Saturday, March 14, 2026

When Confidentiality Trumps Transparency: Dutch Law Limits GDPR Access Rights in Business Integrity Checks

The Bottom Line

  • GDPR Access Isn’t Absolute: Companies and executives undergoing integrity assessments for permits or public contracts cannot always rely on the GDPR to access all underlying intelligence and advisory reports, even if they contain their personal data.
  • National Secrecy Laws Can Prevail: A Dutch court confirmed that specific national laws imposing strict confidentiality, such as the Public Administration Probity Screening Act (Bibob), can legally restrict the GDPR’s right of access to protect the integrity of investigations.
  • Balancing Act Favors Investigation Integrity: Authorities can lawfully prioritize the confidentiality of their sources and methods over an individual’s right to see their data, particularly in contexts involving the assessment of criminal risk or financial misconduct.

The Details

The case arose after a business owner, whose company was applying for a liquor and catering license, became the subject of an integrity screening under the Dutch Bibob Act. This law is designed to prevent public authorities from unintentionally facilitating criminal activities by granting permits or contracts. As part of this process, the Mayor of Zwolle obtained an advisory report from a Regional Information and Expertise Center (RIEC), a body that facilitates information sharing between various government agencies to combat organized crime. When the business owner later filed a GDPR request to see the personal data contained within this RIEC report, the Mayor refused, citing a strict duty of confidentiality imposed by the Bibob Act.

The core of the dispute was a direct conflict between two powerful legal frameworks: the individual’s right of access under Article 15 of the GDPR and the Mayor’s confidentiality obligations under national law. The GDPR is not without limits. Article 23 allows EU member states to introduce legislation that restricts data access rights, but only if the restriction is a necessary and proportionate measure to safeguard important objectives, including the “rights and freedoms of others.” The Mayor argued that the Bibob Act’s confidentiality rules were exactly such a measure, essential for protecting the integrity of the screening process and the agencies involved.

The District Court of Overijssel sided with the Mayor, providing a clear precedent for businesses operating in the Netherlands. The court confirmed that the RIEC advisory report was an integral part of the Bibob investigation and therefore fell under its strict secrecy provisions. It ruled that maintaining the confidentiality of this type of intelligence is crucial for protecting the “rights and freedoms of others,” which in this context includes the public authority itself and the intelligence agencies it consults. The court concluded that the Mayor had correctly balanced the competing interests, finding that the need to ensure the effectiveness and integrity of the Bibob screening process outweighed the individual’s right to access the specific data in the report.

Source

Rechtbank Overijssel

Merel