Rb. Noord-Holland - 23-3358
Rb. Noord-Holland - 23-3358 | |
---|---|
Court: | Rb. Noord-Holland (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 5(1)(c) GDPR Article 6(1)(e) GDPR Article 9(2)(g) GDPR Article 82 GDPR |
Decided: | 18.06.2024 |
Published: | 09.08.2024 |
Parties: | Staatssecretaris van Justitie en Veiligheid (State Secretary for Justice and Security) Centraal Orgaan opvang asielzoekers (Central Agency for the Reception of Asylum Seekers) Dienst Terugkeer & Vertrek (Repatriation and Departure Service) |
National Case Number/Name: | 23-3358 |
European Case Law Identifier: | ECLI:NL:RBNHO:2024:7868 |
Appeal from: | |
Appeal to: | |
Original Language(s): | Dutch |
Original Source: | Rechtspraak.nl (in Dutch) |
Initial Contributor: | ec |
A court held that the Dutch State Secretary for Justice and Security had no legal basis under Article 6 GDPR and Article 9(2)(g) GDPR for the unnecessary sharing of an asylum seeker's (sensitive) personal data with other agencies. This needless disclosure also violated the principle of data minimisation.
English Summary
Facts
The data subject has an Iranian nationality and applied for asylum in the Netherlands in 2016. After two applications and two appeals, the State Secretary for Justice and Security (the controller) granted the data subject asylum on 25 August 2021 and provided the data subject with a temporary asylum residence permit.
On 22 September 2021, the data subjected requested access under Article 15 GDPR to their personal data that the controller processed and stored.
On 22 October 2021, the controller replied to the access request and, amongst other things, provided the data subject with an overview of the disclosures of the data subject’s personal data. This showed that the controller transmitted the data subject’s personal data to, among others, the Central Agency for the Reception of Asylum Seekers (“Centraal Orgaan opvang asielzoekers - COA”) and the Repatriation and Departure Service (“Dienst Terugkeer & Vertrek - DT&V”).
The data subject then objected to the processing of their personal data (specifically personal data belonging to special categories under Article 9 GDPR), namely the sharing of those data with the COA and DT&V.
The controller rejected the objection of the processing on 7 December 2021.
The data subject appealed this decision at the District Court of Northern Holland (“Rechtbank Noord-Holland”), and also sought damages under Article 82 GDPR for the unlawful processing of their (special categories of) personal data.
The controller argued that there was no unlawful processing of (special categories of) personal data of the data subject and that the sharing of the personal data with the COA and DT&V was necessary under Article 6(1)(e) GDPR for the performance of a task carried out in the public interest or in the exercise of official authority of these agencies.
The COA's tasks include providing guidance and accommodation to asylum seekers. The controller argued that this task also requires the processing of special categories of personal data under Article 9 GDPR to identify at the earliest possible stage whether the asylum seeker is a vulnerable person and needs specific support and guidance. The data subject argued that the sharing of personal data for the purpose of carrying out its duties and providing appropriate support could also be achieved by sharing no or less personal data with the COA. The controller could have also shared with the COA that the subject may need appropriate support and leave the COA to inquire what support is desired from the data subject to leave the data subject in control of what information it wants to share with the COA.
The DT&V's task include implementing the return policy by customising a careful and humane departure strategy. The controller argued that it is therefore therefore of great importance that the DT&V is involved at the earliest possible stage, receiving as much (complete and verifiable) information about the foreign national as possible. Every piece of information, including special categories of personal data under Article 9 GDPR, can be important for deporting a foreign national efficiently and effectively. The data subject argued that the sharing of (sensitive) personal data with the DT&V even before a rejection decision becomes irrevocable would be unnecessary and premature. The data subject also argued that sharing of personal data with the DT&V after the data subject's asylum application was granted, was wrong as the DT&V had nothing to do with the data subject from then on as they were no longer under an obligation to leave.
Holding
Unlawful processing
The court found that the controller shared a large quantity of documents with the COA and the DT&V that contained both “normal” and special categories of personal data under Article 9 GDPR of the data subject. This included judgements, court rulings, a medical opinion and records of hearings.
