Nothing is what it seems: a partnership is not always a data processing controller

 May 4, 2022 | Blog

A recent ruling by the Arnhem-Leeuwarden Court of Appeal has made clear that one has to be careful when submitting a request for access to personal data processed by a partnership. As the Court of Appeal itself noted, the case concerned whether RIEC NN, as a data “controller” within the meaning of the GDPR, could be held responsible by applicants (also referred to as “data subjects”) for the obligations that such a controller has towards persons whose data are processed. In the view of the Court of Appeal, that was not the case.

Co-operation by means of a “covenant” (and partnership)

Parties that cooperate in data processing for a specific purpose often enter into a cooperation agreement with one another. This type of agreement is then referred to as a “covenant” [in Dutch, a convenant], especially when public‑domain bodies are concerned. In such a covenant, the parties make working arrangements regarding how the exchange of data between them is to be implemented in accordance with the legal bases of each of the parties individually. Some parties to a covenant engage in an intensive form of cooperation and then present their partnership externally as a separate organisation with its own name. This can mean that there is then an organisation with its own formal legal status, and therefore legal personality within the meaning of the law; however, that may also not be the case, as with RIEC NN.

According to the Court of Appeal, a partnership without legal personality was not a controller within the meaning of the GDPR  

The RIEC NN (Regional Information and Expertise Centre North Netherlands) is a partnership [samenwerkingsverband] between various government organisations (“covenant partners”) for the purpose of an integrated administrative approach to tackling organised crime, combating enforcement problems, and promoting integrity assessments. It forms part of a nationwide network organisation. The organisation of these RIECs is laid down in a covenant. The RIEC NN is a contractual partnership without legal personality in the sense of the relevant legislation. Their website gives an idea of the nature and activities of the RIEC.

In the proceedings before the Court of Appeal, the core issue was whether the RIEC NN is a controller within the meaning of Article 4(7) of the GDPR, i.e. a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” That was not the case.

After analysing this definition of the controller in the GDPR, the case law on the subject (including that of the European Court of Justice), and the specific arrangements between the covenant partners, such as the covenant and the privacy protocol, as well as the actual situation during cooperation, the Court of Appeal found insufficient grounds for concluding that RIEC NN exercises influence on the purpose and means of processing. Merely being involved in data processing is insufficient for such a conclusion. The (collective) controllers in this case are the covenant partners that process data from the applicants.

Misunderstandings quickly arise about the status of a covenant and a partnership

Misunderstandings sometimes arise about the role of a covenant and a partnership.

  • Take, for example, the issue of identifying a lawful basis for the exchange of data: if exchanging data between parties is unlawful when there is no covenant, then entering into a covenant or even having a partnership will not change that. After all, the covenant and the partnership itself do not provide any legal basis for the exchange of data, and in that sense are only a useful means of implementing cooperation.
  • A misunderstanding may also arise if the parties have assigned formal roles to each other in the covenant and their partnership: the parties may believe that they have correctly determined in the covenant who the (collective) controller(s) is/are and who the processor(s) is/are, but legal assessment of the actual situation by a court or supervisory authority may well produce a different outcome. This is because an agreement is not decisive for the outcome of such an assessment, because the assessment framework in the legislation (such as the GDPR) remains decisive for a judgment based on the facts.
  • Furthermore, a third party – for example a data subject whose personal data is being exchanged – may be given the wrong impression about the role of the partnership. That was clearly the case in the recent proceedings against RIEC NN before the Arnhem-Leeuwarden Court of Appeal. That resulted in proceedings being instituted against the wrong party, namely the RIEC NN instead of the underlying covenant partners. That was inefficient for everyone involved.

Take care: a thorough legal and factual analysis of the partnership is worthwhile

For proper implementation of the cooperation arrangements in a covenant, a prior legal and factual analysis based on the GDPR is essential. The outcome of that careful analysis can then be laid down in the covenant. Do not rely on your first impression of the role of an organisation, because the recent proceedings against RIEC NN show that that impression may turn out to be wrong.

Ensure transparent information and communication about the controller

It is then up to the covenant partners to always communicate clearly and transparently about the role of the partnership and the content of the covenant. This will reduce the risk of misunderstanding the legal status of a partnership, and will then – hopefully – ensure that parties can address the correct data processing controller. This will also fulfil the GDPR obligations of transparent information and communication to data subjects regarding the identity and contact details of the controller, for example Articles 12, 13, and 14 GDPR. It follows from the recent proceedings against RIEC NN that this is in everyone’s interest.

For those interested in data processing by the RIEC: a much-discussed parliamentary bill is pending (the Data Processing by Partnerships Act [Wet gegevensverwerking door samenwerkingsverbanden]) which aims to provide a legal basis for the processing of personal data by, among others, this partnership. Given the wide-ranging powers that the proposed legislation assigns to government organisations and private parties to share personal data with one another with potentially far-reaching consequences, such as the risk of mass surveillance, the Dutch Data Protection Authority (Dutch DPA) has advised the Senate not to adopt the bill. This is definitely a legislative development that you should keep track of.
