Rb. Amsterdam - C/13/731682 / HA ZA 23-329

From GDPRhub
Revision as of 14:13, 27 September 2024 by Privacy mand
Court: Rb. Amsterdam (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 25 GDPR
Article 32 GDPR
Article 35 GDPR
Article 80 GDPR
Article 82(1) GDPR
3:305a BW
6:162 BW
Wet afwikkeling massaschade in collectieve actie
Decided: 17.07.2024
Published: 17.07.2024
Parties: STAAT DER NEDERLANDEN (Ministerie van Volksgezondheid, Welzijn en Sport),
PUBLIEKE GEZONDHEID EN VEILIGHEID NEDERLAND
Stichting Projectenbureau Publieke Gezondheid en Veiligheid Nederland
STICHTING VERENIGINGSBUREAU PUBLIEKE GEZONDHEID EN VEILIGHEID NEDERLAND
STICHTING LANDELIJKE COÖRDINATIE COVID-19 BESTRIJDING
GEMEENTELIJKE GEZONDHEIDSDIENST (GGD) AMSTERDAM-AMSTELLAND
GGD BRABANT-ZUIDOOST
DIENST GEZONDHEID & JEUGD ZUID-HOLLAND ZUID
GGD DRENTHE
GGD FLEVOLAND
VEILIGHEIDSREGIO FRYSLÂN
Veiligheids- en Gezondheidsregio Gelderland-Midden
GGD Gelderland-Zuid
GGD GOOI & VECHTSTREEK
GGD GRONINGEN
GEMEENSCHAPPELIJKE REGELING GEMEENTELIJKE GEZONDHEIDSDIENST EN VEILIG THUIS HAAGLANDEN
GGD HART VOOR BRABANT
REGIONALE DIENST OPENBARE GEZONDHEIDZORG HOLLANDS MIDDEN
GEMEENTELIJKE GEZONDHEIDSDIENST HOLLANDS NOORDEN
GGD IJSSELLAND
National Case Number/Name: C/13/731682 / HA ZA 23-329
European Case Law Identifier: ECLI:NL:RBAMS:2024:4264
Appeal from:
Appeal to: Not appealed
Original Language(s): Dutch
Original Source: de Rechtspraak (in Dutch)
Initial Contributor: Privacy mand

The ICAM foundation has filed a collective action against the State and public health institutions on behalf of 6.5 million Dutch citizens affected by the GGD data breach. The claim is based on Article 82, paragraph 1 of the GDPR.

English Summary

Facts

Before the COVID-19 pandemic: The State and others were already aware that the IT systems of the GGD were outdated and would not be suitable for handling a large epidemic or pandemic. Nevertheless, no adequate measures were taken to improve the systems.

March 2020: The GGD systems, HPZone, and later CoronIT, are used to combat the COVID-19 pandemic.

April 2020: The European Data Protection Board (EDPB) emphasizes the importance of data protection in combating the coronavirus.

January 22, 2021: GGD GHOR Nederland reports a data breach to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP). This is referred to in the media as the "corona data leak."

January 28, 2021: GGD GHOR publishes a page with "Frequently Asked Questions and Answers about Data Theft" on their website. At this time, there is still much uncertainty about the extent of the data leak.

February 2021:

   Following media reports about the theft and trade of personal data from GGD systems, the AP announces that it will intensify its supervision of the GGD.
   KPMG advises GGD GHOR to stop using HPZone as soon as possible due to inadequate data protection.
   The AP investigates the security of websites linked to DigiD, including www.coronatest.nl.

April 2021 to January 2022: The AP investigates whether GGD GHOR and two local GGDs have taken appropriate technical and organizational measures to protect personal data in the context of testing, vaccinating, and contact tracing. The AP acknowledges that the GGDs faced a huge challenge due to the pandemic, but emphasizes that good data security is essential, especially given the large amount of sensitive data the GGD processes. The AP shares its findings with GGD GHOR and gives them until March 1, 2022, to implement improvements.

November 25, 2021: Stichting ICAM is founded by [name 1] with the aim of taking action against (threatened) privacy violations of citizens, including claiming compensation after data breaches.

February 8, 2022: ICAM invites the defendants, except for Stichting Landelijke Coördinatie COVID-19 Bestrijding, for consultation in accordance with Article 3:305a paragraph 3 subsection c of the Dutch Civil Code.

February 15, 2022: ICAM submits a Freedom of Information (Wob) request to the defendants.

November 22, 2022: ICAM invites Stichting Landelijke Coördinatie COVID-19 Bestrijding for consultation in accordance with Article 3:305a paragraph 3 subsection c of the Dutch Civil Code.

April 25, 2022: GGD GHOR sends letters to 1,247 individuals whose data had been obtained by third parties. In this letter, GGD GHOR offers a financial compensation of 500 euros in exchange for full settlement. About 80% of these individuals accept the offer.

March 11, 2024: ICAM has 138,244 registrations from people who wish to join the collective action.

March 28, 2023: ICAM serves a summons against the State and others.

April 18, 2024: The Minister for Legal Protection designates ICAM as the competent body under Article 3:305e of the Dutch Civil Code.

Holding

The Amsterdam court issued a ruling on July 17, 2024, in the case of Stichting ICAM against the State and others regarding the GGD data leak. The court ruled that ICAM is admissible in bringing the following claims:

   Claims regarding the cessation of the violation of the GDPR (Articles 24, 25, 32, 34, and 35 GDPR) and for better protection of personal data by the government in the future. These claims (K and L) were not considered manifestly unfounded by the court. However, the court instructed ICAM to specify which violations it believes still exist and to provide evidence of this.
   Claims to compel the State, GGD GHOR, and the local GGDs to provide more information about the nature and extent of the data breach. The court found it important to clarify the events surrounding the data breach and the roles of the different parties involved.

The court declared ICAM inadmissible in its claims for damages based on both Article 82 GDPR and Article 6:162 of the Dutch Civil Code (BW), for both "Group A" (persons whose data may have been leaked) and "Group B" (persons whose data were actually leaked):

   Inadmissibility of Group A's claim: The court ruled that the individuals in Group A, whose data may have been leaked, could not prove that they suffered "actual damage," which is required for compensation under Article 82 GDPR. The court compared the situation of Group A to the MediaMarktSaturn Hagen-Iserlohn case, in which the Court of Justice of the EU (CJEU) ruled that the fear of potential future misuse of personal data, without evidence of actual damage, is insufficient for compensation.
   Inadmissibility of Group B's claim: The court determined that the individuals in Group B, whose data were confirmed to have been leaked, may be eligible for compensation. However, ICAM did not sufficiently demonstrate that it represents a representative cross-section of this group. Furthermore, many individuals in Group B had already accepted financial compensation from GGD GHOR in exchange for full settlement, meaning they no longer had an interest in the collective action.

Comment

1. The court acknowledged that the GGD data leak constitutes a serious violation of privacy laws and that steps must be taken to prevent a recurrence.

2. The ruling emphasized the importance of actual damage as a prerequisite for compensation in cases of data breaches.

3. The ruling illustrates the challenges of conducting a collective action on behalf of a large group of people, especially when there is uncertainty about the specific damage they have suffered.

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

ECLI:NL:RBAMS:2024:4264
Instance
Amsterdam District Court
Date of judgment
17-07-2024
Date of publication
17-07-2024
Case number
C/13/731682 / HA ZA 23-329
Formal relations
Interim judgment: ECLI:NL:RBAMS:2024:571
Areas of law
Civil law
Special features
First instance - single
Content indication

The claim of the ICAM Foundation for compensation for all 6.5 million people who entrusted their personal data to a GGD during the corona pandemic cannot be granted.
Sources
Rechtspraak.nl
NJF 2024/368
Judgment

judgment
AMSTERDAM COURT

private law department

case number / roll number: C/13/731682 / HA ZA 23-329

Judgment of 17 July 2024

in the case of

the foundation

FOUNDATION INITIATIVES COLLECTIVE ACTIONS MASS DAMAGE ICAM,

established in Amsterdam,

plaintiff in the main case, plaintiff in the (partly conditional) incident,

attorney mr. D.M. Linders in Amsterdam,

against

1. the public-law legal entity

STATE OF THE NETHERLANDS (Ministry of Health, Welfare and Sport),

seated in The Hague,

defendant in the main case, defendant in the (partly conditional) incident,

attorney Mr. G.J. Zwenne in The Hague,

2. the association

PUBLIC HEALTH AND SAFETY NETHERLANDS,

established in Utrecht,

3. the foundation

FOUNDATION PROJECT OFFICE PUBLIC HEALTH AND SAFETY NETHERLANDS,

established in Utrecht,

4. the foundation

FOUNDATION ASSOCIATION OFFICE PUBLIC HEALTH AND SAFETY NETHERLANDS,

established in Utrecht,

5. the foundation

FOUNDATION NATIONAL COORDINATION COVID-19 FIGHT,

established in Utrecht,

defendants in the main case, defendants in the (partly conditional) incident,

attorney mr. E.P.M. Thole in Amsterdam,

6. the public law entity

MUNICIPAL HEALTH SERVICE (GGD) AMSTERDAM-AMSTELLAND,

seated in Amsterdam,

7. the public law entity

GGD BRABANT-ZUIDOOST,

seated in Eindhoven,

8. the public law entity

HEALTH & YOUTH SERVICE SOUTH-HOLLAND SOUTH,

seated in Dordrecht,

9. the public law entity

GGD DRENTHE,

seated in Assen,

10. the public law entity

GGD FLEVOLAND,

seated in Lelystad,

11. the public law entity

FRYSLÂN SAFETY REGION,

seated in Leeuwarden,

12. the public law entity

SAFETY AND HEALTH REGION GELDERLAND-MIDDEN (VGGM),

seated in Arnhem,

13. the public law entity

GGD GELDERLAND-ZUID,

seated in Nijmegen,

14. the public law entity

GGD GOOI & VECHTSTREEK,

seated in Bussum,

15. the public law entity

GGD GRONINGEN,

seated in Groningen,

16. the public law entity

JOINT SCHEME MUNICIPAL HEALTH SERVICE AND SAFE HOME HAAGLANDEN,

seated in The Hague,

17. the public law entity

GGD HART VOOR BRABANT,

seated in 's-Hertogenbosch,

18. the public law entity

REGIONAL PUBLIC HEALTH CARE SERVICE DUTCH MIDDEN,

seated in Leiden,

19. the public law entity

MUNICIPAL HEALTH SERVICE HOLLANDS NOORDEN,

seated in Alkmaar,

20. the public law entity

GGD IJSSELLAND,

seated in Zwolle,

21. the public law entity

SAFETY REGION KENNEMERLAND,

seated in Haarlem,

22. the public law entity

SAFETY REGION LIMBURG-NOORD,

seated in Venlo,

23. the public law entity

GGD NOORD- EN OOST-GELDERLAND,

seated in Apeldoorn,

24. the public law entity

GGD REGIO UTRECHT,

seated in Zeist,

25. the public law entity

GGD ROTTERDAM-RIJNMOND,

seated in Rotterdam,

26. the public law entity

SAMENTWENTE,

seated in Enschede,

27. the public law entity

GGD WEST-BRABANT,

seated in Breda,

28. the public law entity

GGD ZAANSTREEK-WATERLAND,

seated in Zaandam,

29. the public law entity

MUNICIPAL HEALTH SERVICE ZEELAND,

seated in Goes,

30. the public law entity

MUNICIPAL HEALTH SERVICE SOUTH LIMBURG,

seated in Heerlen,

31. the public law entity

SAFETY REGION AMSTERDAM-AMSTELLAND,

seated in Amsterdam,

32. the public law entity

SAFETY REGION ROTTERDAM-RIJNMOND,

seated in Rotterdam,

33. the public law legal entity

MUNICIPALITY OF AMSTERDAM,

seated in Amsterdam,

34. the public law legal entity

MUNICIPALITY OF ROTTERDAM,

seated in Rotterdam,

defendants in the main case, defendants in the (partly conditional) incident,

attorney mr. B.J.P.G. Roozendaal in Breda.

Plaintiff will hereinafter be referred to as ICAM. Defendant sub 1 will hereinafter be referred to as the State. Defendants sub 2 to and including 5 will hereinafter be referred to jointly as GGD GHOR. Defendants sub 6 to and including 34 will hereinafter be referred to jointly as the GGDs et al.

It should be noted that ICAM refers to the defendants jointly in its procedural documents as Defendants but also as the State et al.
1 The procedure
1.1.

The course of the procedure is apparent from:

- the identical summonses of 28 March 2023;

- the deed of submission of productions, with productions A.1 to K.26;

- the statement of defence, with productions, of the State;

- the statement of defence based on article 1018c paragraph 5 Rv regarding inadmissibility, with production 1, of GGD GHOR;

- the statement of defence pursuant to article 1018c paragraph 5 Rv, with productions 1 and 2, of the GGDs et al.;

- the interlocutory judgment of 20 December 2023;

- the decision on the case of 7 February 2024;

- the deed of declaration of admissibility also containing productions, with productions K.27 to K.29, of ICAM;

- the reply also containing production, with a production, of the State;

- the notification of GGD GHOR, by e-mail message of 8 April 2024 from its lawyer, that it waives a reply;

- the notification of the GGDs et al., by e-mail message of 2 April 2024 from their lawyer, that they waive a reply;

- the minutes of the oral hearing of 22 April 2024 and the documents mentioned therein.
1.2.

Finally, judgment has been determined.
2 The case in brief
2.1.

This case concerns the personal data of persons who were tested and/or vaccinated by the GGDs during the corona pandemic and the personal data of persons for whom a source and contact investigation was conducted by the GGDs during the corona pandemic.
2.2.

It has been established that there were employees of the GGDs who had access to the IT systems and who made personal data available to third parties. This is sometimes referred to as the corona data leak.
2.3.

ICAM has filed claims on behalf of the persons referred to in 2.1 above against a number of defendants, including the GGDs. ICAM wants, among other things, that the defendants be ordered to pay damages, not only to the persons whose personal data has been provided to third parties, but also to everyone who must fear that their personal data has fallen into the wrong hands. And according to ICAM, this applies to everyone who has provided data to a GGD.
2.4.

The law imposes a number of formal requirements on ICAM and the claims it has instituted. In this judgment, the court examines whether these requirements have been met.
2.5.

The court finds ICAM admissible, but not against all defendants, because a number of defendants played no role in the corona data breach.
The claims for damages are inadmissible. According to European case law, compensation for damages due to the fear that data could end up in the wrong hands, without it being established that this is the case, is not possible. In the cases in which it has been established that the data has ended up in the wrong hands, the GGDs have offered financial compensation, which has been accepted by most of the injured parties, thereby waiving a claim for damages. Only a limited group of injured parties remains. ICAM has not been able to demonstrate that it is representative of that group. ICAM is therefore also inadmissible in its claim for damages for this group.