The court stated that it could follow that the tasks assigned to COA and the DT&V can be regarded as a task of (substantial) public interest as referred to in Article 6(1)(e) GDPR and Article 9(2)(g) GDPR. However, it could not understand why it was necessary for the controller to share the (special categories of) personal data with the COA and the DT&V in its entirety. The court held that the purpose for which the controller processed this data could be reasonably achieved in another, less detrimental manner. The court further held that in view of the principle of data minimisation under Article 5(1)(c) GDPR, the controller failed to substantiate why the COA’s purpose of careful reception of asylum seekers and DT&V’s purpose of the departure of aliens not eligible for residency, could only be achieved by sharing these documents with the data subject's personal data in its entirety.
The court specifically took into account the sharing of personal data with the DT&V, stating that it could not understand why the sharing was necessary even before it was irrevocably established that a foreign national must leave the Netherlands.
With regard to the sharing of the special personal data under Article 9 GDPR, the court held that it appeared nowhere that the controller weighed up whether the sharing of those data was proportionate in relation to the objective pursued by the sharing of those data, whether the right to the protection of personal data was respected and whether it was necessary to take appropriate and specific measures to protect the fundamental rights and interests of the data subject, as required under Article 9(2)(g) GDPR.
The court therefore held that controller did not sufficiently observe the safeguards for the data processing of both 'ordinary' (Article 6 GDPR) and special categories of personal data (Article 9 GDPR). The controller’s sharing of large quantity of documents containing the data subject’s (sensitive) personal data with COA and DT&V was therefore unlawful, as there was no sufficient legal basis for this under Article 6 GDPR. This also violated the principle of data minimisation under Article 5(1)(c) GDPR.
Non-material damages
The court found that the data subject was entitled to compensation for non-material damages. The controller violated Articles 5, 6 and 9 GDPR and thereby violated the data subject’s right to privacy. The court found that the data subject could not substantiate the amount asked for non-material damages. Considering the circumstances of the case, including the nature, duration and seriousness of the infringement, the court set the amount of non-material damages to €500. The court saw no reason to award a higher amount in view of the fact that the sensitive personal data ended up with a group of professionals, who have a duty of confidentiality by virtue of their position, and the duration of the breach.
Conclusion
Thus, the court found that the controller violated Articles 5, 6 and 9 GDPR by unnecessarily sharing the data subject's personal data in its entirety with the COA and the DT&V. The court therefore ordered the controller to pay €500 in non-material damages to the data subject, and to pay the data subject’s costs of € 1.750 for the legal proceedings.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
ECLI:NL:RBNHO:2024:7868 Share judgment Instance North Holland District Court Date of judgment 06-18-2024 Date of publication 08-09-2024 Case number 23-3358 Areas of law Administrative law Special features First instance - multiple Content indication GDPR, request for access, request for compensation, lawfulness of processing (sharing) (special) personal data of a foreigner between the IND and the COA and the DT&V. Sources Rechtspraak.nl Enriched judgment Judgment COURT OF NORTH HOLLAND Location Haarlem Administrative law case number: HAA 23/3358 judgment of the multi-member chamber of 18 June 2024 in the case between [plaintiff] , from [place] , plaintiff (authorized representative: Mr. I.J.M. Oomen), and the State Secretary of Justice and Security, defendant (authorized representative: Mr. M.M.C. van Graafeiland). The board of the Central Agency from The Hague (the COA) is participating in the case as a third party (authorized representative: Mr. M.M.C. van Graafeiland). Introduction 1.1 In this ruling, the court assesses the claimant's appeal against the decision on her request for access to her personal data under the General Data Protection Regulation (GDPR) and an appealed request for compensation in connection with the sharing of (special) personal data with the COA and the Return and Departure Service (DT&V). 1.2 The defendant responded to the appeal and the request for compensation made in the notice of appeal with a statement of defence. The third party also responded in writing. 