Rb. Den Haag - 22/2601

From GDPRhub
Revision as of 09:35, 12 October 2023 by FeestHoed (talk | contribs) (Created page with "{{COURTdecisionBOX |Jurisdiction=Netherlands |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Rb. Den Haag |Court_Original_Name=Rechtbank Den Haag |Court_English_Name=District Court Den Haag |Court_With_Country=Rb. Den Haag (Netherlands) |Case_Number_Name=22/2601 |ECLI=ECLI:NL:RBDHA:2023:14359 |Original_Source_Name_1=Rechtbank Den Haag |Original_Source_Link_1=https://uitspraken.rechtspraak.nl/#!/details?id=ECLI:NL:RBDHA:2023:14359&showbutton=true&keywor...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Rb. Den Haag - 22/2601
Courts logo1.png
Court: Rb. Den Haag (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 15 GDPR
Article 82 GDPR
Article 8:88 Algemene wet bestuursrecht
Decided: 21.09.2023
Published: 03.10.2023
Parties: Uitvoeringsinstituut werknemersverzekeringen
National Case Number/Name: 22/2601
European Case Law Identifier: ECLI:NL:RBDHA:2023:14359
Appeal from:
Appeal to: Unknown
Original Language(s): Dutch
Original Source: Rechtbank Den Haag (in Dutch)
Initial Contributor: Enzo Marquet

The Dutch Court of Den Haag determined that €500 compensation is fair and appropriate for sending letters to the wrong address. The Court considered pre-existing psychiatric issues of the data subject, but did not consider the fact that the letters were returned unopened.

English Summary

Facts

On 16 Juli 2021, the controller (the Institute for Employee Insurance, part of the government), informed the data subject about a data breach. Five letters meant for the data subject were sent to the the wrong address. After a complaint of the data subject, the controller offered a compensation of €250. The data subject did not agree with the height of the compensation and demanded €3000. On top of that, she requested access to her personal data under Article 15. The controller rejected the claim of €3000.

The data subject did rephrase her request of information to not be under Article 15, but under article 1:3 Awb (General Administrative Law Act). The data subject argued that a compensation request can be pursued through an administrative procedure, citing four rulings by the Division for Administrative Jurisdiction of the Council of State. These rulings established that there is no requirement for an unlawful decision when applying certain legal provisions. It is enough to have a connection to a relevant decision, like a request for data access, which the plaintiff claimed to have made.

The controller argued that the decision on compensation following a data breach is not a public law decision but stems from private law. The controller claimed that the compensation request and the request for access to information are unrelated and separately handled. The controller also contended that Article 8:88 Awb does not apply because the matter involved sending letters to the wrong address, which is a factual action, not a formal decision with legal implications, and it did not prepare for an unlawful decision.

Holding

The Court held that the controller correctly declared the data subject's appeal inadmissible due to changes in the law. The Court nullified the decision but maintained the legal consequences. The data subject's case was now treated as a request for compensation under Article 8:88 Awb in connection with Article 82

The Court stated that the data subject has fulfilled the requirement by contacting the controller in writing at least eight weeks before submitting the compensation request. The controller admitted to sending five letters to the wrong address, which breached the GDPR. The immaterial harm to the plaintiff was not disputed.

The Court concluded that the dispute revolves solely around the amount of compensation.

The Court determined that a compensation of €500 is fair and appropriate. The Court considered the psychological impact of the data breach on the data subject. The fact that the five letters were returned in sealed envelopes and that no evidence of third-party use of the information was presented did not diminish the data subject's experience of an exacerbation of her pre-existing severe psychiatric issues. Therefore, these considerations were not of decisive significance for the court.

Comment

The data subject cited the following Dutch cases: ECLI:NL:RVS:2020:898; ECLI:NL:RVS:2020:899; ECLI:NL:RVS:2020:900 en ECLI:NL:RVS:2020:901.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Retrieved from "https://gdprhub.eu/index.php?title=Rb._Den_Haag_-_22/2601&oldid=35365"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki