Rb. Noord-Nederland - 8187989

From GDPRhub
Rb. Noord-Nederland - 8187989
Courts logo1.png
Court: Rb. Noord-Nederland (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 82(1) GDPR
The Civil Code of the Netherlands
Decided: 12.01.2021
Published: 19.01.2021
Parties: Municipality Oldambt
National Case Number/Name: 8187989
European Case Law Identifier: ECLI:NL:RBNNE:2021:106
Appeal from:
Appeal to: Unknown
Original Language(s): Dutch
Original Source: de Rechtspraak (in Dutch)
Initial Contributor: n/a

The District Court of Northern Netherlands (Rb. Noord-Nederland) ordered the municipality of Oldambt to pay a claimant €500 in non-material damages for repeatedly violating the claimant's privacy, by publishing their social security number, e-mail address, and telephone number without their consent.

English Summary


On 1 July 2016 the municipality put a piece of land with an unused shooting range up for sale for a symbolic amount of 1 EUR. The claimant was interested in buying it. To reuse the old shooting range, claimant was required to get an environmental permit from the municipality. The online form available on the sites of the Dutch municipalities, has two options for such permit applications: the complete form, which is available to competent authorities only, and the publicly available version of this form. The information that an applicant wants to keep private is removed from the publicly available version. More specifically, the publicly available version doesn’t contain the applicant’s social security number (BSN) and phone number. When submitting the digital application, an applicant is presented with the following choice: Do you give permission to make publicly available personal and address details of the applicant/notifier and, if applicable, the authorised representative? The claimant submitted his environmental permit application on 9 December 2016. He filled in his social security number, last name, initials, address, phone number and email. He consented to making his data publicly available. On 7 October 2017 and 7 December 2017 the municipality published a draft statement and draft decision, making them available on its site, on the Government Gazette (Staatscourant) and on www.ruimtelijkeplannen.nl. On 2 December 2018 a local journalist twitted about the fact that the municipality has published claimant’s data on its website, including the social security number and phone number. On the same day the claimant reported the data breach to the municipality under GDPR, telling the municipality to remove his data and mentioning non-material and material damages (for the costs involving increased house security). On 3 December 2018 the municipality has included the claimant’s environmental permission application as an agenda item in the council’s meeting and published the agenda on its site, including the claimant’s email, phone number and social security number. Social security and phone numbers were removed from the site on 4 December 2018. The municipality has admitted that personal data breach took place but asked the claimant to substantiate any material damage resulting from the municipality's actions, as it was not prepared to pay non-material damages. The claimant responded with a list of security measures that would be necessary to prevent burglary, blackmail and/or threats. On 10 April 2019, the municipality rejected the claims for material and non-material damages as not sufficiently substantiated.


Should the claimant be awarded a (non-)material damage compensation from the municipality for the data breach?


The Subdistrict Court concluded that the municipality has violated the GDPR by causing data leaks and is therefore liable for damages towards the claimant. In the circumstances of this case there was no reason to award material damages compensation, but there is reason to award (limited) immaterial damages to the claimant. The Court considered the damage compensation claim based on the Dutch Civil Code. The Subdistrict Court arrived at the conclusion that the security measures taken by the claimant could not be regarded as reasonable costs to prevent or limit damage because of the data leaks. The municipality can only be responsible for the breach of the social security number, phone number and email address of the claimant, and nothing else. It was taken into account that the claimant opted in for the public application process, making his address and name publicly available. Against this background it cannot be seen that, because of the data leaks, claimant was forced to secure his home to protect himself, his family, and his possessions. When it comes to the non-material damage compensation, the Subdistrict Court rules that the claimant had not, or at least insufficiently, demonstrated that he has suffered psychological injury because of the unlawful actions of the municipality. Only a strong psychological discomfort, such as temporary feelings of stress or anxiety, are sufficient for compensation of immaterial damage. However, the privacy of the claimant has been violated repeatedly by the municipality because of the unlawful publication of his social security number, the e-mail address, and the telephone number without his consent. These data are sensitive by nature, especially the social security number. The adverse consequences of leaking these, such as identity fraud, are obvious. Therefore, the Court ruled that the claimant was eligible for 500 EUR in non-material damages compensation.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

District Court of Noord-Nederland
Date of decision
Publication date
Case number
Areas of law
Civil law
Special features
instance - single Judge Damages adjudication 
Adversary proceedings
Content Indication
Data leak on website of municipality of Oldambt.
Compensation for injured person for impairment in person.