1.3 The court heard the appeal at a hearing on 5 March 2024 together with case HAA 22/2169. The following participated: the claimant's representative and the representative in case HAA 22/2169, Mr B.J.P.N. Ficq, on behalf of the defendant: [name 3], [name 4], employed at the Immigration and Naturalization Service (IND), [name 5] and [name 6], employed at the DT&V, with Mr. [name 7] and the defendant's attorney, also attorney of the third party, accompanied by [name 1]. Assessment by the court 2. The court assesses the appeal and request for compensation on the basis of the grounds put forward by the claimant. The court finds that the appeal is unfounded, but that there is reason to award compensation. The court will explain below how it reached this conclusion and what the consequences of this conclusion are. 3.1 The court assumes the following facts. The claimant has Iranian nationality. In 2016, the claimant applied for an asylum permit. The defendant rejected this application. The appeal and further appeal lodged against this were declared unfounded. In 2019, the claimant submitted a new application. After this application was rejected again, the appeal lodged against it was declared well-founded. This resulted in the defendant granting the application for an asylum permit by decision of 25 August 2021 and granting the claimant a temporary residence permit for asylum. On 22 September 2021, the claimant requested the defendant (hereinafter: the GDPR request) to provide the 'other personal and reference data' that the defendant keeps/has registered and is processing in relation to her on the basis of Article 107, paragraph 1, under v, of the Aliens Act (Vw). She requested an overview that was as complete as possible, indicating for each piece of data with which agency that data is/is being shared. 3.2 With the decision of 22 October 2021 (primary decision), the defendant granted the GDPR request and provided the claimant's personal data. An overview of the disclosures of the claimant's personal data has also been provided. This overview shows that the defendant has provided the claimant's personal data to, among others, the COA and the DT&V. 3.3 The claimant has lodged an objection in response to the primary decision and has indicated that she objects to the processing of her (special) personal data by the defendant, namely the sharing of that data with the COA and the DT&V. 3.4 The defendant has interpreted this objection as being directed against the primary decision and has declared the objection unfounded by decision of 7 December 2021 (the contested decision). 3.5 The claimant has appealed against the contested decision and in her appeal also requested the award of damages for unlawful processing of her (special) personal data. The COA as a third party 4. At the request of the defendant and the COA, the court has designated the COA as a third party. In a letter dated 15 February 2023, the court informed the plaintiff's representative that the COA is participating in these proceedings as a third party. In the letter dated 17 February 2023, the plaintiff's representative opposes the participation of the COA as a third party. The court has taken note of the arguments that the plaintiff has given both in that letter and at the hearing as to why she believes that the COA should not be admitted as a third party, but the court sees no reason to reconsider the decision to admit the COA as a third party in these proceedings. The defendant has sufficiently explained that the COA, as an independent administrative body, would be directly affected in its interests if the court were to rule that the sharing of (special) personal data by the IND with the COA is unlawful. The appeal against the contested decision 5. The court finds that the grounds for appeal submitted by the claimant relate exclusively to the alleged unlawfulness of the sharing of (special) personal data by the defendant with the COA and the DT&V. These grounds for appeal do not affect the contested decision, which concerns the decision taken on the claimant's request for access. When asked, the claimant's representative indicated at the hearing that she has no objection to the overview provided in response to the request for access, but that it concerns exclusively the - in the eyes of the claimant - unlawful processing of (special) personal data by the defendant. This point will be addressed in the assessment of the request for compensation. Since no grounds have been submitted against the contested decision, the appeal lodged against it is unfounded. The request for compensation 6. The court first states that it has jurisdiction to hear the request for compensation. The court bases this on the judgment of the Administrative Jurisdiction Division of the Council of State (Division) of 1 April 20201 and in particular on considerations 16 to 22 of that judgment. 7. The legislation and regulations that are important for the assessment of the request can be found in the appendix to this judgment. 8. The claimant states that her (special) personal data have been shared unlawfully and that she has suffered damage as a result. The (un)lawful processing of (special) personal data 9. In order to answer the question of whether there is reason to award damages, it must first be assessed whether the processing of the claimant's (special) personal data by the defendant - namely the integral sharing of documents containing the claimant's (special) personal data with the COA and the DT&V - took place lawfully. 