The remaining claims will now be further litigated. The court would like more information about this first.
3 The facts that have been established and are relevant at this stage
In the main case and in the (partly conditional) incident
3.1.

On 28 January 2021, www.ggdghor.nl stated:

Frequently asked questions and answers about data theft

Last update: 28 January 2021

Here you will find frequently asked questions and answers about the data theft that recently took place. We are constantly supplementing these questions with the latest information we have. (…).

We can imagine that the data theft raises questions and may damage your trust. We find this very unfortunate. We want to inform you as best we can and that is why we are constantly supplementing these frequently asked questions with new information.

A police investigation is currently underway, which means that we do not yet know exactly how large the data theft is. We are also not yet allowed to share certain details, because this may jeopardise the investigation.

(…)

Top 3 most frequently asked questions

What exactly happened?

Personal data has been stolen. This data concerns testing for corona and possibly the source and contact investigation and includes name, address, BSN, test result and test location. Whether the data has also been sold and whose data it concerns is part of the police investigation. More information can be found on the police website.

Has my data been stolen?

We cannot say that yet. This is part of the police investigation. As soon as it is established that your data has been stolen, it is our duty to inform you about this and we will do so.

What are the possible consequences? What risk do I run if criminals have my personal data? And what should I pay attention to?

The police website describes the possible consequences well:

• You run the risk of becoming a victim of fraud. For example, criminals call or email you - supposedly on behalf of an institution that you believe is credible, such as your bank - and gain your trust because they already know a lot about you (such as your date of birth or home address). Before you know it, you’ve paid for something – but actually clicked on a phishing link. (…).

• Another risk is identity fraud. For example, the fraudster uses your personal data to obtain products and services in your name. Or to open a bank account or apply for a credit card. (…).

(…)

Questions about the data theft

How did this situation become known to GGD GHOR Nederland?

Via a tip from an RTL journalist last Friday.

What did you do after this tip?

We immediately contacted the police, filed a report and notified the Dutch Data Protection Authority. We then carried out checks in our systems and gave the police full access to our systems to enable the investigation to take place as effectively as possible.

Questions (security) personal data

Are the data of all Dutch people in your systems?

No, our systems only contain the data of people who have recently had contact with the GGD for a test appointment, source and contact research or a vaccination.

What information do you record about people?

We record personal data such as name, address, place of residence, telephone number/email address, BSN, gender and date of birth. In addition, depending on the contact, also test and/or vaccination appointments and test results. If there is a source and contact investigation, the information from the source and contact investigation conversations is also recorded (in HPZone). This includes: necessary medical data (for example complaints/symptoms and GP), where someone has been and who he/she has been in contact with. Information is also recorded from source(s) and close contacts. This information is limited.

Do the same number of people have access to my data when vaccinating?

The medical data that is recorded during vaccinations is shielded and not visible to employees who are involved in testing. Because everyone only has one file and everyone can also be tested, personal data can be viewed.

What measures do you have to prevent abuse?

There are several:

1. We have checks at the gate. People must provide a Certificate of Good Conduct (VOG) and sign a confidentiality statement. This makes it clear that they are liable if they do not comply with the terms of the agreement.

2. In addition, privacy and confidentiality are an ongoing topic of our training and discussions.

3. Since the start, we have been monitoring the use of our systems by employees, and have continuously improved our controls and are still doing so. Due to the importance of combating the virus and the required speed, we have started random checks in various ways. We have always been transparent about this principle. The Dutch Data Protection Authority has not yet asked any additional questions about the working method.

4. Only people who need access to a personal file for their work are allowed to view this file. As mentioned, we check this on a random basis. In the event of prohibited access, dismissal will follow and, if necessary, a report will be filed.

5. In addition, we are further scaling up the monitoring of the use of our systems. We expect to implement systems that will automatically and continuously check by the end of March. We have been working on this for some time.

How do you monitor how employees handle personal information?

We monitor in various ways how our employees handle the information in our systems. And that has previously led to the discovery of irregularities and to taking measures. In addition, we protect ourselves against attacks on our systems from outside. We process large volumes of data, and this action did not emerge in our checks.

What new measures are you taking?

Various measures have been taken to better protect your data and reduce the risk of theft. We cannot yet tell you what these measures are in the interest of the police investigation.

Questions about systems

Which systems are involved?

It concerns CoronIT. This is the administrative system for the testing and vaccination process and the communication about this. So if you make an appointment for a corona test via the call center, the corona test website or a doctor, your personal data will be entered into CoronIT. Also if you make an appointment for a vaccination.

In addition, there also seems to be HPZone. HPZone is an electronic file that the GGDs use to carry out source and contact research. If someone has a positive test result and this is reported to the GGD, a file for this person is created in HPZone.

What do employees do in the systems?

Employees of the call center (inbound - who are called) can make test appointments and vaccination appointments via CoronIT. Furthermore, the (outbound - who call people) call agents can see the test results, since they call people, without DigiD, with their test results.

Source and contact investigators record all data surrounding an infection in HP-zone.
3.2.

In a letter dated 8 November 2021, the Dutch Data Protection Authority (hereinafter: the AP), insofar as relevant here, wrote to GGD GHOR:

Following the data breach reported to the Dutch Data Protection Authority (hereinafter: AP) on 22 January 2021 by GGD GHOR Nederland (hereinafter: GGD GHOR), also on behalf of the regional GGDs, the worrying media reports about the theft and trade in personal data from the systems of GGD GHOR and the GGDs, as well as the many concerned signals that the AP subsequently received about this, the AP announced that it would intensify its supervision of the GGD and conduct an investigation in that context. The AP investigated whether GGD GHOR and two investigated GGDs have taken appropriate technical and organisational measures to adequately secure the personal data processed in the context of testing, vaccination and source and contact research in connection with the corona pandemic. With this final letter, the AP informs you about the findings of the investigation.

The AP is aware that with the outbreak of the pandemic, the GGDs and GGD GHOR were faced with an enormous task. They were given the task of ensuring large-scale testing of individuals, conducting source and contact research and vaccinating individuals in a very short period of time. The work to achieve this was carried out under great time pressure.

At the same time, it is true that special personal data concerning the health of an exceptionally large group of citizens were and are being processed in this context and that a large group of temporary employees, often hired specifically for this purpose, have access to this. Taking technical and organizational measures that are tailored to the associated risks to personal data is therefore of great importance. After all, the willingness of citizens to be tested and vaccinated or to cooperate in source and contact research is also related to the confidence in the way in which personal data of citizens are processed and secured in that context. This is partly why the AP decided to conduct an investigation.

Conclusion

The AP notes that a number of announced improvement measures have been taken, which have reduced the risk of data leaks. However, the AP still sees significant risks to the security of personal data that require additional improvement measures. This particularly concerns risks related to the large number of parties involved in the processing of personal data in connection with testing, vaccination and source and contact research. In any case, these are the 25 regional GGDs, the national umbrella organization GGD GHOR, six national partner organizations (call centers and alarm centers), various employment agencies and IT suppliers. Clear agreements between the organizations involved on certain security aspects surrounding the systems used for source and contact research are lacking. This applies, for example, to authorization management and the checking of log files. As a result, it is not sufficiently clear who is responsible for what and who should take which measures in this regard. This increases the chance of new shortcomings in the security of personal data.

Furthermore, the Ministry of Health, Welfare and Sport, GGD GHOR and the GGDs are working on replacing the systems for source and contact research (HP Zone and HP Zone Lite). In this context, the AP notes that replacing a system does not automatically lead to better security of the personal data processed therein. The AP would like to emphasise that when developing and implementing a new system, explicit account must be taken of the obligations arising from the General Data Protection Regulation (hereinafter: GDPR), such as carrying out a risk analysis in the form of a data protection impact assessment at an early stage (Article 35 GDPR), the application of data protection by design and by default (Article 25 GDPR) and taking appropriate technical and organisational measures to secure personal data (Article 32 GDPR), such as logging, checking logging and authorisation management.

Investigation

The AP specifically investigated whether sufficient improvement measures had been taken with a view to access security, granted authorizations and authorization management, logging of the systems used, checking this logging and to prevent unauthorized export/printing of personal data from the systems. The AP also checked whether the announced measures with regard to limiting the search functions of users in the systems had actually been taken. In addition, it was investigated whether the data subjects affected by the data breach had been informed of the breach in connection with their personal data in accordance with the GDPR. Finally, the AP investigated – in response to new worrying media reports in February 2021 – whether the website www.coronatest.nl meets the security requirements that apply to connection to DigiD.

The investigation focused on the systems used to process personal data in the context of the corona pandemic, namely for testing and vaccination (CoronIT) and source and contact research (HPZone and HPZone Lite).

As part of the investigation, the AP carried out checks at GGD GHOR and random checks at two regional GGDs and one of the national partners that provide capacity for conducting source and contact research. The findings below are based on the information that the AP collected during the investigation.

(…)

In conclusion

The AP conducted an investigation at GGD GHOR and two (regional) GGDs into the security of personal data that are processed in CoronIT, HPZone and HPZone Lite in the context of the corona pandemic. These systems are used by all 25 GGDs and the security of the personal data processed in them is therefore partly dependent on measures that all 25 GGDs take individually or jointly to adequately secure the personal data. The findings of the AP are therefore relevant to all 25 GGDs. The AP therefore expects that all GGDs will take the necessary improvement measures mentioned in this letter - if they have not already done so - to ensure an appropriate level of security of personal data. Partly with this in mind, this letter will also be sent to the other 23 GGDs.

Information security is a continuous process in which risks and measures must be periodically (re)assessed so that the technical and organizational security measures are always aligned with the current risks for data subjects. For this reason, the AP strongly emphasises the importance of continuing to carry out audits focused on information security and to periodically (re)assess risks and measures so that, where necessary, (additional) technical and organisational measures to secure the (special) personal data that are processed can be taken in a timely manner.

The AP has now explained the findings of the investigation in a conversation with GGD GHOR and will ensure that necessary improvements are implemented in a timely manner. The AP therefore requests GGD GHOR to indicate in a progress report on each of the points indicated in this letter by 1 March 2022 at the latest which improvement measures have actually been or will be taken to reduce the identified risks with regard to the security of personal data that are processed in the context of the corona pandemic. This concerns both the current systems as long as they are still used to combat the corona pandemic and the replacement systems when they are put into production. Should the implementation of improvement measures mentioned in the progress report unexpectedly be delayed, the AP expects to be informed of this by GGD GHOR without delay.
3.3.

ICAM was founded on 25 November 2021 by [name 1].

Its articles of association read, insofar as relevant here:

Objective

Article 3.
3.1

The Foundation aims to act as an independent, non-profit organisation to represent the interests of Victims, being groups of natural persons, companies and/or legal entities, in the Netherlands and/or abroad, who have been or are at risk of being affected in a similar interest within the meaning of Article 3:305a of the Dutch Civil Code (or a comparable or replacing (legal) regulation) and therefore have one or more claims against any third party(ies) in connection with Mass Damage suffered and/or to be suffered by these natural persons, companies and/or legal entities.

3.2

The Foundation's purpose includes in particular:

a) Taking action against (threatened) infringements of the right of citizens, consumers, companies and/or legal entities to protection of privacy and protection of personal data, including in particular infringements by the government and/or government agencies, such as the State and other public-law legal entities, including the recovery of Mass Damages that these Victims suffer and/or have suffered as a result of infringements of said rights, including infringements of the EU General Data Protection Regulation (Regulation (EU) 2016/679) and/or any national laws or regulations, policies, codes of conduct or standards resulting therefrom;

b) Taking action against (threatened) infringements of the rights of citizens, consumers, companies and/or legal entities in connection with financial services or products, non-conformity of products and/or product liability and/or in connection with infringements of Union and/or national regulations, including regulations for the protection of consumers;

c) Taking action against (threatened) infringements of the rights of citizens, consumers, companies and/or legal entities in connection with violations of competition law, including cartel agreements and abuse of a dominant position;

d) Taking action against (threatened) infringements of the rights of citizens, consumers, companies and/or legal entities in connection with violations of laws and regulations regulating online markets and online intermediaries, including online platforms;

e) Taking action against (threatened) infringements of the rights of natural persons, companies and/or legal entities in connection with violations of laws and regulations for the protection of people, animals, the environment, climate and/or living environment.

3.3

The Foundation shall attempt to achieve its objective by all means legally available to it, including but not limited to:

a) Initiating and/or supporting legal proceedings in the name of the Foundation and/or in the name of the Victims, such as civil, criminal or administrative proceedings, instituting (legal) claims or requests, including claims or requests for compensation, compensation and/or undoing of Mass Damage, repaying amounts paid without due cause, undoing unjust enrichment, obtaining declaratory judgments and taking (interim) measures, and filing complaints with supervisory authorities, all in the Netherlands and in other jurisdictions if necessary and possible, including procedures, claims, requests and complaints as referred to in:

i) Article 3:305a paragraph 1 of the Dutch Civil Code;

ii) Article 6:240 of the Dutch Civil Code;

iii) Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers, and repealing Directive 2009/22/EC;

iv) Article 7:907 BW;

v) Article 80 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, or any (legal) regulations replacing them or any comparable (legal) regulations in the Netherlands and/or abroad;

b) Conducting (or having conducted) an investigation into (possible) infringements of the rights of Victims and into the liability of the (legal) persons who (possibly) infringe or have infringed;

c) Conducting negotiations on behalf of or in the interest of Victims about and/or entering into (collective) settlement agreements, including settlement agreements within the meaning of article 7:907 BW;

d) Calculating, determining, obtaining, (continuing) paying and distributing damages and executing (collective) settlement agreements, including settlement agreements within the meaning of article 7:907 BW;

e) Acting as spokesperson and representative of Victims, including in the media, in politics, in the business community, with (potential) counterparties and in relation to civil society;

f) Informing Victims about matters related to the purpose and activities of the Foundation, including via the Website;

g) Making available and/or having an external party make available adequate financing for achieving the objectives of the Foundation, with or without payment of a financing fee for interest and risk incurred;

h) Offering Victims the opportunity to become Participants;

i) Performing everything that is related to the above in the broadest sense or that may be conducive to it.

3.4

The Foundation is a non-profit organization. Profit motive does not mean pursuing a market-conform compensation to be received or negotiated by the Foundation for costs incurred, risks taken or services provided, including any reasonable surcharge for (future) collective advocacy and for costs for the use of equity or debt.

3.5

The Foundation endorses the Claim Code. The Foundation will organize its articles of association, organization and working methods as much as possible in accordance with the Claim Code or, if it deviates from it, will explain why it deviates from it.

Bodies and governance structure

Article 4.
4.1

The Foundation has the following bodies:

a. a Board;

b. a Supervisory Board; and

c. a joint meeting of the Board and Supervisory Board.
4.2

The Foundation has Participants.

