Over the past two years, more than 300 judgments on the GDPR have been published on rechtspraak.nl. A number of rulings are interesting, others are predictable and in a number of cases the judge does not seem to apply the GDPR correctly. For anyone who may have missed a number of judgments, this chronicle lists the most important judgments.
This chronicle provides an overview of the published case law on the General Data Protection Regulation (GDPR). Judges give substance to the open standards frequently used in the GDPR. This can provide guidance for the legal and advisory practice. It is also interesting to find out whether jurisprudence now interprets concepts differently from what was the case under the Dutch Personal Data Protection Act, de ‘Wet bescherming persoonsgegevens’(Wbp). In addition, the GDPR is introducing a number of new concepts and obligations on which, of course, case law has not yet appeared.
The chronicle deals only with rulings of the Dutch courts and the Court of Justice of the EU (ECJ EU). Foreign case law and the case law of the European Court of Human Rights may be equally interesting for the colouring of the GDPR in Dutch legal practice, but has not been taken into account just because of its size and accessibility. Judgements on art. 8 of the European Convention on Human Rights (ECHR), art. 10 of the Constitution and, for instance, the Police Data Act are also not discussed. However, indirect reference is made to some decisions of the Personal Data Authority, de ‘Autoriteit Persoonsgegevens’ (AP).
The chronicle period runs from 26 May 2018 to 26 May 2020. For this period, www.rechtspraak.nl has been searched for judgments in which ‘personal data’ and ‘GDPR’ appear as keywords, supplemented by the relevant case law of the ECJ EU from this period. The authors are aware that only a limited part of all jurisprudence is published.
The layout of this chronicle is based as much as possible on the order in which the various subjects are discussed in the GDPR. This has led to the following classification: definitions, lawfulness, rights of data subjects, exceptions, liability and damages and, finally, procedural law and enforcement. For this reason, for example, the judgment on the System of Risk Indication (SyRI) of the District Court of The Hague is not discussed in this chronicle, see ECLI:NL:RBDHA:2020:865.
the entire GDPR-chronicle can be found here in pdf format.