Kutina Municipal Court - Pn-220/2024.-12
From GDPRhub
| Kutina Municipal Court - Pn-220/2024.-12 | |
|---|---|
 | |
| Court: | Kutina Municipal Court (Croatia) |
| Jurisdiction: | Croatia |
| Relevant Law: | Article 6 GDPR Article 24 GDPR |
| Decided: | 23.04.2025 |
| Published: | 23.04.2025 |
| Parties: | Croatian Pensions Institute |
| National Case Number/Name: | Pn-220/2024.-12 |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | Unknown |
| Original Language(s): | Croatian |
| Original Source: | Sudovi (in Croatian) |
| Initial Contributor: | cwa |
A court ordered a controller to pay €1,500 in non-material damages after an employee gave a data subject’s employer details of her pension entitlements without a lawful basis.
English Summary
Facts
An employee of the Croatian Pension Institute (controller) provided an employer with information about the work history and potential pension size of one of their employees (data subject) without the data subject’s knowledge or consent.
The employer then used this information to pressure the data subject into retirement in order to avoid formal termination procedures and the paying of required severance payments.
The data subject suffered extreme emotional distress due to fear of loss of her livelihood and took sick leave. The data subject later had to find alternative employment.
The data subject brought a claim for non-material damage against the controller for the emotional distress caused by the alleged improper disclosure of her personal data.
During the trial before the Kutina Munuicipal Court, the controller argued that the data subject could not show evidence of damage and that, in any event, the personal data in question was not sensitive and would be known to any employer.
Holding
The Court rejected the controller’s contention that the personal data in question was not sensitive. In doing so, the Court accepted that a data breach had occurred, as there was no lawful basis for the disclosure. Accordingly, the Court found that the controller had violated Article 6 & 24 GDPR.
The Court accepted that the emotional damage suffered by the data subject warranted the awarding of monetary compensation and ordered the controller to pay the data subject €1,500.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.
Republic of CroatiaMunicipal Court in KutinaCroatian Defenders' Court 144320 KutinaCase number: Pn-220/2024.-12.IN THE NAME OF THE REPUBLIC OF CROATIAJUDGMENTMunicipal Court in Kutina by individual judge Jasmina Pintarić, in the legal matter of the plaintiff CĐ from [address], OIB: [personal identification number], represented by attorney Klaudio Čurin from Zagreb, against the defendant CROATIAN RETIREMENT INSTITUTE, Zagreb, A. Mihanovića 3, OIB: 84397956623, represented by attorney NĐ, for compensation of damages, after the conclusion of the public and main hearing held on March 4, 2025 in the presence of the plaintiff's deputy attorney, attorney Bojan Grahek, and the defendant's attorney GĐ, pursuant to Article 335, paragraph 4. of the Civil Procedure Act (Official Gazette, No. 53/91, 91/92, 111/99, 88/01, 117/03, 84/08, 57/11, 148/11, 25/13, 89/14, 70/19, 80/22 and 114/22, 155/23 - hereinafter referred to as the Civil Procedure Act) 7 April 2025. The defendant Croatian Pension Insurance Institute, Zagreb, A. Mihanovića 3 is ordered to pay the plaintiff CĐ from [address] the amount of €1,500.00 (one thousand and five hundred euros), together with the corresponding statutory default interest, calculated from 10 January 2024. until payment at the rate determined for each half-year, by increasing the reference rate by three percentage points, whereby the reference rate in force on 1 January shall apply for the first half-year, and the reference rate in force on 1 July of that year for the second half-year, all within 15 days.II The defendant is ordered to compensate the plaintiff for the litigation costs in the amount of €1,303.10, together with statutory default interest, calculated from 7 April 2025 until payment at the rate determined for each half-year, by increasing the reference rate by three percentage points, whereby the reference rate in force on 1 January shall apply for the first half-year, and the reference rate in force on 1 July of that year for the second half-year, all within 15 days.Reasoning1. The plaintiff states in the lawsuit that the defendant is a public institution that has public authority and collects and keeps records of insured persons, beneficiaries of pension insurance rights and contributors. The plaintiff further states that the data that the defendant keeps in the exercise of its authority are personal data within the meaning of Article 4, indent 1 of Regulation (EU)-2016/679/European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L119 of 14 May 2016, hereinafter: GDPR), from which, according to the plaintiff, it follows that the defendant is the addressee of the GDPR, as the controller, and that when processing data, it is obliged to apply measures to protect the collected data in accordance with Article 24 of the GDPR. The plaintiff has knowledge of unauthorized access to her personal data by an employee employed by of the defendant, which unauthorized access was carried out in November 2023, probably on November 20 or 21, 2023. Regarding the above-mentioned unauthorized access to her personal data, the plaintiff contacted the defendant, and the defendant responded to the aforementioned complaint with a response Class:009- 01/23-01/9, UR. NUMBER: 341-99-01/7-24-8 of January 23, 2024, in a way that he admitted that a personal data breach had occurred. The plaintiff states that the person who had unauthorized access to her personal data provided the same data to the plaintiff's employer, and that the plaintiff's employer further used this data as a means of putting pressure on the plaintiff in order to avoid the prescribed procedure for terminating her employment contract, that is, to avoid the costs of the notice period and severance pay. The plaintiff also points out that in the described manner she suffered extreme mental tension caused by fear for her own existence, but also by distrust of the public service system. As a result, the plaintiff claims compensation from the defendant in the amount of €1,500.00 together with the associated statutory default interest. 