PS-Updates.nl 2021-0080 
Enriched pronunciation 
Department of Private Law
Groningen location
Case number / role number: 8187989 / CV EXPL 19-11402
judgment of the cantonal judge of January 12, 2021 
in the case of
living in [defendant's place of residence]
plaintiff, hereinafter referred to as: [plaintiff] ,
Agent: mr. H.W.J. Smeltekop, lawyer in Peizerwold,
the public-law entity
domiciled in Winschoten,
Defendant, hereinafter referred to as the Municipality,
Agent: mr. A.A. Westers, lawyer in Groningen. 
1 The process sequence
By interlocutory order dated February 18, 2020, an oral hearing was set for the case. 
Due to the court's policy of limiting physical hearings and the resulting possibility of contact between litigants as much as possible in order to combat the Covid-19 (corona) virus, the oral hearing scheduled for May 20, 2020 did not take place. 
The Subdistrict Court then ordered that the proceedings be continued in writing. Following this, the parties submitted the following documents:
- [plaintiff's] reply brief ;
- the municipality's rejoinder;
- the memorandum of productions of [plaintiff] . 
Thereafter, the judgment was (further) determined to be the present. 
2 The facts
On July 1, 2016, the municipality put the plot at the [plot number] , on which there was a shooting range no longer in use, up for sale for the symbolic amount of €1. Plaintiff] was interested in purchasing the shooting range. 
In this case, in order to bring the old shooting range back into use, an environmental permit was required. The application for such a permit can be made via email, post, drop off at City Hall or online via the Environmental Counter. 
All municipalities in the Netherlands use a standard form made available by the Ministry in the Omgevingsloket, headed 'publishable notification'. The complete permit application is intended only for the competent authority, while the publishable application is intended for inspection and publication. In the publishable application, the information that an applicant wishes to keep out of publication is not visible. Both the submitted application and the publishable form contain information about the application, the applicant and the location. Ultimately, the only difference between the submitted application and the publishable application is that the publishable application does not include the applicant's BSN number and phone number. When submitting the digital application, the applicant is presented with a choice: 
Do you authorize the disclosure of personal and address information of the applicant/reporter, and, if applicable, the authorized representative?
On December 9, 2016, [plaintiff] applied to the municipality for an environmental permit through the Environmental Counter for the purpose of bringing the shooting range back into use. The application mentions as project description the bringing back into use of the shooting range. The applicant's details ( [claimant] ) include his/her social security number, surname, initials, address details, telephone number and email address. 
[Claimant] answered YES to the question mentioned above at the end of 2.3.
Thereafter, the personal and address information of [plaintiff] was included in the publishable application. 
On January 25, 2017, the municipality interrupted the statutory decision period of six months from receipt of the application because [plaintiff's] application was incomplete due to the lack of the required spatial substantiation. The Pasmaat agency subsequently drew up a spatial substantiation recommendation at the request of [plaintiff] in March 2017. This advice was made available to the municipality. 
On April 19, 2017, the municipality published in the Municipal Gazette that [plaintiff] had made a notification under the Activities Decree. This notification reads: 
Notification of Activities Decree, [plot number] 
The mayor and aldermen of the municipality of Oldambt, having regard to article 8:41 paragraph 4 of the Environmental Management Act, announce that a notification under the Activities Decree has been made by:
- Claimant] use shooting range, [plot number] 
On October 30, 2017, the City Council issued a draft statement of no objections for the purpose of realizing or reinstating a shooting range at the aforementioned address. 
On December 7, 2017, the municipality published in the State Gazette that it had made a draft decision regarding the environmental permit applied for by [plaintiff]. The draft decision was also published in the Government Gazette and made available at www.ruimtelijkeplannen.nl. made available. 
Via the Twitter account [twitter account reporter] , [twitter account reporter] , a reporter of RTV Noord, 'posted' a screenshot of one page of [plaintiff's] application on Twitter at 11:26 a.m. on December 2, 2018, along with the following text: 
"Permit applicant is mentioned with first and last name, all address details and even his BSN on the public website of the municipality of Oldambt. Is that allowed just like that? For your information: I have blacked out the most important data myself."
The screenshot shows that [plaintiff's] phone number has been erased, as well as his BSN number. The first name, surname and address of [claimant] are not erased and therefore visible. The screenshot does not show the activity involved. 
By email dated December 2, 2018, [plaintiff] reported to the municipality a data leak on the municipality's website that, according to [plaintiff], violated the General Data Protection Regulation (hereinafter: AVG): 
"Under item 5.1.1, you publish attached PDF document.
