Rb. Rotterdam - 9435922
Rb. Rotterdam - 9435922 | |
---|---|
Court: | Rb. Rotterdam (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 4(2) GDPR Article 6 GDPR Article 82 GDPR |
Decided: | 25.02.2022 |
Published: | 03.03.2022 |
Parties: | |
National Case Number/Name: | 9435922 |
European Case Law Identifier: | ECLI:NL:RBROT:2022:1419 |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | Dutch |
Original Source: | Rechtspraak.nl (in Dutch) |
Initial Contributor: | Giel Ritzen |
The District Court Rotterdam ordered a controller to pay € 250,00 in damages to the data subject because of a data breach, that resulted from sending an unencrypted excel file containing the personal data of approximately 1,100 data subjects.
English Summary
Facts
The controller is a company that is contracted to plan and build a new neighborhood (called the “Koningskwartier”) in the village Zevenhuizen. In 2021, people that were interested to potentially purchase a house in this neighborhood, could register on the website of the company. Approximately 1,100 persons, including the data subject, made use of this possibility. During the registration, various confidential personal data of these persons were collected, such as the first- and last name; place- and date of birth; email address; phone number; maximum amount they could borrow for the mortgage; yearly income etc.
On 12 April 2021, the controller sent out an email to all persons that registered and attached an unencrypted excel file to this email, that contained all the personal data listed above. The data subject then replied to the email and notified the controller of the fact that they wanted to be reimbursed for the damages of the data breach. The controller tried to repair their mistake by sending out an email to all recipients regarding the mistake. However, they refused to comply with the data subject’s request, so the data subject brought the matter before court. The data subject requested the court to order the controller to pay him € 750,00 in material damages to purchase a new phone since he was being harassed by an unknown number via WhatsApp. Moreover, he wanted € 20,000 in immaterial damages because he feels “watched” and he lost his trust in other people. The controller explained this data breach was caused due to a human error and requested the Court to reject the data subject’s claim.
Holding
First, the Court considered that the controller had no legal basis in Article 6 GDPR to send out an email that contained data subject’s personal data, and thus unlawfully processed the data subject’s personal data. Moreover, the Court noted that it follows from Recital 146 GDPR that the notion of “damage” must be interpreted broadly, and found that data subject’s damages should be compensated by the controller.
Second, the Court considered the claim for material and immaterial damages. Regarding the material damages, the Court found that the data subject’s claim of € 750,00 was unfounded. The Court stated that the data subject’s phone number is also listed on his LinkedIn page, that he could just buy a new sim-card, and that there is no causality between the controller’s violation and the data subjects damages. However, the Court acknowledged the data subject’s claim to be compensated for his immaterial damages pursuant to Article 82, since he lost control over his personal data, and this resulted directly from the controller’s violation.
Third, regarding the height of the compensation, the Court took into account that some of the data subject’s personal data were very confidential, such as his yearly income, but that “only” 1,100 persons received the personal data and the controller tried to repair the mistake. Hence, the Court concluded that compensation of € 250,00 was sufficient.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
COURT ROTTERDAM case number: 9435922 \ CV EXPL 21-30280 verdict: February 25, 2022 judgment of the subdistrict court, sitting in Rotterdam, in the case of [plaintiff] , living in [place of residence] , plaintiff, hereinafter referred to as: [claimant] , authorized representative: mr. A.C. van 't Hek, against [defendant] † located in [establishment] , municipality [municipality] , defendant, hereinafter referred to as: [defendant] , authorized representatives: mr. O.A. Sleeking and mr. A.W.D. lensink. 1. The process 1.1. The course of the procedure follows from the following procedural documents: † the subpoena with productions; † the statement of reply with exhibits; † the interlocutory judgment of 11 October 2021, in which an oral hearing is determined; † the letter from [claimant] dated December 30, 2021 with a USB stick. 1.2. The oral hearing took place on January 31, 2022. [claimant] appeared in person, assisted by his authorized representative. The representatives appeared on behalf of [defendant], accompanied by [person A] and [person B] (employees of [defendant]). 1.3. The district court has ruled that a verdict will be delivered today. 2. The established facts The following established facts are assumed. 2.1. [defendant] is carrying out the new construction project 'Koningskwartier' in Zevenhuizen. In 2021, people who were interested in the possible purchase of a new-build home could register as a candidate buyer via a website. About 1,100 persons, including [claimant], have made use of this option. Various confidential, personal data of the interested parties were collected during this registration. 2.2. On April 12, 2021, [defendant] sent an e-mail to all persons who registered for the Koningskwartier project. [Defendant] enclosed an unsecured Excel file with this e-mail containing the data of all approximately 1,100 people who have registered for the new construction project. The Excel list contains, among other things, the following information about the registered person and his/her partner, if any: † First and last name; † Birthdate and place; † address; † e-mail address and telephone number; † desired purchase price; † maximum amount to be borrowed; † annual income; † own resources that the prospective buyer wishes to contribute; † the new-build homes in which the prospective buyer is interested. 