2. In its response to the lawsuit, the defendant fully opposes the lawsuit and the claim as unfounded. The defendant states that the plaintiff filed a claim for damages in the lawsuit without any evidence related to the harmful event itself, the occurrence of the damage, the amount of the damage and the harmful conduct of the defendant himself as the alleged harmdoer. The defendant states that this concerns general data about the employee that the defendant keeps and exchanges with employers, and that it is clear from the lawsuit itself that the plaintiff points to facts and circumstances that cannot have an impact on the occurrence of any damage, given that certain personal data of the plaintiff, which were allegedly delivered to her employer, represent almost entirely the data that the employer had or had to have in its personnel files and records about its employee. It is emphasized that the plaintiff did not submit any request to the competent Personal Data Protection Agency in the pre-trial proceedings and therefore the defendant believes that the procedural prerequisites for compensation for damage have not been met, especially since no violation of the plaintiff's rights has been established in the relevant administrative procedure. The defendant states that the plaintiff did not attach any evidence of any damage to the claim, nor did she make it probable at all. 3. During the proceedings, the court heard the plaintiff and reviewed the defendant's response Class: 009-01/23-01/9, REG. NUMBER: 341-99-01/7-24-8 of January 23, 2024. 4. The claim was fully founded. 5. The plaintiff essentially stated that the employer decided to terminate her employment contract with immediate effect, stating that there was no longer a need for her work and that there were three solutions, one of which was for the plaintiff to retire on December 31, 2023. The plaintiff said that she did not agree with this and saw that it angered the employer and that he had the name and surname of one of the defendant's employees on his computer for several days. The plaintiff's employer, as a natural person, went to the defendant's employee and obtained information from him about the plaintiff's total length of service and the amount of her pension. After that, the plaintiff's employer began to shout at the plaintiff that she had deceived the association, portrayed the plaintiff in front of all the other employees as a liar who was deceiving everyone, and when she asked him what had happened to her severance pay, he replied that she had worked 19 months more than she was supposed to and that those 19 months were her excess severance pay. The plaintiff had difficult conversations with her employer and he put pressure on the plaintiff to retire. All of the above caused severe stress for the plaintiff, she could not sleep, she had to take tranquilizers, and the plaintiff has high blood pressure and thyroid problems and must not be disturbed. The plaintiff was on sick leave and after two weeks the doctor suggested that she see a psychiatrist, but the plaintiff could only get an appointment with a psychiatrist after the New Year.7. The provision of Article 5, paragraph 1.b of the GDPR stipulates that personal data must be collected for specific, explicit and legitimate purposes and must not be further processed in a manner incompatible with those purposes. The provision of Article 24, paragraph 1 of the GDPR stipulates that, taking into account the nature, scope, nature and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of individuals, the controller shall implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with this Regulation. Article 25, paragraph 2 of the GDPR stipulates that the controller shall implement appropriate technical and organizational measures to ensure that only personal data that are necessary for each specific purpose of the processing are processed in an integrated manner8. Having reviewed the defendant's response to the plaintiff's complaint Class:009-01/23-01/9, UR. NUMBER: 341-99-01/7-24-8 of January 23, 2024, it was established that the defendant stated in its response that after an internal analysis of the available records, it was determined that several employees had accessed the plaintiff's personal data during the stated period, with three employees having a business-justified reason for doing so, given that the plaintiff had submitted a Request for Pre-Completion during that period, and one employee accessed the plaintiff's data even though he did not have a business-related reason for doing so. The stated response also states that the said behavior of the defendant's employee represents an isolated case of a personal data breach, of which the defendant also notified the AZOP and that measures prescribed by the defendant's general acts will be taken against