Rb. Gelderland - 8500601
|Rb. Gelderland - 8500601|
|Court:||Rb. Gelderland (Netherlands)|
|Relevant Law:||Article 5 GDPR|
|Parties:||NederWoon Verhuurmakelaars B.V.|
Plaintiff not specified
|National Case Number/Name:||8500601|
|European Case Law Identifier:||ECLI:NL:RBGEL:2021:1888|
|Original Source:||de Rechtspraak (in Dutch)|
The Gelderland Court of First Instance held that a violation of the GDPR does not automatically lead to damages. In particular, damages stemming from a data breach must be substantiated by a data subject; the mere statement that he or she experienced distress is insufficient.
In May 2019, a hacker obtained unauthorised access to the webserver and website of Nederwoon.nl and exported personal data of users of the website to his personal computer. The hacker was found guilty for unauthorised intrusion in a different case.
The plaintiff argued that NederWoon is in breach of Article 5 GDPR because the plaintiff's personal data should have been deleted because it was no longer necessary in relation to the purposes it was processed for, and because there were no appropriate technical and organisational measures in place to protect the data.
The plaintiff therefore requested a compensation for the damages due to a breach of the GDPR. NederWoon claimed that there was no breach of the GDPR and that there was no damage on the plaintiff's side.
The court held that the plaintiff must prove why Article 5 GDPR was breached. The simple fact that a hacker obtained access to personal data does not mean that NederWoon was acting in breach of Article 5 GDPR. Furthermore, the plaintiff must prove that he in fact has (immaterial) damages on his side. A breach of the GDPR does not automatically lead to damages. (Also see: Dutch Supreme Court (Hoge Raad) ECLI:NL:HR:2019:376). The simple statement that the plaintiff experienced distress is insufficient without further elaborating on why this bothered him or how the distress expressed itself. Because the damage was not substantiated, the claims cannot be upheld. Therefore, the breach of the GDPR is not further discussed.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Authority District Court of Gelderland Date of judgment 07-04-2021 Date of publication 04-05-2021 Case number 8500601 Jurisdictions Civil rights Special characteristics First instance - single Contradictory Content indication Violation of Article 5 GDPR and unlawful processing of personal data? Hack rental agent website. Claim for non-material damages rejected. Locations Rechtspraak.nl Enriched pronunciation Share pronunciation Print Save as PDF Copy link Statement COURT GELDERLAND Team canton and commercial law Seat in Apeldoorn Case Details: 8500601 CV EXPL 20-1672 Grosse to: mrs. Christians and Wakker Copy to: Mr. Klatt Sent dated judgment of 7 April 2021 of the subdistrict court in the case of [demanding party] , residing in [residence], demanding party, authorized representative: mr. S.G. Klatt (PrivacyPunt B.V.), against the private company NederWoon Verhuurmakelaars B.V., established in Apeldoorn, defendant party, authorized representative: mrs. K. Christianen and S.Y. Awake. The parties are hereinafter referred to as [claimant] and NederWoon. 1 The procedure 1.1 The course of the procedure is evidenced by: - the judgment of 18 November 2020 and the procedural documents referred to therein, - the statement of defense, also document submission of exhibits on the part of NederWoon, - the interim judgment of 13 January 2021, in which an oral hearing has been determined, - the deed of submission and statement of exhibits on the part of [claimant], - the oral hearing of the case on 8 March 2021, noted by the Registrar. 1.2 Hereafter a verdict was determined. 2 The facts 2.1. [claimant] registered with NederWoon as a house seeker on 8 December 2017. He has also created a user account on the NederWoon website. [claimant] has provided personal data, such as a copy of passport, payslips and bank statements. In December 2017 NederWoon used a Privacy Statement, which described, among other things: “(...) If you, as a home seeker, are interested in the offer of a home that we publish, you must create an account. (…) We only process data that you provide to us yourself and that are necessary for the landlord to determine whether you are a suitable candidate. (…) Which personal data do we record? We record the following information about you: • Name / Initials / Insertions • Sex • Address / Zip code / City • Date of birth place of birth • Phone numbers • E-mail address • Copy of identification * • Data on work and income • Landlord statement * Copy of identification When entering into the rental agreement, your identity was checked with a copy of your ID. This copy is part of your rental agreement. We only accept a copy of ID on which the BSN is protected. When you are finally allowed to rent, we ask for the following additional information: (...) User account Every home seeker has a user account via www.nederwoon.nl As a home seeker, you are free to decide for yourself which data you want to upload here. In the event that the account is too incomplete to