Rb. Rotterdam - 9436020 \ CV EXPL 21-30289

From GDPRhub
Court: Rb. Rotterdam (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 4(2) GDPR
Article 6 GDPR
Article 9 GDPR
Article 82 GDPR
Article 99 GDPR
Article 288 TFEU
Decided: 25.02.2022
Published: 03.03.2022
Parties:
National Case Number/Name: 9436020 \ CV EXPL 21-30289
European Case Law Identifier: ECLI:NL:RBROT:2022:1420
Appeal from:
Appeal to: Unknown
Original Language(s): Dutch
Original Source: Rechtspraak.nl (in Dutch)
Initial Contributor: Robin Verhoef

Lower Dutch court orders controller to pay € 250 in damages after data breach due to Excel file sent to all potential buyers of a new housing project.

English Summary

Facts

The data controller is a company that is building new houses in Zevenhuizen. People who were interested in buying these new houses could register as a candidate buyer via the website of the controller. About 1,100 people, including the data subject, signed up. During the registration, the controller collected confidential personal data of the data subjects (such as first and last name, place and date of birth, email address, phone number, the maximum amount they could borrow for a mortgage, yearly income, etc.). In April 2021, the controller sent an email to everyone who had registered for the project with an unencrypted Excel file attached, which contained the personal data of everyone who had registered. Following up on this mistake, the controller sent an email in which it acknowledged the data breach and apologised for the violation of the privacy and security of the 1,100 registered potential buyers.

The data subject brought the issue before the court and claimed immaterial damages from the controller for the unlawful processing of their personal data.

Holding

The Court acknowledged that a substantial amount of personal data was leaked to all of the registered potential buyers. This is a form of processing (Article 4(2) GDPR), and it is unlawful since there is no legal basis for this processing (Article 6 GDPR). The controller had thus unlawfully processed the personal data of the data subject in breach of the GDPR. The Court explained that the loss of control over one's personal data is a form of damage (Recital 85 GDPR). It also considered that the meaning of 'damage' has to be interpreted in line with the case law of the Court of Justice.

While the controller claimed that the data subject had not suffered any legally relevant damage under Dutch civil law, the Court pointed out that Article 82 GDPR has to be interpreted in the context of EU law: the fact that the damage cannot be directly quantified does not prevent the award of damages. The Court pointed out that control over one's own personal data is one of the main goals of the GDPR. The data subject lost that control due to the actions of the controller, and the Court therefore found this to be a ground for damages. The Court weighed the fact that confidential personal data was leaked, but only to a small group and due to a human mistake. The Court also took into account that the controller acted immediately and that the leak did not include special categories of personal data. Hence, the Court decided that an amount of € 250 in damages sufficed.

Comment

The Court's consideration that the mere fact that the data subject loses control of their personal data is sufficient to award damages is in conflict with some earlier court cases.


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

COURT ROTTERDAM

case number: 9436020 \ CV EXPL 21-30289

verdict: February 25, 2022

judgment of the subdistrict court, sitting in Rotterdam,

in the case of

[plaintiff] ,

living in [place of residence] ,

plaintiff,

hereinafter referred to as: [plaintiff] ,

authorized representative: mr. A.C. van 't Hek,

against

[defendant]


located in [establishment] , municipality [municipality] ,

defendant,

hereinafter referred to as: [defendant] ,

authorized representatives: mr. O.A. Sleeking and mr. A.W.D. Lensink.

1. The process

1.1.

The course of the procedure follows from the following procedural documents:

- the summons with productions of September 2, 2021;
- the statement of reply with exhibits;
- the interlocutory judgment of 11 October 2021, in which an oral hearing is determined;
- the letters from [plaintiff] of 30 December 2021 with additional productions and a USB stick.

1.2.

The oral hearing took place on January 31, 2022. [Plaintiff] appeared in person, assisted by her authorized representative. The representatives appeared on behalf of [defendant], accompanied by [person A 1] and [person B] (employees of [defendant]).

1.3.

The district court has ruled that a verdict will be delivered today.

2. The established facts

The following established facts are assumed.

2.1.

