Access Rights under the Dutch Data Protection Act


Facts of the case

Dexia Bank Nederland N.V (“Dexia”) offered consumers a stock lease plan, called the ‘profit-redoubler’ or ‘winstverdubbelaar’. In this scheme the consumers borrowed money from the bank, which the bank used to buy stock for them. This resulted in profits as long as the rises of stock prices exceeded the interest to be paid for the money borrowed.

In the first year after the introduction of this speculative product the profits were indeed significant and they continued to be, all the time the stock prices on the market went up. However, when the stock markets collapsed in 2000 and 2001, hundreds of thousands of customers suffered losses. Instead of the profits that were promised to them, many customers suddenly came to realise that they owed huge debts to the bank. Naturally, they complained that they had never realised the risks involved and that Dexia should have given better information about the plan and the risks involved.

The matter got a lot of attention from the media, particularly from a consumer television feature on Dutch public television, called TROS Radar. The producers of this feature posted a standard letter for Dexia clients on the programme’s website, which could be used to request an overview of the personal data that were processed by the bank. The legal basis for such a request was the access right laid down in the Dutch Data Protection Act (“Wet Bescherming Persoonsgegevens’).

The applicant in this case had downloaded the standard letter and sent it to Dexia. After Dexia had refused to submit the overview and mediation through the Data Protection Authority (“College Bescherming Persoonsgegevens”) had failed, the applicant requested a court order for Dexia to supply the data. In short, he demanded to be provided with a complete overview of all processed personal data, including information about the purposes of the processing, the recipients of the data and the sources of the data. Further, the applicant demanded copies of: the lease contract; the risk profile; certificates of the shares referred to in the contract; certificates of dividend payments; the credit-worthiness survey (‘credit-score’); written reports about telephone calls and every other document that concerned him.

The court’s decision

The judgment in this case is, for a substantial part, dedicated to the question as to what extent the requested information falls within the definition of “personal data”. The court was of the opinion that the applicant had no right to obtain a copy of the contract. However, Dexia had to give information about the contract data, to the extent that they could be defined as personal data. The same was true for the requested copies of the dividend payments.

The court stressed that Dexia had to submit information about all personal data, irrespective of the existence of a legal obligation to process these data. There was for example, no obligation for Dexia to set up a risk profile. But if data are processed to construct such a profile, they have to be included in the overview provided to the data subject.

The certificates of the stock that Dexia bought and sold further to the contract did not fall within the definition of personal data, because this information does not relate to an identified or identifiable natural person. Only information about the shares that are specifically mentioned in the contract had to be included in the overview. The same was true for dividends that were paid out for these shares.

In addition the court found that the Data Protection Act does not apply to the tape recordings of telephone calls. The reason for this being that the relevant personal data are not processed by automatic means, nor form part of a filing system or are intended to form part of such filing system, i.e. a structured set of personal data. However, the Act does apply to telephone calls that are recorded digitally or in writing. So this information has to be included in the overview that the bank has to provide to the data subjects.

However, the court decided that Dexia could make use of one of the exemptions provided by the Act, namely that a controller is not obliged to provide an overview of the personal data if this implies a disproportionate administrative burden for him. Dexia demonstrated to the court that the processing of all standard letters had seriously upset it’s organisation and has already cost more than a hundred thousand euros. For this reason the court rejected the applicant’s request and decided that in this instance Dexia would not have to provide the overview of the personal data.

The decision (in Dutch) is published on under number LJN AS2127.