In a decision handed down on December 1, 2021, the Brussels Market Court (Court of Appeal) had an opportunity to consider the GDPR right of access.  The Belgian Ministry of Finance appealed the Belgian Supervisory Authority’s recent decision requiring the Ministry to grant a complainant access to her financial file and make corrections to the file which described the complainant as a “straw man”.

The Market Court’s reasoning was interesting on two fronts:

  • First, the Court held the Supervisory Authority must consider, and conduct some level of investigation into, whether a complainant’s request constitutes an abuse. In this case, the Court found that the complainant used the GDPR right of access to obtain information about possible fiscal investigations being conducted against her (the Court used the term “fishing expedition”) and thereby abused the GDPR right of access.  The Supervisory Authority violated its duty of due care by not considering the complainant’s intention behind the exercise of her right of access.  This decision could be relevant in other contexts, such as HR processing, where the right of access is also often (ab)used for purposes other than preventing or rectifying GDPR violations.
  • With respect to the one-month deadline to respond to an access request (Art. 12(5) GDPR), the Court indicated that “there is no immediate textual argument that allows to state that not complying scrupulously with the deadline unambiguously constitutes a violation.”  Still, the Court indicated that the one-month deadline is an end time within which a response should be provided, unless there is a reasonable justification for exceeding it.  As the Ministry granted access to the file under the freedom of information regulations within one month, the Court decided that there was no violation of the GDPR, despite the Supervisory Authority’s argument that these regulations represent two distinct legal regimes with separate standards that should be considered independently.
Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.