Hoge Raad (Dutch Supreme Court), February 8, 2013
2013/11 Notes intended solely for internal use excluded from scope of Data Protection Act (NL)
Summary
An employee who was involved in a dispute with her employer applied for an order of the court for access to all documents containing her personal data including correspondence exchanged between the legal department of her employer and line managers on the subject of the dispute. The courts declined to make the order.
Facts
The plaintiff was employed by a bank, originally ABN AMRO, later Royal Bank of Scotland. There was an employment dispute between the parties. In the course of the dispute the plaintiff asked the bank to give her access to all documents it had that included personal data relating to her. This request was based on Article 35(1) of the Dutch Data Protection Act, which is the Dutch transposition of Article 12(a) of Directive 95/46/EC:
“Member States shall guarantee every data subject the right to obtain from the controller: (a) without constraint at reasonable intervals and without excessive delay or expense:
- confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data concerned,
- communication to him in an intelligible form of the data undergoing processing and of any available information as to their source […..].”
Dutch law has specified “without excessive delay” as meaning that the controller (in this case, the bank) must respond to a request for data within four weeks.
Judgment
The bank failed to respond within four weeks, whereupon the plaintiff brought legal proceedings. She asked the court to order the bank to inform her in writing, within four weeks of the court order, whether personal data relating to her had been or were being processed, such written information to include a full list of all such data. The bank complied with this request with the exception of a number of internal notes containing the personal views of certain of its employees. The bank based this exception on (i) the fact that such notes are excluded from the scope of the Data Protection Act and (ii) case law pursuant to Article 43(b) of the said Act, which is the transposition of Article 13(1)(g) of the Directive:
“Member States may adopt legislative measures to restrict the scope of the obligations […..] when such a restriction constitutes a necessary measure to safeguard […..] the protection of the data subject or of the rights and freedoms of others”.
The court of first instance and the Court of Appeal turned down the plaintiff’s application. The Court of Appeal held that the provisions of Dutch law at issue must be construed in line with the Directive and that internal notes intended for internal consultation are excluded from the scope of the Data Protection Act, regardless of whether they are in electronic or in paper form.
The plaintiff appealed to the Supreme Court, which declined to overturn the Court of Appeal’s judgment.
Commentary
Article 3(1) of Directive 95/46 determines the directive’s scope as follows: “This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system”. In other words, personal data are covered by the Directive either (i) if they are processed by a computer or (ii) if they form part of a “filing system”. A filing system is defined as “any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”.
Unfortunately the plaintiff does not seem to have litigated very well, as a result of which the Supreme Court had no need to go into the issue of whether the internal notes at issue constituted “a necessary measure to safeguard the rights and freedoms of others” as provided in Article 13(1)(g) of the Directive. This is because the Court of Appeal considered those notes to be excluded from the Data Protection Act.
The plaintiff wanted to see (i) all correspondence between the bank’s legal department and line management, (ii) all correspondence between the bank and its external legal counsel and (iii) an email from the Chair of the works council to the Chair of the bank’s Board of Directors containing her personal data. Clearly, a court order against an employer to disclose to its employees internal memoranda relating to on-going litigation could be disastrous for the employer, even if one were to accept the doctrine of legal privilege (which is not as institutionalised in most continental countries as it is in Anglo-Saxon jurisdictions).
The Court of Appeal in this case distinguished between, on the one hand, internal notes containing other employees’ personal views and destined to be used exclusively for internal discussions and, on the other, the final report resulting from those discussions. The latter falls within the scope of the Data Protection Act, the former do not.
Comments from other jurisdictions
Germany (Klaus Thönißen): The outcome of this case might have been the same in a German court. That court would need to apply section 34(1) of the Federal Data Protection Act, which applies to employees and is in the following terms:
“At the request of the data subject, the controller shall provide information
1. on stored data about the data subject, including where they refer to the origin of these data;
2. on the recipient or type of recipients to whom the data are provided; and
3. on the reason for storage.”
The understanding in German law is that “stored data” under this rule necessarily requires a “filing system” within the meaning of Article 3(1) of Directive 95/46. It seems that the internal letters referred to would not have formed part of a “filing system” and thus the employer would not have to provide them. Further, the employer might have a right to refuse to provide information under section 33(1)(3) of the Federal Data Protection Act. This section restricts employees’ rights to information for reasons of confidentiality or third party protection (in this case: co-workers and supervisors). On the available facts, it is not clear whether this exception applies, but if the documents in question did not form part of a “filing system”, the issue would not have arisen.
That said, on the facts presented, it is not known whether the relevant internal letters formed part of the employee’s personnel file. If they did, the employee may well have the right to the information since a personnel file is considered to be a “filing system” under German law. When it comes to a personnel file, the court would also need to consider section 83(1) of the Works Council Constitution Act. This provision gives employees very comprehensive rights to examine their personnel files and review every document contained in it. This is an individual employee right that does not require the existence of a works council. The only requirement is that the Works Council Constitution Act must apply – and this will be the case if the employer has at least five employees. Therefore, in the case at hand, the employee would have the right to review the internal letters if they formed part of her personnel file.
Subject: Privacy
Parties: Employee - v - Royal Bank of Scotland N.V. and ABN AMRO Bank N.V.
Court: Hoge Raad der Nederlanden (Supreme Court of The Netherlands)
Date: 8 February 2013
Case number: 11/04410
Hard copy publication: -
Internet publication: www.rechtspraak.nl > uitspraken en registers > LJN > BY 4196