RvS - 202305323/1/A3: Difference between revisions

RvS - 202305323/1/A3
Court:	RvS (Netherlands)
Jurisdiction:	Netherlands
Relevant Law:	Article 9(1) GDPR Article 12(6) GDPR Article 17 GDPR Article 82 GDPR
Decided:	28.05.2025
Published:	28.05.2025
Parties:	Minister of Health, Welfare, and Sport Appellant A Appelant B
National Case Number/Name:	202305323/1/A3
European Case Law Identifier:	ECLI:NL:RVS:2025:2468
Appeal from:	RBNH (Netherlands) ECLI:NL:RBNHO:2023:8912, 22-2413 & 22-2369
Appeal to:	Unknown
Original Language(s):	Dutch
Original Source:	ECLI:NL:RVS:2025:2468 (in Dutch)
Initial Contributor:	Eleonora van Koppen

The Council of State upheld the decision that the Minister could dismiss a request for deletion of data related to COVID-19 if the data subjects do not identify themselves through the provided options.

English Summary

Facts

In 2021, two data subjects requested the deletion of their personal data related to their Covid-19 vaccination records and Covid-19 personal data held at the National Institute of Public Health and the Environment (hereinafter RIVM). The controller, the Minister of Public Health, Welfare and Sport, provided two options to confirm their identity: by sending either a scan of their passport or by physically identifying themselves before the Ministry. The data subjects did not use either option and the controller subsequently rejected their requests.

The data subjects filed a complaint before the court of first instance. The court ruled that the minister was justified in dismissing the objections as unfounded. It ruled that the minister was entitled to disregard the requests on the ground that the identity of the persons concerned could not be established. Plus, while the Covid-19 measures were still in effect, deletion of the vaccination data would make it impossible for an individual to prove that they where vaccinated via the government application for Covid-19.

The data subjects appeal the decision of the court of first instance before the Council of State.

The data subjects argued that the identification options given by the minister were unreasonable since by sharing a copy of their passports they incurred many risks. Second, physical identification at the Ministry r unreasonably burdens the data subject. Third, they proposed the alternative to be identified with the last three digits of their BSN, combined with telephone verification.

Holding

First, the court stated that the controller should take all reasonable measures to verify the identity of a data subject who requests access (Recital 64 GDPR) and therefore the measures proposed by the minister valid, especially considering that they are special category of personal data (Article 9(1) GDPR).

Second, the court disagreed with the data subject that the proposed identification method was effective. The proposed method entailed verification through the last digits of the data subject's BSN and mobile phone verification. The court agreed with the controller that the alternative means of identification provided substantive certainty of their identity.

Third, the court decided that the controller provided reasonable identification options for the data subject. Based on Article 12(6) and Recital 64, the controller should take reasonable measures to identify the data subject. If there is a reason to doubt the identity of the data subject, the controller is allowed to request further provision of information from data subjects. However, the controller can request further information regardless of whether he has doubts about the identity of the data subject because the controller must take all reasonable measures to verify the identity of the data subject. Previous case law (ECLI:NL:RVS:2020:2833) has determined that options for identification were reasonable in light of the data subject's rights.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

ECLI:NL:RVS:2025:2468
Share judgment
Instance
Council of State
Date of judgment
28-05-2025
Date of publication
28-05-2025
Case number
202305323/1/A3
Areas of law
Administrative law
Special characteristics
Appeal
Content indication
By decisions of 7 December 2021, the Minister of Health, Welfare and Sport dismissed the requests for erasure of personal data of [appellants] on the basis of Article 17 of the General Data Protection Regulation. By letters of 31 May 2021, [appellants] requested the Minister to erase their Covid-19 vaccination data and Covid-19 personal data held by the National Institute for Public Health and the Environment. The Minister dismissed the requests in the decisions of 7 December 2021 because [appellants] refused to identify themselves in a manner requested by the Minister, namely by sending a copy of their passport or identifying themselves in person at the RIVM office. The court ruled that the Minister was right to declare the objections unfounded. According to the court, the Minister was allowed to dismiss the requests on the grounds that the identity of the persons concerned could not be established.

Sources
Rechtspraak.nl
Verrijkte decision
Judgment
202305323/1/A3.

Date of judgment: 28 May 2025

DIVISION

ADMINISTRATIVE LAW

Judgment on the appeal of:

[appellant A] and [appellant B], residing in [place of residence],

appellants,

against the judgment of the Noord-Holland District Court of 4 July 2023 in cases nos. 22/2413 and 22/2369 in the proceedings between:

[appellants]

and

the Minister of Health, Welfare and Sport.

Procedural history

By decisions of 7 December 2021, the Minister dismissed the requests for erasure of personal data of [appellants] on the basis of Article 17 of the General Data Protection Regulation (hereinafter: GDPR).

By decision of 21 March 2022, the Minister declared the objection lodged against it by [appellant B] to be unfounded.

By decision of 4 April 2022, the Minister declared the objection lodged against it by [appellant A] to be unfounded.

By judgment of 4 July 2023, the court declared the appeals lodged against it by [appellants] to be unfounded and dismissed the requests for compensation.

[Appellants] appealed against this judgment and requested the Division for compensation.

The Minister provided a written explanation.

The Minister submitted a further document.

[Appellants] submitted a further document.

The Division heard the case at a hearing on 24 February 2025, at which [appellants], represented by Mr I. Brouwer, lawyer in Amsterdam, and the Minister, represented by Mr R. Kroes, assisted by Mr E.E. Schaake and Mr S. Moll, appeared.