(…)

Board; composition, appointment, suspension, dismissal

Article 6.
6.1

The Board consists of a number of Directors to be determined by the Supervisory Board of at least three.
6.2

The Board is composed in such a way that the Directors can operate independently and critically with respect to each other, the Supervisory Board, any Financier and the Participants. In addition, the Board is composed in such a way that it has the specific expertise that is necessary for the adequate representation of the interests described in Article 3.
6.3

At least one Director shall have the specific experience and legal expertise necessary for the adequate representation of the interests described in Article 3. At least one Director shall have the specific experience and financial expertise necessary for the adequate representation of the interests described in Article 3.
6.4

The required specific expertise, experience and expertise of the Board as referred to in Articles 6.2 and 6.3 may, where necessary with regard to specific Claims, also be fulfilled by means of support from Claim-specific committees or advisors.

Board; tasks and powers

Article 7.
7.1

The Board is charged with the management of the Foundation. In fulfilling their duties, the Directors shall focus on the interests of the Foundation and the organization associated with it.

(…)
7.3

The Board shall at least once a year report to the Supervisory Board on the determination and implementation of the (financial) policy and the strategy aimed at achieving the statutory objective.
7.4

The Board shall submit any intended substantial change in the governance structure of the Foundation and in compliance with the Claim Code to the Supervisory Board for discussion. The Board shall put the foregoing on the agenda of the meeting as a separate agenda item.

(…)

Board; decision-making

Article 9.

(…)
9.10

Resolutions of the Board concerning:

(…)

d. initiating legal proceedings;

e. concluding a settlement agreement;

f. entering into or terminating any financing agreement; and

g. determining or amending the annual budget

are subject to the approval of the Supervisory Board.

9.11

In its decision to that effect, the Supervisory Board may subject other decisions of the Board to its approval, which must be clearly described. The Supervisory Board shall immediately inform the Board of such a decision in writing.

(…).

Website

Article 12.

The Board shall maintain a generally accessible Website on which information of interest to the Foundation’s stakeholders is posted, including in any case:

a. the Articles of Association;

b. the Foundation’s purpose and resources;

(…)

i. an overview of the contribution(s) requested from Participants;

(…)

m. an outline plan of approach on the basis of which a potential Participant can assess whether the nature and working methods of the Foundation are in line with his or her interests;

n. an overview of the manner in which persons whose interests the legal action is intended to protect can join the Foundation and the manner in which they can terminate this affiliation;

o. if a contribution is requested from the persons whose interests the legal action is intended to protect: insight into the calculation of this contribution;

p. an overview of the status of legal proceedings initiated by the Foundation;

q. an overview of the main points of settlement agreements concluded by the Foundation;

r. the most recently adopted management report, which is published on the Website within eight (8) days after adoption;

s. if applicable, that external financing is involved, the identity and place of residence of the Financier, the main system of the compensation(s) and agreed services agreed with the Financier and, if applicable, the percentage of a collective (damage) compensation to be awarded in or out of court that is due to the Financier in the form of compensation.

Supervisory Board; composition, appointment, resignation

Article 13.
13.1

The Supervisory Board consists of at least three members, of whom a maximum of one, other than the chairman, can be appointed on the recommendation of a possible Financier. Such an appointment will be published on the Website. The number of members will be determined by the Supervisory Board. Only natural persons can be members of the Supervisory Board.
13.2

The Supervisory Board is composed in such a way that the members can operate independently and critically with regard to each other and the Board and with regard to the interests represented by the Foundation. At least one member of the Supervisory Board has the specific experience and legal expertise necessary for adequate representation and supervision of the interests described in Article 3. At least one member of the Supervisory Board has the specific experience and financial expertise necessary for adequate representation and supervision of the interests described in Article 3.

(…).

Supervisory Board; task and powers

Article 14.
14.1

The Supervisory Board is responsible for supervising the policy and strategy of the Board and the general course of affairs in the Foundation. The Supervisory Board supports the Board with advice. In fulfilling their duties, the members of the Supervisory Board will focus on the interests of the Foundation and the organization associated with it.

(…).

(…)

Participants

Article 19.
19.1

The Foundation may, for organizational, process-technical and/or financial reasons, recognize Participants per specific Claim.

(…)
19.3.

The Board may establish regulations in which further rules and regulations are laid down regarding the (organization of the) Participants. The decision to establish or amend such regulations requires the prior approval of the Supervisory Board.

Compliance and enforcement of the Claim Code

Article 20.
20.1

The main features of the Foundation's governance structure are set out each year on a publicly accessible part of the Website, with an explicit explanation of the extent to which it deviates from it.
20.2

The information about the governance structure published on the Website for each financial year remains accessible to the public as long as the Foundation is active.

20.3

Article 7.4 applies to a change in the governance structure of the Foundation.

External financing

Article 21.

The Foundation may enter into an agreement with a Financier for the purpose of financing statutory activities. The Board shall ensure that individual Directors and members of the Supervisory Board, as well as the lawyer or other service providers engaged by the Foundation, are independent of the Financier and the (legal) persons directly or indirectly associated with them, and that the Financing and the (legal) persons directly or indirectly associated with them are independent of the other party in the collective action. The agreement provides for a scheme that guarantees the independence and independence referred to in the previous sentence. The Board shall ensure that the financing conditions (including the size and system of the agreed compensation) are not reasonably in conflict with the collective interest of the (legal) persons on whose behalf the Foundation acts pursuant to Article 3.

[Name 1] aforementioned, [Name 2] and [Name 3] have been appointed as the first members of the Board.

[Name 4] , [Name 5] and [Name 6] have been appointed as the first members of the Supervisory Board. The latter died unexpectedly on 21 June 2022. [Name 7] was appointed in his place on 30 October 2023.
3.4.

By letters dated 8 February 2022, ICAM invited the defendants, with the exception of Stichting Landelijke Coördinatie COVID-19 Bestrijding (defendant sub 5), (among other things) to hold consultations as referred to in article 3:305a paragraph 3 under c of the Dutch Civil Code (BW).

By letter dated 22 November 2022, ICAM invited Stichting Landelijke Coördinatie COVID-19 Bestrijding (defendant sub 5) (among other things) to hold consultations as referred to in article 3:305a paragraph 3 under c BW.

The consultations that followed these letters did not result in ICAM achieving what was claimed.
3.5.

By letters dated 15 February 2022, ICAM (among other things) requested defendants for information and/or documents on the basis of the Government Information (Public Access) Act (Wob).
3.6.

In a letter dated 25 April 2022, GGD GHOR wrote to 1,247 of the 1,373 persons whose personal data – as determined by the police – had been stolen from the GGD systems, insofar as relevant here:

Last year we sent you a letter about the theft of your personal data from one of the GGD's computer systems. With this letter we would like to inform you that the police have conducted an investigation and what the outcome is.

We find it very annoying that this data theft has taken place. That is why we would like to make a financial gesture for your inconvenience. You can also read more about this in this letter.

Data theft

We already informed you last year that personal data had been stolen from CoronIT. This is the computer system that the GGD uses to combat the COVID-19 pandemic. We immediately filed a report with the police last year. They started an extensive investigation and arrested a number of suspects. The police have determined that photos (screenshots) were taken of data in CoronIT. This is prohibited and the judge has therefore already convicted a number of suspects for this. The other suspects have yet to appear in court.

Financial gesture

Now that the police investigation into the data theft has been completed, we know that unfortunately photos have also been taken of your data. We find this very annoying and therefore apologize once again. For any inconvenience, we would like to offer you 500 euros. You can choose whether or not you want to make use of this offer.

What do we ask you to do?

You can tick one option on the response letter (which is stapled to this letter). Below are the choices you have:

1. Yes, I will make use of the offer and would like to receive 500 euros in an account in my name.

2. No, I do not want to use the offer of GGD GHOR Nederland.

Put in the mailbox before 1 July 2022

Have you checked your choice? Then you can detach the completed reply letter from this letter and put it in the reply envelope. A stamp is not necessary. Seal this envelope well and post it before 1 July 2022.

If you choose option 1, you will receive the amount within six weeks after we have received your reply letter.

The appendix Questions and answers attached to this letter reads, insofar as relevant here:

Why are you offering a financial gesture?

Your data has been found by the police with the suspects. We find this very annoying. That is why we want to make a financial gesture for your possible inconvenience.

(…)

Why is the amount 500 euros?

We think this is an appropriate amount under the circumstances in which the data theft occurred.

(…)

What if I do not respond before July 1, 2022?

If you do not respond before July 1, 2022, we will assume that you do not wish to use the offer.

You are going to make a gesture to approximately 1250 people. Why not to other people?

During the police investigation into the data theft, data from approximately 1250 people were found. The police found no indications that large-scale data files were in circulation and traded. We only offer 500 euros to those people whose data the police found screenshots of with the suspects.

(…)

What is the current status of the security of your systems? Could something like this happen again in the future?

No organization can give a 100% guarantee. However, data security and privacy are integral parts of our work procedures. It is an ongoing process in which we continuously analyze and improve the security of our systems. We make every effort to properly protect the data of all Dutch citizens and secure it against unauthorized access and misuse. Additional security measures have been taken internally and various system adjustments have been made as a precaution.

What happens if new screenshots are found with (other) suspects?

If new facts become known, we will report them to the police again.

The attachment Response Letter attached to the letter of 25 April 2022 reads, insofar as relevant here:

Choice of financial gesture

(…)

Please tick one of the boxes to let us know your choice.

(…).

□ Yes, I will use the offer from GGD GHOR Nederland and would like to receive €500 in the following account in my name:

(…).

Once we have paid the amount of €500 into your bank account, you will give us final discharge. Read at the bottom of this page what this means for you.

□ No, I do not want to use the offer from GGD GHOR Nederland.

(…).

What is final discharge?

This means that you agree that we have no obligations towards you that relate to the data theft from the GGD's corona systems. This applies to obligations of GGD GHOR Nederland, the GGDs or other government agencies (such as the municipality or the national government).

Approximately 80% of these 1,247 people have accepted the offer.

GGD GHOR recently made the same offer to the remaining 126 people.
4 The dispute
4.1.

ICAM demands that the court, by judgment, to the extent possible provisionally enforceable,

IN THE INCIDENT

A. Request for an order pursuant to Article 22 Rv

order the State et al. pursuant to Article 22 Rv to bring into the proceedings the information and/or documents listed in paragraph 10.2.1 (of the summons; court);

B. Conditional claim: inspection and copy pursuant to article 843a Rv

if or to the extent that the court does not honor request A:

primary

B.I. orders the Defendants to provide a digital copy of the Documents (as referred to in paragraph 10.2.1 of the summons) to ICAM within ten (10) days after service of the judgment in the incident;

subsidiary

B.II. Defendants are ordered to provide a digital copy of the Documents to ICAM's lawyers and to an expert appointed by the court within ten (10) days after service of the judgment in the incident, whereby Defendants will indicate with reasons which part or parts would be confidential with regard to each document, after which the expert will determine in consultation with ICAM's lawyers and the Defendants' lawyers which documents or parts of documents must remain confidential and which documents or parts not, whereby Documents marked as confidential will be destroyed and parts of Documents to be marked as confidential will be blacked out;

B.III. stipulates that the expert and ICAM's lawyers are bound by confidentiality with regard to the Documents marked as confidential and the parts of Documents to be marked as confidential;

B.IV. stipulates that if the expert, ICAM's lawyers and Defendants' lawyers cannot reach an agreement on the question of which parts must remain confidential and which parts not, the expert will make a binding decision on this;

B.V. determines that the expert will provide ICAM with a digital copy of the Documents, with the exception of that which has been designated as confidential, within five (5) days after completion of the determination to be made by him or her;

more subsidiarily

B.VI. orders the Defendants to provide ICAM with access, a copy or an extract of the Documents within ten (10) days after service of the judgment in the incident, in a manner to be determined by the court in good justice;

C. Expert investigation into (the extent and consequences of) the data breach

C.I. instructs an expert to be appointed by the court to investigate, in consultation with Defendants and ICAM, what the extent and risks of the data breach are, or at least have been, including the question of how many and from which (categories of) persons personal data from the GGD systems could be, are and/or can be viewed and/or stolen without authorization, with the instruction to the expert to report his or her findings in writing and in detail to the court and ICAM within eight (8) weeks after the judgment in the incident;

C.II. orders Defendants to fully and unconditionally cooperate with the investigation and reporting by the expert and to provide the expert with all information that the expert deems relevant for the execution of his or her investigation;

D. Notification to Victims

D.I. Defendants are ordered to inform all Victims whose personal data in the GGD systems could be, are and/or can be accessed and/or stolen without authorization, in writing as much as possible on an individual basis, stating the (possible) consequences and risks thereof, within four (4) weeks after service of the judgment in the incident, or at least within four (4) weeks after the report referred to in claim C has become available, and to report this information to the court in writing and in detail within two (2) weeks after informing the Victims;

E. Keeping data available

E.I. orders Defendants, to the extent that they have access to it, to retain and keep available each of the following information and data of all Victims for as long as necessary (i) to fully and correctly notify the Victims as referred to in claim D and (ii) to be able to fully and correctly pay out compensation:

a) first and last name;

b) date of birth;

c) address;

d) e-mail address and telephone number;

e) the data that could be, are and/or can be viewed and/or stolen without authorization;

f) the period during which the relevant data could be, are and/or can be viewed and/or stolen without authorization;

g) the number of persons who had (unauthorized) access to the relevant data and the reasons for this, also in light of their roles or functions;

h) information on whether the data in question has actually or probably been stolen or otherwise used in a manner that leads to liability of Defendants towards Victims;

i) log files;

E.II. instructs an expert to be appointed by the court to periodically check whether the order based on claim E.I. is being complied with (permanently), with the instruction to the expert to report his or her findings in writing and in detail to the court and ICAM every three (3) months;

E.III. orders Defendants to fully and unconditionally cooperate with the investigation and reporting by the expert and to provide the expert with all information that the expert deems relevant for the execution of his or her investigation;

F. Reimbursement of costs

F.I. orders Defendants jointly and severally, pursuant to article 1018l paragraph 2 Rv, to pay the reasonable and proportionate legal costs and other costs of the incident, including the costs to be estimated later associated with obtaining access, a copy or an extract and including the attorney's fees and the costs for the expert(s);

G. Penalties

G.I. orders Defendants jointly and severally to pay a penalty of € 250,000 (in words: two hundred and fifty thousand euros) for each day (a part of a day counted as a whole) that they act wholly or partially in violation of the orders based on requests or claims A, B, C.II, D and/or E, with a maximum of € 100,000,000 (in words: one hundred million euros).

