Greetings from Holland.
Now that the first GDPR storm has blown over, we have also seen the first court cases here in Holland. As you may know, the Dutch love their money, so it is no surprise that several Dutch have tried their chances in court to be forgotten in the Central Debt Register … and failed.
The Dutch are also known for their pragmatism. So, it should also not be a surprise that the Dutch District Courts have produced some very pragmatic and useful guidance this summer with regard to the application of the GDPR, especially on the topic of accountability.
The first case that warrants our attention was a case where an employer – claiming obligations under the GDPR – refused to provide personal data to a judicial officer (which, in Holland, is a court-appointed private company), who had requested information about an employee in order to execute a court order. The employer, probably afraid of a data breach, insisted on verifying the court order first; the judicial officer refused to cooperate, pointing to the legal obligation to provide the data in the Code of Civil Procedure. The court decided in favor of the judicial officer, also pointing to the trust mechanisms that surround the profession of the judicial officer, such as disciplinary measures. In other words, the GDPR does not require a controller to verify the competency of the party requesting the data if there is a legal obligation to disclose the data. Misuse of powers would be the problem of the party requesting the data, not of the disclosing party acting in good faith.