THE BOTTOM LINE
- Client Lists Can Be Protected: A Dutch appellate court has ruled that companies, particularly B2B information providers, can refuse to disclose specific client names in response to a GDPR access request, successfully arguing that the list constitutes a protected business secret.
- GDPR Rights Are Not Absolute: This decision reinforces that an individual’s right of access under Article 15 of the GDPR is not unlimited. It must be balanced against other fundamental rights and freedoms, including a company’s right to protect its commercial interests and confidentiality.
- Context is Crucial: The ruling was heavily influenced by the specific facts: the personal data was minimal (name and date of birth), publicly sourced from the Trade Register, and the data subject had already been provided with the content of the data shared and the categories of recipients.
THE DETAILS
The case involved a director who filed a GDPR access request with a corporate credit information specialist. He demanded to know the specific identity of every client that had received a credit report on his companies, which included his name and date of birth as personal data. The information provider refused to supply a list of named clients, citing its client list as a confidential business secret vital to its competitive position. It instead provided the director with the categories of recipients, such as banks, insurers, and wholesale traders. While a lower court initially sided with the director, the Arnhem-Leeuwarden Court of Appeal has now overturned that decision, siding with the business.
The Court of Appeal engaged in a critical balancing act, weighing the director’s right to information under GDPR Article 15 against the company’s right to protect its “rights and freedoms”—a recognized exception under Article 23 GDPR and Dutch implementing law. The court emphasized that data protection rights are not absolute. It found that the personal data in question was limited to information already available in the public Chamber of Commerce register, a source that does not reveal who accesses its information. This significantly weakened the director’s claim for needing the specific recipient list to verify the lawfulness of the processing.
Ultimately, the court concluded that the company’s commercial interest in keeping its client list confidential was a sufficiently weighty and legitimate reason to restrict the director’s access right. The court deemed the client list a valuable business asset, and its disclosure could expose the company to targeted competition and breach confidentiality undertakings with its customers. Since the director had already received copies of the reports and information on the categories of recipients, he was not left entirely in the dark. Therefore, the refusal to provide the specific client list was ruled a necessary and proportionate measure to protect the company’s business secrets.
SOURCE
Gerechtshof Arnhem-Leeuwarden