IN THE MAIN CASE

H. Exclusive representative

designates ICAM as exclusive representative within the meaning of article 1018e paragraph 1 Rv;

I. The represented group of persons

within the framework of article 1018e paragraph 2 Rv determines that ICAM represents the interests of all Victims in this collective action, namely:

a) all natural persons whose personal data have been processed in one or both GGD systems in the period between their commissioning in connection with the fight against corona and 1 February 2021, for example because they have made an appointment with a GGD to be tested or vaccinated in connection with corona or because they have been part of source and contact research in connection with corona, with the exception of persons who are part of Victims Category B ("Victims Category A");

b) all natural persons whose personal data have been processed in one or both GGD systems in the period between their commissioning in connection with the fight against corona and 1 February 2021, for example because they have made an appointment with a GGD to be tested or vaccinated in connection with corona or because they have been part of source and contact research in connection with corona, and of whom it has been established or will be established that their personal data have been viewed by unauthorized persons or have come into the hands of unauthorized persons as a result of the GGD data breach, such as through unauthorized viewing, downloading, exporting, printing, copying, photographing and/or offering, trading, receiving or otherwise sharing of the personal data ("Category B Victims");

J. Opt-out / Opt-in

J.I. orders Defendants to place the judgment pursuant to Article 1018e paragraphs 1 and 2 Rv, accompanied by a simple summary, as well as translations of the judgment and the summary in at least the same languages in which the Central Government's website www.prikkenzonderafspraak.nl is offered, within four (4) weeks after the date of the judgment on (i) the website of GGD GHOR, (ii) the websites of the GGDs and (iii) a website of the Central Government to be created especially for this purpose, in such a way that they can be stored by the Victims for later reference;

J.II. Defendants are ordered to notify all Victims by ordinary letter within four (4) weeks after the date of the judgment pursuant to Article 1018e paragraphs 1 and 2 of the Code of Civil Procedure of the appointment of the Exclusive Representative, the collective action and the narrowly defined group of persons whose interests the Exclusive Representative represents in this collective action;

J.III. Defendants are ordered to announce the appointment of the Exclusive Representative and the collective action and the narrowly defined group of persons whose interests the Exclusive Representative represents in this collective action within four (4) weeks after the date of the judgment pursuant to Article 1018e paragraphs 1 and 2 of the Code of Civil Procedure, in all national and regional newspapers in the Netherlands and with a content and in a manner to be determined by the court in good justice after a statement has been made by the parties thereto;

J.IV. determines that (the legal representative(s) of) each person with residence or abode in the Netherlands who belongs to the group of Victims, has the opportunity to inform the registry of the court by means of a written notice that they wish to be released from the representation of their interests in this collective action (Opt-out) during a period of three (3) months after the announcement within the meaning of article 1018f paragraph 3 Rv;

J.V. determines that (the legal representative(s) of) each person without residence or abode in the Netherlands who belongs to the group of Victims, has the opportunity to inform the registry of the court by means of a written notice that they agree to the representation of their interests in this collective action (Opt-in) during a period of six (6) months after the announcement within the meaning of article 1018f paragraph 3 Rv;

K. Declarations of law

K.I. declares that the Defendants, each individually or jointly with one or more other Defendants, must be regarded as controllers for the data processing in the GGD systems CoronIT and/or HPZone Lite within the meaning of the GDPR;

K.II. declares that the Defendants, or at least the Defendants to be regarded as controllers, act in violation of, or at least have acted in violation of:

a) Article 8 ECHR; and/or

b) Article 7 Charter; and/or

c) Article 8 Charter; and/or

d) Article 5 GDPR; and/or

e) Article 24 GDPR; and/or

f) Article 25 GDPR; and/or

g) Article 32 GDPR; and/or

h) Article 34 GDPR; and/or

i) Article 35 GDPR; and/or

j) article 7:457 BW; and/or

k) article 10 Wabvpz in conjunction with article 2 Regulation on the use of citizen service numbers in healthcare; and/or

l) article 15j Wabvpz in conjunction with articles 3 and 5 Begz;

K.III. declares that the Defendants are acting unlawfully towards the Victims, or at least have acted unlawfully on the basis of article 6:162 BW;

K.IV. declares that the Defendants, or at least the Defendants to be regarded as controllers, are jointly and severally liable on the basis of article 82 GDPR and/or article 6:162 BW for all damage suffered and yet to be suffered by the Victims as a result of the GGD data breach;

L. Terminating the breach and improving security measures

L.I. Defendants, or at least the Defendants to be regarded as controllers, are ordered to cease and desist within three months of the judgment to be rendered in this case from all infringements of the ECHR, the Charter, the GDPR and specific healthcare legislation described in the body of the summons and from all unlawful acts described in the body of the summons;

L.II. orders the Defendants concerned to cooperate in the assessment and monitoring of all measures taken to implement the order based on claim L.I by an expert to be appointed by the court, with the instruction to the expert to report his or her findings in writing and in detail to ICAM within six months of the judgment to be rendered in this case;

M. Non-material damages

primary

M.I. orders Defendants jointly and severally to compensate the non-material damage of each Victim and estimates that non-material damage at:

a) an amount of € 500,- (in words: five hundred euros) per Victim within Victims Category A;

b) an amount of € 1,500,- (in words: fifteen hundred euros) per Victim within Victims Category B;

to be increased by the statutory interest from the date of the judgment to be rendered in this case until the date of full payment;

alternatively

M.II. orders Defendants jointly and severally to compensate the non-material damage of each Victim and estimates that non-material damage at an amount or amounts to be determined by the court in good justice, to be increased by the statutory interest from the date of the judgment to be rendered in this case until the date of full payment;

more alternatively

M.III. determines that the non-material damage suffered by the Victims will be further determined by statement and will be settled in accordance with the law;

N. Material damages

primary

N.I. orders the Defendants jointly and severally to compensate the material damage of each Victim and estimates that material damage at an amount of € 50 (in words: fifty euros) per Victim, increased by the statutory interest from the date of the judgment to be rendered in this case until the date of full payment, with the proviso that this does not affect the Victims' individual right to higher compensation for material damage if it appears at any time that it is higher;

subsidiary

N.II. an amount or amounts to be determined by the court in good justice, to be increased by the statutory interest from the date of the judgment to be rendered in this case until the date of full payment, with the proviso that this does not affect the fact that the Victims are individually entitled to higher compensation for material damage if it appears at any time that this is higher;

more subsidiarily

N.III. determines that the material damage suffered by the Victims will be further determined by statement and will be settled in accordance with the law;

O. Costs

primary

O.I. orders the Defendants jointly and severally to compensate ICAM for:

a) the full extrajudicial costs incurred by ICAM;

b) the reasonable and proportionate legal costs and other costs of ICAM, including the subsequent costs, on the basis of article 1018l paragraph 2 Rv, or at least article 237 Rv;

c) if or to the extent that this does not fall under sub b), the full compensation to be paid by ICAM to the Financier on the basis of the Financing Agreement, being 20% (in words: twenty percent) of (any part of) any sum of money, or any asset valued in money, that is actually awarded to the Victims on the basis of the claims, with a maximum of an amount equal to five times the full amount that has actually been invested by the Financier to finance these proceedings, all this to be increased by VAT if applicable;

all this as to be further estimated on the basis of information to be submitted by ICAM and to be increased by the statutory interest from the date of the judgment to be rendered in this case until the date of full payment, if necessary to be determined by statement and to be settled in accordance with the law;

d) the full costs that ICAM will still incur in connection with the execution of the judgment to be rendered in this case and the handling of the determination and payment of the damages and the supervision and control of that process, in accordance with the method of settlement of damages referred to in claim P, to be increased by VAT if applicable, to be paid in advance every six months on the basis of reasonable advance amounts to be determined by ICAM and to be settled after rounding on the basis of a post-calculation;

subsidiarily

O.II. determines that ICAM may deduct the costs referred to in claim O.I from the damages to be paid by or on behalf of ICAM to the Victims;

P. Settlement of damages

primary

P.I. to instruct an expert appointed by the court in the field of the implementation and handling of collective settlement of damages to proceed, in consultation with Defendants and ICAM, to the collection and distribution of all damages awarded in these proceedings;

P.II. orders Defendants jointly and severally to proceed, within one month after the judgment to be rendered in this case, to pay the amounts referred to in claims M and N to a quality account to be specifically set up by the expert for that purpose;

P.III. orders Defendants to fully and unconditionally cooperate with the settlement of damages by the expert in accordance with the instructions to be given by the expert and to provide the expert with all information that the expert deems relevant for the performance of his or her tasks in that regard;

P.IV. orders the Defendants jointly and severally to reimburse the costs involved in the work of the expert, as well as all additional costs, increased by VAT if applicable, to be paid in advance every six months on the basis of reasonable advance amounts to be determined by the expert and to be settled on the basis of a post-calculation after completion;

P.V. determines that any amount of compensation that remains after the settlement of the damage and cannot be paid to the Victims, will be paid by the expert to one or more non-profit organizations to be designated by ICAM that are active in the field of privacy protection and security of personal data;

P.VI. determines that the Victims who wish to be eligible for payment of compensation must agree to a binding advice procedure with regard to the determination by the expert of the right to compensation and with regard to the distribution of the compensation, in which an independent person with sufficient expertise to be appointed by the court, after a statement to that effect by ICAM and the Defendants, will act as binding advisor;

alternatively

P.VII. to shape the collective compensation settlement in such a way as the court deems advisable on the basis of (a) proposal(s) for a collective compensation settlement to be submitted by ICAM and/or the Defendants pursuant to Article 1018i of the Code of Civil Procedure;

Q. Penalties

Q.I. orders the Defendants jointly and severally to pay a penalty of €250,000 (in words: two hundred and fifty thousand euros) for each day (a part of a day counted as a whole) that they act in whole or in part in violation of the orders based on claim J, L, P.II and/or P.III, with a maximum of €100,000,000 (in words: one hundred million euros).
4.2.

Chapter 1 (Introduction) of the summons reads, insofar as relevant here:
1.1.

Core of this case

1. Stichting ICAM represents the interests of over 6.5 million people whose highly privacy-sensitive information has been exposed to theft. This concerns personal data from the IT systems of the GGDs, collected and used in connection with the fight against corona. Stichting ICAM is actively supported by 133,691 Participants. They want the Dutch government to be more careful when dealing with sensitive information from citizens, clarification about the exact size and impact of the GGD data breach and compensation for the damage that the data breach has caused for all those affected.

2. This WAMCA case concerns the largest and most serious data breach in Dutch history, caused by reprehensible actions and omissions by the Dutch government.

3. In January 2021 it became known that the IT systems used by the GGDs in connection with corona contained serious security flaws. Personal data of at least 6.5 million people were unnecessarily and avoidably accessible for at least eleven months to approximately 35,000 hastily deployed temporary GGD employees, including many new and externally hired workers. After inadequate screening, the employees in question were given access to much more data than was necessary for their work, including name and address details, telephone numbers, e-mail addresses, BSN numbers and data on infections and vaccination status, underlying medical complaints, work situation and close contacts.

4. The activities of the GGD employees in the systems were not adequately logged and monitored. As a result, they were able to view, copy and download large data files with sensitive personal data of 6.5 million Dutch people without being noticed.

5. The fact that this data leak occurred is not disputed between the parties. Due to the poor security - in violation of, among other things, the GDPR - personal data of a large group of people have been unlawfully exposed to theft for a long period of time. As a result, the Victims have lost control over their personal data. They know that their personal data has been accessible to a very large group of unauthorized persons; they do not know whether it has actually been stolen and has been or will be further misused. Internet criminals use personal data for identity fraud, fraud, phishing and intimidation. When data falls into the hands of the wrong parties, this also entails risks of stigmatization, exclusion and discrimination. This could include the situation where data on underlying health issues – such as an HIV infection – end up with (potential) employers, insurers or foreign regimes.

6. It is also not in dispute that personal data has actually been stolen and has ended up in the criminal circuit: that is the case. Four people have also been convicted for this (…). As far as the Defendants have acknowledged and communicated so far, this would (only) concern a group of approximately 1,250 people. However, there are strong indications that this information is incomplete and that this group of people is significantly larger. The most important indication is the findings of RTL Nieuws. RTL Nieuws has been in contact with internet criminals, in the course of which it was offered files with data of many more than 1,250 people (…):

‘The data theft at the GGD affects many more people than the number of victims that the organisation publicly reports. […] the actual number of victims is much higher, and after months the GGD still does not have a good picture of the real extent of the data theft, according to research by RTL Nieuws. […] RTL Nieuws randomly called several people whose data was offered for sale by criminals. This data comes from two corona systems of the GGD: CoronIT, which is used for testing and vaccinations, and HPZone Lite, the system used for source and contact research. None of the people were informed by the GGD that their data had been stolen from the GGD systems and possibly traded. […] According to the providers, the data files, with a total of the private data of around 600 people, were a foretaste of the many thousands to tens of thousands of people that could be supplied.’

7. The impact of the data leak should not be underestimated. This concerns (i) many Victims, (ii) special, sensitive and many personal data, (iii) a violation of the law by the government, which Victims should be able to trust above all else, and (iv) databases in which Victims de facto have no choice whether or not they want to be included: providing special personal data to the Defendants is unavoidable, in any case if someone wants to be tested or vaccinated.

8. Because of all these factors, it is important for the Victims and for society in general that clarity is provided about what happened. This procedure serves that purpose, among other things. Stichting ICAM is filing a number of incidental claims with this goal in mind (…).

9. The cause of the GGD data leak is that the Defendants have for years done too little to properly secure their IT systems. They have failed to take even the most basic security measures in the GGD systems.

10. The ICAM Foundation naturally appreciates the enormous effort made by the central government and the GGDs in combating the corona pandemic. It also understands the argument that the corona testing capacity had to be expanded in the short term and that this entailed challenges, including in the area of information security. However, all this does not alter the fact that the Defendants could and should have taken earlier, faster and better measures:

a) Be prepared for an outbreak of infectious diseases. The State et al. could and should have set up the GGD systems better in advance, so that they would have been able to withstand a situation such as the corona pandemic. After all, it is not the case that a major infectious disease outbreak such as the corona pandemic could not be foreseen; it was even foreseen by the State et al. The (relevant departments at) the Defendants derive their right to exist from combating this type of disease, not only reactively, but also proactively. Long before the first corona infection occurred, it was already known that the day would come when a major epidemic or pandemic would break out and that the outdated GGD systems would then not be suitable and safe. It is the task and responsibility of the State et al. to be prepared for this as well as possible within reasonable limits. After all, in a crisis situation such as the corona pandemic, it is much more difficult to keep things under control, while the importance of good information security increases exponentially at that time. Moreover, all countries in the world were dealing with the same crisis and as far as Stichting ICAM is aware, nowhere did things go as wrong as in the Netherlands;

b) Faster resolution of the security flaws. The State et al. could and should have resolved the data leak faster. The leak existed unnecessarily long, while the State et al. had been aware of the risks and potential consequences of the poor security for a long time. The State et al. have been reminded several times that the personal data of millions of people were at risk. Even then, they did not take adequate measures to remedy the (legally reprehensible) defects. In any case, when the pandemic broke out, the security of the special personal data of the individuals in the relevant databases should also have become an important spearhead at the same time. The GGD systems were deployed from March (HPZone) and June (CoronIT) 2020. In the guidelines issued by the European Data Protection Board in April 2020, the EDPB already emphasized the importance of data protection in combating the coronavirus. In February 2021, KPMG wrote in an advice to the GGD umbrella organization GGD GHOR, based on research that took only two days (…):

‘The use of HPZone should be stopped as soon as possible. With the current system and the management measures taken, an adequate level of security appropriate to the personal data cannot be achieved.’

