Every professional online shop has a proper privacy statement. This reports, among other things, which company is behind the online shop, what is done with personal data and whom the customer can contact with questions about his privacy. It is also often stated that the customer has all sorts of rights, such as the right of inspection. This sounds wonderful, of course, but what must you do in practical terms if a customer actually invokes his right of inspection? Many online shops will not (yet) have any experience with this. It is expected, however, that more and more consumers will discover this right of inspection (in the event of guarantee claims, for instance). In this article I have therefore set out the main points of the right of inspection.
Why a privacy statement?
Before I go into the right of inspection in further detail, I will first briefly outline the reasons behind the privacy statement. Why does an online shop’s website have to contain this kind of document?
All kinds of personal data are collected and further processed via an online shop. Some online shops only process the customer’s name and address details in order to be able to ship the order. Others go much further than this and maintain a (sizeable) customer profile containing all sorts of interests, click data, review data, creditworthiness, etc.
The collection and further processing of personal data must take place in compliance with the requirements from the Personal Data Protection Act (Wbp). This law gives all sorts of rules (some of which are quite far-reaching) for handling personal data. It goes beyond the scope of this article to go into these statutory requirements in much detail; for an idea of the requirements, see our free privacy check. What I would like to address in more detail is the transparency requirement.
What must a privacy statement contain?
One of the key principles of the Wbp is transparency. Section 33 of the Wbp states that the following information must be given to the data subject in advance (the italics denote my paraphrasing):
- the identity of (the company behind) the online shop (who is going to use these data?);
- the purposes of the processing (what will these data be used for?);
- further information, insofar as necessary in order to guarantee proper and careful processing (to what further information is the data subject reasonably entitled?).
This is where the privacy statement enters the picture. On most websites this information is provided in the privacy statement. As such, the privacy statement is the practical implementation of the statutory requirement to provide the information mentioned above. It has developed this way in practice and is therefore very recognisable to visitors to the website.
According to the letter of the law, it is not mandatory that the privacy statement must state that every visitor to the website has the right to inspect his personal data. Nonetheless, many online shops do include this information in their privacy statement. This seems wise to me. The Privacy Directive – on which the Dutch law is based – contains the following examples of further information (see point 3 above) which could also be provided:
- the particular data categories;
- the recipients or categories of recipients;
- the existence of a right to access his own personal data and a right to correct these data.
You can (cautiously) conclude from this that a privacy statement must therefore also (virtually) always contain information on:
- the type of data being processed;
- the parties to which the data are provided; and
- information on the right of inspection and right of correction.
What does the right of inspection entail?
On grounds of section 35 of the Wbp, everyone has the right ‘to contact the controller with the request to inform him whether personal data concerning him [the subject] are being processed’. Everyone therefore has the right to know what data relating to him/her are being processed. This information must be provided by the ‘controller’. This is the party that decides what happens with the personal data, so for an online shop this will usually be the underlying company.
There can be all sorts of reasons to submit a request to inspect data. This could range from simply wanting to check whether the correct address is being used (for example after moving house) to wanting to build a dossier for legal reasons (for instance, on what date a guarantee claim was registered or what credit rating has been assigned to the particular customer). The data subject may also want to figure out to what parties his personal data have been passed on (for instance in the context of spam or fraud). The data subject does not need to give a reason for his request, according to the Supreme Court.
How should you respond to a request to inspect data?
A request to inspect data must, according to the law, in principle be answered with a ‘full overview’ of the personal data processed, stating ‘a description of the object or purposes of the processing, the categories of data to which the processing relates and the recipients or categories of recipients, as well as the information available on the origin of the data’ (section 35 of the Wbp).
If you dissect this legislative section, you see that the data subject has the right to the following information:
- the personal data processed;
- the purposes of the processing operations;
- the categories of data to which the processing relates (‘which data are used for what purposes?’, which will mainly be relevant if the data are processed for different purposes);
- the recipients or categories of recipients of the data (please note: in an online environment don’t overlook all the external tools/APIs that also collect data!);
- information about the origin of the data.
How full is full?
The data subject has the right to a ‘full overview’. This means in principle all the personal data that are collected. The fact that the data are, in practice, stored in different systems or managed by different departments is entirely irrelevant in this respect. This has even been explicitly decided in a court case (albeit in administrative law).