2.3. A minute later, [defendant] attempted to withdraw the email sent. 2.4. That same day, at 6.23 pm, [plaintiff] sent an e-mail to [defendant], in which he states: “Based on the information I have received, I would like to point out an AVG Data Breach! My personal data has now been shared to a very large group and I am very shocked!!! I would like to see urgently the steps you will now take to inform the injured party about this incredible blunder. I also hereby hold you liable for any damage suffered and yet to be suffered as a result.” 2.5. That same evening, [defendant] sent an e-mail to all persons who registered. In it she states that the Excel sheet was sent by mistake and she calls on you to delete the e-mail with attachment immediately. 2.6. Plaintiff's attorney wrote to Defendant and claimed damages. [defendant] refused to pay compensation. 3. The Dispute 3.1. [claimant] has claimed by judgment, provisionally enforceable, to declare that [defendant] has acted unlawfully towards him, and to order [defendant] to pay him €750 in material damages and €20,000, -, at least an amount to be reasonably estimated, in immaterial compensation, plus the statutory interest from the day of the summons until the day of full payment. 3.2. In summary, the claimant based his claim on the following. Sending the Excel list with personal data must be regarded as unlawful act, namely in violation of Article 6 paragraph 1 of the General Data Protection Regulation (hereinafter: AVG). The damage [claimant] has suffered as a result of this must compensate [defendant] on the basis of Article 82 of the GDPR. [claimant] suffers € 750 material damage, because he is being harassed on his mobile phone and therefore wants to buy a new phone. He also suffers € 20,000 in non-material damage. He is in fact affected in his person, because sensitive personal data is known to at least 1099 others. As a result, [plaintiff] feels unsafe and does not trust people. 3.3. [defendant] has concluded (primarily) complete rejection or (alternatively) mitigation of the compensation, without granting provisional enforceability, at least on the condition that [claimant] must provide security for this, with conviction of [claimant] in the (after) costs of these proceedings, plus interest. 3.4. [Defendant] has submitted the following in support of its defence. Due to a human error, the Excel list has been added to the e-mail. However, the mere fact that personal data of [claimant] have been distributed does not mean that [defendant] must pay compensation to [claimant]. [claimant] must specify that there is material and/or immaterial damage. He didn't. Nor can this damage be assumed on the basis of the nature and seriousness of the violation of standards and its consequences. The claimed damages must therefore be dismissed. The declaratory judgment must also be rejected, because [plaintiff] has no interest in doing so. 3.5. Insofar as it is important for the assessment, what further arguments have been put forward by the parties will be discussed below. 4. The assessment statement of law 4.1. There is no dispute that [defendant] has distributed a significant amount of [plaintiff]'s personal data to a large group of people. The dissemination of personal data is a form of processing as referred to in the GDPR (article 4 sub 2 GDPR). Article 6 of the GDPR provides that the processing of personal data is only lawful if one of the processing bases referred to in that article applies. It has not been argued or shown that in this case one of those principles applies. The conclusion is that [defendant] has unlawfully processed the personal data of [claimant]. [defendant] has therefore infringed the GDPR. In principle, the claimed declaration of law is therefore admissible. However, [defendant] disputed that [petitioner] has an interest in that statement. The claimant did not further substantiate what his interest in that statement lies in. This interest cannot be understood without further explanation. In the absence of importance, the claimed declaratory judgment is therefore rejected (Article 3:303 of the Dutch Civil Code). Legal framework 4.2. The claimant is further entitled to compensation for his damage. In that context, the following legal framework is important. The GDPR entered into force on 25 May 2018 and is directly applicable in the Netherlands (Article 99 AVG and 288 TFEU). Article 82 GDPR provides that anyone who has suffered material or immaterial damage as a result of a breach of the GDPR has the right to receive compensation from the processor for the damage suffered. It follows from recital 85 of the preamble that this may include loss of control over personal data, identity theft or fraud, reputational damage, or any other significant economic or social disadvantage for the person in question. Recital 146 explains that the concept of 'damage' must be interpreted broadly in the light of the case-law of the Court of Justice, in a way that fully reflects the objectives of this Regulation. It further follows from that consideration that the persons concerned must receive full and effective compensation for the damage suffered by them. It follows from the aforementioned legal provision and the accompanying explanatory notes that the concept of damage must be interpreted autonomously at Community level in order to ensure effective compliance with the GDPR, with an equivalent level of protection in all Member States (recitals 10 and 11 GDPR). material damage 4.3. [claimant] claims compensation of € 750 for the purchase of a new telephone. In that context, he states that he is being harassed by a stranger. The subdistrict court understands that he means receiving a WhatsApp message that he submitted as exhibit 3. This is a message that reads: “Hi Mom, this is my new number. You can save this one in your contact list and the other one can go”. However, there is nothing to show that the receipt of this Whatsapp message is the result of the unlawful processing by [defendant]. [defendant] pointed out that [claimant]'s 06 number is also listed on his LinkedIn page, so that malicious parties can also take note of it in other ways. Moreover, it is a well known fact that such fraudulent