455+00:00",7,[18,21],{"name":19,"type":20},"Dutch Data Protection Authority","vendor",{"name":22,"type":23},"GDPR","technology","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":24,"icon":26,"name":22,"slug":27},null,"gdpr",[29,34,39],{"category":30},{"id":31,"icon":26,"name":32,"slug":33},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":35},{"id":36,"icon":26,"name":37,"slug":38},"614132b8-5837-4952-b8b5-c6c9a32a1d85","Privacy","privacy",{"category":40},{"id":41,"icon":26,"name":42,"slug":43},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",[]]