That raises the bar for the owner of an online shop. After all, the data will not only have to be called up in the shop’s own systems, but in principle also in systems of external parties that are used by the online shop owner (for statistical purposes, for instance).
This could potentially mean a great volume of data. After all, besides the ‘traditional’ name and address details, an online shop also deals with statistical data, tracking data and other data on customers’ click behaviour, possible reviews from/by customers, data on the customer’s payment method (and perhaps his/her creditworthiness), guarantee/RMA requests, returns, etc.
The law does contain a few exceptions in section 43 of the Wbp. For instance, an inspection request does not need to be complied with if this would be at odds with ‘protecting the data subject or the rights and freedoms of others’. This means, for example, that an inspection request must not result in privacy-sensitive information relating to someone else becoming public. It has also been regularly found that data contained in notes intended purely for internal discussion fall under this exception. After all, the right of inspection is not intended to make all internal consultation impossible.
It must not be concluded too hastily that an exception applies, however; the right of inspection is in essence a significantly far-reaching right.
Copies of documents as well?
Another question which often arises in practice is whether the customer has a right to inspect the documents in which his personal data are contained. In other words: can a customer demand that he be given a copy of all e-mails, log files, CRM data, etc. in which data on him are contained? Or is he only entitled to an overview of his personal data that are processed in all these systems? Dutch courts have long had very divergent views on this.
The highest European court recently gave a decision on this: it suffices, in principle, to provide an overview of the personal data processed; copies of documents do not need to be given.
But… according to the European court, the overview must enable the recipient to check whether the data (a) are accurate and (b) have been processed in accordance with the directive. It is doubtful whether that is possible if the data subject is not also shown in what context the data are processed (*). And almost the only way to do this is by also giving a copy of the documents in which the personal data are contained. It is therefore a matter of waiting to see how this doctrine continues to develop.
(*) A brief example of why this is so difficult: the privacy directive requires that data that are processed must be ‘sufficient, relevant and not excessive’. This is difficult to test without looking at how the data are used in practice, or in other words: by looking at the documents in which these data appear. This would mean, therefore, that the data subject does have a right to a copy of the documents in which his personal data are processed.
The question is therefore one with many nuances. In this sense you are faced with two choices:
1. either you only provide an overview of the personal data which you process in relation to the data subject, with the exception of the personal data that fall under the exception of section 43 Wbp (see above);
2. or you provide the overview mentioned in 1, including a copy of all documents in which these data are contained, with the exception of (passages from) documents which fall under the exception of section 43 Wbp (see above).
My expectation is that many online shop owners will take option 1 and only provide an overview. The question then is whether the data subject will be satisfied with this.
What if you do not comply (fully)?
If you do not respond to an inspection request or do not respond adequately or on time (i.e. within four weeks), the data subject can take the matter to court. This could take place either via preliminary relief proceedings or application proceedings.
The application must be filed by the data subject within six weeks after your response to the inspection request (or within 10 weeks after the inspection request, if you send no response whatsoever). There have already been a few decisions in which it was found that failure to file the application within this period results in inadmissibility. For preliminary relief proceedings, the data subject will have to demonstrate that there is an urgent interest and that the outcome of the application procedure cannot be awaited.
If the judge finds in the data subject’s favour, you will most likely be ordered to provide the data subject with certain data. The court may attach a penalty payment to this order (a financial penalty that is incurred per day/week/month from a certain point in time until the order has been complied with). The parties can appeal the district court’s decision. An appeal in cassation could be filed after that; a famous case which made it that far is the Supreme Court’s Santander decision.
It is also conceivable that the Data Protection Authority may intervene. That is not very likely in individual cases, given its enforcement policy, but if you systematically fail to obey the law, this could prompt the CBP to intervene. The CBP could then impose an order subject to a penalty payment that you improve your policy in relation to inspection requests. This seems somewhat theoretical for the time being, however.
The right of inspection is being discovered by an increasing number of people and is therefore something that online shops should be taking seriously into account. If an inspection request is received, it must be responded to adequately and relatively quickly (within four weeks). This demands quite a bit from your organisation. Can you manage to unearth all the data and have it clearly presented for the data subject within that time period? It could also be wise to consider in advance what is needed at your organisation in order to be able to comply adequately with an inspection request, and to draw up a strategy for this. This could prevent you from ending up in difficult discussions with the customer or even being taken to court.
By Mark Jansen