10. In the contested decision, explained in the statement of defence and at the hearing, the defendant adopted the following position. There has been no unlawful processing of (special) personal data. For the processing of personal data, the COA's task performance forms the processing basis as referred to in Article 6, paragraph 1, section e, of the GDPR. It follows from Article 3 of the COA Act and the Regulation on the Provision of Asylum Seekers and Other Categories of Aliens 2005 (Rva 2005) based thereon that the processing of personal data is necessary for the fulfilment of a public task of general interest or the exercise of public authority. On this basis, the COA is charged with providing shelter to asylum seekers throughout the entire asylum process and also has a guidance task. The individual needs of the alien, employees and local residents must be taken into account in this. When receiving aliens, the COA strives for safe and manageable reception and must take into account, among other things, the vulnerability or other special circumstances of an alien. In order to perform this task, it is also necessary to process special personal data, in order to be able to determine at the earliest possible stage whether the asylum seeker is a vulnerable person and needs specific support and guidance. It is also necessary for the safety of the residents and employees of the COA that the COA has sufficient information to form a complete picture of the foreigners it houses. In view of this, the careful reception of asylum seekers and the associated care for their physical and mental health is a major public interest as referred to in Article 9, paragraph 2, under g, of the GDPR, read in conjunction with Article 23, under a, of the GDPR and the Convention relating to the Status of Refugees and the Reception Directive of the European Union2, the COA Act and the Rva 2005. According to the defendant, the basis for the processing of personal data by the DT&V is also found in Article 6, paragraph 1, under e, of the GDPR. The defendant states that the need to process personal data follows from the performance of the DT&V's duties, namely the implementation of the return policy, as laid down in the Vw, the Aliens Regulations 2000 and the European Return Directive3. This performance of duties is characterised by customisation and a careful and humane departure strategy. According to the defendant, it is therefore of great importance that the DT&V is involved at the earliest possible stage and receives as much (complete and verifiable) information about the alien as possible. Every piece of information can be or become important in the return process. According to the defendant, the processing of special personal data is also necessary for the efficient and effective performance of the tasks by the DT&V when deporting aliens. It is important that the DT&V knows the interests and underlying considerations of the alien, in the Netherlands, but certainly also in the country of origin. The information required for this is registered in the procedure of the defendant and by other chain partners and is included in particular in decisions on the credibility of the identity and nationality and reports of hearings. The DT&V has a need to process (special) personal data at the moment that the person concerned is obliged to leave the Netherlands. The rejection of an application for a residence permit is an indicator for the DT&V to start (preparatory) actions for a departure from the Netherlands. During the asylum procedure of the claimant, such an obligation to leave arose and therefore also the need for the DT&V to process special personal data concerning the claimant. The fact that the residence status of the claimant changed during the asylum procedure does not alter this. The processing of special personal data is based on Article 107, paragraph 1, of the Aliens Act, read in conjunction with Article 6, paragraph 1, under e, of the GDPR, Article 107a, paragraph 1 of the Aliens Act, Article 7.1a, paragraph 1, under i, of the Aliens Regulations and Article 9, paragraph 2, under g, of the GDPR. 11. The claimant acknowledges that the COA needs information to perform its task, but states that the defendant has shared far more (special) personal data with the COA than is necessary. According to the claimant, the integral sharing of, among other things, hearing reports, (intentions for) decisions and judicial rulings, in which special personal data of the claimant are included, is in conflict with the principle of minimal data processing, as laid down in Article 5, paragraph 1, under c, of the GDPR. In addition, the defendant seems to assume that the claimant's consent for sharing her personal data is not necessary, because Article 6, paragraph 1, under c and e, of the GDPR apply, but then it is up to the defendant to demonstrate that it follows from legislation or regulations which categories of personal data may be shared with the COA and in what manner. Furthermore, under Article 9 of the GDPR, it is prohibited to process special personal data, unless there is a compelling public interest and if proportionality is met with appropriate and specific measures to protect the fundamental rights and interests of the claimant. The claimant believes that the COA does not need to have knowledge of her special personal data or asylum motives in order to provide ‘appropriate support’. The defendant could have sufficed with stating that in the case of the claimant, appropriate support may have to be provided and then the COA could have asked the claimant what support is appropriate and desirable, whereby the claimant herself could have retained control over what information she does and does not want to share with the COA. The claimant concludes that there is no (necessity) basis for sharing integral documents with the COA and that, to the extent that the special personal data would already fall under Article 107, paragraph 4, of the Vw, the defendant has violated the principle of proportionality by integrally sharing documents, hearings, decisions and judicial rulings. Providing the COA with necessary information for the performance of its duties could also be achieved by sharing no or less personal data with the COA, according to the claimant. The claimant further states that the above also applies to the sharing of (special) personal data by the defendant with the DT&V. The claimant considers the sharing of (special) personal data with the DT&V before a negative decision became irrevocable to be unnecessary and premature. It is also important that all data that the defendant shared with the DT&V after 20 March 2019 - the date on which the claimant's asylum application was ultimately granted - was shared wrongfully, since the DT&V had nothing more to do with the claimant from that moment on, because she was no longer obliged to leave. Because she considers the processing (sharing) of the aforementioned data to be unlawful, the claimant has requested compensation on appeal. 