The Bottom Line
- GDPR Has Clear Limits: A company’s obligation to provide personal data under the GDPR’s right of access does not extend to creating new information, such as complex financial calculations or future projections, upon request.
- Procedure is Paramount: Individuals must first make a formal data access request directly to the organization before they can take the matter to court. Bypassing this step will render a legal claim inadmissible.
- Misuse Carries Costs: Attempting to use GDPR requests for purposes beyond their scope can backfire. In this case, the individual who brought the improper claim was ordered to pay the company’s full legal costs of €2,120.
The Details
The case involved a pensioner who wanted his pension fund, Stichting Pensioenfonds ABP, to provide detailed calculations underlying his current pension and a projection for his future pension under the new Dutch Pensions Act. Instead of requesting this information through normal channels, he filed a legal claim invoking his right of access under the GDPR, arguing that these complex calculations constituted his “personal data.” The goal was to legally compel the pension fund to generate and verify this analytical information.
The District Court of Noord-Holland dismissed the claim on two key grounds. First, it was procedurally flawed. Under the Dutch GDPR Implementation Act (UAVG), an individual must first submit a formal access request to the data controller (in this case, the pension fund) and receive a decision. Only after this step can they turn to the courts if they are unsatisfied. The petitioner had skipped this crucial initial engagement, making his court request premature and therefore inadmissible. This reinforces a critical procedural safeguard that allows companies to manage and respond to data requests before litigation becomes necessary.
More importantly for businesses, the court clarified the substance of the GDPR’s right of access. It ruled that even if the correct procedure had been followed, the request would have been denied. The court drew a sharp distinction between personal data—information about an identifiable person, such as their name, date of birth, or years of service—and a calculation, which it defined as a process or methodology. While a calculation might use personal data, the calculation itself is not personal data. The court noted that the petitioner already possessed all the relevant personal data used by the fund and was, in reality, trying to force the creation of new analytical information. This was deemed a misuse of the GDPR, which is intended to provide transparency about data already being processed, not to serve as a tool for compelling business analytics on demand.
Source
Rechtbank Noord-Holland