11. It was not until January 2021, after RTL Nieuws published its first conclusions, that the most serious security flaws were remedied. The minister said the following about this in the parliamentary debate on the GGD data leak (…):

‘It is not that nothing happened, but we did not pay enough attention to it. […] I should have been more vigilant about this myself. This - with all the multitude of tasks - was not at the top of the pile, it should have been. Could it have been done earlier, should it have been done earlier? Yes.’

12. The State et al. did not do enough and intervened too late. Even now, the State et al. are still falling substantially short in the security of personal data of Dutch residents.

13. Stichting ICAM is convinced that there has been particularly culpable conduct (although this is not a requirement for determining liability in this case). After the data leak became known, measures were taken to improve security, but there has been no evidence of actual responsibility being taken and of a visible policy and practical change in the approach and prevention of these types of problems - despite the enormous impact on Data Subjects.
1.2

Importance and purpose of this case

14. Stichting ICAM is an Article 3:305a interest group. In these proceedings, it represents the interests of all natural persons whose personal data were processed in one or both GGD systems at the time of the GGD data leak (the Victims, as defined in production A.1). This group of persons falls into two categories:

a) Persons of whom it is uncertain whether their personal data were stolen as a result of the GGD data leak (Victims Category A, as defined in production A.1). This concerned approximately 6.5 million persons in January 2021. It cannot be demonstrated that this is less than that. Some of the claims are aimed at obtaining more clarity about the extent of the GGD data breach;

b) Persons whose personal data has been or will be determined to have been viewed by unauthorized persons or to have been obtained by unauthorized persons as a result of the GGD data breach (Category B Victims, as defined in production A.1).

15. The objectives that Stichting ICAM is pursuing with this procedure are the following.
1.2.1

Clarity about (the extent and consequences of) the GGD data breach

16. The Victims have an interest in transparency about the GGD data breach, its extent and the (potential) consequences for their rights and freedoms. It is currently unclear how many Data Subjects have actually had their data stolen. The State and others provide unclear and incomplete information about this and withhold important documents and information (…). Due to the unclear provision of information, millions of Victims are uncertain about whether their personal data has been stolen or not, or even under the incorrect assumption that this is not the case. If they are correctly and fully informed about the chance that their data has ended up in criminal hands, they can better arm themselves against possible misuse of the data. If it were to become clear that it can actually be ruled out that certain Victims' personal data has been stolen, this would remove their uncertainty and thus a heavy burden.

17. The incidental claims under 10.3 (investigation into the extent of the data breach), 10.4 (informing the Victims) and 10.5 (keeping information available) are aimed at this interest.
1.2.2

Termination of the infringement

18. The Victims have an interest in terminating the infringement. According to the AP, the State and others still do not meet their (security) obligations under the GDPR (…). The claims under 11.5 aim to end this infringement.
1.2.3

Better security of IT systems and personal data by the government

19. The Victims have an interest in the government being persuaded to strive for a higher level of information security in general. The collective damages claim instituted by Stichting ICAM in this case also serves this purpose.

20. Unfortunately, the Dutch government has repeatedly shown in recent years that it is unwilling or unable to properly deal with the personal privacy of citizens and to adequately protect them against infringements of their privacy and unlawful processing of personal data. Former Member of Parliament Verhoeven submitted a motion in response to the GGD data leak (…):

‘noting that the government is structurally failing to comply with GDPR data security principles such as privacy by design, data minimization, purpose limitation and technical and organizational provisions, as well as audits and quality standards.’

21. In this day and age, it is more than justified to force governments, including the Dutch government, to take appropriate measures to safeguard the fundamental right to data protection. The incentives that have been used to this end are apparently insufficient. Unfortunately, supervisors, including the Dutch AP, do not have sufficient capacity to enforce the GDPR. In addition, the AP has indicated that it finds it difficult to fine governments because those fines ultimately end up in the treasury. The AP also failed to take enforcement action in response to the GGD data leak. There is therefore a public interest in the government receiving a strong signal from society that it must take better care of the security of personal data.

22. The point of view that citizens provide personal data to the government in the confidence that it will handle it with care is also relevant. If the government does not handle its citizens' personal data with care, there is a risk that citizens will start to distrust the government and will no longer be prepared to provide data, such as in this case for the purpose of testing and vaccinating for corona. Representative research by KPMG and Motivaction from October 2021 shows that privacy incidents during the corona crisis have increased the awareness of Dutch people about this and that the GGD data leak has had a major impact (...):

'Dutch people are concerned about data leaks. Almost two-thirds (63%) are afraid that this will result in personal data being leaked. Privacy incidents during the corona crisis seem to have increased the awareness of Dutch people. For example, 83% are aware of the major data leak at the GGD, which was announced at the end of January 2021. The administration system for the testing and vaccination process and the communication about this was hacked and personal data concerning the source and contact investigation of the GGD was also stolen. As a result, private data of millions of Dutch people ended up in the hands of malicious parties, who sold the data on via the internet.

The impact of this leak on Dutch people appears to have been quite significant', says Stephan Idema, who heads the privacy team at KPMG. 'For example, one in five respondents (22%) was less likely to be tested for the coronavirus because of the GGD leak.' This result is in line with figures from the RIVM. At the beginning of March, the institute announced that 35% of Dutch people had been tested for corona if they had symptoms. At the beginning of January, according to the RIVM, this was still 50%. Idema: ‘We see this decrease in the group of respondents – one in five – who indicated that they would be less likely to take a corona test after the GGD leak.’

23. Furthermore, the government has an important exemplary function when it comes to compliance with the GDPR and meeting security requirements. If the government is already so lax with the rules, why would citizens and companies comply with them?

24. Stichting ICAM would prefer to institute proceedings that oblige the State and others to take certain, specifically described improvement measures. However, neither Stichting ICAM nor the court is probably authorised or able to prescribe how this should be done. For that reason, Stichting ICAM is not requesting this. However, it believes that awarding a collective damages claim will also have the effect that the government implements better information security policy. Stichting ICAM is convinced that civil enforcement by means of a collective damages claim is an appropriate means of promoting change. If the State and others also experience the (financial) consequences of their actions, it may be assumed that they will make an effort to improve their behavior.

25. The claims under K (declarations of law), under M (non-material damage) and N (material damage) are also instituted with a view to the aforementioned interest.
1.2.4

Compensation for the damage suffered by the Victims

26. All Victims of the GGD data leak have suffered damage. This must be compensated. This applies to both Victims Category A and Victims Category B. The Victims suffer non-material damage because they have lost control over their personal data. This also results in real feelings of uncertainty, stress and fear (…). They must be constantly vigilant. The Victims suffer material damage because they have to (have) personal data adjusted, to the extent possible, and have to continuously check whether their data is not being used by criminals to change bank details or place orders in their name (…).

27. With regard to the Victims of Category B, it is not conceivable that they have suffered damage: their data has been stolen.

28. With regard to Victims of Category A, a more fundamental discussion is conceivable. This discussion concerns the question of whether the fact that personal data has been leaked and exposed to theft already causes or can cause damage to those Victims.

29. Stichting ICAM believes that it does. After all, the Victims of Category A are uncertain about what has happened or will happen to their personal data and whether or not their data has been stolen. Because the State et al. had not implemented sufficient control mechanisms (…), they cannot rule out that data has been stolen for any Victim. The fact is that the data breach and the knowledge thereof cause feelings of lack of control and risk of actual abuse. That is damage, even if no material damage is caused. Certainly in the case of a data breach as serious as the GGD data breach.

30. A different view would also lead to unacceptable consequences. Characteristic of violations of the GDPR is that they do not primarily lead to damage to property, but to incorrect handling of data. Inherent to this is then that in many cases (i) it is not established whether this has led to concrete consequences or will lead to them at some point, and (ii) if this is the case, a causal link is difficult to demonstrate, because the same personal data could also have been stolen via, for example, another data breach. The Defendants have also already raised this defence (…).

31. In other words: it is often impossible for an Injured Party to demonstrate that a violation of the GDPR has led to a specific identifiable consequence, other than the exposure or theft itself. If that exposure or theft would not give rise to a right to compensation, the right to compensation for GDPR violations becomes virtually illusory and with it the civil enforcement of those standards. That is undesirable. It also has a broader social consequence, namely that the proper functioning of the GDPR will decline unacceptably. If a violation of the GDPR has no or virtually no financial consequences, the incentive to comply with the GDPR will become particularly low.

32. If the GDPR is to provide effective safeguards against flagrant violations, it must be interpreted in such a way that the award of non-material damages is the norm for serious violations such as the GGD data breach.

33. There are currently a number of proceedings pending before the CJEU on this subject. Stichting ICAM will discuss these matters in paragraph 5.2.1.4.

34. The claims under M (non-material damage) and N (material damage) are aimed at answering the aforementioned questions of principle and obtaining the intended compensation.
4.3.

In number 47 of the summons, ICAM explains its request and claim in the (conditional) incident as follows:

Since the outcome of the Woo procedures is not yet known and the State et al. appear to be doing everything they can to withhold information, Stichting ICAM requests the court to order the State et al. to submit certain documents to the proceedings pursuant to Article 22 of the Code of Civil Procedure, and Stichting ICAM files a number of incidental claims aimed at obtaining clarity about (the scope and consequences of) the GGD data breach, including a claim for production pursuant to Article 843a of the Code of Civil Procedure and a claim for ordering an expert report (…).
4.4.

The State, GGD GHOR and the GGDs et al. have each filed a statement of defence pursuant to Article 1018c paragraph 5, last sentence, of the Code of Civil Procedure, which is (mainly) limited to the defences relating to the matters referred to under a to c of that paragraph.
4.4.1.

The State concludes that ICAM is inadmissible.
4.4.2.

GGD GHOR concludes that ICAM is inadmissible in its claims, or at least that these claims are dismissed, with ICAM being ordered to pay the costs of the proceedings, as well as the usual subsequent costs (both without and with service), increased by the statutory interest referred to in Article 6:119 of the Dutch Civil Code from fourteen days after the date of the judgment, all this by judgment, provisionally enforceable to the extent legally possible.
4.4.3.

The GGDs et al. conclude that the court, by judgment, to the extent possible provisionally enforceable, (i) determines that ICAM is inadmissible in its claims against them; (ii) orders ICAM to pay the costs of the proceedings, including subsequent costs, to be paid within fourteen days after the date of the judgment, and – in the event that the costs are not paid within the aforementioned period – to be increased by the statutory interest on the costs to be calculated from fourteen days after the date of the judgment; (iii) orders ICAM to pay the actual legal costs with respect to the safety regions (defendants sub 31 and 32), the municipalities (defendants sub 33 and 34), GGD Gooi & Vechtstreek (defendant sub 14) and GGD Amsterdam-Amstelland (defendant sub 6).
5 The assessment in the main case

Introduction
5.1.

On 28 March 2023, ICAM instituted claims as referred to in Article 3:305a of the Dutch Civil Code. Pursuant to Article 1018b paragraph 1 of the Dutch Code of Civil Procedure (Rv), Title 14A (On the administration of justice in cases concerning a collective action and collective damage settlement) of Book 3 of the Code of Civil Procedure applies to the proceedings concerning the claims instituted by ICAM.
5.2.

On 28 March 2023, Article 1018c Rv read, insofar as relevant here:

1. Without prejudice to Article 111, paragraph 2, the summons with which the collective action referred to in Article 305a of Book 3 of the Dutch Civil Code is instituted shall state:

a. a description of the event or events to which the collective action relates;

b. a description of the persons whose interests the collective action is intended to protect;

c. a description of the extent to which the factual and legal questions to be answered are common;

d. a description of the manner in which the admissibility requirements of Article 305a, first to third paragraph, of Book 3 of the Civil Code have been met or of the grounds on which the sixth paragraph of that article applies;

e. the information that enables the court to appoint an Exclusive Representative for this collective action, in the event that other collective actions for the same event are instituted in accordance with Article 1018d;

f. the obligation of the claimant to make a note of the case in the register referred to in the second paragraph and to state the consequences of that note pursuant to this article.

2. On pain of inadmissibility, and notwithstanding Article 125, paragraph 2, the writ of summons shall be filed with the registry within two days after the date of the summons, while simultaneously recording the summons in the central register for collective actions as referred to in Article 305a, paragraph 7, of Book 3 of the Civil Code. The recording shall be accompanied by a copy of the summons.

3. (…).

4. (…).

5. The substantive hearing of the collective action shall only take place if and after the court has decided:

a. that the claimant meets the admissibility requirements of Article 305a, paragraphs 1 to 3, of Book 3 of the Civil Code or that these requirements do not need to be met on the basis of the sixth paragraph of this article;

b. that the claimant has sufficiently demonstrated that conducting this collective action is more efficient and effective than instituting an individual action because the factual and legal questions to be answered are sufficiently common, the number of persons whose interests the action is intended to protect is sufficient and, if the action is for damages, that they alone or jointly have a sufficiently large financial interest;

c. that the collective action is not summarily invalid at the time the proceedings are instituted.

By way of exception to Article 128, paragraph 3, the defendant may confine himself to the defences relating to the matters referred to under a to c, until a decision has been made on this matter.

5.3.

Article 3:305a BW read on 28 March 2023, insofar as relevant here:

1. A foundation or association with full legal capacity may institute legal proceedings to protect similar interests of other persons, insofar as it represents these interests in accordance with its articles of association and these interests are sufficiently safeguarded.

2. The interests of the persons whose interests the legal proceedings are intended to protect are sufficiently safeguarded if the legal entity referred to in paragraph 1 is sufficiently representative, given the membership and the size of the represented claims and has:

a. a supervisory body, unless Article 9a, paragraph 1, of Book 2 of the Civil Code has been implemented;

b. appropriate and effective mechanisms for the participation in or representation in decision-making of the persons whose interests the legal proceedings are intended to protect;

c. sufficient resources to bear the costs of instituting legal proceedings, whereby the legal entity has sufficient control over the legal proceedings;

d. a generally accessible internet page, on which the following information is available:

1°. the articles of association of the legal entity;

2°. the management structure of the legal entity;

3°. the most recently established annual accountability in broad outline of the supervisory body on the supervision it has carried out;

4°. the most recently established management report;

5°. the remuneration of directors and members of the supervisory body;

6°. the objectives and working methods of the legal entity;

7°. an overview of the status of ongoing procedures;

8°. if a contribution is requested from the persons whose interests the legal action is intended to protect: insight into the calculation of this contribution;

9°. an overview of the manner in which persons whose interests the legal action is intended to protect can join the legal entity and the manner in which they can terminate this affiliation;

e. sufficient experience and expertise with regard to instituting and conducting the legal action.