This document is accessible to everyone and has since been shared on social media (twitter, by at least [twitter account reporter] ). 
This document contains personal data about my person which, in terms of the law on privacy, may not be disclosed. This data, as you are no doubt aware, can be used for shady purposes. For example, fraud and harassment.
I therefore hereby summon you to immediately remove my information from this website. 
I would also like to inform you that according to Article 82 (1) of the AVG, I am entitled to compensation. 
At least for the intangible damage already suffered. For example, you have made me a target for criminals to obtain weapons, thereby also making my family a target. You have made me vulnerable to identity fraud by revealing my BSN etc.
As far as material costs are concerned, you can think, for example, of making my home extra burglar-proof. But also possible misuse of my data in the future, such as identity fraud. (…)" 
On December 3, 2018, an article appeared on the website of RTV Noord with the headline Oldambt fiddles with private data: 'This gives fraud opportunities', written by the aforementioned reporter of RTV Noord, [twitter account reporter] . This article stated, among other things: 
"The municipality of Oldambt has tampered with the data of a permit applicant. The applicant was named with all his personal data on the municipality's public site. 
Among other things, his email address, mobile number and even his citizen service number (BSN) were available for all to see. 
The piece has since been removed from the site. 'This does not reflect a professional organization,' the applicant says of the municipality.
Very angry 
The applicant prefers not to be named because it involves privacy-sensitive information. But in his own words he is 'genuinely very angry' with the municipality. This offers so many opportunities for fraud, it really goes one step too far for me,' he says.
[Plaintiff's] application for an environmental permit was included as an agenda item in the December 3, 2018 City Council meeting, which was available for viewing on the City's website. Agenda item 5 included, in addition to the application, the 
email address, telephone number and BSN number of [plaintiff] . 
On or about December 3, 2018, the municipality removed [plaintiff's] BSN number and phone number from its website. 
On December 4, 2018, an article about the arrival of the shooting range appeared in the Dagblad van het Noorden, based in part on an interview the newspaper conducted with [plaintiff] . This article reads as follows: 
Sale of shooting range still on hold 
Plaintiff] has been working for two years to get possession of the shooting range on the [parcel number] "For fun and to preserve Winschoter history." 
It seems that [plaintiff] will actually have a private shooting range at his disposal in not too long. The municipality of Oldambt already saw no objection and has stuck to that position. A neighbouring resident objected earlier. If he stands by his objection, he has the option of going to the Supreme Court. "Then I have to be patient for two more years," sounds the sober mouth of the hobby shooter.
Plaintiff] had a flora and fauna inventory drawn up this summer, upon request. This revealed that there are no rare plants or animals in the direct vicinity of the shooting range. A number of objections remained, but the board sees no reason not to sell the shooting range.
"If we can get the deal done now, that would be a nice Christmas present," believes [plaintiff] . He wants to use the shooting range, constructed in 1962, privately.
Claimant] is an avid shooter. Once or twice a week he can be found on the indoor range of shooting club [shooting club]. Not without success, as he was club champion several times. 
For 1 euro, he can own the 25-meter track. "With that, I'm helping the municipality. Sports-wise, it won't help me anymore. I am already too old to qualify for the Olympics," he says jokingly. "But of course it's nice to have a private rink. Few can say that."
Last night, the City Council decided not to address the sale of the shooting range until January. Hobby shooter [plaintiff] therefore has to be patient for a while longer.
The municipality responded to the data breach reported by [plaintiff] by email dated December 5, 2018. In this email, the municipality wrote: 
"On September 11, 2017, October 30, 2017 and November 22, 2018, documents containing some of your personal data were posted on the municipality's website. As a result, these personal data were accessible to everyone. It concerns your BSN, email address and telephone number.
This data was improperly posted on the municipality's website, resulting in a data breach that could lead to identity fraud. 
Once these data breaches became known to the municipality they were removed from the website.
In your email of December 2, 2018, you point out the right to compensation under Article 82(1) of the AVG. 
You will be notified of this separately."
Following this email, the municipality wrote to [plaintiff] by email dated December 6, 2018: 
"The December 5, 2018 email erroneously failed to mention that the same document was posted on the municipal website on October 16, 2017.
This data breach has also been reported to the Personal Data Authority. (…)"
In a letter dated December 21, 2018, [plaintiff's] attorney held the municipality liable and requested that [plaintiff] be compensated for the (im)material damages he has suffered and will continue to suffer as a result of the data breach. At the end of this letter, he wrote: 
"In the event that you do not return to me with a satisfactory financial proposal, I will advise my client to file a complaint with the AP. Also to report this to the local news media about the data breaches on the part of the Municipality of Oldambt and to wave away liability for this towards the client. (…)" 
By letter dated January 9, 2019, the municipality requested [plaintiff's] attorney to further substantiate any material damages resulting from the municipality's actions, as well as that it is not willing to pay any intangible damages. 
