Rb. Den Haag - 22/2601: Difference between revisions
(Created page with "{{COURTdecisionBOX |Jurisdiction=Netherlands |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Rb. Den Haag |Court_Original_Name=Rechtbank Den Haag |Court_English_Name=District Court Den Haag |Court_With_Country=Rb. Den Haag (Netherlands) |Case_Number_Name=22/2601 |ECLI=ECLI:NL:RBDHA:2023:14359 |Original_Source_Name_1=Rechtbank Den Haag |Original_Source_Link_1=https://uitspraken.rechtspraak.nl/#!/details?id=ECLI:NL:RBDHA:2023:14359&showbutton=true&keywor...") |
mNo edit summary |
||
Line 71: | Line 71: | ||
=== Facts === | === Facts === | ||
On 16 | On 16 July 2021, the controller (the Institute for Employee Insurance, part of the government), informed the data subject about a data breach. Five letters meant for the data subject were sent to the the wrong address. After a complaint made by the data subject to the controller, the controller offered €250 in compensation. The data subject did not agree with the amount offered and demanded €3000. In addition, she made an access request under [[Article 15 GDPR|Article 15]]. The controller rejected the claim of €3000. | ||
The data subject | The data subject made a separate claim for compensation under Article 1:3 Awb (General Administrative Law Act). The data subject argued that a compensation request can be pursued through an administrative procedure, citing four rulings by the Division for Administrative Jurisdiction of the Council of State. These rulings established that there is no requirement for an unlawful decision when applying certain legal provisions. It is enough to have a connection to a relevant decision, like a request for data access, which the plaintiff claimed to have made. | ||
The controller argued that the decision on compensation following a data breach is not a public law decision but stems from private law. The controller claimed that the compensation request and the request for access to information are unrelated and separately handled. The controller also contended that Article 8:88 Awb does not apply because the matter involved sending letters to the wrong address, which is a factual action, not a formal decision with legal implications, and it did not prepare for an unlawful decision. | The controller argued that the decision on compensation following a data breach is not a public law decision but stems from private law. The controller claimed that the compensation request and the request for access to information are unrelated and separately handled. The controller also contended that Article 8:88 Awb does not apply because the matter involved sending letters to the wrong address, which is a factual action, not a formal decision with legal implications, and it did not prepare for an unlawful decision. | ||
Line 88: | Line 88: | ||
== Comment == | == Comment == | ||
The data subject cited the following Dutch cases: | The data subject cited the following Dutch cases: | ||
ECLI:NL:RVS:2020:898; ECLI:NL:RVS:2020:899; ECLI:NL:RVS:2020:900 en ECLI:NL:RVS:2020:901. | ECLI:NL:RVS:2020:898; ECLI:NL:RVS:2020:899; ECLI:NL:RVS:2020:900 en ECLI:NL:RVS:2020:901. | ||
Revision as of 13:48, 16 October 2023
Rb. Den Haag - 22/2601 | |
---|---|
Court: | Rb. Den Haag (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 15 GDPR Article 82 GDPR Article 8:88 Algemene wet bestuursrecht |
Decided: | 21.09.2023 |
Published: | 03.10.2023 |
Parties: | Uitvoeringsinstituut werknemersverzekeringen |
National Case Number/Name: | 22/2601 |
European Case Law Identifier: | ECLI:NL:RBDHA:2023:14359 |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | Dutch |
Original Source: | Rechtbank Den Haag (in Dutch) |
Initial Contributor: | Enzo Marquet |
The Dutch Court of Den Haag determined that €500 compensation is fair and appropriate for sending letters to the wrong address. The Court considered pre-existing psychiatric issues of the data subject, but did not consider the fact that the letters were returned unopened.
English Summary
Facts
On 16 July 2021, the controller (the Institute for Employee Insurance, part of the government), informed the data subject about a data breach. Five letters meant for the data subject were sent to the the wrong address. After a complaint made by the data subject to the controller, the controller offered €250 in compensation. The data subject did not agree with the amount offered and demanded €3000. In addition, she made an access request under Article 15. The controller rejected the claim of €3000.
The data subject made a separate claim for compensation under Article 1:3 Awb (General Administrative Law Act). The data subject argued that a compensation request can be pursued through an administrative procedure, citing four rulings by the Division for Administrative Jurisdiction of the Council of State. These rulings established that there is no requirement for an unlawful decision when applying certain legal provisions. It is enough to have a connection to a relevant decision, like a request for data access, which the plaintiff claimed to have made.
The controller argued that the decision on compensation following a data breach is not a public law decision but stems from private law. The controller claimed that the compensation request and the request for access to information are unrelated and separately handled. The controller also contended that Article 8:88 Awb does not apply because the matter involved sending letters to the wrong address, which is a factual action, not a formal decision with legal implications, and it did not prepare for an unlawful decision.
Holding
The Court held that the controller correctly declared the data subject's appeal inadmissible due to changes in the law. The Court nullified the decision but maintained the legal consequences. The data subject's case was now treated as a request for compensation under Article 8:88 Awb in connection with Article 82
The Court stated that the data subject has fulfilled the requirement by contacting the controller in writing at least eight weeks before submitting the compensation request. The controller admitted to sending five letters to the wrong address, which breached the GDPR. The immaterial harm to the plaintiff was not disputed.
The Court concluded that the dispute revolves solely around the amount of compensation.
The Court determined that a compensation of €500 is fair and appropriate. The Court considered the psychological impact of the data breach on the data subject. The fact that the five letters were returned in sealed envelopes and that no evidence of third-party use of the information was presented did not diminish the data subject's experience of an exacerbation of her pre-existing severe psychiatric issues. Therefore, these considerations were not of decisive significance for the court.
Comment
The data subject cited the following Dutch cases:
ECLI:NL:RVS:2020:898; ECLI:NL:RVS:2020:899; ECLI:NL:RVS:2020:900 en ECLI:NL:RVS:2020:901.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.