THE BOTTOM LINE
- Past conclusions are not present-day “facts”: Companies are not required to “correct” professional opinions or conclusions in historical investigation reports, even if new information later comes to light. The accuracy of data under the GDPR is assessed based on the purpose and context at the time it was recorded.
- GDPR access rights are not a discovery tool: Individuals cannot use the GDPR’s right of access (Article 15) to force a company to answer extensive lists of questions to justify its data processing methods. These rights are for accessing your data, not for conducting a legal cross-examination.
- Distinction between fact and opinion is key: The right to rectification (Article 16) primarily applies to objectively incorrect factual data (e.g., a wrong address). It is not a tool to compel a company to change its professional judgments or assessments that an individual disagrees with.
THE DETAILS
A Dutch Court of Appeal has delivered a significant ruling for any company that conducts internal or external investigations, reinforcing that the GDPR cannot be used to retroactively rewrite history. The case involved a former civil servant who, years after being the subject of a fraud investigation by KPMG, filed a request under the GDPR to have the firm’s 2015 report altered. He demanded that KPMG rectify five key conclusions about his conduct and answer a list of 46 detailed questions proving the lawfulness of their entire investigation process. The court rejected his claims, providing crucial clarity on the boundaries of data subject rights.
The court’s decision hinged on the purpose of the data processing. It ruled that the “correctness” of personal data under the right to rectification (Article 16) must be evaluated in the context of why it was collected. The purpose of the KPMG report was to document the investigators’ professional findings and conclusions based on the evidence available in 2015. The individual’s attempt to use information that emerged years later to argue the original conclusions were “factually incorrect” was dismissed. The court made a sharp distinction between objective facts and professional assessments; while an incorrect date of birth must be rectified, an investigator’s conclusion, properly formed at the time, is not an “inaccuracy” that can be changed on demand years later.
Furthermore, the court firmly shut the door on using GDPR rights as a tool for legal discovery. The individual’s long list of questions was not a simple request for his personal data but a strategic attempt to compel KPMG to defend the legality of its actions. The court clarified that the right of access (Article 15) does not extend this far. The GDPR’s accountability principle—the duty to demonstrate compliance—is owed to the Data Protection Authority, not to individuals launching broad inquiries through data subject requests. This decision provides welcome assurance to businesses that while they must honor legitimate access requests, they are not obligated to engage in wide-ranging legal justifications disguised as GDPR queries.
SOURCE
Source: Arnhem-Leeuwarden Court of Appeal