By letter to the municipality dated February 25, 2019, [plaintiff's] attorney further elaborated on the damages alleged by [plaintiff]. In that regard, he wrote, among other things: 
Material damage (Art. 6:96 Dutch Civil Code) as a result of measures taken/to be taken 
A number of measures are necessary in light of the AVG to be able to prevent abuse by rogue parties. These include offences such as burglary, blackmail and/or threats. In the first place it will be necessary to have security cameras installed. The costs for this amount to € 2395.00 (including VAT). In addition, an alarm system will have to be installed. The costs are € 1945.00 (incl. VAT). Finally, it is also necessary to place shutters. The costs of this have been quoted at the amount of € 6967. This issue has also resulted in Mr. [plaintiff] being unable to work in his catering establishment for a considerable number of hours. For this he has employed an employee for 31 hours. The costs of this amounted to € 17.50 (ex. VAT) with a total amount of € 542.50. 
On February 27, 2019, the municipality adopted the decision to grant a permit to [plaintiff] for the establishment of a private shooting range c.q. the reinstatement of a tube shooting range on the plot [plot number] . The application, the final decision and the accompanying documents have been made available for inspection at the town hall. The decision was published in the Government Gazette. 
An article appeared in the Dagblad van het Noorden of March 1, 2019, based in part on an interview with [plaintiff] . This article reads as follows: 
Data leak victim' demands 15,000 euros from municipality of Oldambt: 'I want to wake them up'. 
A man from [defendant's place of residence] is filing a claim for damages of 15,000 euros with the municipality of Oldambt. The municipality published all the man's personal data, including his address, mobile number and even his citizen service number (BSN), on its website.
The document containing all the sensitive data has been published four times and has been publicly available on the municipality's website for a total of about two years. Oldambt has since removed the documents. 
[Place of residence defendant] had to fill in his details for a permit application in the municipality of Oldambt years ago. That document was not meant to be published. 'An employee accidentally posted the wrong document,' the municipality informed us last December.
Because all his data was on the street and the permit application is sensitive, the man prefers not to be named and shamed.
The man says he had to take measures out of a sense of insecurity. 'I bought alarm and camera systems and shutters. If you tie all the data together, all the information could be useful to a criminal,' he says. 'I don't want to do that to society and myself.'
He says the total cost of the measures is around 15,000 euros.
Making a Statement 
In his own words, the 'data leak victim' is not so much about the money. 'Look, nobody says no to money, but this is about something completely different. Everyone has to comply with privacy laws and companies even have to buy entire systems and go on courses to avoid making mistakes.'
He continued: 'Then it can't be that the municipality is just flouting this. I want to shake up the municipality, make a statement.' (…)
By letter to [plaintiff's] attorney dated 10 April 2019, the municipality of Oldambt rejected the material and immaterial damages claimed by [plaintiff], for lack of substantiation. Even after this, the parties did not reach an agreement on these damages. 
3 The dispute
plaintiff] claims that the Subdistrict Court, in a judgment that is provisionally enforceable, declares that the municipality acted unlawfully towards him, ordering the municipality to pay an amount of material damages of € 11,307.00 and an amount of immaterial damages to be determined ex aequo et bono, or at least an amount of damages to be determined by the Subdistrict Court in good justice, increased by the statutory interest, and ordering the municipality to pay the legal costs. 
The [plaintiff] bases his claims, summarized, on the following. In violation of the AVG, the municipality has repeatedly published personal data of [plaintiff] , namely his email address, telephone number and BSN number, publicly via the municipal website. These data breaches concern an unlawful processing of personal data, which can be attributed to the municipality as the controller. The plaintiff] has suffered damage as a result of this unlawful act by the municipality. The municipality must fully compensate the actual damage suffered by [plaintiff] under Section 82 AVG. The material damage of [plaintiff] consists of the costs for securing the home of [plaintiff] , such as the installation of roller shutters, security cameras and alarm systems. [Claimant] took these measures in the spring of 2019. The relevant costs were necessarily and reasonably incurred by [plaintiff] due to the potential, serious risks of leaks of the personal data he provided for the purposes of the permit application, such as a burglary of the home, robbery/assault and identity fraud. A shooting range is an indication that [plaintiff] possesses a firearm. Thus, the causal link between the municipality's actions and the material damage is given. The immaterial damage of [plaintiff] lies in the fact that he has had strong feelings of anxiety as a result of the data breach. For a long time he has not felt safe in his own home and he (was) afraid that a malicious person would want to do something to him or his family. His personal data had also been on the street for quite some time. The fact that the municipality reported the data leaks to [the plaintiff] and the Personal Data Authority already shows that there was a great risk of damage for [the plaintiff]. Thus, there is an impairment of the person as referred to in Section 6:106 (1) under b of the Dutch Civil Code1 , which justifies the award of damages to be determined ex aequo et bono. Claimant] has purely sought publicity to open the eyes of the municipality and to expose abuses. This was a desperate act, according to [plaintiff] . 