3. A legal entity as referred to in paragraph 1 is only admissible if:

a. the directors involved in the establishment of the legal entity, and their successors, do not have a direct or indirect profit motive that is realised through the legal entity;

b. the legal action has a sufficiently close connection with the Dutch legal sphere. A sufficiently close connection with the Dutch legal sphere exists if:

1°. the legal entity makes it sufficiently plausible that the majority of the persons whose interests the legal action is intended to protect have their habitual residence in the Netherlands; or

2°. the person against whom the legal action is directed has his place of residence in the Netherlands and additional circumstances indicate sufficient connection with the Dutch legal sphere; or

3°. the event or events to which the legal action relates took place in the Netherlands;

c. the legal entity has sufficiently attempted to achieve the claim in the given circumstances by consulting with the defendant. A period of two weeks after the defendant has received a request for consultation stating the claim is in any case sufficient for this purpose.

4. (…).

5. A legal entity as referred to in paragraph 1 shall draw up a management report and annual accounts in accordance with the provisions for associations and foundations in Articles 49 and 300 and in Title 9 of Book 2 respectively. Without prejudice to the provisions of Title 9, the management report shall be published on the generally accessible internet page of the legal entity within eight days after adoption.

6. (…).

7. There shall be a central register for collective claims as referred to in this article. This register shall be kept by an authority to be designated by general administrative measure.
5.4.

Article 3:305a BW and Title 14A of Book 3 of the Code of Civil Procedure were amended with effect from 25 June 2023. Based on Article 119a Transitional Act New Civil Code and Article VI of the Implementation Act Directive Representative Actions for Consumers, Article 3:305a BW and Title 14A of Book 3 of the Code of Civil Procedure as applicable at the time the claims were instituted continue to apply in this case. These provisions will therefore be applied in this judgment. For the sake of readability, it will not be stated each time that articles that have been amended in the meantime are the old versions.

Article 1018c paragraph 1 Rv
5.5.

Based on Article 1018c paragraph 1 Rv, the summons with which a collective action is instituted must contain a number of descriptions and information.
5.5.1.

ICAM does not provide a separate description of the event or events to which its collective action relates in the summons. In number 725 under a, it refers to “the previous chapters of this Summons”. These chapters show that there is insufficient protection of personal data, as a result of which employees of the GGDs who had access to the IT systems have appropriated this personal data, or at least could have appropriated it, and have made this personal data available to third parties (persons without access to the IT systems of the GGDs), or at least could have made it available.
5.5.2.

ICAM describes the persons whose interests its collective claim is intended to protect in number 14 of the summons as “all natural persons whose personal data were processed in one or both GGD systems at the time of the GGD data breach”. ICAM distinguishes two categories within this group: “Persons whose personal data has been stolen as a result of the GGD data breach (Affected Persons Category A (...))” and “Persons whose personal data has been or will be determined to have been viewed by unauthorized persons or to have come into the hands of unauthorized persons as a result of the GGD data breach (Affected Persons Category B (...))”. ICAM further defines Affected Persons Category A as: “All natural persons whose personal data have been processed in one or both GGD systems in the period between their commissioning in connection with the fight against corona and February 1, 2021, for example because they have made an appointment with a GGD to be tested or vaccinated in connection with corona or because they have been part of source and contact research in connection with corona, with the exception of persons who are part of Affected Persons Category B”. 
ICAM further defines Affected Persons Category B as: “All natural persons whose personal data have been processed in one or both GGD systems in the period between their commissioning in connection with the fight against corona and 1 February 2021, for example because they have made an appointment with a GGD to be tested or vaccinated in connection with corona or because they have been part of source and contact research in connection with corona, and of whom it has been established or will be established that their personal data have been viewed by unauthorized persons or have come into the hands of unauthorized persons as a result of the GGD data breach, such as through unauthorized viewing, downloading, exporting, printing, copying, photographing and/or (…) offering, trading, receiving or otherwise sharing of the personal data”. According to ICAM, Category A consisted of approximately 6.5 million persons in January 2021.
5.5.3.

For a description of the extent to which the factual and legal questions to be answered are common, ICAM refers in number 725 under c of the summons to paragraphs 9.1.1 (Similar interests that lend themselves to bundling) and 9.4.1 (Factual and legal questions are sufficiently common).
5.5.4.

For a description of the manner in which the admissibility requirements of Article 3:305a paragraphs 1 through 3 BW have been met, ICAM refers in number 725 under d of the summons to paragraph 9.1 (Stichting ICAM is admissible under Article 3:305a BW). In response to paragraph 3 (Preliminary point of procedural order: ICAM has insufficiently substantiated the admissibility requirements) of the conclusion of the response of GGD GHOR and paragraph II (Point of procedural order) of the conclusion of the response of the GGDs et al., the court considers that the description requirement of Article 1018c paragraph 1 under d Rv must be distinguished from the admissibility requirements of Article 3:305a paragraphs 1 through 3 BW. If, as GGD GHOR and the GGDs et al. argue, the description cannot substantively support admissibility, this will become apparent during the admissibility review to be carried out below.
5.5.5.

For the data that enable the court to appoint an Exclusive Representative for this collective action, in the event that other collective actions for the same event are instituted in accordance with Article 1018d of the Code of Civil Procedure, ICAM refers in number 725 under e of the summons to paragraph 9.4.2 (ICAM Foundation as Exclusive Representative).
5.5.6.

For its obligation to make a note of the case in the central register for collective actions and to state the consequences of that note pursuant to Article 1018c of the Code of Civil Procedure, ICAM refers in number 725 under f of the summons to paragraph 9.4.3 (Note in the central register (…) for collective actions and the consequences thereof).

Article 1018c paragraph 2 of the Code of Civil Procedure
5.6.

The court establishes that the acts prescribed on pain of inadmissibility as referred to in Article 1018c paragraph 2 of the Code of Civil Procedure have been complied with. The summonses issued on 28 March 2023 were registered in the central register for collective claims on the same date and were received by the registry of this court on 29 March 2023.

Introduction to the admissibility review
5.7.

By way of introduction to the admissibility review, the court considers the following.
5.7.1.

The admissibility requirements of Article 3:305a BW and Article 1018c paragraph 5 Rv concern, on the one hand, ICAM itself and, on the other hand, the claims instituted by ICAM.
5.7.2.

If necessary, the court shall (also) review ex officio whether one of grounds a to c of Article 1018c paragraph 5 Rv applies, according to the Explanatory Memorandum to the WAMCA1.
5.7.3.

Article 1018c paragraph 5 under c Rv mentions the moment at which the case is initiated (in this case: 28 March 2023) as the moment of assessment. For article 1018c paragraph 5 under a and b Rv, the moment of assessment is the date on which the admissibility decision is taken.
5.7.4.

In this case, the admissibility of ICAM and the claims brought by it is also based on Article 80 (Representation of data subjects) of the General Data Protection Regulation2 (GDPR), which states:

1. The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, the statutory objectives of which are in the public interest and which is active in the field of the protection of the data subject’s rights and freedoms with regard to the protection of his or her personal data, to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf and to exercise the right to compensation referred to in Article 82 on his or her behalf, where Member State law so provides.

2. Member States may provide that a body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject's mandate, has the right to lodge a complaint in that Member State with the supervisory authority competent in accordance with Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers, respectively, that the rights of a data subject under this Regulation have been infringed as a result of the processing.

In addition, Article 37 of the GDPR Implementation Act is relevant, which states:

A processing operation may not serve as a basis for a claim as referred to in Article 305a of Book 3 of the Civil Code, insofar as the person affected by the processing objects to it.
5.7.5.

The fact that the Minister for Legal Protection designated ICAM as a competent authority within the meaning of Article 3:305e of the Dutch Civil Code on 18 April 2024 upon its application is not relevant for the admissibility assessment to be carried out in this judgment. This concerns a designation as referred to in Article 4 paragraph 3 of the Representative Actions Directive3, namely a “designation as a competent authority for bringing cross-border representative actions”. Recital 23 preceding the aforementioned Directive shows that if a competent authority brings a representative action in the Member State where it has been designated, that representative action must be regarded as a domestic representative action. Therefore, in this case, the designation of ICAM as a competent authority for bringing cross-border representative actions is of no significance for the assessment of its admissibility in this domestic representative action.

See also Article 4 paragraph 6 of the Representative Actions Directive:

“Member States may, at the request of the latter, designate an entity on an ad hoc basis as competent to bring a specific domestic representative action, provided that the entity meets the criteria for designation as competent under national law.”

This is the situation here.
5.7.6.

The admissibility of ICAM itself will first be assessed below, and then its admissibility in the actions brought by it. The relevant GDPR provision(s) will also be discussed at the most appropriate places.

Foundation (Articles 3:305a paragraph 1 BW and 80 GDPR)
5.8.

ICAM is a foundation within the meaning of Article 2:285 paragraph 1 BW and therefore both a foundation within the meaning of Article 3:305a paragraph 1 BW and an organisation within the meaning of Article 80 GDPR.

Interests of other persons (Articles 3:305a paragraph 1 BW and 80 GDPR)
5.9.

ICAM has instituted claims that aim to protect the interests of the persons it represents. This also concerns the exercise, independently of a mandate from the persons concerned, of the rights referred to in Article 79 GDPR on the basis of Article 80 paragraph 2 GDPR. This also concerns the exercise, on behalf of the persons concerned, of the right to compensation referred to in Article 82 on the basis of Article 80 paragraph 1 GDPR. The court will return to the question of whether Dutch law provides for the latter, if necessary, below.

Articles of association (Articles 3:305a paragraph 1 BW and 80 GDPR)
5.10.

Articles 3:305a paragraph 1 BW and 80 GDPR impose requirements on the articles of association of the interest group. Article 80 GDPR also stipulates that the interest group is active in the field of protecting the rights and freedoms of the data subject in connection with the protection of his or her personal data.
5.10.1.

The parties do not dispute that ICAM, pursuant to its articles of association, represents the interests that its claims seek to protect. The court sees no reason to rule otherwise ex officio.
5.10.2.

The parties also do not dispute that ICAM's statutory objectives serve the general interest. The court sees no reason to rule otherwise ex officio.
5.10.3.

The State and GGD GHOR argue that ICAM is not, or at least not sufficiently, active in the field of protecting the rights and freedoms of the data subject in connection with the protection of his or her personal data. They point out that ICAM was established on 25 November 2021, that the collective action in this case is its first collective action and that its second collective action does not concern the area referred to in Article 80 GDPR.

The court adopts the judgment of this court of 30 June 2021, ECLI:NL:RBAMS:2021:3307 (Facebook) and makes it its own: being active in the field of data protection as referred to in Article 80 GDPR does not have to be subject to high requirements from the perspective of effective exercise of enforcement options. Nor does it appear from the preamble to the GDPR that this concept should be interpreted restrictively.

According to Article 3.2(a) of its articles of association, ICAM specifically considers its objective to be taking action against (threatened) infringements of the right to protection of privacy and protection of personal data, including in particular infringements by the government and/or government agencies.

In the summons, ICAM mentions a number of activities that it has undertaken since its establishment. Its activities are currently mainly expressed in this case. In view of this, ICAM is actually carrying out activities and the requirement that ICAM is active in the area referred to in Article 80 GDPR has been met.

Guarantee requirement (Article 3:305a paragraphs 1 and 2 of the Dutch Civil Code)
5.11.

The guarantee requirement regulated in Article 3:305a paragraphs 1 and 2 of the Dutch Civil Code consists of two parts.

Representativeness requirement (Article 3:305a paragraphs 1 and 2 of the Dutch Civil Code)
5.12.

This first concerns the representativeness requirement.
5.12.1.

The State, GGD GHOR and the GGDs et al. argue that ICAM does not meet this requirement. According to them, the registration process used by ICAM is defective and the number of supporters claimed by ICAM is in any case insufficient.
5.12.2.

The court first states that the ICAM constituency is understood to mean the group of persons it represents who have committed themselves to it with a view to its collective action.
5.12.3.

The court further states that the mere fact that some persons ICAM represents do not support its collective action does not have to stand in the way of its representativeness.
5.12.4.

The court notes that ICAM has not made a distinction between Category A and Category B, in the sense that it states that it has a sufficient constituency for each category. In this context, ICAM does state that Category B also consists of persons who do not know and cannot know that they belong to this category. The court will return to this point below in 5.20.20.
5.12.5.

ICAM has submitted to the court a Report of Findings Stichting ICAM v. de Staat, dated 9 April 2024, from DigiJuris B.V. (hereinafter: DigiJuris) in Deventer and a report of findings, dated 11 April 2024, from W.L.D. Karsseboom, candidate bailiff working at the office of Mr. S.J.W. van der Putten, bailiff in Amsterdam.

Paragraph 3 (Method) of the DigiJuris report reads, insofar as relevant here:

In the presence of the bailiff, the registration process on the ICAM website was completed. The bailiff included a description of this in his report.

Paragraph 5 (Conclusions) of the DigiJuris report states:

Returning to ICAM's request for information, we draw the following conclusions:

1. The registered stakeholders have registered according to the registration process as discussed (...). This registration process has been tested and checked by us;

2. The number of stakeholders (both living in the Netherlands and abroad) registered on 11 March 2024 is 118,504 adults and 19,740 minors;

3. Despite the fact that various types of (contact) data are requested during the registration process, not all participants have filled in all fields (correctly). The following (contact) details were provided by the total number of participants:

| | Adults | Minors |
|---|---|---|
| Number of unique, non-cancelled registrations of which the age is correct | 118,504 | 19,740 |
| Of which first and last name >2 characters | 118,051 | 19,689 |
| Of which place of residence >2 characters | 117,839 | n.a. |
| Of which correct email address | 117,668 | 18,983 |
| Of which correct date of birth | 117,642 | 18,974 |
| Number of unique registrations where first and last name, place of residence, email address and date of birth were entered correctly | 117,642 | 18,974 |

4. The number of interested parties who (probably) live in the Netherlands divided into the following categories:

a. Dutch place of residence: 117,156 adults and 18,161 minors;

b. No Dutch place of residence, but a Dutch email domain: 90 adults and 12 minors;

5. The vast majority of registered participants have signed an agreement, whereby two different agreements were used. The first participant agreement was accepted by 64,262 adults and 10,701 minors and the second participant agreement was accepted by 53,214 adults and 8,245 minors. No agreement was signed by 166 adults and 28 minors.

