[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fqWAM5KmmHrDFDRPkNxe7CTgLcdaNIfIk62eZpNHQNPU":3},{"article":4,"iocs":31},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":18,"category":19,"article_tags":23},"cccfce60-e808-4a55-90a2-67f50c4ff03d","Rb. Noord-Nederland - 25\u002F2823","rb-noord-nederland-25-2823-b69c9d","← Older revision Revision as of 14:24, 29 May 2026 Line 47: Line 47: |Party_Link_2= |Party_Link_2= |Appeal_From_Body=AP (the Netherlands) |Appeal_From_Body=AP (The Netherlands) |Appeal_From_Case_Number_Name= |Appeal_From_Case_Number_Name= |Appeal_From_Status= |Appeal_From_Status= Line 65: Line 65: === Facts === === Facts === A data subject made an access request to a law firm (the controller), regarding the data it had processed in connection to their bankruptcy proceedings. The controller responded by stating it could not find any information related to the data subject, as it later realised the data subject was not a former client but the opposing party. The controller argued that [[Article 15 GDPR|Article 15 GDPR]] does not oblige it to collect data from the attorney of an opposing party. Finally, the controller argued that it could limit the access request on grounds of attorney-client confidentiality and to protect the rights and freedoms of others. The data subject filed a complaint with the DPA, arguing that the controller had not properly handled their access request. The DPA considered that the controller had not violated the GDPR, and dismissed the case. A data subject made an access request to a law firm (the controller), regarding the data it had processed in connection to their bankruptcy proceedings. The controller responded by stating it could not find any information related to the data subject, as it later realised the data subject was not a former client but the opposing party. The controller argued that [[Article 15 GDPR]] does not oblige it to collect data from the attorney of an opposing party. Finally, the controller argued that it could limit the access request on grounds of attorney-client confidentiality and to protect the rights and freedoms of others. The data subject filed a complaint with the DPA, arguing that the controller had not properly handled their access request. The DPA considered that the controller had not violated the GDPR, and dismissed the case. The data subject appealed the decision to the court, arguing that the DPA had misinterpreted [[Article 15 GDPR|Article 15 GDPR]]. According to the data subject, the DPA had claimed the case fell out of the scope of [[Article 15 GDPR|Article 15 GDPR]], because the data subject could obtain court documents through the court. In addition, the data subject argued that the controller could not refuse the access request completely on duty of confidentiality grounds. The data subject appealed the decision to the court, arguing that the DPA had misinterpreted [[Article 15 GDPR]]. According to the data subject, the DPA had claimed the case fell out of the scope of [[Article 15 GDPR]], because the data subject could obtain court documents through the court. In addition, the data subject argued that the controller could not refuse the access request completely on duty of confidentiality grounds. === Holding === === Holding === The court first noted that the data subject was involved in a public bankruptcy proceeding, meaning the data subject needed to know the other parties involved. The court then stated that the DPA should have investigated which rights and freedoms were protected by the restriction on the data subject’s right to access. The rights and freedoms of others are not a valid ground to deny the access request in its entirety [FOOTNOTE]. The court considered that the DPA had not sufficiently investigated the case, as it had not carried out the balancing exercise of the interests involved. This was supported by the fact that the DPA had not clarified which rights and freedoms of others are actually protected by the restriction of the data subject’s right to access. The court first noted that the data subject was involved in a public bankruptcy proceeding, meaning the data subject needed to know the other parties involved. The court then stated that the DPA should have investigated which rights and freedoms were protected by the restriction on the data subject’s right to access. The rights and freedoms of others are not a valid ground to deny the access request in its entirety. See the ruling of the Administrative Law Division of the Council of State dated November 5, 2025, ECLI:NL:RVS:2025:5323, margin. 5.4. The court considered that the DPA had not sufficiently investigated the case, as it had not carried out the balancing exercise of the interests involved. This was supported by the fact that the DPA had not clarified which rights and freedoms of others are actually protected by the restriction of the data subject’s right to access. The court upheld the data subject’s appeal, and ordered the DPA to issue a new decision within six weeks. The court upheld the data subject’s appeal, and ordered the DPA to issue a new decision within six weeks.","A data subject requested access to their data from a law firm related to bankruptcy proceedings, but the firm denied the request. The DPA dismissed the case, but the data subject appealed, arguing misinterpretation of Article 15 GDPR. The court upheld the appeal, stating the DPA should have investigated which rights and freedoms were protected by restricting access.","Dutch court ruled DPA insufficiently investigated a GDPR access request denial.","Help Rb. Noord-Nederland - 25\u002F2823: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 14:16, 29 May 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators661 edits Tag: submission [1.0] Latest revision as of 14:24, 29 May 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators661 editsmTag: Visual edit Line 47: Line 47: |Party_Link_2=|Party_Link_2= |Appeal_From_Body=AP (the Netherlands)|Appeal_From_Body=AP (The Netherlands) |Appeal_From_Case_Number_Name=|Appeal_From_Case_Number_Name= |Appeal_From_Status=|Appeal_From_Status= Line 65: Line 65: === Facts ====== Facts === A data subject made an access request to a law firm (the controller), regarding the data it had processed in connection to their bankruptcy proceedings. The controller responded by stating it could not find any information related to the data subject, as it later realised the data subject was not a former client but the opposing party. The controller argued that [[Article 15 GDPR|Article 15 GDPR]] does not oblige it to collect data from the attorney of an opposing party. Finally, the controller argued that it could limit the access request on grounds of attorney-client confidentiality and to protect the rights and freedoms of others. The data subject filed a complaint with the DPA, arguing that the controller had not properly handled their access request. The DPA considered