The municipality disputes the claims of [plaintiff] , to which end it submits, in summary, the following. In the summons [plaintiff] did not state many relevant facts completely and truthfully, so that he should be declared inadmissible in his claims based on Article 21 Rv2, or at least for that reason the claims should already be rejected, or the damages should be set at nil. In addition, the failure to provide relevant facts fully and truthfully in the given circumstances constitutes an abuse of authority (pursuant to Section 3:13 of the Dutch Civil Code) of the right to claim damages. There is no interest in the declaratory judgment claimed by [plaintiff], since there has only been one incident and no more than that, without any damage being made plausible. [plaintiff] has also demonstrably suffered no financial loss, while he pretends to have incurred costs for the security of his home. No shutters or security cameras were installed on [Claimant's] home. Any proof of payment for these has also not been submitted. Furthermore, according to the municipality, [plaintiff] has not suffered any immaterial damage. For the awarding of such damages, there must be an impairment of the person and this is not easily the case. Neither has there been an infringement of a fundamental right of [claimant]. From his statements in the media it is clear that [plaintiff] is out to teach the municipality a lesson and that this is not necessarily a matter of stress and feelings of anxiety. Moreover, any damages can only concern the damage that [plaintiff] would have suffered as a result of the publication of his BSN number, telephone number and e-mail address. Not whether he has suffered damage as a result of his name being associated with the shooting sport or his desire to obtain the shooting range. That [plaintiff's] name is associated with firearms is his own fault by choosing to publish personal data for his permit application and by seeking publicity about the shooting range. 
The parties' contentions are discussed in more detail below, to the extent necessary. 
4 The assessment
Key points. 
In these proceedings, the central question is whether [plaintiff], in connection with a number of data leaks on the municipal website, in which his BSN number, e-mail address and telephone number were published, can claim payment of compensation from the municipality for the material and immaterial damage he claims. The Subdistrict Court will conclude below that the municipality has violated the AVG with the occurrence of the said data leak and is therefore liable for compensation towards [plaintiff]. In the given circumstances there is no reason to award an amount of material damages, but there is reason to award a (limited) amount of immaterial damages to [claimant] . The Subdistrict Court will explain this opinion below. 
Article 21 Rv 
Pursuant to Article 21 of the Dutch Code of Civil Procedure, the parties are obliged to present the facts that are relevant for the decision, completely and truthfully. If this obligation is not complied with, the Subdistrict Court may draw whatever conclusions it deems appropriate. 
It is characteristic of civil proceedings that both parties, in support of the claim or the defense, point out those facts in particular that they consider relevant for the support of their own positions. The fact that the plaintiff, in the opinion of the defendant, does not mention all facts that the defendant considers relevant for the case, does not in itself mean that the plaintiff is acting in violation of article 21 Rv. In the opinion of the Subdistrict Court in these proceedings it has not become evident that [plaintiff] consciously tried to conceal facts that - according to objective standards - are important for the decision to be made. In addition, the municipality in its turn has given a very extensive factual explanation. All in all, the Subdistrict Court therefore considers itself amply informed about the relevant facts. Moreover, even if [plaintiff] had not mentioned all relevant facts, this circumstance - contrary to what the municipality apparently argues - does not automatically lead to the conclusion that [plaintiff] cannot be granted his claims in advance, or that the claims must be dismissed in advance. 
Abuse of power 
Also, in the opinion of the subdistrict court, the municipality's defense that [plaintiff] is abusing his authority by instituting his claims cannot succeed. 
The institution of a legal action can only constitute abuse of power as referred to in Article 3:13 of the Civil Code in exceptional cases. For that purpose it is necessary that in view of the obvious unfoundedness of the claim, it should not have been instituted in connection with the interests involved of the other party. This is only the case if the plaintiff has based the claim on facts and circumstances of which he should have known or been aware of the incorrectness, or on statements which he should have understood in advance had no chance of success. 3 The court should, also in view of the right to access to justice guaranteed by Article 6 of the ECHR4 , be cautious in considering such a situation to be present. 