6. The distribution of registrations per month is as follows:

| | Number of unique, valid registrations adults | Number of unique, valid registrations minors |
|---|---|---|
| December 2021 | (…) | (…) |
| (…) | (…) | (…) |
| March 2024 | (…) | (…) |
| (blank), no date | (…) | (…) |
| Total | 117,642 | 18,974 |

7. The number of stakeholders per category is:

| | Number of unique, valid registrations adults | Number of unique, valid registrations minors |
|---|---|---|
| 11. Corona test | 20,527 | 8,886 |
| 12. Vaccination | 17,274 | 855 |
| 13. Source and contact research | 629 | 236 |
| 14. ‘I don’t know’ | 1,591 | 248 |
| 15. Test and vaccination (A) | 44,889 | 3,227 |
| 16. Test and source research (B) | 9,610 | 3,721 |
| 17. Vaccination and source research (C) | 975 | 40 |
| 18. Test, vaccination and source research (D) | 21,582 | 1,593 |
| 19. Combination of ‘I don’t know’ and other answer (E) | 564 | 170 |
| 20. No answer entered | 1 | 0 |
| Total | 117,642 | 18,974 |

8. With regard to the authenticity of (the data in) the database, we have been able to establish that the tables reported to us correspond with the non-manipulable data in Typeform.
5.12.6.

In the court's opinion, the absolute numbers determined by DigiJuris are sufficient to consider ICAM representative. The fact that this concerns a limited percentage of all persons represented does not alter this.

Other requirements
5.13.

Article 3:305a paragraph 2 BW also sets a number of requirements in the context of the guarantee requirement, aimed at transparency and good governance. These requirements will be discussed in turn below.

Supervisory body
5.13.1.

The State and the GGDs et al. argue that the Supervisory Board of ICAM did not comply with Article 13.1 of its articles of association in the period between the death of [name 6] on 21 June 2022 and the appointment of [name 7] on 30 October 2023. The State and the GGDs et al. point out that ICAM initiated this case during this period.
5.13.2.

The court considers that Article 3:305a paragraph 2 under a BW does not prescribe a minimum number of members of the supervisory board. The two remaining members of the ICAM Supervisory Board after the death of [name 6] were also able to legally exercise their statutory duties and powers in the period between 21 June 2022 and 30 October 2023. The Supervisory Board has been at full strength again since 30 October 2023. The agreement with the litigation funder – which will be discussed in more detail below under 5.13.4 – had already been concluded before 21 June 2022. Moreover, for the admissibility test based on Article 1018c paragraph 5 under a Rv in conjunction with Article 3:305 paragraph 2 under a BW, the test moment is the date on which the admissibility decision is taken. The temporary understaffing of the Supervisory Board is therefore not a reason to declare ICAM inadmissible.

Participation in or representation in decision-making
5.13.3.

The State, GGD GHOR and the GGDs et al. argue that ICAM does not have appropriate and effective mechanisms for the participation in or representation in decision-making of the persons whose interests the legal action is intended to protect.
5.13.4.

The court considers that the Explanatory Memorandum to the WAMCA, insofar as relevant here, states4:

It is up to the interest group itself to determine how it wishes to implement this provision. If the interest group is organised as an association, representation in decision-making can be arranged via the members' meeting. Foundations will therefore have to ensure in another way that members have sufficient say in decision-making at the foundation. One option is to give members the opportunity to express their views on certain decisions. If an interest group is set up in accordance with the Claim Code, it can be assumed that the requirement of this section has been met.

ICAM states that it is set up in accordance with the Claim Code. It has not been stated or demonstrated, or at least not sufficiently stated, that ICAM has nevertheless failed to meet the requirement of Article 3:305a paragraph 2 under b of the Dutch Civil Code.

Sufficient resources and control
5.13.5.

Article 3:305a paragraph 2 under c of the Dutch Civil Code contains two provisions: (i) the interest group must have sufficient resources to bear the costs of instituting legal proceedings and (ii) the interest group must have sufficient control. The first provision is to be understood as having sufficient resources to bear the reasonably foreseeable costs of conducting the proceedings – whether or not in a specific instance.
5.13.6.

In the decision of 7 February 2024, the court ordered ICAM, pursuant to Article 22 of the Code of Civil Procedure, to bring the agreement with its litigation funder into the proceedings in the manner stated in that decision. ICAM then brought its agreement, dated 12 July 2021, with [company] in [place] into the proceedings. It submitted a version without illegible parts to the court, including appendices. It confirmed that the documents thus provided contained all agreements made with its litigation funder. The court has satisfied itself that ICAM has sufficient resources to bear the costs of instituting its legal proceedings and that it has sufficient control over the legal proceedings.

Internet page
5.13.7.

Article 3:305a paragraph 2 under d BW stipulates that the interest group must have a generally accessible internet page on which the information described in this provision is available.
5.13.8.

The debate on this provision focuses on the insight into the calculation of the contribution requested from the persons whose interests the legal proceedings are intended to protect. ICAM refers to this passage on its website:

Does it cost money to participate? Participating in this action will not cost you anything. This was a conscious choice, in line with the mission of our foundation that costs for victims should not play a role in obtaining their rights. ICAM is not a profit-making organisation. The procedure is conducted on a “no cure, no pay” basis. All costs are paid by ICAM, so you do not have to pay anything yourself. Only if compensation is awarded, ICAM will ask for a no cure, no pay fee to cover the costs incurred and the risks. The no cure, no pay fee amounts to 20% of the compensation collected for you. ICAM will try to have the defendants pay the no cure, no pay fee, so that you do not have to pay that fee either.

In the opinion of the court, this passage provides sufficient insight into the calculation of the contribution of the persons for whom ICAM is standing up.

Conclusion regarding the guarantee requirement
5.13.9.

ICAM meets the representativeness requirement and the other requirements of Article 3:305a paragraph 2 of the Dutch Civil Code.

Article 3:305a paragraph 3 of the Dutch Civil Code
5.14.

Article 3:305a paragraph 3 of the Dutch Civil Code contains three different admissibility requirements.

No profit motive (Article 3:305a paragraph 3 under a of the Dutch Civil Code)
5.14.1.

It has not been stated or proven, or at least not sufficiently, that the directors involved in the establishment of ICAM, or their successors, have a direct or indirect profit motive, which is realised via ICAM.

Connection with the Dutch legal sphere (Article 3:305a paragraph 3 under b of the Dutch Civil Code)
5.14.2.

The defendants are all established in the Netherlands and the corona data leak occurred in the Netherlands, so that this requirement is met.

Consultation (Article 3:305a paragraph 3 under c BW)
5.14.3.

It has neither been alleged nor proven that ICAM, in the given circumstances, has not sufficiently attempted to achieve the claim by consulting with the State, GGD GHOR and the GGDs et al.

No profit motive (Article 80 paragraph 1 GDPR)
5.14.4.

It has not been alleged or proven, or at least not sufficiently, that ICAM has a profit motive. The mere fact that ICAM has claimed that it will be allowed to retain any remaining surplus in damages cannot be regarded as sufficient in this context. After all, that claim will still have to be assessed by the court. The mere fact that ICAM has agreed on a certain return with its litigation funder does not mean that ICAM has made the commercial interests of the litigation funder its own. It is generally accepted that interest groups who initiate WAMCA proceedings engage a litigation funder. The fact that the litigation funder has a profit motive does not mean that ICAM does too.

Annual accounts (article 3:305a paragraph 5 BW)
5.15.

The circumstance put forward by GGD GHOR and the GGDs et al. that ICAM has not (yet) drawn up annual accounts, or at least has not published them, is disregarded. Article 3:305a paragraph 5 BW does not prescribe publication of the annual accounts. In addition, it is apparent from Article 1018c paragraph 1 under d and from Article 1018c paragraph 5 under a Rv that drawing up annual accounts is not one of the admissibility requirements.

Conclusion regarding the admissibility of ICAM itself
5.16.

ICAM is admissible. Because ICAM is the sole claimant in this case, it will be designated as the exclusive representative.
The groups of persons represented (group A and group B) will be determined as requested under I.

The decision on opt-out and opt-in is postponed; ICAM is given the opportunity to express its opinion on the desirability of opt-out and opt-in in view of the decisions given in this judgment.

In view of what will be considered under 5.21., the court will postpone the decision on what exactly the collective action entails (Article 1018e paragraph 2 Rv).

Introduction to the assessment of the admissibility of ICAM in the claims instituted by it
5.17.

The WAMCA provides regulations in various places regarding the admissibility of the interest group in the collective action instituted by it.

First of all in article 3:305a paragraph 1 BW: the interests of the other persons to be protected by the collective action must be similar or bundleable. Furthermore, in Article 1018c paragraph 5 under b Rv (added value): substantive hearing of the collective action will only take place if and after the court has decided that the claimant has sufficiently demonstrated that conducting this collective action is more efficient and effective than instituting an individual action because the factual and legal questions to be answered are sufficiently common, the number of persons whose interests the action is intended to protect is sufficient and, if the action is for damages, that they alone or jointly have a sufficiently large financial interest. Finally, in Article 1018c paragraph 5 under c Rv (summary invalidity): substantive hearing of the collective action will only take place if and after the court has decided that the invalidity of the collective action is not summarily apparent at the time the proceedings are instituted.
5.18.

The following will be discussed in succession: (i) the defendants, (ii) the claims for damages and (iii) the other claims.

The defendants
5.19.

This concerns first of all claim K.I.
5.19.1.

Article 4 under 7) GDPR defines “controller” as “a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. It adds that where the purposes and means of such processing are determined by Union or Member State law, that law may determine who the controller is or the criteria for its designation. Article 4 under 8) GDPR defines “processor” as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
5.19.2.

The State disputes that it is the controller. According to ICAM and GGD GHOR, that is the case. GGD GHOR states that it has set up CoronIT and HPZone Lite in accordance with the instructions of the State, so that the State must be considered the controller. If the State is not the controller, it is not liable under the GDPR, because it has been established that the State itself did not process the data at issue in this case.
ICAM's argument that it also bases liability on unlawful act does not lead to a different judgment, because if the State is not the controller, there are no grounds to assume that it is nevertheless responsible for insufficient security of the personal data processed by GGD GHOR or the GGDs using CoronIT and HPZone Lite. If the State is not the controller, this means that the collective claim against the State is summarily proven to be invalid (Article 1018c paragraph 5 under c Rv), so that ICAM is inadmissible in this claim.
The court will order the State and GGD GHOR pursuant to Article 22 of the Code of Civil Procedure to submit evidence in the proceedings showing which order was given to GGD GHOR with regard to the registration of citizens for the purpose of testing, vaccination and source and contact research with regard to Covid-19. ICAM and GGD GHOR et al. will then be given the opportunity to file a response.
5.19.3.

ICAM has not stated any circumstances in the summons from which it can be inferred that the statutory responsibility of the municipalities (defendants sub 33 and 34) and the safety regions (defendants sub 31 and 32) for combating infectious diseases also makes them controllers within the meaning of the GDPR for the personal data processed with the aid of CoronIT and HPZone Lite. It has been established that they themselves did not process personal data using CoronIT and HPZone Lite.

The GGDs et al. have stated that the Municipal Health Service (GGD) Amsterdam-Amstelland (defendant sub 6) and the GGD Gooi & Vechtstreek (defendant sub 14) did not process data using CoronIT and HPZone Lite. ICAM has not disputed this.
All this leads to the conclusion that the collective claims against the safety regions, the municipalities, the Municipal Health Service (GGD) Amsterdam-Amstelland and the GGD Gooi & Vechtstreek are summarily proven to be invalid (Article 1018c paragraph 5 under c Rv), so that ICAM is inadmissible in these claims. ICAM will be ordered to pay the legal costs incurred by these defendants. There are no grounds for ordering ICAM to pay the actual legal costs claimed by the GGDs et al. It cannot be assumed that it should have been absolutely clear to ICAM that it could not have any claim against these parties, partly because the other GGDs were involved in processing personal data in connection with the corona pandemic.
5.19.4.

Because ICAM is inadmissible against the defendants sub 6, 14, 31, 32, 33 and 34, it will be ordered to pay the legal costs incurred by them. These defendants were assisted by the same lawyer and paid a joint court fee. The costs on the side of these parties are estimated at 6/29th of EUR 17,233.00 (EUR 8,519.00 in court fees and EUR 8,714.00 in lawyer's fees (two points, rate VIII)). This is EUR 3,565.49. In addition, EUR 178.00 in additional costs are added, to be increased as determined in the decision.

The claims for damages
5.20.

This concerns claims M and N.

The extent of the data breach
5.20.1.

ICAM and the defendants disagree about the extent of the data breach. The defendants acknowledge that there has been a data breach: persons who had legitimate access to personal data that could be consulted using CoronIT have photographed, taken over or otherwise appropriated that personal data. According to the defendants, the police investigation shows that this happened to no more than 1,373 persons. According to ICAM, there is a data breach of much greater magnitude; according to ICAM, it concerns both CoronIT and HPZone Lite and also the data of tens of thousands of persons.
5.20.2.

ICAM mainly bases its findings on messages from RTL, which are based on contacts with persons who claim to possess personal data stolen from the GGDs. Whether the personal data that these persons claim to have actually originated from the GGD systems has never been established, because RTL, which claims to have had a sample file, deleted it.
5.20.3.

To the extent that ICAM bases itself on reports and the like that have circulated at GGD GHOR or the GGDs, there is sometimes indirect mention of a supposed large-scale data leak, but these pieces of evidence do not concern that and are not a reflection of research conducted into it, but concern other subjects, such as the phasing out of HPZone Lite or the IT assessment. The source of the comments about the data leak and its extent cannot be deduced from these documents; in any case it is not an independent investigation into the data leak.
5.20.4.

The information from an anonymous civil servant about the awareness of the vulnerability of the systems may be relevant to the question of whether sufficient precautions have been taken to prevent a data leak, but nothing can be inferred from these statements about (the extent of) the actual data leak.
5.20.5.

The only investigation that has been conducted into the data leak is the police investigation, in which a number of suspects have emerged. These suspects have been prosecuted and convicted. No large-scale theft of personal data has emerged from that investigation. As ICAM rightly states, it cannot simply be concluded from this that no other data theft has taken place than that established by the police.
5.20.6.

The defendants have pointed out that if data from as many people had actually been stolen as ICAM claims, there would have been many more cases of misuse of those personal data by now. ICAM has included in its procedural documents the statements of six people who believe that after they had entrusted their data to the GGD, that data had ended up with third parties. When asked about this at the hearing, ICAM could not say whether there were also persons who stated that their BSN had ended up in the wrong hands due to the corona data leak.
5.20.7.

Although all this gives food for thought and a large data leak could be expected to have consequences for a large number of persons, the court will assume hereafter, when discussing the claims for damages, that in addition to the data of persons that were found to have been stolen in the police investigation, personal data of an unknown number of other persons registered in CoronIT and HPZone Lite have also ended up in the wrong hands.

Non-material damage
5.20.8.