12.1 In assessing the lawfulness of the processing of the (special) personal data of the claimant by the defendant, the court takes into account the conclusion of the Attorney General of the Supreme Court of 15 September 2021.4 The following was considered in that conclusion. 12.2 Article 6, paragraph 1, of the GDPR contains an exhaustive list of the grounds on which personal data can be lawfully processed. In this paragraph, insofar as relevant here, under e, it is determined that the processing of personal data is only lawful if the processing is necessary for the performance of a task in the public interest or a task in the context of the exercise of public authority assigned to the controller. 12.3 The exhaustive nature of the list is apparent from the word ‘only’5. The words ‘to the extent’ confirm the principle of data minimisation (Article 5, paragraph 1, point (c), of the GDPR): if only part of the processing or only part of the processed data falls within the scope of the applicable processing ground(s), the processing is only lawful to that extent, and otherwise prohibited. The words ‘at least’ make it clear that one and the same processing may fall within the scope of more than one processing ground. The processing grounds may overlap in this sense, but the applicability of one processing ground is sufficient to assume lawfulness.6 12.4 The processing grounds are regarded in the literature as equivalent, or as equivalent alternatives.7 It is important to note that the scope and legal consequences of the processing grounds differ. For example, consent (ground a) may be withdrawn at any time (Article 7(3) GDPR), while processing carried out for the purpose of a task carried out in the public interest (ground e) or the pursuit of legitimate interests (ground f) may be objected to at any time (Article 21(1) GDPR). These reservations do not apply if the processing is based on a legal obligation (ground c), but this requires a basis in Union or national law that meets certain preconditions (Article 6(3) GDPR). Given these differences, it is important to distinguish between the grounds for processing, even though ultimately all data processing must meet the basic requirements of Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms and Article 8 of the Charter of Fundamental Rights of the European Union.8 12.5 The grounds for processing b to f have in common that they only allow data processing if and to the extent that it is ‘necessary’ for the stated purposes. This requirement of necessity corresponds to the principles of proportionality and subsidiarity.9 The case law of the Court of Justice of the European Union (CJEU) shows that the concept of ‘necessary’ has an autonomous meaning under EU law in this context.10 13. In addition to the processing of personal data within the meaning of Article 6 of the GDPR, this also concerns the processing of special personal data as referred to in Article 9, paragraph 1, of the GDPR. This case concerns the processing of personal data relating to the claimant’s racial/ethnic origin, political opinions, religious or philosophical beliefs and health data. The processing of special personal data is prohibited unless one of the conditions set out in the second paragraph of Article 9 of the GDPR is met. In this case, the question must be answered whether the exception in Article 9, paragraph 2, under g, of the GDPR is met, from which it follows that the prohibition on the processing of special personal data does not apply if the processing is necessary for reasons of substantial public interest, on the basis of Union law or Member State law, whereby proportionality with the objective pursued is guaranteed, the essential content of the right to protection of personal data is respected and appropriate and specific measures are taken to protect the fundamental rights and interests of the data subject. 14.1 The court finds that the defendant has shared a large number of documents, containing both ‘ordinary’ and special personal data of the claimant, in their entirety with the COA and the DT&V. This includes orders, court rulings, medical advice and reports of hearings. The court can follow the conclusion that the tasks of the COA and the DT&V can be regarded as a task of (important) general interest as referred to in Article 6, paragraph 1, under e, of the GDPR and Article 9, paragraph 2, under g, of the GDPR. The defendant has sufficiently explained this. This is also not in dispute. However, the court does not follow that it is necessary to fully share the above-mentioned documents with the (special) personal data included therein with the COA and the DT&V in order to fulfil these tasks. In the opinion of the court, it is not clear that the purpose for which the (special) personal data of the claimant are processed cannot reasonably be achieved in another, less disadvantageous manner. This objective is, as far as the COA is concerned, the careful reception of asylum seekers and, as far as the DT&V is concerned, the realisation of the departure of aliens who do not qualify for a residence permit. Respondent has also failed, in light of the principle of minimal data processing (Article 5, paragraph 1, under c, of the GDPR), to substantiate why these objectives can only be achieved by sharing the documents containing (special) personal data of the claimant in full. Furthermore, as far as sharing personal data with DT&V is concerned, it has not been sufficiently substantiated why sharing all this data is already necessary before it has been irrevocably established that an alien must leave the Netherlands. In addition, with regard to the sharing of the special personal data, there is no evidence that the defendant has considered whether the sharing of that data is proportionate in relation to the objective pursued by sharing that data, whether the essential content of the right to protection of personal data is respected and whether it is necessary to take appropriate and specific measures to protect the fundamental rights and interests of the claimant, as is required under Article 9, paragraph 2, under g, of the GDPR. 14.2 The court therefore concludes that the defendant has insufficiently observed the guarantees for the data processing of both the ‘ordinary’ (Article 6 of the GDPR) and the special personal data (Article 9 of the GDPR). The court therefore considers the defendant’s integral sharing of the large number of documents containing the claimant’s (special) personal data with the COA and the DT&V to be unlawful, as there was insufficient basis (necessity) for this. This also undermines the principle of data minimisation laid down in Article 5, paragraph 1, point (c), of the GDPR. Awarding damages 15. The court concluded above that the processing of (special) personal data of the claimant was unlawful. The question then arises whether this should lead to the award of damages. In assessing this, the court takes the following into consideration. 16. The fact that there has been unlawful data processing is not in itself sufficient to claim damages. This is evident from a judgment of the ECJ of 4 May 202311, which determined that an infringement of the provisions of the GDPR is not in itself sufficient for the granting of a right to damages. In this judgment, the ECJ first determined that the occurrence of damage in the context of the processing of personal data is only potential and, secondly, that an infringement of the GDPR does not necessarily lead to damage and, thirdly, that a causal link must exist between the infringement in question and the damage suffered by the data subject in order to give rise to a right to damages. In this judgment, the ECJ further considered that a person affected by a breach of the GDPR with negative consequences for him must prove that those consequences constitute non-material damage within the meaning of Article 82 of the GDPR. 17.1 According to settled case law of Division 12, the assessment of a request for compensation for non-material damage is based on civil damages law. 17.2 Article 6:106 of the Civil Code (BW) states: For disadvantage that does not consist of financial loss, the injured party is entitled to compensation to be determined in fairness: (…) b. if the injured party has suffered bodily injury, has been harmed in his honour or good name or has been otherwise affected in his person; (…). 17.3 The violation of person ‘in other ways’ referred to in Article 6:106, first paragraph, opening sentence and under b, of the Civil Code will in any case occur if the injured party has suffered mental injury. The person who relies on this will have to provide sufficient concrete data from which it can be concluded that mental damage has occurred in connection with the circumstances of the case. To this end, it is required that the existence of mental injury can be established according to objective standards. Even if the existence of mental injury in the aforementioned sense cannot be assumed, it is not excluded that the nature and seriousness of the violation of the standard and of its consequences for the injured party entail that the violation of person ‘in other ways’ referred to in Article 6:106, opening sentence and under b, of the Civil Code has occurred. In such a case, the person who relies on this will have to substantiate the violation of person with concrete data. This is only different if the nature and seriousness of the violation of standards mean that the adverse consequences for the injured party that are relevant in this context are so obvious that an infringement of the person can be assumed. An infringement of the person ‘in another way’ as referred to in Article 6:106, opening words and under b, of the Civil Code does not already occur in the case of the mere violation of a fundamental right.13 17.4 According to the aforementioned Divisional Judgment of 1 April 2020, the framework outlined in 17.3 can meet the requirements of the GDPR and the case law of the CJEU, which held that in the absence of Community legislation, it is a matter for the internal legal order of each Member State to determine the rules for exercising the right to compensation, provided that the principles of equivalence and effectiveness are observed.14 17.5 The court finds that the claimant has not stated that she has suffered mental harm as a result of the defendant's unlawful conduct, which can be established on objective grounds. 