Now that it has been established that there have been several data leaks of personal data of [plaintiff] on the municipal website, [plaintiff] was free, in the opinion of the Subdistrict Court, to subsequently bring the dispute between the parties about the liability of the municipality for these data leaks before the court. The related claims of [plaintiff], contrary to the opinion of the municipality, can certainly not be regarded in advance as so obviously unfounded that [plaintiff] could not reasonably proceed to summon the municipality. 
Legal framework 
With that, the Subdistrict Court comes to the substantive assessment of [plaintiff's] claims. To this end, the Subdistrict Court will first set out the legal framework of a claim for damages under the AVG. 
Article 6(1) of the AVG provides that processing of personal data is lawful only if at least one of the conditions set out there in (a) to (f) is met. An unauthorized processing of a data subject's personal data must be considered an unlawful act of the controller against the data subject by civil law standards. 
In addition, Article 82 of the AVG, to the extent relevant here, reads: 
1. Any person who has suffered material or immaterial damage as a result of a breach of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. 
2. Each controller involved in processing shall be liable for the damage caused by processing that violates this Regulation. (…) 
6. Judicial proceedings for the exercise of the right to compensation shall be conducted before the courts of the Member State referred to in Article 79(2). 
The AVG is directly applicable in any EU member state (Article 99 (3) AVG). The claim for damages in case of acting in violation of the AVG flows directly from the AVG. However, the AVG does not determine which court in a member state is competent to adjudicate the right to damages when, as here, the infringement was committed by an administrative body. In this case, the Subdistrict Court considers itself competent to take cognizance of the dispute, in view of the civil basis of the claims of [claimant] and the amount claimed. 
Although it follows from Article 82 AVG that full compensation for actual damage resulting from the breach(s) of the AVG must be provided in a manner that does justice to the objectives of this Regulation, the AVG does not stipulate the manner in which the data subject's damage must be established and calculated. According to established case law of the Court of Justice, in the absence of Community rules, it is a matter for the internal legal order of each Member State to lay down the rules governing the exercise of the right to compensation, subject to compliance with the principles of equivalence and effectiveness. 5 Nevertheless, when exercising the right to compensation as laid down in Article 82 AVG, account must be taken of recital 146 of the preamble to the AVG. This states, inter alia, that the controller must compensate any damage that a person may suffer as a result of processing in breach of this Regulation. The concept of damage should be interpreted broadly, in light of the Court's case law, in a way that fully reflects the objectives of the AVG. It has also been mentioned that data subjects must obtain full and effective compensation for damage suffered by them. The mere fact that damage cannot be precisely specified and may be minor is no ground to reject any claim to it. 6 
The Court has not yet provided an explanation of the concept of damage or about the compensable (material and immaterial) damage in the event of unlawful processing of personal data. According to established case law of the Court, a violation of norms does not by definition lead to damage. 7 Furthermore, the damage to be compensated must be real and certain. 8 
The Subdistrict Court thus concludes that, taking into account the aforementioned case law of the Court and Article 146 of the Preamble to the AVG, national law is decisive in answering the question of whether alleged damage is eligible for compensation. 9 
Breach of AVG 
The Court is of the opinion, together with the parties, that the repeated data leaks on the municipality's website, in which certain personal data of [plaintiff] were published without his (prior) consent, namely his e-mail address, BSN number and telephone number, must be regarded as infringements of [plaintiff]'s privacy as referred to in Article 4 (12) of the AVG. The declaration of rights claimed by [plaintiff] in connection with this is therefore allowable, as will be reported below in the decision. Even if there would be an incident, as the municipality argued, [claimant] still has a sufficient interest in this claim, in the opinion of the Subdistrict Court. 
Damage liability of the municipality 
The aforementioned violations mean that [claimant] is in principle entitled to payment of damages against the municipality under Article 82 AVG. In that respect, [plaintiff] claims compensation for both material and immaterial damage. These items of damage must, as established above, be assessed on the basis of Dutch civil law. 
Article 6:95 of the Civil Code provides that the damage which must be compensated on the grounds of a statutory obligation to pay compensation consists of financial loss (Article 6:96 of the Civil Code) and other disadvantage, the latter insofar as the law gives the right to compensation for this. The latter refers to immaterial damage (Article 6:106 BW). 
