On February 5, 2018, the Dutch Central Board of Appeal (Centrale Raad van Beroep, CRB) ruled that travel data indeed qualify as personal data, but that under certain circumstances, a supervisory body – such as the Education Executive Agency (Dienst Uitvoering Onderwijs, DUO) – is allowed to obtain such personal data. gency permitted to obtain travel data of students.
The case concerns a student who was receiving an additional scholarship on the basis of living independently from his or her parents. Another requirement for this scholarship is that the student must be living within the same municipality as where it has registered itself. DUO regularly checks whether students meet these requirement in order to ensure that students are not receiving more scholarship than that they are entitled to. For this purpose, DUO occasionally checks the travel data of students to see whether they are often travelling within the area that they are registered in.
The CRB ruled that such travel data qualifies as personal data, and that it therefore enjoys protection under privacy regulation. It however also ruled that supervisory bodies are within their right to request access to such data taking into account the purpose for such requests (i.e. combatting fraud), and considering that the travel data reveals limited information about the students.
This standpoint of the CRB did however not make DUO’s case against the student at subject much stronger as travel data carries little evidentiary value. There may very well be alternative reasons for the student’s unusual travel behavior. In the absence of further supporting evidence, the CRB ruled that the student remains entitled to the scholarship that it has been receiving.
You can read the full judgement here (only available in Dutch).