17.6 The claimant states that she has been affected in her person. She claims that her privacy has been violated because the data shared by the defendant contains strictly confidential and sensitive personal data and she did not give permission for the sharing of that data with the COA and the DT&V. This concerns very personal, intimate and private information, including information about her political opinions, religious beliefs, medical information and very traumatic experiences and the psychological consequences thereof, which the defendant had promised to treat confidentially. The claimant is very sad and upset that her most intimate and personal data has been shared with strangers. A large number of COA employees have had access to that data. She therefore requests the award of compensation of at least €20,000, but no more than €24,999, pointing out that the processing of her data is very far-reaching and unnecessary and that it concerns a great deal of data of a very personal nature. 17.7 The court finds that the claimant is entitled to compensation for non-material damage. The defendant has acted in violation of Articles 5, 6 and 9 of the GDPR and has thereby violated the right to respect for the personal privacy of the claimant. An infringement of the personal privacy of the claimant can be regarded as an infringement of the person as referred to in Article 6:106, first paragraph and under b, of the Dutch Civil Code, which gives rise to a claim for compensation for non-material damage. However, the claimant has not substantiated the amount of the requested compensation at all. In view of the circumstances of this case, including the nature, duration and seriousness of the infringement, the court will determine this damage in fairness at € 500. The court hereby follows the case law of Division 15. In doing so, the court takes into account the particular sensitivity of the nature of the personal data that were processed in this case without the consent of the claimant. For the processing of special (sensitive) personal data as referred to in Article 9 of the GDPR, a higher level of protection has been laid down in the GDPR than for ordinary personal data. The adverse consequences of the provision of sensitive personal data are obvious. In this case, the court sees no reason to award a higher amount, given the fact that the privacy-sensitive personal data ended up with a group of professionals who, by virtue of their position, have a duty of confidentiality and the duration of the infringement. Conclusion and consequences 18.1 In view of what was considered under 5., the appeal is unfounded. This means that the contested decision remains in force. 18.2 The request for the award of damages for the unlawful processing of (special) personal data of the claimant is granted up to an amount of € 500. 18.3 In view of this, the court sees reason to order the defendant to pay the legal costs incurred by the claimant. The defendant must pay this compensation. This compensation amounts to € 1,750 because the claimant's representative filed an appeal and participated in the hearing. No further costs were incurred that can be reimbursed. 18.4 Because the claimant is exempt from paying court fees, she does not have to pay court fees. Decision The court: - declares the appeal unfounded; - grants the request for compensation and orders the defendant to pay the claimant €500 in compensation; - orders the defendant to pay the claimant €1,750 in legal costs. This decision was made by Mr. D.M. de Feijter, chairman, and Mr. drs. J.H.A.C. Everaerts and Mr. J. de Wit, members, in the presence of R.I. ten Cate, clerk. The judgment was pronounced in public on 18 June 2024. registrar chair A copy of this judgment was sent to the parties on: Information on appeal A party that disagrees with this judgment may send a notice of appeal to the Administrative Jurisdiction Division of the Council of State explaining why the party disagrees with this judgment. The notice of appeal must be filed within six weeks of the date on which this judgment was sent. If the submitter cannot await the hearing of the appeal because the case is urgent, the submitter may request the provisional relief judge of the Administrative Jurisdiction Division of the Council of State to grant an interim measure (a temporary measure). Appendix: legislation and regulations relevant to this judgment General Data Protection Regulation Article 4 For the purposes of this Regulation, the following definitions apply: 1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘the data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; (…) Article 5 1. Personal data must be: (…) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); (…) 2. The controller shall be responsible for and be able to demonstrate compliance with paragraph 1 (‘accountability’). Article 6 1. Processing shall be lawful only if and to the extent that at least one of the following applies: a. (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; c) processing is necessary for compliance with a legal obligation to which the controller is subject; d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Point (f) of the first paragraph shall not apply to processing carried out by public authorities in the performance of their tasks. Article 9 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. 