WhatsApp messages are sent to many individuals. This damage is not eligible for compensation because there is insufficient evidence of a causal relationship between the unlawful processing and the receipt of the Whatsapp message. Not to mention that purchasing a new telephone is in principle not a solution to this problem, since it is more reasonable in that case to purchase a new SIM card with a new telephone number, as rightly and undisputed by [defendant] has been submitted. immaterial damage 4.4. The claimant also claims compensation for his non-material damage. He explained at the hearing that he feels unsafe and watched and that his trust in people has decreased. He also states that he is very uncomfortable with the idea that highly personal data has ended up with at least 1099 other people, including his future neighbors. He also pointed out that it is not known where these data are still circulating and that therefore he does not know what to expect, which gives him a bad feeling. At the hearing, both the attorneys and the employees of [defendant] indicated that they understand these feelings. 4.5. [Defendant] has therefore not disputed that the unlawful processing led to unpleasant consequences for [claimant]. However, it takes the position that this is not legally relevant damage within the meaning of Article 6:106 paragraph 1 sub b of the Dutch Civil Code. However, it ignores the fact that Article 82 of the GDPR must be interpreted autonomously in a way that does full justice to the objectives of this regulation, as considered above under r.o. 4.2. In the opinion of the subdistrict court, the consequences that the unlawful processing have had for [claimant] can indeed cause damage as referred to in Article 82 of the GDPR. The fact that the damage in itself cannot be substantiated directly, as argued by [defendant], is no obstacle to this. One of the main goals of the GDPR is that every person remains in control of their own personal data (Recital 7 GDPR). [claimant] has lost this control because [defendant] forwarded the data to a significant group of people. As undisputedly argued by [claimant] during the hearing, it is not possible to determine where this information is now circulating. In the context of effective compliance with the GDPR, the Subdistrict Court is of the opinion that this should be regarded as damage suffered by [claimant]. 4.6. For the first time during the oral hearing, [claimant] also argued that he is not sleeping well, is experiencing tension in the neck and that he has to go to a physiotherapist for treatment. He only mentioned this in passing and gave no substantiation for it. He also failed to specify when those complaints arose, whether the cause was medically established and what the intensity and duration of the treatments were. Since he has stated insufficiently on this point, this circumstance cannot be included in the calculation of the immaterial damage. amount of compensation 4.7. With regard to the extent of this damage, the Subdistrict Court considers the following. [defendant] forwarded a large amount of personal data of [claimant], which, in addition to contact details, also contain sensitive financial data about the income and assets of [claimant]. The scope of the data and the combination in which it is provided entail risks for [claimant]. Moreover, [claimant] has rightly pointed out that this information unintentionally ended up with the persons who will soon be his immediate neighbours. In short, the nature and seriousness of the unlawful processing affects the awardable compensation. 4.8. On the other hand, the subdistrict court took into account that the data was not made public to a general public, but only to a limited group of approximately 1100 people. It is also important that it is undisputed that adding the attachment to the e-mail is a human error, that [defendant] acted immediately to limit damage and that she reported the infringement. After all, [defendant] requested all recipients that same evening to delete the e-mail and also reported the incident to the Dutch Data Protection Authority. It is also important that the personal data do not concern special personal data, as referred to in Article 9 of the GDPR. 4.9. In view of the foregoing, the subdistrict court awards compensation of €250. The statutory interest on that amount is awarded as undisputed and founded on the law. feasibility at stock 4.10. The claimant has requested that this judgment be declared provisionally enforceable. Pursuant to Article 233(1) DCCP, the court may, if demanded, declare the judgment provisionally enforceable, unless the law or the nature of the case dictate otherwise. Neither the law nor the nature of the case precludes the claimed provisional declaration of enforceability. It follows from settled case law that [claimant] has an interest in the declaration of enforceability, since the judgment relates to payment of a sum of money (HR 27 February 1998, NJ 1998, 512). [Defendant] has filed a defense against the declaration of enforceability. However, the subdistrict court judge does not consider the restitution risk that it has argued to exist with this amount of compensation. The circumstance further advanced that [defendant] will certainly appeal in the event of a granting judgment does not in itself constitute a well-founded reason. The advanced stock enforceability is therefore awarded. 4.11. For the same reason, the sub-district court sees no reason for the requested security (Article 233(3) DCCP). litigation costs 4.12. Since both parties have been partially unsuccessful, the Subdistrict Court sees reason to compensate the costs of the proceedings, in the sense that both parties bear their own costs. 5. The decision The subdistrict court judge: orders [defendant] to pay to [claimant] an amount of €250, plus the statutory interest from 2 September 2021 until the day of full payment; compensates the costs of the proceedings, in the sense that both parties bear their own costs; declares this judgment provisionally enforceable and rejects the more or otherwise claimed. This judgment was rendered by mr. F. Aukema-Hartog and was pronounced in public. 33394