determine whether you are eligible for a home, you will receive message about this when you show your interest in a specific property. You can anonymize or stop the user account at any time. You do this by logging in and click "anonymize account" under "Settings". Your request will be processed within 2 business days picked up and processed. When anonymizing, all your data including name and e-mail address will expire. (…) If a rental agreement is concluded, the data will remain for 12 months visible. This is necessary for the execution of the agreements from the lease. (…) Retention period NederWoon Verhuurmakelaars stores your personal data during the period that your account is active with us. After termination of the user account, we delete the personal data with the exception of name and e-mail address. If you request to anonymize your account, we will use the personal data including name and delete e-mail address immediately. (…) We have taken appropriate technical and organizational measures to protect personal data to protect you against unlawful processing, we have taken the following measures taken; • Our website is hosted by an external IT company • Maintenance of the server and web application has been outsourced • A secure system is used at our office. Employees can only log in here with different passwords and security codes. • The NederWoon website and Backoffice use a secure one internet connection can be recognized by the lock in the web address • NederWoon employees sign for confidentiality (…) ”. 2.2. The NederWoon computer system was hacked in May 2019. The hacker was arrested and sentenced by a judgment of the Overijssel District Court of 24 December 2019 (ECLI: NL: RBOVE: 2019: 4909). In the criminal judgment, the statement of proof can be read - where NederWoon is referred to as 'company 1' -: “he in the period from May 15, 2019 to May 20, 2019 in Arnhem and / or Zwolle, deliberately and unlawfully in part of an automated work, namely the web server of and the login page of the internet page of "www. [company 1] .nl" has been penetrated by breaching a security / technical intervention, after all the defendant - by uploading PHP codes, which codes then web shells (R57.php, WS07.php, K5CNpEZB.php and / or adminer.php) have been created, allowing access and control to the web server and website of [company 1] and then the data that have been stored, processed or transferred by means of the aforementioned automated work in which he was unlawfully taken over, intercepted and recorded for himself (i.e. by exporting one or more data from your t that website (including email addresses, bank details, copies of identity documents) to his, suspects, computer and by blocking access to that website ”. Furthermore, the criminal judgment can be read: (...) For a declaration of (an attempted) extortion in the sense of Article 317, paragraph 2 of the Criminal Code, it is required that the accused has exercised coercion by threatening to use the data that he of an automated work, render it unusable or inaccessible or delete it. The court considers that although the defendant has threatened to make the data public or to sell the data to criminals, the defendant has not threatened to render the data unusable, inaccessible or delete the data. (…) On 24 May 2019, [declarant 1] reported a computer breach of peace on behalf of [company 1]. On Monday, May 20, 2019, the employees of [company 1] discovered that it was not possible to log in to the website of [company 1]. The application manager confirmed that all data had been deleted from the server. Later that day [company 1] received an email from e-mail address [e-mail address] containing a message from someone who wrote that he had hacked the website of [company 1] and that he had 10 GB of data including IDs, employer statements and bank statements had been removed from the website. As proof, a RAR file containing data from [company 1] was sent. Research showed that the hack was carried out by placing malicious software. The hacker uploaded PHP files, placing a web shell program on the web server. The web shell program gave the hacker remote access to the server via the website and thus gained full control over the server. The hacker has downloaded and deleted privacy-sensitive data from the server. Shortly after the hack, [company 1] received 4 emails in which it was threatened to make the privacy-sensitive data of [company 1] public, or to provide it to criminals, if [company 1] did not receive an amount of € 10,000 within 72 hours. , 00 in bitcoins. (…) During the search of the suspect's house, [address 2] in Arnhem, a large number of goods were seized from the suspect, including a large number of SIM cards, laptops, telephones and other digital data carriers. The confiscated equipment corresponds to the modus operandi of the hack. (…) The suspect is guilty of computer hacking. He has accessed the web server and website of [company 1] without the consent of the rightholder and manipulated and downloaded digital data there. By acting in this way, the defendant not only duped [company 1], but also approximately 18,500 customers of [company 1], who must be afraid that their private data will be exposed or used for criminal purposes. The suspect has misused his knowledge of the digital world and thereby damaged the confidence that everyone should have in the use of internal systems and the internet. ”. The seized data carriers have been withdrawn from traffic. 