THE BOTTOM LINE
- Scope is Key: A GDPR Right of Access request (DSAR) obligates you to provide an individual’s personal data, not to answer broad questions about your company’s policies, procedures, or the legal justification for your actions.
- Redirect, Don’t Ignore: When a DSAR includes other grievances or policy questions, you can handle the data access portion and correctly guide the individual to other channels (e.g., your DPO, a formal complaints procedure) for their other concerns.
- No Breach, No Damages: Correctly fulfilling a data access request, even if the individual remains dissatisfied with your underlying business actions, is a strong defense against claims for GDPR-related damages.
THE DETAILS
In a recent ruling, the District Court of Amsterdam provided a crucial clarification on the scope of the GDPR’s Article 15, the “Right of Access.” The case involved an individual who filed a data access request with the City of Amsterdam following an incident where the city, after accidentally disclosing the location of a sensitive meeting, informed the police as a precaution. The individual was subsequently stopped by the police. In her access request, she not only asked for her personal data but also demanded a legal explanation for the decision to involve the police and the handling of a separate complaint against a city official.
The court sided squarely with the city, ruling the appeal unfounded. It drew a sharp distinction between the right to receive a copy of one’s personal data and the right to question an organization’s underlying decisions or policies. The court affirmed that Article 15 is a tool for transparency and control over one’s data—allowing individuals to verify its accuracy and the lawfulness of its processing. It is not, however, a general-purpose mechanism to demand legal justifications, internal policy documents, or to force an organization to process unrelated complaints. The city had fulfilled its duty by providing the personal data it held.
This judgment reinforces a critical boundary for businesses. The court noted that while the individual’s questions were valid, the GDPR access request was the wrong tool. It pointed her toward other established legal avenues to get the answers she sought: a Freedom of Information request (Wet open overheid) for policy information and the municipal ombudsman for her specific complaint. Consequently, her claim for damages for stress and procedural delays was dismissed. The court found no unreasonable delay and, more importantly, concluded that since there was no breach of the GDPR’s access provisions, there was no legal basis for awarding damages under Article 82 of the GDPR.
SOURCE
Source: Rechtbank Amsterdam (District Court of Amsterdam)