Asset Damage 
The Subdistrict Court established that [claimant] based his claim for compensation of material damage on Section 6:96 (2) under a of the Dutch Civil Code, which provides that as financial damage the reasonable costs of preventing or limiting damage that could be expected as a consequence of the event on which the liability is based, also qualify for compensation. Against this background [plaintiff] claims, in brief, compensation for the costs of the measures he claims to have taken after the occurrence of the data leaks for the security of his house, consisting of the installation of security cameras, alarm systems and rolling shutters. 
The costs referred to in the aforementioned article of law must meet a "double reasonableness test". Both the taking of the measures in question in itself and the associated costs must be reasonable. Specifically, it must concern measures that, in light of all the circumstances, were justified. This includes factors such as: was there a sufficient threat of such an event; was there a reasonable relationship between the extent of the expected costs of the measures and the amount of damage to be expected as a result of the event? There must be at least a serious chance of damage as a result of the event(s) in question in order for these costs to be eligible for reimbursement. 10 
The Subdistrict Court is of the opinion that the security measures taken by [plaintiff] in the present case to his home cannot be regarded as reasonable costs to prevent or limit damage as a result of the events on which the liability is based in this case, the data leaks. To this end, the following is relevant. 
What has happened here in concrete terms is that, as a result of some data leaks at the municipality, the BSN number, e-mail address and telephone number of [plaintiff] have been revealed on the municipal website, as a result of which others have been able to take note of these personal data. That is the reproach that the municipality can be made of, in the opinion of the court. No more, no less. By using these personal data, malicious persons could have taken advantage of them, such as identity fraud. The Subdistrict Court considers it understandable that [claimant] has been unpleasantly affected by these data leaks and has feared for the (increased) risk that others could get hold of these personal data, which could cause him harm. However, it has neither been argued nor has it become evident that in this case there was any concrete threat of such damage. After having reported the data breach, the municipality also quickly "plugged" it by removing the personal data concerned from the municipal website. In addition, it must be considered that [claimant] , who had opted for a public application for an environmental permit for the shooting range, had in any case already - voluntarily - revealed his own name and residential address to the public for the purpose of publication of the application by the municipality. With this, [plaintiff] knew, or at least he could have reasonably known, that his residential address and the opening of a shooting range in Winschoten desired by him could be linked by third parties. However serious the data leaks in question may have been, in the given circumstances the Subdistrict Court does not consider it plausible that there was a serious chance that these data leaks as such could lead to personal danger to [claimant] , or at least to his property. Against this background it cannot be seen that, as a result of the data leaks, [plaintiff] was forced to secure his home in order to protect himself, his family and his goods. Thus, there is no question of reasonable measures to prevent or limit damage resulting from the data breaches. 
It did not escape the district judge's notice that [plaintiff] could be associated with shooting sports. However, this circumstance can hardly be attributed to the municipality. As already considered above, [plaintiff] first of all consciously cooperated with the fact that his address details would be published in connection with the application for an environmental permit for the shooting range. Furthermore, [plaintiff] consciously cooperated with the publication of an article in the Dagblad van het Noorden newspaper about the arrival of the shooting range, in which he was clearly associated with this shooting range. In the opinion of the Subdistrict Court, [the plaintiff] has ensured himself that third parties could associate him with the shooting range and/or the sport shooting activities. His fear that malicious persons would (could) target him for that reason is therefore in his own sphere of risk. The municipality has nothing to do with this. It is obvious that [plaintiff], in view of his - by himself made known - possession of firearms, would have started securing his home in any case. 
In view of the foregoing, the compensation for material damage claimed by [plaintiff] must be rejected. 
Intangible damages 
Pursuant to Section 6:106 of the Dutch Civil Code, an injured party is entitled, insofar as relevant here, to damages to be determined on an equitable basis for disadvantage that does not consist of property damage, if (sub b) the injured party has been affected 'in another way in his person'. 
The aforementioned 'harm to the person' is in any case damage if the injured party has suffered mental injury as a result of the event causing the damage. The party who relies on this, will have to provide sufficient concrete data from which can follow that in connection with the circumstances of the case mental damage has occurred. For that purpose it is required that according to objective standards the existence of mental injury can be established. Even if the existence of mental injury in the aforementioned sense cannot be assumed, it is not excluded that the nature of the norm violation and its consequences for the injured party mean that there is an impairment of the person referred to in Section 6:106 opening words and under b of the BW 'in another manner'. In such a case, the party who relies on this will have to substantiate the personal injury with concrete data. This is only different if the nature and seriousness of the violation of the standard mean that the relevant adverse consequences for the injured party are so obvious that an impairment of the person can be assumed. The mere violation of a fundamental right does not constitute an impairment of the person 'in another manner' as referred to in Section 6:106. opening words and under b of the BW. 11 
The Subdistrict Court is of the opinion that the framework outlined above allows the requirements of the AVG and the case law of the Court, as set out above under 4.11. and 4.12., to be met when assessing a request for immaterial compensation under Article 82 AVG. 