[defendant] is carrying out the new construction project 'Koningskwartier' in Zevenhuizen. In 2021, people who were interested in the possible purchase of a new-build home could register as a candidate buyer via a website. About 1,100 persons, including [plaintiff], have made use of this option. Various confidential, personal data of the interested parties were collected during this registration.

2.2.

On April 12, 2021 at 5.14 pm [defendant] sent an e-mail to all persons who registered for the Koningskwartier project. [Defendant] enclosed an unsecured Excel file with this e-mail containing the data of all approximately 1,100 people who have registered for the new construction project. The Excel list contains, among other things, the following information about the registered person and his/her partner, if any:

- first and last name;
- date and place of birth;
- address;
- e-mail address and telephone number;
- desired purchase price;
- maximum amount to be borrowed;
- annual income;
- own resources that the prospective buyer wishes to contribute;
- the new-build homes in which the prospective buyer is interested.

2.3.

A minute later, at 5.15 pm, [defendant] attempted to withdraw the e-mail message sent.

2.4.

That same evening, at 10.19 pm, [defendant] sent an e-mail to all persons who have registered. It states, among other things, the following:

“(…) This afternoon you received an e-mail from [defendant] ([e-mail address 1]) stating that you have not been drawn and that you are on the reserve list. Unfortunately, an Excel attachment with personal data has been added. Attempts have been made to withdraw the message, but this has not been successful in all cases. We would like to urge you to delete the said e-mail with attachment immediately. Despite this request, it is possible that approximately 1100 recipients have received and viewed the e-mail message. We deeply regret this incident and of course take immediate measures to prevent this from happening again.

In view of the personal data included in the Excel file, including name and address details, telephone number, e-mail address and salary data, we consider this a data breach and we report this to the Dutch Data Protection Authority in accordance with the legal obligation. Since your e-mail address is also included in the attachment, we would like to advise you to be extra alert to possible phishing e-mails in the name of [defendant] in the coming period. If you have any doubts about the correctness of a message, please contact the commercial manager [person A 2] (email [e-mail address 2] phone number [o6 number] ).

All that remains for me to do is offer you our sincere apologies on behalf of [defendant] and the Zuidplaspolder II CV Area Development Company. We take privacy and security very seriously. Unfortunately, we were unable to achieve this in your case, but we will do everything we can to protect your data as well as possible from now on.”

2.5.

[Plaintiff]'s attorney wrote to [defendant] and claimed damages. [Defendant] refused to pay compensation.

3. The Dispute

3.1.

[plaintiff] has claimed by judgment, provisionally enforceable, to declare that [defendant] has acted unlawfully towards her, and to order [defendant] to pay her € 20,000, at least an equitable estimate amount, in immaterial compensation, plus the statutory interest from the day of the summons until the day of full payment.

3.2.

In summary, [claimant] based her claim on the following. Sending the Excel list with personal data must be regarded as an unlawful act, namely in violation of Article 6 paragraph 1 of the General Data Protection Regulation (hereinafter: GDPR). [Defendant] must compensate the damage [claimant] has suffered as a result of this on the basis of Article 82 of the GDPR. She suffers € 20,000 in intangible damage. [Plaintiff] has in fact been affected in her person, because her (most) intimate personal data are now known to at least 1,099 others.

3.3.

[Defendant] has concluded to (primarily) complete rejection, or (in the alternative) moderation of the compensation, without granting provisional enforceability, or at least on the condition that [claimant] must provide security for this, and ordering [claimant] to pay the costs (and subsequent costs) of these proceedings, plus interest.

3.4.

[Defendant] has submitted the following in support of its defence. Due to a human error, the Excel list was added to the e-mail. However, the mere fact that personal data of [plaintiff] have been distributed does not mean that [defendant] must pay compensation to [plaintiff]. [Plaintiff] must specify that there is material and/or immaterial damage. She did not. Nor can this damage be assumed on the basis of the nature and seriousness of the violation of standards and its consequences. The claimed damages must therefore be dismissed. The declaratory judgment must also be rejected, because [plaintiff] has no interest in it.

3.5.

Insofar as it is important for the assessment, what further arguments have been put forward by the parties will be discussed below.

4. The assessment

Declaration of law

4.1.