2.3. In an e-mail of 23 May 2019 NederWoon wrote to [claimant]: “(…) You have had contact with NederWoon in the past via our website www.nederwoon.nl. Unfortunately, we have been confronted with a hacker who has a secure website in (part of) our website can penetrate. In accordance with privacy legislation, we hereby inform you about this data breach. What happened? An unauthorized person has entered our website. After an initial investigation, it appears that this intrusion has been limited to the part where data from home seekers is located. We investigate the hack even further, in order to get an even more precise picture of what happened. Of this hack, we immediately reported it to the police. Which data has been leaked? The leaked data concerns the data for the period 2017 to 2019 that you have yourself at the time completed or uploaded via our website www.nederwoon.nl. We don't know exactly which one data from you. You may have completed the following entry fields at the time: Name, address, city, telephone number (s) and e-mail address (es); Data uploaded by you and documents such as your proof of identity (which may include your citizen service number), employer's statement, etc. What are the possible consequences of this data breach? You may receive so-called "phishing emails". Attempts are made to supposedly in the name of NederWoon to steal your (financial) data. This often happens via "links" that you can click on. (…) At the moment we have not yet received any signals that possibly have been abused in any other way (s) is or will be your data. If we still get those signals, we will contact you inform further. What measures have we taken? We have now set up a new server. In addition, we have additional technical measures have been taken to provide additional data from home seekers and existing customers to secure.(…)". 2.4. By e-mail of 15 July 2019, PrivacyPunt, on behalf of [claimant], held NederWoon liable for the damage caused by NederWoon presumably acting in violation of the General Data Protection Regulation (hereinafter: Avg). The immaterial damage is estimated at € 575. NederWoon is requested to pay this amount within fourteen days. 3 The claim and defense 3.1 [claimant] demands that the subdistrict court judge, by judgment, enforceable by stock, I. declare in court that NederWoon has acted unlawfully towards [claimant] by violating the right to respect for privacy and the right to protection of personal data of [claiming party] and / or acting in violation of the Avg by failing to process the personal data of [claiming party] without justification and taking appropriate technical and organizational measures, II. if necessary for the delivery of the judgment, will submit preliminary questions to the Court of Justice of the European Union about the meaning and scope of the concept of damage in the Avg and the estimate of the (non-material) damage that may be attributed in that context, III. primary: NederWoon will order to pay [claimant] a compensation of € 500.00 within fourteen days, or such compensation as is deemed correct, to be increased by the statutory interest on this from April 30, 2020 until the day of the general payment, in the alternative: NederWoon will order compensation for the damage suffered by [claimant], to be drawn up by state and to be settled in accordance with the law, IV. NederWoon will order the costs of the proceedings, plus the statutory interest and subsequent costs. 3.2. To this end, [claimant] argues that NederWoon has processed its personal data for too long and unlawfully in violation of the Avg. After the tenancy agreement was concluded, there was no longer any relevant purpose for storing this data. NederWoon has also not taken appropriate technical and organizational measures to protect the data. This is in violation of Articles 5, 6 and 32 of the Avg. After the hack, [claimant] actually received more phishing emails, which makes it plausible that this was due to the hack. He also fears that his personal data will be misused, now that very privacy-sensitive information has been leaked, such as a copy of a passport. This leads to experiencing distress. 3.3. NederWoon puts forward a defense and contends primarily to declare inadmissible, or at least reject the claims, with an order against [claimant], enforceable in stock, in the legal costs, with statutory interest and subsequent costs, in the alternative, insofar as the statement will be upheld by law. fixing the compensation at nil, or referring the case to the damage statement procedure. NederWoon disputes in particular that there has been a violation of the Avg or other unlawful acts and disputes that there is damage to [claimant]. 3.4. The arguments and positions of the parties will be further discussed below, insofar as they are relevant to the assessment of the claims. 