THE BOTTOM LINE
- GDPR Has Limits: A Dutch court has ruled that an individual’s right of access under the GDPR does not extend to internal calculations or the logic behind them, only to the underlying personal data used as inputs.
- Protection for Processes: This decision allows companies, particularly in finance and insurance, to push back on data access requests that demand explanations or validations of their internal models, algorithms, and business logic.
- Clarity on “Access”: The ruling clarifies that providing access to personal data (e.g., salary history, years of service) through regular channels like a standardized overview can fulfill a company’s GDPR obligations, even if that overview itself is not legally binding.
THE DETAILS
In a significant ruling for data controllers, a Dutch court has drawn a clear line on the scope of the GDPR‘s right of access. The case involved a participant in the Dutch Notary Pension Fund who, concerned about the upcoming transition to a new national pension system, sought full transparency into his pension accrual. He filed a request under Article 15 of the GDPR demanding not only the personal data used to determine his pension (such as salary and employment history) but also the complete calculations, a detailed explanation of the methodology, and a formal confirmation of the data’s accuracy. The pension fund refused, arguing this went beyond the scope of the GDPR.
The District Court of Zeeland-West-Brabant sided with the pension fund, delivering a crucial interpretation of what constitutes “personal data.” The court reasoned that while inputs like salary figures and employment dates are clearly personal data, the complex calculations and formulas used to process that data are not. These calculations are considered internal processes, not information about an identifiable individual in the sense intended by the GDPR. The court further clarified that requests for an “explanation” or a “confirmation of correctness” fall outside the right of access, which is limited to providing a copy of the personal data being processed.
This judgment provides important guidance for businesses and their legal counsel. It reinforces that the GDPR is a regulation focused on data transparency, not a tool for individuals to audit a company’s internal business operations or algorithms. While organizations must provide individuals with a copy of their personal data, they are not obligated to deconstruct their proprietary models or validate their internal logic in response to a data access request. For individuals seeking certainty about such matters, the court indicated that the proper legal avenues lie within sector-specific regulations or contract law, not data protection law.
SOURCE
Source: Rechtbank Zeeland-West-Brabant