the employee. It was also stated that in order to raise awareness of the need to comply with personal data protection measures, a warning about the need to protect personal data was sent to all employees via e-mail again.9. In light of the above, it is indisputable that the defendant, in its statement Class: 009- 01/23-01/9, REG. NUMBER: 341-99-01/7-24-8 of 23 January 2024, admitted that one of its employees had processed the plaintiff's data without authorisation and that this was an isolated case of a personal data breach, which is why the defendant notified the Personal Data Protection Agency, and that all other employees of the defendant were also informed of the personal data breach in question, and that the defendant will take appropriate measures against the employee who processed the plaintiff's personal data without authorisation.10. In the specific case, the defendant, as the data controller, did not ensure the lawfulness of the data processing in accordance with Article 6 in conjunction with Article 24 of the GDPR, and is therefore liable for the damage caused to the plaintiff.11. According to the provisions of Article 19 of the Civil Obligations Act (Official Gazette No. 35/05 - hereinafter: ZOO), every natural person has the right to protection of his or her personality rights under the conditions established by law. Paragraph 2 of the same Article of the ZOO stipulates that personality rights within the meaning of this Act are understood to mean the right to life, physical and mental health, reputation, honor, dignity, name, privacy of personal and family life, freedom, etc.12. According to the provisions of Article 1100, paragraph 1 of the ZOO, in the event of a violation of personality rights, the court shall, if it finds that the gravity of the violation and the circumstances of the case justify it, award fair monetary compensation, regardless of compensation for property damage, and even if there is none.13.It is indisputable from the plaintiff's statement that the defendant's employee provided her employer with information about her total length of service and information about the amount of pension that the plaintiff would receive, and it is noted that this is not information that is otherwise known and available to the employer, as the defendant incorrectly states in its response to the lawsuit.14. It was also established from the plaintiff's statement that her employer, having obtained the above information from the defendant's employee, used it to pressure the plaintiff to retire, and in doing so, insulted and defamed her in front of other employees. Due to these circumstances, the plaintiff was on sick leave for three weeks, and ultimately entered into an employment relationship with another employer. Taking into account all of the above, the court finds that the plaintiff suffered damage because the employer pressured her to retire, defamed her in front of other employees, all of which negatively affected the plaintiff and her health, especially since the plaintiff already has health problems with her thyroid gland and has high blood pressure, which is why she should not be further disturbed. The fact that the plaintiff had to find a new job with another employer also further affected the plaintiff and her health.15. When deciding on the amount of fair compensation, this court took into account the severity of the mental suffering due to the mental health injury, and the purpose of the compensation in accordance with Article 1100, paragraph 2 of the ZOO. Particular consideration was given to the circumstances that the plaintiff was pressured to retire, that she was insulted in front of other colleagues, that the plaintiff experienced enormous stress and fear at work, that due to such treatment by the employer, she had to go on sick leave and that her doctor suggested that she see a psychiatrist, but that the plaintiff could not get an appointment with a psychiatrist in the near future, that the plaintiff was no longer able to continue working in the association and that she had to find another job and get employed by another employer.16. In accordance with Article 223, paragraph 1 of the Civil Procedure Code, the court determines that the requested amount of fair compensation for damage due to the violation of personality rights in the amount of €1,500.00 is fully founded, and the plaintiff was awarded the specified amount of compensation in full, together with statutory default interest from the date of filing the complaint with the defendant as the due date for payment.17. Litigation costs were awarded to the plaintiff based on the provisions of Article 154, paragraph 1 of the Civil Procedure Code. The plaintiff was awarded the cost of drafting the lawsuit in the amount of €200.00, the cost of drafting the submission of 23.7.2024 in the amount of €200.00, representation at the hearing of 9.10.2024 in the amount of €200.00, representation at the hearing of 26.11.2024 in the amount of €200.00, at the hearing of 4.3.2025. €200.00, VAT €250.00 and court fees on the lawsuit €26.55 and on the judgment €26.55.18. For the above reasons, the judgment is as in the dictum. In Kutina, April 7, 2025. Judge Jasmina Pintarić Instructions on legal remedies The dissatisfied party has the right to appeal against this judgment within 15 days, counting from the first day following the date of delivery of the judgment. The appeal is filed with this court. The competent county court shall decide on the appeal (Article 348 of the Civil Procedure Code). Bottom 1. Attorney Klaudio Čurin, Zagreb 2. HZMO Zagreb