4 The assessment 4.1 The Avg entered into force in May 2016. Organizations were given until May 25, 2018 to bring their business operations into line with the Avg. At the time of the registration of [claimant] with NederWoon, it was therefore possible that the processing of personal data by NederWoon was not entirely in accordance with the Avg. Of course NederWoon was obliged to put this in order by May 24, 2018.NederWoon states indisputably that [plaintiff], in order to register as a home seeker, had to 'tick', among other things, that he agreed when creating a user account. with the processing of his personal data and with the Privacy Statement. He has it under 2.2. can also view the said Privacy Statement. 4.2. Article 5 of the GDPR stipulates, among other things, that personal data must be processed in a lawful, proper and transparent manner and may no longer be saved than necessary. The data must also be "processed by taking appropriate technical or organizational measures in such a way that it is adequately protected and that it is protected, among other things, against unauthorized or unlawful processing and against accidental loss, destruction or damage". 4.3. Now that [claimant] argues that NederWoon has acted in violation of article 5 Avg and NederWoon disputes this with reasons, it is up to [claimant] to substantiate and - if necessary - prove that this is the case. Contrary to what [claimant] is of the opinion, the mere fact that a hacker has succeeded in accessing the personal data cannot yet be inferred that NederWoon has acted in violation of article 5 Avg. After all, even with the most optimal security, it cannot be completely ruled out that technically (very) competent malicious parties gain access. 4.4. In the case of a claim for a declaration of judgment, the starting point is that there must be an interest in this. For that interest, it is necessary that the party claiming the statement benefits from it and the other party is bound by it. The interest may lie in a claim for damages. For this, however, it must be established that damage has also been suffered that is eligible for compensation. 4.5. [claimant] argues that he has suffered non-material damage and is claiming damages for this amount of € 500, at least a reference to the damage statement procedure. He argues that in violations of the Avg, a broad interpretation must be given to the term 'damage' and that the award of compensation for immaterial damage is not limited by Article 6: 106 BW, but that the Avg offers an independent basis for this. Whatever that may be, even if [plaintiff] should be followed in this, it is up to him to state and substantiate sufficiently that actual (immaterial) damage has been suffered. Contrary to what [claimant] apparently believes, it is not automatic that a violation of the Avg leads to (immaterial) damage and thus to compensation. NederWoon rightly refers in this regard to the judgment of the Supreme Court of 15 March 2019 (ECLI: NL: HR: 2019: 376). The mere assertion that there has been "distress" is insufficient if no substantiation is given showing that [plaintiff] was actually bothered by this or how this "distress" manifested itself in him. It has not been found that [plaintiff], for example, immediately after receiving the letter from NederWoon, asked questions or indicated that he was concerned in any other way. Other expressions of unease have also been neither stated nor revealed. 4.6. Contrary to the examples from case law cited by [claimant] in which compensation for immaterial damage has been awarded, it has not been shown that the data involved in the hack was actually misused. On the contrary, the criminal judgment shows, as NederWoon also argues, that the hacker had not (yet) sold or transferred the personal data to third parties, while all data carriers that have been seized have been withdrawn from traffic, so that the chance that the data is still getting into the wrong hands is nil. 4.7. Now that [claimant] has not substantiated the alleged damage and can therefore not follow any allocation of the claims for that reason, it can be left open whether there has been a violation of the Avg in the manner alleged by [claimant]. 4.8. As the unsuccessful party, [claimant] will be ordered to pay the costs of the proceedings, which on the part of NederWoon up to and including today are set at € 166.00 in the salary of the authorized representative. The interest payment claimed on this is also attributable. 5 5. Decision The Subdistrict Court: 5.1. rejects the claims, 5.2. orders [claimant] to pay the legal costs, which on the part of NederWoon up to and including today are set at € 166.00 in the salary of the authorized representative, to be increased by the statutory interest if payment is not made within fourteen days after the judgment has been served satisfied, 5.3. declares this judgment with regard to the conviction provisionally enforceable. This judgment was rendered by mr. M. Engelbert-Clarenbeek and pronounced at the public session of April 7, 2021 in the presence of the registrar.