that the controller had not violated the GDPR, and dismissed the case. A data subject made an access request to a law firm (the controller), regarding the data it had processed in connection to their bankruptcy proceedings. The controller responded by stating it could not find any information related to the data subject, as it later realised the data subject was not a former client but the opposing party. The controller argued that [[Article 15 GDPR]] does not oblige it to collect data from the attorney of an opposing party. Finally, the controller argued that it could limit the access request on grounds of attorney-client confidentiality and to protect the rights and freedoms of others. The data subject filed a complaint with the DPA, arguing that the controller had not properly handled their access request. The DPA considered that the controller had not violated the GDPR, and dismissed the case. The data subject appealed the decision to the court, arguing that the DPA had misinterpreted [[Article 15 GDPR|Article 15 GDPR]]. According to the data subject, the DPA had claimed the case fell out of the scope of [[Article 15 GDPR|Article 15 GDPR]], because the data subject could obtain court documents through the court. In addition, the data subject argued that the controller could not refuse the access request completely on duty of confidentiality grounds.The data subject appealed the decision to the court, arguing that the DPA had misinterpreted [[Article 15 GDPR]]. According to the data subject, the DPA had claimed the case fell out of the scope of [[Article 15 GDPR]], because the data subject could obtain court documents through the court. In addition, the data subject argued that the controller could not refuse the access request completely on duty of confidentiality grounds. === Holding ====== Holding === The court first noted that the data subject was involved in a public bankruptcy proceeding, meaning the data subject needed to know the other parties involved. The court then stated that the DPA should have investigated which rights and freedoms were protected by the restriction on the data subject’s right to access. The rights and freedoms of others are not a valid ground to deny the access request in its entirety [FOOTNOTE]. The court considered that the DPA had not sufficiently investigated the case, as it had not carried out the balancing exercise of the interests involved. This was supported by the fact that the DPA had not clarified which rights and freedoms of others are actually protected by the restriction of the data subject’s right to access. The court first noted that the data subject was involved in a public bankruptcy proceeding, meaning the data subject needed to know the other parties involved. The court then stated that the DPA should have investigated which rights and freedoms were protected by the restriction on the data subject’s right to access. The rights and freedoms of others are not a valid ground to deny the access request in its entirety.\u003Cref>See the ruling of the Administrative Law Division of the Council of State dated November 5, 2025, ECLI:NL:RVS:2025:5323, margin. 5.4.\u003C\u002Fref> The court considered that the DPA had not sufficiently investigated the case, as it had not carried out the balancing exercise of the interests involved. This was supported by the fact that the DPA had not clarified which rights and freedoms of others are actually protected by the restriction of the data subject’s right to access. The court upheld the data subject’s appeal, and ordered the DPA to issue a new decision within six weeks.The court upheld the data subject’s appeal, and ordered the DPA to issue a new decision within six weeks. Latest revision as of 14:24, 29 May 2026 Rb. Noord-Nederland - 25\u002F2823 Court: Rb. Noord-Nederland (Netherlands) Jurisdiction: Netherlands Relevant Law: Article 15 GDPR Decided: 17.04.2026 Published: 28.04.2026 Parties: National Case Number\u002FName: 25\u002F2823 European Case Law Identifier: ECLI:NL:RBNNE:2026:1495 Appeal from: AP (The Netherlands) Appeal to: Unknown Original Language(s): Dutch Original Source: de Rechtspraak (in Dutch) Initial Contributor: ap A court upheld a data subject’s appeal and ordered the DPA to reevaluate an access request case regarding the data subject’s bankruptcy proceedings. According to the court, the DPA had not balanced the parties’ rights and interests. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts A data subject made an access request to a law firm (the controller), regarding the data it had processed in connection to their bankruptcy proceedings. The controller responded by stating it could not find any information related to the data subject, as it later realised the data subject was not a former client but the opposing party. The controller argued that Article 15 GDPR does not oblige it to collect data from the attorney of an opposing party. Finally, the controller argued that it could limit the access request on grounds of attorney-client confidentiality and to protect the rights and freedoms of others. The data subject filed a complaint with the DPA, arguing that the controller had not properly handled their access request. The DPA considered that the controller had not violated the GDPR, and dismissed the case. The data subject appealed the decision to the court, arguing that the DPA had misinterpreted Article 15 GDPR. According to the data subject, the DPA had claimed the case fell out of the scope of Article 15 GDPR, because the data subject could obtain court documents through the court. In addition, the data subject argued that the controller could not refuse the access request completely on duty of confidentiality grounds. Holding The court first noted that the data subject was involved in a public bankruptcy proceeding, meaning the data subject needed to know the other parties involved. The court then stated that the DPA should have investigated which rights and freedoms were protected by the restriction on the data subject’s right to access. The rights and freedoms of others are not a valid ground to deny the access request in its entirety.[1] The court considered that the DPA had not sufficiently investigated the case, as it had not carried out the balancing exercise of the interests involved. This was supported by the fact that the DPA had not clarified which rights and freed","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Rb._Noord-Nederland_-_25\u002F2823&diff=51771&oldid=51770","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F4\u002F4c\u002FCourts_logo1.png","2026-05-29T14:24:28+00:00","2026-05-29T16:00:14.040455+00:00",7,[],"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":18,"icon":20,"name":21,"slug":22},null,"GDPR","gdpr",[24,26],{"category":25},{"id":18,"icon":20,"name":21,"slug":22},{"category":27},{"id":28,"icon":20,"name":29,"slug":30},"614132b8-5837-4952-b8b5-c6c9a32a1d85","Privacy","privacy",[]]