Commission communication with the Dutch data protection authority

8.8.2022

Question for written answer  E-002791/2022
to the Commission
Rule 138
Sophia in 't Veld (Renew)

On 3 July 2022, it was reported that the Commission had sent a letter to the Autoriteit Persoonsgegevens (the Dutch data protection authority) in March 2020, expressing its concern over the Dutch DPA’s ‘strict interpretation’ of the General Data Protection Regulation (GDPR), which ‘severely limits businesses’ possibilities of processing personal data for commercial interests’. The Commission invited the Dutch DPA to ‘readjust the language of the standard explanation note to clearly reflect that commercial interests can be regarded as ‘legitimate’ interests when (subject to a concrete balancing) they are not overridden by the fundamental rights and freedoms of the data subject.’[1]

Against this background:

• 1.Can the Commission explain the grounds for its intervention in this case?
• 2.Has the Commission also intervened in other cases of alleged misinterpretation of the GDPR by DPAs, for example when the GDPR was used against journalists? If so, can it provide a list? If not, why not?
• 3.What are the objective criteria for such a Commission intervention, and can the Commission provide a list of other cases where it intervened concerning data protection?

• [1] ^{https://www.nrc.nl/nieuws/2022/07/03/beschermt-de-ap-privacy-of-verstoort-het-de-vrije-markt-a4135384?t=1658149418}