Rb. Den Haag - 22/2601
Rb. Den Haag - 22/2601 | |
---|---|
Court: | Rb. Den Haag (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 15 GDPR Article 82 GDPR Article 8:88 Algemene wet bestuursrecht |
Decided: | 21.09.2023 |
Published: | 03.10.2023 |
Parties: | Uitvoeringsinstituut werknemersverzekeringen |
National Case Number/Name: | 22/2601 |
European Case Law Identifier: | ECLI:NL:RBDHA:2023:14359 |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | Dutch |
Original Source: | Rechtbank Den Haag (in Dutch) |
Initial Contributor: | Enzo Marquet |
The Dutch Court of Den Haag determined which legislation was applicable to the calculation of damages in compensation for a data breach by a public body. In this case, the Court applied both domestic public law and Article 82 GDPR in the calculation of damages.
English Summary
Facts
On 16 July 2021, the controller, the Institute for Employee Insurance, a public body, informed the data subject of a data breach. Five letters meant for the data subject were sent to the the wrong address. After a complaint made by the data subject to the controller, the controller offered €250 in compensation. The data subject did not agree with the amount offered and demanded €3000. In addition, she made an access request under Article 15. The controller rejected the claim of €3000. The controller as an administrative body
The data subject then appealed the controller's rejection of their initial claim and made another claim under Article 8:88 AWB. Article 8:88 AWB provides that "the administrative court is entitled, at the request of an interested party, to order an administrative body to compensation for damage suffered or will suffer by the interested party."
In a decision of 4 March 2022, the controller dismissed the data subject's appeal. The controller argued that the decisions cited by the data subject on compensation following a data breach were not public law decisions but stems from private law, and thus did not apply to the controller. The controller claimed that the compensation request and the request for access to information were unrelated and should be separately handled. The controller also contended that Article 8:88 AWB did not apply because the matter involved sending letters to the wrong address, was a factual action, not a formal decision with legal implications for the purposes of Article 8:88 AWB. The data subject appealed this to the Court of Den Haag.
Holding
The Court held that the controller correctly dismissed the data subject's appeal because the compensation request and the request for access to information were unrelated and should be separately handled. Nonetheless, the Court nullified the decision of 4 March 2022 and treated the data subject's case purely as a request for compensation under Article 8:88 Awb in connection with Article 82 GDPR.
The Court determined that for the purposes of Article 82 GDPR, a compensatory amount of €500 was fair and appropriate. The Court considered the psychological impact of the data breach on the data subject, but noted that the five letters were returned in sealed envelopes and there was no evidence of third-party use.
Comment
The data subject cited the following Dutch cases:
ECLI:NL:RVS:2020:898; ECLI:NL:RVS:2020:899; ECLI:NL:RVS:2020:900 en ECLI:NL:RVS:2020:901.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.