THE BOTTOM LINE
- Broad Search Obligation: Your duty to respond to a GDPR data access request doesn’t end with current employees. A Dutch court confirmed that organizations must search the data carriers (like emails and hard drives) of relevant former employees if that data is still available.
- Document Your Process: The police ultimately prevailed on the substance of the case by demonstrating a thorough and reasonable search methodology. Businesses must be able to prove they used comprehensive search terms and looked in all plausible locations to defend against claims of an incomplete search.
- Procedural Failures Are Costly: A flawed process can be expensive, even if the final decision is correct. Here, an initial failure to search properly resulted in the police’s decision being annulled and an order to pay the claimant over €5,600 in court fees and legal costs.
THE DETAILS
This case involved a former police officer who submitted comprehensive data access requests under both the GDPR and the specific Dutch Police Data Act (Wpg). The claimant believed the police held sensitive data about him, including a “radicalization report.” While the police provided some information, they initially failed to search the digital records of a key manager who had since left the organization. In an interim ruling, the court flagged this as a significant flaw in the police’s handling of the GDPR request, ordering them to go back and conduct a proper search of the ex-employee’s data.
Following the court’s order, the police conducted a new, more extensive search of the former manager’s H-drive and email account using a wide array of search terms, including the claimant’s name, personnel number, and even specific phrases from allegedly withheld documents. The court found this follow-up search to be sufficiently thorough, establishing a key principle: the obligation to search is extensive but not limitless. It dismissed the claimant’s arguments that the search should have been even broader, for instance, by looking for a physical postbox for an employee who had left two years prior, deeming such measures unreasonable. This clarifies that while organizations must look beyond active systems, they can defend their process if it is comprehensive and logical.
In its final judgment, the court delivered a nuanced but clear message for businesses. The claimant’s appeal regarding the GDPR request was declared well-founded due to the initial procedural failure—the incomplete search. The court formally annulled the police’s decision. However, because the police had since corrected the error by performing the required search, the court left the legal consequences of the decision intact, meaning no further data had to be disclosed. The crucial takeaway is the financial penalty: for their initial oversight, the police were ordered to cover the claimant’s significant legal costs. This serves as a powerful reminder that in the world of data privacy, a procedurally flawed victory is a costly one.
SOURCE
Rechtbank Zeeland-West-Brabant
