Rb. Noord-Nederland - 8187989
| Rb. Noord-Nederland - 8187989 | |
|---|---|
 | |
| Court: | Rb. Noord-Nederland (Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 82(1) GDPR The Civil Code of the Netherlands |
| Decided: | 12.01.2021 |
| Published: | 19.01.2021 |
| Parties: | Municipality Oldambt |
| National Case Number/Name: | 8187989 |
| European Case Law Identifier: | ECLI:NL:RBNNE:2021:106 |
| Appeal from: | |
| Appeal to: | Unknown |
| Original Language(s): | Dutch |
| Original Source: | de Rechtspraak (in Dutch) |
| Initial Contributor: | n/a |
The District Court of the Northern Netherlands ordered the municipality of Oldambt to pay claimant 500 EUR in non-material damages but rejected the claim for material damage compensation for the unlawfully published personal data of claimant.
English Summary
Facts
On 1 July 2016 the municipality put a piece of land with an unused shooting range up for sale for a symbolic amount of 1 EUR. The claimant was interested in buying in. To reuse the old shooting range, claimant was required to get an environmental permit from the municipality. The online form available on the sites of the Dutch municipalities, has two options for such permit applications: the complete form, which is available to competent authorities only, and the publicly available version of this form. The information that an applicant wants to keep private is removed from the publicly available version. More specifically, the publicly available version doesn’t contain the applicant’s social security number (BSN) and phone number. When submitting the digital application, an applicant is presented with the following choice: Do you give permission to make publicly available personal and address details of the applicant/notifier and, if applicable, the authorised representative? The claimant submitted his environmental permit application on 9 December 2016. He filled in his social security number, last name, initials, address, phone number and email. He consented to making his data publicly available. On 7 October 2017 and 7 December 2017 the municipality published a draft statement and draft decision, making them available on its site, on the Government Gazette (Staatscourant) and on www.ruimtelijkeplannen.nl. On 2 December 2018 a local journalist twitted about the fact that the municipality has published claimant’s data on its website, including the social security number and phone number. On the same day the claimant reported the data breach to the municipality under GDPR, telling the municipality to remove his data and mentioning non-material and material damages (for the costs involving increased house security). On 3 December 2018 the municipality has included the claimant’s environmental permission application as an agenda item in the council’s meeting and published the agenda on its site, including the claimant’s email, phone number and social security number. Social security and phone numbers were removed from the site on 4 December 2018. The municipality has admitted that personal data breach took place but asked the claimant to substantiate any material damage resulting from the municipality's actions, as it was not prepared to pay non-material damages. The claimant responded with a list of security measures that would be necessary to prevent burglary, blackmail and/or threats. On 10 April 2019, the municipality rejected the claims for material and non-material damages as not sufficiently substantiated.
Dispute
Should the claimant be awarded a (non-)material damage compensation from the municipality for the data breach?
Holding
The Subdistrict Court concluded that the municipality has violated the GDPR by causing data leaks and is therefore liable for damages towards the claimant. In the circumstances of this case there was no reason to award material damages compensation, but there is reason to award (limited) immaterial damages to the claimant. The Court considered the damage compensation claim based on the Dutch Civil Code. The Subdistrict Court arrived at the conclusion that the security measures taken by the claimant could not be regarded as reasonable costs to prevent or limit damage because of the data leaks. The municipality can only be responsible for the breach of the social security number, phone number and email address of the claimant, and nothing else. It was taken it account that the claimant opted in for the public application process, making his address and name publicly available. Against this background it cannot be seen that, because of the data leaks, claimant was forced to secure his home to protect himself, his family, and his possessions. When it comes to the non-material damage compensation, the Subdistrict Court rules that the claimant had not, or at least insufficiently, demonstrated that he has suffered psychological injury because of the unlawful actions of the municipality. Only a strong psychological discomfort, such as temporary feelings of stress or anxiety, is insufficient for compensation of immaterial damage. However, the privacy of the claimant has been violated repeatedly by the municipality because of the unlawful publication of his social security number, the e-mail address, and the telephone number without his consent. These data are sensitive by nature, especially the social security number. The adverse consequences of leaking these, such as identity fraud, are obvious. Therefore, the Court ruled that the claimant was eligible for 500 EUR in non-material damages compensation.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