2. Paragraph 1 shall not apply if one of the following applies: the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject; processing is necessary for the purposes of carrying out obligations and exercising specific rights of the controller or of the data subject in the field of employment law, social security and social protection law, insofar as it is authorised by Union or Member State law or by a collective agreement in accordance with Member State law which provides appropriate safeguards for the fundamental rights and interests of the data subject; processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; processing is carried out by a foundation, association or other non-profit body with a political, philosophical, religious or trade union objective in the course of its legitimate activities and subject to appropriate safeguards, provided that the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside that body without the data subjects' consent; the processing relates to personal data which have manifestly been made public by the data subject; the processing is necessary for the establishment, exercise or defence of legal claims or when courts are acting in their judicial capacity; the processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to protection of personal data and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject; the processing is necessary for the purposes of preventive or occupational medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, on the basis of Union or Member State law or in accordance with contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3; processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to protection of personal data and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. 3. The personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to an obligation of professional secrecy under Union or Member State law or rules laid down by national competent bodies, or by another person also subject to an obligation of secrecy under Union or Member State law or rules laid down by national competent bodies. 4. Member States may maintain or introduce additional conditions, including restrictions, with regard to the processing of genetic data, biometric data or data concerning health. Article 15 1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning him or her, as well as the right to object to such processing; the existence of the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 2. Where personal data are transferred to a third country or an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer. 3. The controller shall provide the data subject with a copy of the personal data undergoing processing. If the data subject requests further copies, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested, the information shall be provided in a commonly used electronic form. 4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others Article 82 1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. 2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or has acted outside or contrary to lawful instructions of the controller. 3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage. 4. Where more than one controller or processor, acting in the same processing, is responsible for any damage caused by processing under paragraphs 2 and 3, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject. 5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2. 6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2). 1 ECLI:NL:RVS:2020:898 2 Directive 2013/33/EU of 26 June 2013 laying down standards for the reception of applications for international protection 3 Directive 2008/115/EC 4 ECLI:NL:PHR:2021:831 5 See, on the exhaustive nature of Article 8 of the Personal Data Protection Act (Wbp) and Article 6, first paragraph, GDPR and Explanatory Memorandum (Wbp), respectively, Parliamentary Papers II 1997/98, 25 892, no. 3, p. 80 et seq. and Explanatory Memorandum (UAVG), Parliamentary Papers II 2017/18, 34 851, no. 3, p. 33 et seq. See also Kranenborg and Verhey, The GDPR in European and Dutch Perspective, 2018, p. 141 et seq. 6 See Krzysztofek, GDPR: General Data Protection Regulation (EU) 2016/679, 2019, p. 71 7 See Krzysztofek, GDPR: General Data Protection Regulation (EU) 2016/679, 2019, p. 71. Cf. also p. 13 of the Legitimate interest opinion of the Article 29 Working Party discussed below, where it is noted that the text of Article 7 of the Directive does not suggest a ‘hierarchy between the grounds’. Cf. also paragraph 2.30 below, on the qualification of the f-ground as a ‘residual ground’. 8 See W. Kotschy, ‘Article 6: Lawfulness of Processing’, in: C. Kuner et al. (eds.), The EU General Data Protection Regulation (GDPR). A Commentary, Oxford University Press 2020, p. 339-340. 9 See Kranenborg and Verhey, The GDPR in European and Dutch Perspective, 2018, p. 144. 10 See ECJ 16 December 2008, C-524/06, ECLI:EU:C:2008:724, EHRC 2009/23, m.nt. E. Brems (Huber/Germany), rov. 47-52. 11 UI v Österreichische Post AG, C-300/21, ECLI:EU:C:2023:370 12 See the aforementioned judgment of the Division of 1 April 2020 (ECLI:NL:RVS:2020:898) 13 See the judgments of the Supreme Court of 15 March 2019, ECLI:NL:HR:2019:376, r.o.4.2.2, of 28 May 2019, ECLI:NL:HR:2019:793, r.o. 2.4.5. and of 19 July 2019, ECLI:NL:HR:2019:1278, r.o. 2.13.2. 14 See the judgment in Manfredi, paragraph 64. 15 See the judgment of 1 April 2020, ECLI:NL:RVS:2020:898