The Subdistrict Court then considered that a violation of the AVG does not automatically imply an impairment of the integrity of a person and therefore leads to compensable immaterial damage. The injured party must make the impairment of his person plausible and substantiate the alleged damage with concrete data. 12 
In the opinion of the Subdistrict Court, [plaintiff] has not, or at least has not sufficiently, argued that as a result of the unlawful actions of the municipality he has suffered psychological damage established on objective grounds, in the sense of a syndrome recognized in psychiatry13. Data showing that he suffered psychological damage in relation to the circumstances have not been supplied. Only a more or less strong psychological discomfort, such as temporary feelings of stress or anxiety, is insufficient for compensation of immaterial damage. 14 
The Subdistrict Court, however, is of the opinion that [claimant]'s personal privacy has been affected in other ways. The privacy of [claimant] has been violated repeatedly by the municipality because of the - in violation of the AVG - publication of the BSN number, the e-mail address and the telephone number of [claimant] on the municipal website, without [claimant] having given the municipality permission to do so (see section 36 of the judgment of the Division). This also concerns data that are sensitive by nature, certainly when it concerns the BSN number of [claimant]. The adverse consequences of leaking these, such as identity fraud, are obvious. Therefore, in the opinion of the Subdistrict Court, [claimant] is entitled to compensation for immaterial damage suffered, to be determined in fairness. In view of the circumstances of the present case, including the nature, duration, frequency and seriousness of the breach, set off against the circumstance that it has not appeared that the data breach has led to concrete negative consequences, the Subdistrict Court will determine this compensation in all fairness in an amount of € 500.00. This amount will be awarded below. 
Litigation costs 
In view of the outcome of these proceedings, the Subdistrict Court sees cause to compensate the legal costs between the parties in the manner set forth below. 
Declaration of executability by stock 
Only the decision mentioned under 2. below is by its nature provisionally enforceable. A declaration for justice is not. 
The subdistrict court: 
Declares that the municipality of Oldambt acted unlawfully towards [plaintiff] by repeatedly publishing personal data (e-mail address, telephone number and BSN number) of [plaintiff] on the website of the municipality of Oldambt without [plaintiff]'s consent; 
Orders the municipality of Oldambt to pay [plaintiff] an amount of 
€500.00 in intangible damages; 
3. declares the judgment to be provisionally enforceable as far as the sentence under 2. is concerned; 
Rejects the more or otherwise claimed; 
5. shall compensate the costs of the proceedings in such a way that each party bears its own costs. 
This judgment was rendered by M. Griffioen, subdistrict court judge, and pronounced at a public hearing on January 12, 2021, in the presence of the clerk.
MP (520)
1 BW = Civil Code 
2 Rv = Code of Civil Procedure 
3 cf. HR 15 September 2017, ECLI:NL:HR:2017:2360. 
4 4 ECHR = European Convention on Human Rights. 
5 cf. ECJ 13 July 2006, C-295/04 - 298/04, Manfredi, ECLI:EU:C:2006:461. 
6 cf. Rechtbank Noord-Nederland 15 January 2020, ECLI:NL:RBNNE:2020:247. 
7 cf. CJEU 6 November 2012, C-199/11, Otis, ECLI:EU:C:2012:684. 
8 cf. CJEU 4 April 2017, C-337/15 P, European Ombudsman v Staelen, ECLI:EU:C:2017:256. 
9 cf. ABRvS 1 April 2020, ECLI:NL:RVS:2020:898. 
10 See T.F.E. Tjong Tjin Tai, 'Liability for data breaches', WPNR 2016/7110, para. 6. 
11 cf. HR 15 March 2019, ECLI:NL:HR:2019:376, HR 28 May 2019, ECLI:NL:HR:2019:793 and HR 19 July 2019, ECLI:NL:HR:2019:1278. 
12 cf. ABRvS 1 April 2020, ECLI:NL:RVS:2020:899. 
13 cf. HR 22 February 2002, ECLI:NL:HR:2002:AD5356. 
14 cf. HR January 23, 1998, ECLI:NL:HR:1998:ZC2551 and Arnhem-Leeuwarden Court of Appeal, December 22, 2020, ECLI:NL:GHARL