Rb. Zeeland-West-Brabant - C/02/387229

From GDPRhub
Revision as of 08:10, 6 October 2022 by Kv (talk | contribs)
Court: Rb. Zeeland-West-Brabant (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 32 GDPR
artikel 6:106(b) BW (Dutch Civil Code)
Decided: 21.09.2022
Published: 21.09.2022
Parties: Stichting Bravis Ziekenhuis (hospital)
National Case Number/Name: C/02/387229
European Case Law Identifier: ECLI:NL:RBZWB:2022:5457
Appeal from:
Appeal to: Unknown
Original Language(s): Dutch
Original Source: rechtspraak.nl (in Dutch)
Initial Contributor: Jette

The Dutch Civil Court of Zeeland-West-Brabant held that a hospital was liable for the non-material damages of a patient, because one of its employees repeatedly and unlawfully accessed her medical file and subsequently published the contents in a book. The hospital was ordered to pay her €2,000.

English Summary

Facts

The data subject went through a turbulent divorce with her ex-partner. Afterwards, her ex wrote a book about it. Some parts of the book contained information on the data subject’s medical status. Coincidentally, the publisher of the book used to work at the hospital (the controller) where the data subject was a patient. On top of that, the publisher was the ex’s new partner.

After the book was published, the data subject asked the controller for access to the logging data of her patient record. The logging data revealed that her ex’s new partner had frequently accessed her patient file over four years. The data subject therefore filed a complaint with the controller, to which the controller replied in a letter. The controller stated that the ex's new partner's employment had been terminated. However, it could not establish that she was the reason that the data subject's medical information was published in the book. The data subject was not satisfied with the content of the response and took the case to court.

The data subject claimed that the controller was liable for the (non-material) damages that she suffered because (1) the controller took insufficient measures to protect her medical data and (2) insufficiently investigated the data breach. In addition, the data subject argued that the controller was liable for damages caused by its employee (the ex’s new partner/publisher) who accessed her medical records and subsequently published those in the book.

Holding

The Court held that the controller's monitoring policy did not meet the necessary standard, as it was non-existent. As a result, the logging data of employees with unrestricted access (as in the present case) was not monitored at all, and only two patient files were randomly checked every month. The Court found that this fell short, given the amount of personal data processed by the controller. It therefore held that the controller violated Article 32 GDPR, as no appropriate measures were taken to protect the data subject's medical data.

The Court held that the controller sufficiently investigated the breach; however, it noted that the matter could have been handled better (for example by personally contacting the data subject).

The Court noted that to allow the claim for non-material damages, the data subject's honour or reputation must have been harmed, or she had to have suffered in some other way pursuant to article 6:106(b) BW. The Court stated that it could not establish whether her honour or reputation were harmed. Hence, it investigated whether she suffered 'in some other way'. The Court assessed whether the nature and gravity of the violation would imply such obvious adverse consequences for the data subject, that notable harm to her could be assumed.

The Court considered that the data subject’s fundamental right to privacy and data protection were violated. Moreover, special categories of personal data (medical data) were involved. The Court stated that the data was frequently accessed, over a long period of time, and inadequately protected. The medical information was then shared with third parties and published in a book. The Court therefore held that it was obvious that the data subject suffered adverse consequences from the violation (e.g. anxiety).

In addition, the Court noted that the concept of 'damages' must be interpreted broadly pursuant to Recital 146 GDPR. Furthermore, the importance of control over personal data and enforcement of the violated rule follows from the GDPR. The Court therefore held that a regulation-compliant interpretation of article 6:106(1) BW (also) implied that the data subject was entitled to fair compensation for her non-material damages. Therefore, the Court ordered the controller to pay the data subject €2,000 in immaterial damages.

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

verdict

COURT ZEELAND-WEST-BRABANT

Cluster II Businesses

Breda

case number / roll number: C/02/387229 / HA ZA 21-384

Judgment of September 21, 2022

in the case of

[plaintiff] ,

residing at [residence] ,

plaintiff,

lawyer mr. P.L. Tjiam in Amsterdam,

against

the foundation

BRAVIS HOSPITAL FOUNDATION,

based in Roosendaal,

defendant,

lawyer mr. L.A.P. Eagles in Nijmegen.

The parties will hereinafter be referred to as [plaintiff] and Bravis.

1 The procedure

1.1.

The course of the procedure is apparent from:

- the interlocutory judgment of 8 September 2021, with the documents referred to therein;

- the official report of the oral procedure of February 22, 2022, with the documents referred to therein;

- the deed after oral hearing and submission of additional exhibits 49-59 of [plaintiff];

- the Reply Act with additional Exhibit 20 from Bravis.

1.2.

Finally, a date for judgment was set.

2 The facts

2.1.

[plaintiff] has been treated as a patient several times in the Bravis hospital from 1991 to 2018.

2.2.

The ex-partner of [plaintiff], Mr. [name of ex-partner] (hereinafter: [name of ex-partner]), has written a book under the pseudonym [name 1], called “[name of book]” (hereinafter: the book), about the divorce and the divorce troubles between [plaintiff] and [name of ex-partner]. The book also contains medical data. The book was published in May 2018 by the sole proprietorship “[name sole proprietorship]” of Mrs [name 2] (hereinafter: [name 2]), the current partner of [name ex-partner]. [name 2] worked at Bravis from January 2007 until (actually) August 2018.

2.3.

At the beginning of July 2018, [plaintiff] contacted Bravis and an appointment was made to inspect the logging data of her patient file. On 11 July 2018, [plaintiff] subsequently viewed the logging data of her patient file with Bravis' data protection officer, Mr. [name of official] (hereinafter: [name of official]).

2.4.

It appears from the logging data that [name 2] frequently consulted [plaintiff]'s patient file in the period from 24 June 2014 to 11 June 2018.

2.5.

After the finding under 2.4., on 11 July 2018, [claimant] requested a copy of the logging data from [name of official] (during the appointment) and from [name of lawyer] - [name of lawyer] (hereinafter: [name of lawyer]), board secretary and lawyer at Bravis (by phone in the evening).

2.6.

On 12 July 2018, summary proceedings were held between [claimant] and [name of ex-partner], in which [claimant] demanded, among other things, a prohibition on further reproduction, distribution and disclosure of the book. In a judgment of 18 July 2018, the preliminary relief judge dismissed the claims of [plaintiff].

2.7.

By e-mail of 17 July 2018, [plaintiff] submitted an (official) complaint to Bravis.

2.8.

On July 18, 2018, Bravis provided [plaintiff] with a copy of the logging data.

2.9.

In a letter dated 14 August 2018, [name of lawyer] responded on behalf of Bravis to [plaintiff's] complaint. This letter states, among other things:

“(…)

Following the findings of 11 July, your letter of complaint and the requests from your mother and daughters, further investigation was then carried out into the circumstances and the way in which the employee [Rb: [name 2]] acted. This investigation took several weeks, partly in connection with her absence due to vacation. The investigation was completed yesterday, with the conclusion that the employee has illegally viewed your patient file for a long time and several times, as well as your mother's file once (in 2015) and your daughter's file [name of daughter] twice (in 2015).

(…)

We were unable to determine that the employee shared information from these patient files with her husband. The medical and other information about you contained in the book may also have become known to the author in other ways, although you believe that this information is from your patient record. Only if a copy from your patient file or a verbatim quotation were included in the book, would we consider that sufficient evidence for the unauthorized sharing (with her spouse) and publishing (as publisher) of medical information by the employee.

In view of the seriousness of the violation that had been established, the Board of Directors has decided on an appropriate sanction. Based on the findings, the Bravis hospital is forced to terminate the employment relationship with the employee with immediate effect.

(…)

We reported the violation of the employee as a data breach to the Dutch Data Protection Authority (…) We have not received a response and do not expect this, in view of the improvement measures mentioned below.

(…)

The Board of Directors has also instructed that the way in which the random checks of access to electronic patient records are now being improved, so that such a long-term violation of the privacy rules will come to light sooner.

(…)”

2.10.

By judgment of 11 February 2019, the Court of Appeal of ’s-Hertogenbosch annulled the judgment in summary proceedings of 18 July 2018 (see 2.6.) and, among other things, prohibited the further distribution/disclosure of the book.

2.11.

[plaintiff] has held Bravis liable for the damage she has suffered. Bravis has denied liability. The parties have entered into consultations with a view to reaching an amicable settlement. This has not led to an agreement.

3 The Dispute

3.1.

[plaintiff] claims – after amendment of the claim – that the court, by judgment, provisionally enforceable as much as possible:

i. declares in court that Bravis has acted unlawfully towards [plaintiff] and is liable for the damage suffered by [plaintiff] because:

a. the hospital has taken insufficient measures to protect the medical data and secret address details of [plaintiff] in the period from June 2014 to June 2018;

b. the hospital wrongly refused to provide the logging data to [plaintiff] prior to the summary hearing on 12 July 2018 at 14:00;

c. the hospital did not conduct sufficient research into the data breach and the question of what happened to [plaintiff]'s medical data.

ii. declares in court that Bravis is liable for the damage as a result of the wrongful act by its employee [name 2] towards [plaintiff], which wrongful act consists of the 347 unauthorized inspections of the medical records of [plaintiff] and the publication of the medical data in the book published by [name 2];

iii. orders Bravis to compensate the damage suffered by [claimant] as a result of what is mentioned above under i. and ii., namely compensation for non-material damage of € 15,000.00, the costs of securing the house of € 3,000.00, and removal costs of € 20,000.00,

and specifically with regard to sub i. under b, the costs of the appeal of € 20,000 (minus the liquidation rate) and immaterial damage of € 50,000 (because the entire book has been published);

iv. orders Bravis to pay the costs of the proceedings, plus the statutory interest from the day of the summons until the date of full payment.

3.2.

Bravis defends itself.

3.3.

In so far as relevant, the arguments of the parties are discussed in more detail below.

4 The assessment

4.1.

In summary, this case concerns the following. [name 2], a (former) employee of Bravis, frequently consulted the patient file of [plaintiff] in the period from 24 June 2014 to 11 June 2018. The registration of the logging data of Bravis shows, among other things, that during this period [name 2] viewed [plaintiff]'s patient file on 79 different moments, that a total of at least 345 log lines were written, and that she applied the emergency procedure six times. Further investigation has shown that [name 2] also consulted the patient file of [plaintiff] under the authorizations of colleagues. It has also been established that [name 2] had access to the patient file of the mother and daughter of [plaintiff]. [claimant] states that [name 2] passed on medical information, which she obtained through unlawful inspection of [claimant]'s patient file, to [claimant]'s ex-partner and that this data was subsequently published in the book published by [name 2]. As a result, she suffered damage. She bases her claims on the position that Bravis, as employer, must be held liable for the wrongful acts of [name 2]. In addition, she bases her claims on the fact that Bravis itself acted unlawfully towards [plaintiff]. Bravis defends itself and disputes any liability, both as an employer and on the basis of tort. The court will proceed to the assessment point by point.

liability subordinate

4.2.

Article 6:170 paragraph 1 of the Dutch Civil Code provides that, for damage caused to a third party by an error of a subordinate, the person in whose service the subordinate performs his task is liable if the risk of the error has been increased by the instruction to perform this task and the person in whose service he was employed had, by virtue of their respective legal relationship, control over the conduct in which the error was located.

4.3.

On the basis of this article, Bravis can only be held liable if the damage was caused by a 'mistake' by [name 2] . An error in this sense is an attributable wrongful act (Article 6:162 of the Dutch Civil Code).

4.4.

It is not in dispute between the parties that [name 2] consulted the patient file of [plaintiff] for a long time and frequently, without her being authorized to do so. [name 2] was not directly involved in the treatment of [plaintiff] as a patient in the Bravis hospital, nor was she involved in the management of the settlement thereof. The fact that the inspection of the patient file by [name 2] in itself already constitutes unlawful conduct within the meaning of Article 6:162 of the Dutch Civil Code is also not in dispute in that regard. Although Bravis argues in these proceedings that it is not established that [name 2] has actually viewed substantive passages from the file, the court also infers from Bravis' statements that Bravis considers the inspections (consultations) by [name 2] unlawful. This is also apparent from the correspondence submitted between the parties, Bravis' position in the employment law proceedings against [name 2] before the subdistrict court, and the fact that the inspections were reason for Bravis to terminate the employment contract with [name 2] with immediate effect. It is therefore established that the access by [name 2] to the patient file of [plaintiff] is unlawful towards [plaintiff].

4.5.

[claimant] not only states that [name 2] (in violation of a social standard of care) has often unlawfully viewed [claimant]'s patient file, but also that she has shared medical data from this patient file with [name of ex-partner] and has published them in the book (written by [name of ex-partner] and) published by her.

4.6.

Bravis argues that access to the patient file and publication of medical data in the book are two different things and that [plaintiff] does not comply with her obligation to provide information in this context. [plaintiff] has not demonstrated that [name 2] has misused medical data from the patient file. It is not clear which information was viewed by [name 2], to what extent she passed that information on to [name of ex-partner], and whether the information provided was subsequently processed in the book. Moreover, it has also not been shown that the information comes from Bravis, since the Dijkzigt hospital is mentioned in the book and not Bravis' hospital. The statements of [plaintiff] in this context are based purely on an assumption. The data published in the book may have been remembered by [name of ex-partner], since they have experienced events together in their relationship. In addition, the medical terms may come from the Internet, an encyclopedia and/or other material explaining medical matters, Bravis said.

4.7.

In addition to this, Bravis argued at the hearing that it has established that the documents containing the relevant medical data that were processed in the book were not (digitally) viewed by [name 2] in the period from 24 June 2014 to 11 June 2018. After all, these documents are located under the “Multimedia” tab and the log line that would have been written when that tab was opened has not been written.

4.8.

The court considers as follows. The book contains medical data. Those medical data correspond to data from [plaintiff]'s patient file. [name 2] published the book and is also the current partner of [name ex-partner], the author of the book. [name 2] was also working at Bravis at that time. All this was reason for [plaintiff] to request the logging data of her patient file from Bravis. It subsequently emerged from those logging data that [name 2] had frequently illegally viewed [plaintiff]'s patient file. In view of this, in the opinion of the District Court, it must in fact be assumed that [name 2] has (also) shared medical data from the patient file of [plaintiff] with [name of ex-partner] and that these data were subsequently processed in the book. Bravis argues that other sources are much more plausible, such as the memory of [name of ex-partner], but the court does not follow this in view of the foregoing. Bravis' defense that [name 2] did not actually view the medical information in question, because this information is in another folder of the digital patient file, for which no log line has been written, also fails. Bravis has not substantiated this defence, which it could have been expected to do, given that it is the party that holds this information. Thus, the court is of the opinion that it must be assumed in these proceedings that [name 2] unlawfully viewed medical data from the patient file of [plaintiff], subsequently shared this medical information with [name of ex-partner], and that this information was incorporated into the book published by [name 2]. In its judgment of 11 February 2019, the Court of Appeal also considered in consideration 6.15.7 that [name of ex-partner] probably obtained the confidential information about [plaintiff] through [name 2].

As a result, [name 2] has not only acted contrary to a social standard of due care, but there is also a (serious) invasion of the privacy of [plaintiff] . The court concludes that [name 2] has committed an unlawful act against [plaintiff]. This act is imputable to her, because no arguments have been put forward that could imply that the act is not imputable to her.

4.9.

In addition, it is required that there is a functional connection between [name 2]'s error and the task assigned to her. This connection is interpreted broadly in case law. It follows from the first paragraph of Article 6:170 of the Dutch Civil Code that this is satisfied if i) the probability of the error is increased by the instruction to perform this task and ii) the superordinate had (theoretical) control over the conduct in which the error was located. The court is of the opinion that these two elements have been met. After all, [name 2] had access to patient files in the context of her work as a medical secretary and as a planner in the ICU, and during working hours, within the working environment, and using the access/authorization made available to her, she obtained access to the patient file of [plaintiff] and the medical information. Bravis, as employer of [name 2], had control over this. There is no question of a private act performed in the private sphere, as Bravis argues.

4.10.

In view of the foregoing, the court is of the opinion that Bravis is (risk) liable for the damage suffered by [claimant]. The court will address the damage below (from legal consideration 4.41.).

4.11.

The court is also of the opinion that the position of [claimant] that [name 2] shared her secret address details from the patient file with [name of ex-partner], because [claimant] received an anonymous Christmas card in his handwriting in 2017, is insufficiently substantiated. [claimant] has not demonstrated that the Christmas card came from [name of ex-partner]. Moreover, at the hearing, [plaintiff] explained, when asked, that she was not harassed (further) by [name of ex-partner] and that no incidents took place. The damage alleged in this regard is therefore dismissed.

unlawful act

4.12.

[claimant] argues that Bravis has acted unlawfully towards her and is liable for the damage suffered by her because i) the hospital has taken insufficient measures to protect her medical data (and address data), ii) Bravis on 11 and 12 July 2018 did not provide logging data to [plaintiff], and iii) Bravis did not conduct sufficient research into the data breach and into what happened to the medical data. The court will then proceed to assess this point by point.

i) insufficient measures to protect medical data

4.13.

[plaintiff] argues that Bravis has taken insufficient measures to protect her medical data (and address data). [claimant] has taken positions in this context that focus on a) the authorization and b) Bravis' control policy. With regard to both the authorization and the control policy, [plaintiff] takes the position that Bravis has acted in violation of Article 32 GDPR (and Article 13 Wbp), which, in short, prescribes that organizations must take appropriate technical and organizational measures to protect personal data. In the context of authorization, [plaintiff] further argues that Bravis also acted in violation of Article 7:457 of the Dutch Civil Code (in conjunction with Article 7:462 of the Dutch Civil Code), because only the practitioners directly involved with the patient are entitled to inspect the patient file and [name 2] cannot be regarded as such.

4.14.

The court takes the following into account in its assessment. In the writ of summons, [plaintiff] based her claim on (among other things) the position that Bravis acted in violation of Article 32 of the GDPR, after which Bravis pointed out in the statement of defense that, in view of the period, Article 13 Wbp was applicable for the most part. The substance of these articles has not materially changed; under both articles, the controller must take appropriate technical and organizational measures for the security of personal data, taking into account the state of the art and the implementation costs. In the context of information security at healthcare institutions, the implementation of appropriate technical and organizational measures takes place on the basis of the standards NEN 7510 and NEN 7513.

From 1 January 2018, with the entry into force of the "Decree on electronic data processing of healthcare providers" (and Articles 3, second paragraph, and 5, first paragraph, included therein), the interpretation of Article 13 Wbp and (subsequently) Article 32 AVG on the basis of these standards has been required. However, even before 1 January 2018, appropriate technical and organizational measures within the meaning of Article 13 Wbp took place on the basis of the aforementioned NEN standards. The parties have submitted various NEN 7510 and NEN 7513 standards. In the opinion of the court, the (successive) standards NEN 7510:2011 and NEN 7510-2:2017 are relevant to the points of dispute at hand. Here too, these standards do not contain any substantive changes on the points at hand.

4.15.

The court must assess, among other things, whether or not Bravis acted in violation of Article 13 Wbp and Article 32 GDPR in the period from June 2014 to June 2018. In view of the foregoing, the court will apply the same standard for this period. It must therefore be assessed whether Bravis has taken appropriate technical and organizational measures in the context of the authorization and its control policy during the aforementioned period, taking into account the state of the art and the implementation costs in relation to the risks and the nature of the personal data to be protected. The assessment of this takes place on the basis of NEN 7510:2011 and NEN 7510-2:2017. It should be noted in this regard that Bravis rightly argues that before 1 January 2018, a hospital could also demonstrate that the security is in order in another way, for example by complying with the Code for Information Security (ISO 17799).

- the authorization

4.16.

In view of the basis of the claim, it is only relevant in this case whether the authorizations that Bravis granted to [name 2] met the prescribed standard and the applicable framework. The court will therefore disregard general statements directed against Bravis' authorization policy.

4.17.

[claimant] argues that the authorizations of [name 2] were too broad and that they violate the 'need to know' principle, as laid down in Article 9.1.1. NEN 7510-2:2017 and Article 7:457 paragraphs 1 and 2 of the Dutch Civil Code. As a medical secretary in (among other things) the cardiology department, [name 2] wrongly had access to the complete file of [claimant] and the mother and daughter of [claimant], since they were not patients in the cardiology department. In addition, [name 2] in the position of planner in the ICU should not have had any access to patient files, according to [plaintiff].

4.18.

Bravis disputes that [name 2]'s authorizations did not comply with the need to know principle. [name 2] has worked as an administrative assistant in the Emergency Department (A&E). In that position she had full access to patient files in view of her duties. There is a (justified) exception to the basic principle (which is also used by Bravis in its authorization policy), which is proportional and substantiated, because the A&E often involves medical emergencies in which direct access to patient files is vital. The emergency procedure is too cumbersome for this, in a situation where sometimes every second counts.

In addition, [name 2] worked as a planner in the Intensive Care and Cardiac Monitoring Department (IC/CCU), where she also had to assist as an IC secretary in the event of absence or unexpected busyness. She has not had full access to patient records in that position; her rights were limited to patients admitted to the ICU, CCU or the cardiology department. She had to use the emergency button procedure to consult other patient records, according to Bravis.

4.19.

At the hearing, [plaintiff] also argued that Bravis' statements do not correspond to the logging data, further elaborated under 4.3. up to and including 4.5. of the speaking notes. The court reviewed the logging data with the parties and Bravis contested the points put forward by [plaintiff] with reasons. The court refers in this regard to the official report of the oral hearing.

4.20.

The court considers as follows. The starting point for authorization is that employees only have access to patient data if they have a treatment agreement with the patient or if they are directly involved in the execution of a treatment agreement. The employee should only have access to data that is necessary for his task. This is also referred to as the 'need to know principle', which is laid down in Article 11.1.1 NEN 7510:2011 and 9.1.1. NEN 7510-2:2017. In addition, it must be possible to extend authorizations for the provision of necessary care in certain special situations, which is why a hospital must have an emergency button procedure. When using the emergency button procedure, employees are informed that they are not authorized to access the specific patient data. In addition, (within the context of responsible and safe care) exceptions to the aforementioned principle may be appropriate, provided the care institution substantiates these well and the exceptions are proportional. The CPB mentions here (in its report of 2013) as an example the urgent and/or complex nature of assistance in certain situations.

4.21.

The court must assess whether the authorizations of [name 2] complied with the framework outlined above. [name 2] worked as a secretary in the emergency department from 1 January 2007 to 1 October 2017. In that position she had an authorization without restrictions, so that she had full and unlimited access to patient files, including [plaintiff's] patient file. She did not have to use the emergency button procedure. The court is of the opinion that, in view of the nature of the position, this broad access to patient files was justified and proportionate. It has therefore not been shown to the court that the authorization provided by Bravis to [name 2] is in conflict with the 'need to know principle'. Furthermore, [name 2] has (also) worked as a planner (and secretary) in the IC from 15 July 2016 to 13 August 2018. In that position she had limited access to patient files and no (direct) access to [plaintiff]'s patient file. This means that in this position she had to apply the emergency button procedure if she wanted to view [plaintiff]'s patient file. [claimant] argues that [name 2] in this position should not have been given access to patient files at all, but this assertion is insufficiently substantiated, partly in view of Bravis' substantiated dispute. The court is of the opinion that here too it has not been shown that this authorization is in conflict with the 'need to know principle'.

4.22.

The court concludes that with the authorizations granted to [name 2] Bravis did not act in violation of Articles 32 AVG, 13 Wbp and 7:457 of the Dutch Civil Code.

4.23.

Superfluously, the Court notes that it is apparent from the foregoing (and, incidentally, also from Bravis' authorization policy) that Bravis makes a distinction in the authorization between job groups and that, in general, there is therefore no question of unlimited access to patient files, as [plaintiff] (wrongly) states in the summons.

- the control policy

4.24.

[claimant] argues that Bravis' control policy did not comply with Article 12.4.1 NEN 7510-2:2017, which stipulates, among other things, that logging data must be checked regularly. It follows from the investigation report (exhibit 26 summons) issued in March 2019 by the Dutch Data Protection Authority (hereinafter: AP) that the AP uses as a starting point that there must be systematic, consistent control of all logging. The AP has already described this in its report of 2013. Bravis does not meet the standard because it only uses a random check. Furthermore, according to the guideline of the Dutch Association of Hospitals (NVZ) from 2015 (production 21 summons), a check must always be made when using the emergency button procedure. Bravis has not complied with this. After all, the emergency button procedure has been initiated six times by [name 2] and Bravis has not checked once.

4.25.

Bravis argues that the logging and the control thereof met the requirements of the Wbp and the AVG. Both Article 13 Wbp and Article 32 AVG take technical possibilities and costs into account when assessing what can reasonably be expected in the context of security. According to the current NVZ policy (exhibit 19 statement of reply), a random check is (still) accepted and a minimum condition. Bravis already more than met that standard at the time. The use of the emergency button procedure was randomly checked each month in two ways. Bravis also randomly checked two patient files every month.

4.26.

[name of official] explained at the hearing how Bravis checked the logging of patient files over the relevant period in practice. The court concludes from this explanation, among other things:

- [name of official] was actually charged with checking the logging. Management was not involved at this point; [name of official] has performed the check of the logging to the best of his knowledge, without having received instructions from management to do so.

- the logging of patient records viewed by employees with unrestricted access was not checked.

- there was one Excel file in which all loggings of the regular and emergency button procedure were listed. From this file, one random day of the month was selected and scanned every month (for matches in (own) names of patient and employee, and suspicious situations). Subsequently, two random patient files were selected from the list (of the relevant day), the logging of which was checked.

4.27.

The court considers as follows. The standards 10.10.2 NEN 7510:2011 and 12.4.1. of NEN 7510-2:2017 stipulate that log files should be reviewed regularly. The starting point for this is that there should be a systematic, consistent check of all logging. A random check and/or a check based on complaints is not sufficient to give substance to this. The AP (then CBP) already laid down these principles in its report in 2013 on the security of patient files, so that this was (also) the applicable standard for the period from June 2014 to June 2018.

4.28.

The court is of the opinion that Bravis did not meet this standard in the period referred to. There was no control policy established by (the management of) Bravis. [name of official] himself had to implement the control of the logging and that control was insufficient (by the standards that applied at the time). The logging of the patient files viewed by employees with unlimited access has not been checked at all. Furthermore, only two patient records were checked on a monthly basis; [name of official] selected these files from an Excel file containing both the regular and emergency button procedure logging. This (evidently) means that there is no systematic and risk-oriented control. Moreover, this control was also insufficient in scope, in view of the scale of processing operations in the hospital.

4.29.

Bravis has insufficiently substantiated that checking the logging in another way complies with Articles 13 Wbp and 32 GDPR. At the hearing, Bravis argued that intelligent logging did not yet exist at that time. In this context, the court notes that the CBP indicated in its 2013 report that hospitals should strive for more intelligent analysis/control of the logging. This report also states that if technological facilities are lacking, the deployment of (sufficient) manpower is recommended to guarantee the required appropriate security level. This can, however, be left undecided since the way in which the checks took place was in any case (far) inadequate. It is also important that this concerns a special category of personal data that deserves a high degree of protection.

4.30.

The court therefore concludes that Bravis did not take appropriate measures with regard to the control of logging within the meaning of Articles 13 Wbp and 32 GDPR for the period from 24 June 2014 to 11 June 2018 inclusive.
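The contrast drawn in considerations 4.26 to 4.29, between scanning one day and two files per month and a systematic check of all logging, can be illustrated as follows. This is an added example, not part of the judgment or of Bravis' systems; the log schema, identifiers, surnames and the repeat threshold are constructed assumptions.

```python
"""Systematic review of patient-file access logs (constructed example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Access:
    day: date
    employee: str     # employee id
    patient: str      # patient id
    emergency: bool   # True when the emergency button procedure was used


# Constructed reference data: every id, name and field here is an assumption.
SURNAMES = {"e1": "Jansen", "e2": "Bakker", "e3": "Smit",
            "p1": "Visser", "p2": "Bakker", "p3": "Mulder"}
# (employee, patient) pairs with a treatment relationship on record.
TREATMENT = {("e1", "p1"), ("e3", "p3")}

LOG = [
    Access(date(2018, 1, 3), "e1", "p1", False),   # treating, expected
    Access(date(2018, 1, 3), "e2", "p2", False),   # same surname as patient
    Access(date(2018, 1, 9), "e3", "p1", True),    # emergency button use
    Access(date(2018, 1, 12), "e2", "p3", False),  # no relationship, repeated
    Access(date(2018, 2, 2), "e2", "p3", False),
    Access(date(2018, 2, 20), "e2", "p3", False),
    Access(date(2018, 2, 21), "e3", "p3", False),  # treating, expected
]

REPEAT_THRESHOLD = 3  # assumed cut-off for frequent access without relationship


def review(log, treatment=TREATMENT, surnames=SURNAMES):
    """Evaluate every entry; return {(employee, patient): set of reasons}."""
    findings = {}
    unrelated = Counter()
    for a in log:
        key = (a.employee, a.patient)
        reasons = findings.setdefault(key, set())
        if a.emergency:
            # Every emergency button use is queued for review, none sampled.
            reasons.add("emergency-button")
        name = surnames.get(a.employee)
        if name and name == surnames.get(a.patient):
            reasons.add("surname-match")
        if key not in treatment:
            # Applies to all employees, including those with unrestricted
            # authorization, whose accesses were not checked at all.
            unrelated[key] += 1
            if unrelated[key] >= REPEAT_THRESHOLD:
                reasons.add("repeated-no-relationship")
    return {k: v for k, v in findings.items() if v}


def sample_review(log, day, patients):
    """The sampling approach: one chosen day, a few chosen patient files."""
    subset = [a for a in log if a.day == day and a.patient in patients]
    return review(subset)


if __name__ == "__main__":
    print("systematic:", review(LOG))
    print("sampled:   ", sample_review(LOG, date(2018, 1, 3), {"p1", "p2"}))
```

On the constructed log, the sampled day surfaces only the surname match, while the systematic pass also surfaces the emergency button use and the repeated access spread across two months.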

4.31.

The court is of the opinion that this constitutes an unlawful act against [plaintiff]. The purpose of checking the logging is to check whether access to the patient records is limited to situations where it is lawful. It is one of the most important security requirements for protecting personal health information. In the given situation, in which the patient file of [plaintiff] has frequently been illegally viewed over a period of almost four years, the violation of the aforementioned standards and of Articles 13 Wbp and 32 AVG with regard to the control of the logging in the same period is wrongful against [plaintiff].

The court will address the damage below (from legal consideration 4.41.).

ii) failure to provide the logging data on time

4.32.

[claimant] argues that Bravis acted in violation of Article 15, paragraph 3 of the GDPR, by not immediately providing her with the logging data after she twice requested Bravis to do so on 11 July 2018. The investigation that would be initiated into [name 2] is completely independent of the question whether [plaintiff] is entitled to the logging data, and this was therefore not a valid reason not to provide the logging (immediately) to [plaintiff]. Bravis has been hiding behind [name 2]'s privacy interest. Bravis has not weighed up interests in this context, and in any case has not explained why the privacy interest of [name 2] should, on the basis of the exception in Article 41 UAVG or the second sentence of Article 7:456 of the Dutch Civil Code, outweigh the interest of the patient, [plaintiff]. This while Bravis was aware of the great importance to [plaintiff] of the data, which she needed as evidence for the summary proceedings hearing on July 12, 2018. Even after Bravis had spoken with [name 2] (prior to the hearing) on July 12, 2018, Bravis did not (yet) provide the logging data to [plaintiff]. Due to the refusal to issue the logging data on 11 and 12 July 2018, [plaintiff] was unable to demonstrate that [name 2] viewed her medical data and used it in the book, and as a result she lost the summary proceedings. As a result of the loss of the summary proceedings, the book remained available in bookshops and digitally until the judgment of the 's-Hertogenbosch Court of Appeal in February 2019. The Court of Appeal took the logging data into consideration in its judgment and quashed the judgment of the preliminary relief judge partly on the basis of that logging data. The book was banned seven months too late due to Bravis' wrongful acts. According to the claimant, Bravis has considerably reduced her chances of winning in the interim injunction proceedings before the preliminary relief judge.

4.33.

Bravis argues that it provided the logging data to [plaintiff] within the legal term of Article 12(3) of the GDPR and thus did not act unlawfully. The copy of the logging data was provided to [plaintiff] on 18 July 2018. In addition, on 11 July 2018, [plaintiff] did not demonstrate why the logging would be relevant for the summary proceedings. During the conversation with Bravis, [plaintiff] indicated that the medical information in the book was incorrect and "wasn't even the worst". The statements made by [plaintiff] about the procedure were not substantiated at the time. Moreover, at that time there was only a suspicion that [name 2] had illegally viewed the file, which first had to be investigated further. As a good employer, Bravis first heard [name 2] about the access to the patient file, before it provided [plaintiff] with a copy of the logging.

Bravis further argues that the condicio sine qua non relationship is lacking. According to Bravis, [plaintiff] has not substantiated how the copy of the logging data would have led to a different conclusion from the judge in preliminary relief proceedings.

4.34.

The court considers as follows. Article 12(3) of the GDPR provides that the controller shall provide the data subject with information about the follow-up to the request without undue delay and in any event within one month of receipt of the request pursuant to Articles 15 to 22. Depending on the complexity of the request, that period may be extended by a further two months if necessary.

4.35.

The court establishes that [plaintiff] made a first request to issue the logging data on 11 July 2018 and that Bravis complied with that request on 18 July 2018. Bravis thus provided the logging data to [plaintiff] without delay and within one month. By providing the logging data within this period, Bravis has not made an exception as referred to in Article 41 UAVG, so that [plaintiff] cannot be followed in this statement. The court is of the opinion that Bravis has not acted unlawfully. After the discovery of the unlawful inspections, Bravis immediately entered into a conversation with [name 2]. Bravis first started its investigation at that time. Subsequently, after seven days, it provided the logging data to [plaintiff]. The court is of the opinion that Bravis acted carefully and expeditiously in this regard. The court does not agree that Bravis should have provided the logging data immediately because of the interest of [plaintiff]. In addition, the court notes that during the summary proceedings, [plaintiff] did not report the finding with regard to the unlawful inspections to the preliminary relief judge or ask for the hearing to be postponed. It would have been up to [plaintiff], if she considered this to be so important, to inform the preliminary relief judge of the unlawful inspections and of the fact that she had requested evidence of this (the logging data) from Bravis but had not yet received it.

4.36.

[plaintiff] has further argued that due to Bravis the chances of winning of [plaintiff] in the summary proceedings of 12 July 2018 have been considerably reduced. In this context, the court notes that the preliminary relief judge has ruled in preliminary relief proceedings that [plaintiff] has not been affected in her honor and reputation by the publication of the book, because [name of ex-partner] has used pseudonyms and [plaintiff] has not made clear that the contents of the book can be traced back to her, so that one can wonder whether the logging data would have led to a different outcome. However, no judgment is given on this point because the claim already fails on the absence of unlawful conduct as considered in 4.35.

iii) insufficient investigation into data breach and into what happened to medical data

4.37.

[claimant] states that in view of the seriousness and scope of the data breach, Bravis had the obligation to conduct a thorough investigation into what [name 2] did with the confidential patient information. By failing to conduct a proper investigation, Bravis is acting unlawfully towards [plaintiff]. Bravis' investigation consisted of only one conversation with [name 2], in which [name 2] indicated that she had not done anything with the information. Bravis has erroneously accepted this and acted with a high degree of carelessness. Furthermore, Bravis has failed to investigate [name 2]'s email boxes and her printing history. Bravis has acknowledged that it did not check [name 2]'s emails.

4.38.

Bravis argues against this that it is not clear which legal obligation Bravis allegedly violated. [plaintiff] has not demonstrated that Bravis has violated an obligation to investigate. The investigation includes more than one interview with [name 2]; she was heard twice, her statement was checked against schedules and other patient records were also checked. There was no indication that the information had been shared with third parties. Furthermore, there are no specific legal requirements for how an investigation into a data breach should be conducted. In this context, Bravis has complied with the requirements set out in Articles 33 and 34 of the GDPR and the associated Guidelines for the reporting of personal data breaches under Regulation 2016/679.

4.39.

The court is of the opinion that Bravis did not act unlawfully, and therefore not contrary to a social standard of due care, towards [plaintiff] by not conducting a more thorough investigation into the data breach and into what [name 2] did with the medical information she obtained from [plaintiff]'s patient file. The court does note in this context that the way in which Bravis dealt with [plaintiff]'s complaint could have been better. As considered above in 4.8, there were indeed indications that [name 2] had shared the information with her partner. In the letter of August 14, 2018, Bravis also suggests with the phrase “We have not been able to determine that the employee has shared information from these patient records with her husband” that an investigation has been carried out on this point, while in fact this has not taken place; the mere denial of [name 2] is considered by the court to be insufficient for that determination. At the hearing it was discussed that what [plaintiff] mainly misses is that Bravis did not personally contact her to discuss what happened to her. She does not feel heard in this. The court can understand this.

4.40.

At the hearing, [plaintiff] also argued that Bravis drew incorrect conclusions with its inadequate investigation and that essential evidence can no longer be found. According to [plaintiff] Bravis is acting in violation of the NEN standards and therefore unlawfully towards [plaintiff]. In this context Bravis mentions (in a footnote) pages 139 and 140 of NEN 7510:2017-2 and also pages 17 and 18 of NEN 7513:2018. The court is of the opinion that this position is in fact insufficiently structured to lead to the conclusion that Bravis acted unlawfully towards [plaintiff]. There is therefore no question of an unlawful act.

damage

4.41.

It follows from the foregoing that the court is of the opinion that Bravis is (risk) liable for the wrongful act of [name 2] and that Bravis is liable on the basis of wrongful act because it has not taken appropriate security measures with regard to the control of the logging. In this context, [plaintiff] claims (on both grounds) compensation for non-material damage of a total of € 15,000.00, the costs for the security of the house of a total of € 3,000, and the removal costs of a total of € 20,000.00. The court will discuss these damage items below.

the immaterial damage

4.42.

It follows from Article 6:95 of the Dutch Civil Code that loss other than financial loss is only eligible for compensation insofar as this is determined by law. Article 6:106, under b, of the Dutch Civil Code provides that there is a right to compensation to be determined in fairness if the injured party has suffered physical injury, has been damaged in his honor or reputation or is otherwise damaged in his person. [plaintiff] argues that she has been affected both in her honor and good name and in another way in person.

4.43.

The court states first and foremost that [plaintiff] has substantiated her claim that her honor or reputation has been harmed by arguing that the publication of the book containing the specific medical data about [plaintiff] is defamatory and constitutes an infringement of her honor and reputation. The court is of the opinion that it has not been sufficiently specified that, and if so to what extent, the alleged damage to the honor and reputation of [plaintiff] would have been caused by the inclusion of a passage with medical data in the book, while the entire book – as [plaintiff] argues – is full of untruths, unnecessarily offensive statements and privacy-sensitive information. To the extent that [plaintiff]'s claim is based on this ground, the court will therefore dismiss that claim.

4.44.

With regard to the impairment of the person 'in another way', the court considers as follows. The nature and seriousness of the violation of standards and of its consequences for the injured party may mean that there is an impairment of the person in another way as referred to in Section 6:106(1)(b) of the Dutch Civil Code. In principle, the person who invokes this will have to substantiate the damage to his person with concrete information. Where appropriate, the nature and seriousness of the violation of norms may mean that the relevant adverse consequences for the injured party in this regard are so obvious that an impairment in the person can be assumed.

An impairment of the person in another way as referred to in Article 6:106, under b, of the Dutch Civil Code, does not already exist in the case of a mere violation of a fundamental right (HR 15 March 2019, ECLI:NL:HR:2019:376 (EBI) and HR 19 July 2019, ECLI:NL:HR:2019:1278 (Earthquake damage Groningen)).

4.45.

[plaintiff] has not substantiated the damage to the person with concrete data. The dispute therefore focuses on the question of whether the nature and seriousness of the violation of standards means that the adverse consequences are so obvious that an impairment in the person can be assumed. Bravis is of the opinion that there is no such situation and argues in this context that the present case is not comparable with the situations in the judgments in Wrongful life (HR 18 March 2005, ECLI:NL:HR:2005:AR5213) and Oudejaarsriots (HR 9 July 2004, ECLI:NL:HR:2004:AO7721).

4.46.

The court considers that this case should be judged on its own merits. Fundamental rights have been violated in this case; after all, there is an infringement of the right to respect for the privacy of [plaintiff] and of the right to the protection of personal data. The court is of the opinion that there is a situation in which the adverse consequences for [plaintiff] are so obvious that an impairment of the person as referred to in Article 6:106, under b, of the Dutch Civil Code can be assumed. The court considers the following important in this regard. This concerns a special category of personal data, namely medical personal data from a hospital's patient file. Over a long period of four years, these data were frequently viewed unlawfully and were also insufficiently protected during this period. In addition, medical information has also been shared with third parties and published in a book. It is obvious that [plaintiff] experiences adverse consequences from this, in the form of, for example, anxiety complaints and the loss of control and the confidentiality of her personal data.

4.47.

In its judgment, the court also takes into account that Article 32 of the GDPR has been violated in this case. In the GDPR, principles have been formulated for the assessment of the violation, the (material and immaterial) damage and the causal relationship between them. It is stated in recital 146 in the preamble that the concept of 'damage' must be interpreted broadly in the light of the case-law of the Court of Justice, in a manner that fully reflects the objectives of the Regulation. The importance of control over personal data and enforcement of the violated rule follows from the GDPR. An interpretation of 6:106 paragraph 1 of the Dutch Civil Code in accordance with the Regulation (also) entails that [plaintiff] is entitled to a fair compensation for her non-material damage.

4.48.

In view of the foregoing, the court deems a compensation of € 2,000 appropriate and fair. Bravis will be ordered to pay this amount to [plaintiff].

home security costs

4.49.

[plaintiff] has specified the costs for securing the house (including travel costs to surrounding hospitals) under 2.16 of her deed after oral hearing.

4.50.

[plaintiff] states, among other things, that she has incurred costs for six electric shutters, security cameras and an Aware alarm button. These costs are based on the argument that [name of ex-partner] became aware of the secret address of [plaintiff] through Bravis and [name 2]. The court will reject these items in view of the judgment in consideration 4.11.

4.51.

[claimant] further states that since June 2018 she has been forced to move to surrounding hospitals, such as the Erasmus MC in Rotterdam and the Amphia Hospital in Breda, and that the travel costs she incurred, totaling € 562.02, should be reimbursed by Bravis. After all, [plaintiff] has lost all confidence in Bravis and her medical data are not safe there, according to [plaintiff]. The court is of the opinion that the claimant has not sufficiently substantiated her allegation. For example, the court has not found that these costs are related to the specific accusation; there may also be other reasons for the treatment in another hospital (for example because of a specialism). In addition, [name 2] is no longer employed by Bravis and Bravis explained at the hearing that after this incident it has made a lot of efforts in the field of security and that its security policy is (currently) in order. [plaintiff] has not argued against this with reasons. These costs must therefore be rejected.

the moving costs

4.52.

[plaintiff] has estimated the costs that she deems necessary for moving to a new home and further specified under 2.22 of her deed after the oral hearing.

4.53.

The court understands that the substantiation of the damage on this point is twofold. In the first place, [claimant] takes the position that she should move because of fear of [name of ex-partner], after passing on her secret address details. In addition, [plaintiff] states that she has lost confidence in Bravis because her medical data are not safe, so that she wishes to move to another region (the Westland) where she lives near a hospital other than Bravis. After all, [plaintiff] is then no longer dependent on Bravis if she needs medical assistance, also in emergency situations. Having regard to recital 4.11. the court will only consider the second statement in its judgment.

4.54.

The court finds that [plaintiff] has not moved to date and only wishes to move. The court has not established that there is a need to move, partly in view of consideration 4.51. The court is therefore of the opinion that this damage by [claimant] is insufficiently substantiated and will dismiss this claim.

4.55.

The other alleged damage (with regard to the claim parts i sub b and c) is rejected, now that the court is of the opinion that Bravis has not acted unlawfully on these points.

declaratory judgments

4.56.

[Plaintiff] initially claimed two declarations of justice in combination with the determination of the damage by means of a damage assessment procedure. At the hearing, [plaintiff] was asked to specify her damage in these proceedings, after which she amended her claim on this point. The court is of the opinion that, in addition to the order to pay compensation, the requested declaratory judgments have no independent meaning. The claimed declaratory judgments will therefore be rejected because of the lack of procedural interest.

litigation costs

4.57.

Bravis will be ordered to pay the costs, because she can be regarded as the largely unsuccessful party. Because a significant part of the amount claimed is rejected, the court estimates the costs of the proceedings on the part of [plaintiff] on the basis of the amount awarded at:

- summons € 103.83

- court fee 309.00

- lawyer's salary 1,195.00 (2.5 points × rate € 478.00)

Total €1,607.83

4.58.

The claimed statutory interest on the costs of the proceedings has not been disputed and will be awarded with due observance of the term to be determined in the decision.

5 The decision

The court

5.1.

orders Bravis to pay [plaintiff] compensation of € 2,000.00 (two thousand euros),

5.2.

orders Bravis to pay the costs of the proceedings, estimated on the part of [plaintiff] to date at € 1,607.83, to be increased by the statutory interest as referred to in Section 6:119 of the Dutch Civil Code on this amount from the fifteenth day after service of this judgment until the day of full payment,

5.3.

declares this judgment provisionally enforceable,

5.4.

rejects all further or other claims.

This judgment was rendered by mr. Fleskens, mr. Poerink and mr. Willems-Ruesink and pronounced in public on September 21, 2022.