Considerations

Legal framework

1. The legal framework is included in the appendix to this judgment.

Introduction

2. By letters dated 31 May 2021, [appellants] requested the Minister to erase their Covid-19 vaccination data and Covid-19 personal data held by the National Institute for Public Health and the Environment (hereinafter: RIVM). The Minister dismissed the requests by decisions of 7 December 2021 because [appellants] refused to identify themselves in a manner requested by the Minister, namely by sending a copy of their passport or identifying themselves in person at the RIVM office.

Judgment of the court

3. The court ruled that the Minister was right to declare the objections unfounded. According to the court, the Minister was allowed to dismiss the requests on the grounds that the identity of the persons concerned could not be established. To this end, the court considered that this concerns medical data, which are special personal data as referred to in Article 9, paragraph 1, of the GDPR. Furthermore, according to the court, the consequences of deleting this data could be significant, because the corona measures were still in effect at the time of the decision of 7 December 2021. Deleting the vaccination data would mean that a data subject would no longer be able to demonstrate via the corona app that he has been vaccinated. In addition, the court considered that it is plausible that the alternative proposed by [appellants], in which they provide the last three digits of their BSN, in combination with a telephone verification code, does not provide the same degree of certainty as the methods proposed by the minister.

Appeal

4. [appellants] argue that the court wrongly declared the appeals unfounded.

They argue that the minister was not allowed to ask for additional information, because the minister did not doubt their identity.

They also argue that the court ignored the fact that there are major objections to sending a copy of a passport. The passport can be forged or misused by third parties. In addition, administrative bodies are sensitive to data leaks. According to [appellants], the alternatives they have proposed are safer, because no new documents containing their personal data can enter into circulation.

According to [appellants], the proposed alternative of identifying themselves in person is also very onerous. The location mentioned by the Minister is too far away, too cumbersome to reach by public transport, and the journey there is also too expensive. The Minister has also not proposed any other safe alternatives, such as a check via DigiD or with secondary security questions.

Assessment of the appeal

5. Recital 64 of the GDPR states that the controller must take all reasonable measures to verify the identity of a data subject who requests access. If there is reason to doubt the identity, additional information may be requested, as follows from Article 12, paragraph 6, of the GDPR.

5.1. [Appellants]'s argument that the Minister was not allowed to request additional information because he did not doubt their identity lacks a factual basis. The Minister's request was not a request for additional information. The Minister must take all reasonable measures to establish the identity of the applicant. This means that the Minister was first allowed to request a copy of their passport. Any doubts about the identity of the applicant did not play a role in this.

5.2. As the Division previously considered, the administrative body in principle has discretionary power with regard to the manner in which it establishes the identity of the applicant. Providing a certified and authorised copy of a valid identity document is considered a reasonable measure to verify identity. This guarantees a proper establishment of identity without prejudice to the right of the persons concerned to freely contact the Minister. Compare the judgment of 9 December 2020, ECLI:NL:RVS:2020:2833, under 5.1 and 5.2.

5.3. In this case, this means that the Minister was allowed to determine the manner in which he establishes the identity of the applicant. The Minister offered [appellants] two ways to establish their identity. In view of the aforementioned case law, it does not appear that the two options given by the Minister are unreasonably onerous.

5.4. What [appellants] have stated on appeal about the proposed alternative for establishing identity is virtually a repetition of what they stated on appeal. The court has responded to that ground with reasons. [appellants] have not provided any reasons why the reasoned assessment of the ground in the contested judgment would be incorrect or incomplete. The Division agrees with the judgment of the court and with the consideration included under 7, on which that judgment is based. At the hearing before the Division, the Minister explained that since 11 May 2022, it has been possible to submit a request for erasure via DigiD. That is after the decision of 21 March 2022. The Minister could therefore not yet offer that possibility at the time of the decision.

5.5. The foregoing means that the Minister was entitled to take the position that he had not been able to establish the identity of the applicants. The court therefore correctly ruled that the minister was allowed to dismiss the requests and correctly declared the objections unfounded.

The argument fails.

Conclusion

6. The appeal is unfounded. The contested judgment must be confirmed. [appellants] also requested compensation. It follows from the confirmation of the court's judgment that none of the circumstances listed in article 8:88, first paragraph, of the General Administrative Law Act apply on the basis of which a judgment to pay compensation can be pronounced. There is also no infringement as referred to in article 82 of the GDPR. The request will therefore be rejected.

7. The minister does not have to reimburse any legal costs.

Decision

The Administrative Law Division of the Council of State:

I. confirms the contested judgment;

II. rejects the request for compensation.

Thus established by Mr. C.J. Borman, chairman, and Mr. J. Schipper-Spanninga and Mr. C.M. Exchanges, members, in the presence of Mr. T. Hartsuiker, clerk.

w.g. Borman

chairman

w.g. Hartsuiker

clerk

Pronounced in public on 28 May 2025

620-1114

ANNEX

Legal framework

General Data Protection Regulation

Recital 64

The controller must take all reasonable steps, in particular with regard to online services and online identifiers, to verify the identity of a data subject requesting access. A controller may not retain personal data solely for the purpose of responding to any requests.

Article 12, paragraph 6

Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request additional information necessary to confirm the identity of the data subject.

Article 17, paragraph 1

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

Article 82, first paragraph

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.