According to ICAM, all persons whose data were registered in CoronIT and/or HPZone Lite suffer non-material damage. They have all lost control over their personal data due to the data leak. After all, they are uncertain about what has happened or will happen to their personal data and whether or not their data has been stolen. This fear results in non-material damage. According to ICAM, the following data has been recorded for everyone registered in one of the systems with the GGDs: name, address, place of residence, e-mail address, telephone number, BSN.
Because all members of this group are in the same situation, their claims can be combined according to ICAM.
5.20.9.

The defendants dispute this. They believe that there are many individual circumstances that are relevant to the assessment of a claim for compensation for non-material damage, so that the claims cannot be combined. They mention the following circumstances as relevant circumstances that differ for the various persons registered with the GGDs:

- the data theft related to two very different systems, in which different types of data were recorded for different persons, which were used for very different purposes;

- the same data were not always recorded per person,

- the extent and nature of the damage actually suffered by the various persons depends to a large extent on their individual and personal circumstances.
5.20.10.

The court considers the circumstances in which the persons in group A find themselves to be largely comparable. None of them know whether their data may be involved in a data breach and none of them know which of their data may have ended up with third parties in that case, which may be misused. In order to determine whether not only the circumstances but also the claims of the members of this group are so similar that they can be combined, it must first be examined whether there can be a right to compensation for non-material damage in this case.
5.20.11.

The Court of Justice of the European Union has made a number of rulings on the question of the cases in which non-material damages can be awarded in the event of a breach of the GDPR, which will be discussed below, insofar as relevant to this case.
5.20.12.

In the judgment in Österreichische Post [5], the Court of Justice of the European Union ruled, among other things, that the GDPR must be interpreted in such a way that an infringement of the provisions of this regulation is not in itself sufficient to grant a right to compensation. The existence of ‘damage suffered’ is one of the conditions for the right to compensation. In order to determine the extent of the compensation, the court must apply national law.
5.20.13.

The judgment in VB/NAP [6] ruled, inter alia, that Article 82 of the GDPR must be interpreted as meaning that the fear that a data subject has of possible misuse of his personal data by third parties following an infringement of this Regulation may in itself constitute ‘non-material damage’ within the meaning of that provision.
5.20.14.

The judgment in Krankenversicherung Nordrhein [7] ruled that Article 82(1) of the GDPR must be interpreted as meaning that the right to compensation provided for in that provision fulfils a compensatory function, in the sense that monetary damages based on that provision must make it possible to fully compensate for the damage specifically suffered as a result of the infringement of this Regulation, but not a deterrent or punitive function. It has also been decided that that article does not require the degree of fault to be taken into account when determining non-material damage.
5.20.15.

In the MediaMarktSaturn Hagen-Iserlohn judgment [8], the CJEU held that Article 82(1) of the GDPR must be interpreted as meaning that the person claiming compensation under that provision must show not only that provisions of that regulation have been infringed, but also that he has suffered material or non-material damage as a result of that infringement and that, where a document containing personal data has been given to an unauthorised third party and it is established that the third party was not aware of it, the mere fact that the data subject fears that his data will be disseminated in the future or even misused because that communication has made it possible to make a copy of that document before it is returned does not constitute ‘non-material damage’ within the meaning of that article.
5.20.16.

It can be inferred from this case law that non-material damages can be awarded only to persons against whom not only a breach of the GDPR has been committed, but who have also actually suffered damage as a result of that breach. The fear that a data subject harbors after a breach of the GDPR of possible misuse of his personal data by third parties can constitute "non-material damage".

It is therefore required that the injured party demonstrate that provisions of the GDPR have been breached. That is precisely not the case here, because according to ICAM, group A concerns persons who are uncertain whether or not their data has been stolen. For that reason alone, these persons cannot claim damages.
Furthermore, the fear stated by ICAM is not the fear that third parties will misuse the personal data that they have unlawfully obtained, 'the fear after a breach', but 'the fear of a breach'. This is the fear that third parties could possibly have unlawfully obtained personal data (and could then misuse it). Such a fear is comparable to the fear in the MediaMarktSaturn Hagen-Iserlohn case. That case concerned the situation in which an infringement was possible, but had not been established, so that it concerns the fear that an infringement could still become apparent in the future. However, according to the CJEU in the aforementioned judgment, the mere fact that the data subject fears that his data will be disseminated or even misused in the future (…) does not constitute ‘non-material damage’ within the meaning of Article 82 of the GDPR. The fear that an infringement of the GDPR will become apparent in the future is also not ‘the fear that a data subject has following an infringement of this regulation’ as referred to in the VB/NAP judgment. In other words: non-material damage requires that an infringement of the GDPR has been established. The fear of an infringement is not sufficient. Because ICAM bases its claim regarding Group A on that fear of an infringement, the case law of the CJEU excludes the possibility of non-material damages being awarded for this. The claim on behalf of group A is therefore summarily defective and therefore inadmissible.

The material damage of group A
5.20.17.

In the judgment in Krankenversicherung Nordrhein [9] it was decided that Article 82(1) of the GDPR must be interpreted as meaning that the right to compensation provided for in that provision fulfils a compensatory function, in the sense that pecuniary compensation based on that provision must make it possible to fully compensate the damage specifically suffered as a result of the infringement of this regulation. This means that for material damage it is also required that an infringement of the GDPR has been established. As explained above, for the persons in group A, an infringement has not been established. The fear of an infringement is not sufficient. Since ICAM also bases its claim for material damage on the fear of an infringement, it is excluded on the basis of the case-law of the CJEU that compensation can be awarded for this. The claim for material damage on behalf of group A is therefore summarily defective and therefore inadmissible.

The immaterial and material damage of group B
5.20.18.

The police investigation shows that the data of 1,373 people have ended up with unauthorized persons. They have now received the offer of a financial gesture. Of the first group that received this (1,247 people), approximately 80% accepted the financial gesture. Nothing is known about the second group of 126 people. According to GGD GHOR, there were also people who did not accept the offer because they did not consider financial compensation necessary. It must be assumed that these people do not support ICAM's claims.
5.20.19.

The people who accepted the compensation have granted final discharge to GGD GHOR, the GGDs and other government agencies (such as the municipality or national government). The court does not follow ICAM's explanation that this discharge is limited to "the data theft" (by photos) from CoronIT. The text of the letter of 25 April 2022 is general and cannot have been understood otherwise by its recipients.
5.20.20.

This means that, as far as the group of 1,373 known injured parties is concerned, ICAM can only represent the persons who did not accept the compensation and therefore did not grant a final discharge, with the exception of the persons who did not consider financial compensation necessary. According to ICAM, group B also consists of persons “whose personal data has been or will be viewed by unauthorized persons or has come into the hands of unauthorized persons as a result of the GGD data breach”. The size of the first group is unknown, but it cannot exceed 376 persons [10]. The size of the second group (“whose personal data has been or will be viewed by unauthorized persons or has come into the hands of unauthorized persons as a result of the GGD data breach”) is completely unknown. Based on RTL's reports, ICAM claims that this would involve tens of thousands of people. However, RTL's reports cannot be verified. The fact that ICAM has only been able to provide six examples of people who claim to have suffered the consequences of the corona data leak (whereby the question of whether this is actually the case has not been investigated) means that this group, if it exists at all, is small to very small. The question now is whether sufficient people from group B support the action taken by ICAM on their behalf. ICAM cannot demonstrate this, because it did not ask when registering whether the person concerned belongs to group A or B. This is not an objection for group A, because it is very large, but it is important for group B because this group is small or very small, so that it is important to know whether any victims from this group support the claim. This means that ICAM does not meet the representativeness requirement in this respect; see 5.12.4 for this.
In addition, ICAM does not, or at least not sufficiently, explain that and why the interests of this group are similar, nor that and why its claims have added value within the meaning of Article 1018c paragraph 5 under b Rv.

The conclusion must be that ICAM is inadmissible in the claims on behalf of group B.

Consequences of the inadmissibility of the claims for damages
5.20.21.

It can be left undecided whether, as the State, GGD GHOR and the GGDs et al. argue, Article 80 paragraph 1 GDPR stands in the way of the claims for damages instituted by ICAM.
5.20.22.

There is no reason to postpone the decision regarding the claim for compensation for non-material damage until the appeal against the judgment of this court of 25 October 2023, ECLI:NL:RBAMS:2023:6694 (TikTok) has been decided.
5.20.23.

Because the claims under M and N are inadmissible, the related claims under P are also inadmissible.

The other claims
5.21.

This concerns claims K and L.
5.21.1.

In light of what was considered above under 5.17, ICAM can be admitted in these claims in itself. These claims are similar (bundlable) per IT system, even though the systems differ from each other and contain different data.
5.21.2.

In view of its inadmissibility in its claims for damages, ICAM will however be given the opportunity to explain in a deed what interest it still has in claims K.II to K.IV. The State, GGD GHOR and the GGDs et al. will then be given the opportunity to file a response.
5.21.3.

In the opinion of the court, claim L is not summarily defective, not even after the assessment by the AP of the measures taken. However, the court will order ICAM on the basis of article 22 Rv to explain in a deed which of the infringements referred to in claim L.1 are still present and where this is evident.
6 The assessment in the (partly conditional) incident
6.1.

The court will not honour ICAM's request for an order on the basis of article 22 Rv, because there is no reason for such an order - at least at this stage of the proceedings. This brings us to claim B.
6.2.

ICAM is inadmissible in claim B on the basis of article 70 paragraph 1 Rv insofar as an objection could be lodged against the administrative body's negative decision, an administrative appeal could be lodged or an appeal could be lodged with an administrative court. Based on the footnotes to the documents mentioned in the summons under 10.2.1, this seems to apply to the documents numbered 9 to 27. ICAM will have to explain whether this is correct. The other documents are stated to be in the domain of the State et al. That is not sufficient; ICAM will have to indicate which of the defendants has these documents and whether or not this document was requested or could be requested within the framework of the Open Government Act and if it was requested with what result. Defendants may respond to this. The case will be referred to the roll for this purpose; any decision on this point will be postponed.
6.3.

Claim C will be dismissed. This is partly because the requested investigation is impossible. There is no expert who could determine the extent of the data breach.

This is partly because the question is too general and an expert investigation is too early at this time. For example, it is conceivable that an investigation will be conducted into the question of whether the personal data of citizens were sufficiently protected in the given circumstances. However, the court does not consider an expert report on this point to be appropriate at this time; only after a substantive hearing on this point is there reason to do so, but then on the basis of a specific question, on which both parties have been able to express their views and which has subsequently been established by the court. This investigation must then be carried out by an expert appointed by the court, after both parties have expressed their views on the required expertise and have had the opportunity to propose experts.
6.4.

Claim D must be rejected, because only an actual infringement according to article 34 paragraph 1 GDPR needs to be communicated to the persons concerned and not that there is a possibility of an infringement. Insofar as the police investigation has shown that data has actually been stolen, the persons concerned have already been informed. An obligation to inform others as claimed under D cannot be assumed. Moreover, if this obligation already existed in this case on the basis of article 34 paragraph 3 under c GDPR, the extensive information on the website of GGD GHOR (shown under 3.1) would suffice in this case.
6.5.

Claim E will be rejected because the request under A will be rejected and because in the main case the claims for damages are inadmissible.
7 Finally
7.1.

In view of the nature of what has been considered and judged above, it will be determined that an appeal against this judgment is already open.
7.2.

Any further decision will be postponed.
8 The decision

The court:

in the main case
8.1.

declares ICAM admissible in its claims under K and L;
8.2.

appoints ICAM as exclusive representative;
8.3.

determines that the narrowly defined group of persons for whom ICAM acts is established as claimed under I (shown in 4.1);
8.4.

declares ICAM inadmissible in its claims against the safety regions (defendants sub 31 and 32), the municipalities (defendants sub 33 and 34), the Municipal Health Service (GGD) Amsterdam-Amstelland (defendant sub 6) and the GGD Gooi & Vechtstreek (defendant sub 14);
8.5.

orders ICAM to pay the legal costs incurred by the defendants mentioned under 8.4, which are jointly estimated at EUR 3,743.49 in this judgment, to be paid within fourteen days after notice to do so;
8.6.

orders ICAM, in the event that it does not comply with this order in time, to pay the additional subsequent costs of EUR 92.00 plus the costs of service;
8.7.

orders ICAM to pay the statutory interest as referred to in article 6:119 BW on these legal costs if they have not been paid within fourteen days after notice;
8.8.

declares these costs orders provisionally enforceable;
8.9.

declares ICAM inadmissible in claims M, N and P;
8.10.

orders ICAM, pursuant to article 22 Rv, to explain by deed what interest it still has in claims K.II up to and including K.IV;
8.11.

orders ICAM, pursuant to Article 22 of the Code of Civil Procedure, to explain by deed which of the infringements referred to in claim L.1 are still present and what demonstrates this;
8.12.

orders the State and GGD GHOR to submit by deed evidence in the proceedings demonstrating which order was given to GGD GHOR with regard to the registration of citizens for the purpose of testing, vaccination and source and contact research with regard to Covid-19;
8.13.

gives each of the parties the opportunity to express their views on opt-out and opt-in, given the decisions given in this judgment;
8.14.

refers the case for the purpose referred to above under 8.10 to 8.13 to the roll of 14 August 2024;

in the (partly conditional) incident
8.15.

refers the case to the roll of 14 August 2024 so that ICAM can express itself as described under 6.2;
8.16.

dismisses claims C, D and E;

in the main case and in the (partly conditional) incident
8.17.

determines that each of the parties may respond to the documents to be taken on 14 August 2024 by means of a response;
8.18.

determines that an appeal against this judgment is already open;
8.19.

refers the case to the multi-member chamber for further handling and decision;
8.20.

stays any further decision.

This judgment was rendered by Mr. R.H.C. Jongeneel, judge, assisted by Mr. A.A.J. Wissink, registrar, and pronounced in public on 17 July 2024.

1 House of Representatives, session year 2016-2017, 34608, no. 3, p. 39

2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

3 Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers, and repealing Directive 2009/22/EC.

4 House of Representatives, session year 2016-2017, 34 608, no. 3, pp. 19-20

5 CJEU 4 May 2023, ECLI:EU:C:2023:370 (Österreichische Post), see paragraph 32 and the operative part.

6 CJEU 14 December 2023, ECLI:EU:C:2023:986 (VB/NAP).

7 CJEU 21 December 2023, ECLI:EU:C:2023:1022 (Krankenversicherung Nordrhein).

8 CJEU 25 January 2024, ECLI:EU:C:2024:72 (MediaMarktSaturn Hagen-Iserlohn).

9 CJEU 21 December 2023, ECLI:EU:C:2023:1022 (Krankenversicherung Nordrhein)

10 This is 20% of 1,247 + the second group of 126, assuming that none of them would have accepted the financial gesture, which is unlikely, and without deducting the persons who do not consider the financial gesture necessary and therefore do not support the claim.