There is no discussion about the fact that [defendant] has distributed a significant amount of [plaintiff]'s personal data to a large group of people. The dissemination of personal data is a form of processing as referred to in the GDPR (article 4 sub 2 GDPR). Article 6 of the GDPR provides that the processing of personal data is only lawful if one of the processing bases referred to in that article applies. It has not been argued or shown that in this case one of those principles applies. The conclusion is that [defendant] has unlawfully processed the personal data of [plaintiff]. [defendant] has therefore infringed the GDPR. In principle, the claimed declaration of law is therefore admissible. However, [defendant] has disputed that [plaintiff] has an interest in that statement. [Buyer] did not further substantiate what its interest in that statement lies in. This interest cannot be understood without further explanation. In the absence of importance, the claimed declaratory judgment is therefore rejected (Article 3:303 of the Dutch Civil Code).

Legal framework

4.2.

[Buyer] further claims compensation for her damage. In that context, the following legal framework is important. The GDPR entered into force on 25 May 2018 and is directly applicable in the Netherlands (Article 99 GDPR and Article 288 TFEU). Article 82 GDPR provides that anyone who has suffered material or immaterial damage as a result of a breach of the GDPR has the right to receive compensation from the controller or processor for the damage suffered. It follows from recital 85 of the preamble that this may include loss of control over personal data, identity theft or fraud, reputational damage, or any other significant economic or social disadvantage for the person in question. Recital 146 explains that the concept of "damage" should be interpreted broadly in the light of the case law of the Court of Justice, in a way that fully reflects the objectives of this Regulation. It further follows from that recital that the persons concerned must receive full and effective compensation for the damage suffered by them. It follows from the aforementioned legal provision and the accompanying explanatory notes that the concept of damage must be interpreted autonomously at Community level in order to ensure effective compliance with the GDPR, with an equivalent level of protection in all Member States (recitals 10 and 11 GDPR).

Immaterial damage

4.3.

[Buyer] claims compensation for her non-material damage. She explained at the hearing that she feels unsafe, partly because shortly after this incident she was alerted by neighbors that someone had taken pictures of her apartment. She has also been receiving spam emails and text messages lately. According to her, both this unwanted visit and the unwanted messages are probably related to the e-mail of [defendant], although she is aware that this cannot be proven. She also pointed out that her name is at the very top of the alphabetically sorted Excel list, which makes her data stand out even more. She also pointed out that it is not known where these data are still circulating and that she therefore does not know what to expect, which makes her feel very uncomfortable. At the hearing, both the attorneys and the employees of [defendant] indicated that they understand these feelings.

4.4.

[Defendant] has therefore not disputed that the unlawful processing led to unpleasant consequences for [Plaintiff]. However, it takes the position that this is not legally relevant damage, within the meaning of Article 6:106(1)(b) of the Dutch Civil Code. However, it ignores the fact that Article 82 of the GDPR must be interpreted autonomously in a way that does full justice to the objectives of this regulation, as considered above under r.o. 4.2. In the opinion of the subdistrict court, the consequences that the unlawful processing have had for [claimant] can indeed cause damage as referred to in Article 82 of the GDPR. The fact that the damage in itself cannot be substantiated directly, as argued by [defendant], is no obstacle to this. One of the main goals of the GDPR is that every person remains in control of their own personal data (Recital 7 GDPR). [plaintiff] has lost this control because [defendant] forwarded the data to a significant group of people. As [plaintiff] argued undisputedly during the hearing, it is not possible to determine where this information is now circulating. In the context of effective compliance with the GDPR, the Subdistrict Court is of the opinion that this should be regarded as damage suffered by [plaintiff].

Amount of compensation

4.5.

With regard to the extent of this damage, the Subdistrict Court considers the following. [defendant] forwarded a large amount of personal data of [plaintiff], which, in addition to contact details, also contain sensitive financial data about the income and assets of [plaintiff]. The scope of the data and the combination in which it is provided entail risks for [plaintiff]. [Defendant] also recognizes this, since she warns in her e-mail against phishing messages as a result of the unlawful processing (ground 2.4). In short, the nature and seriousness of the unlawful processing affects the awardable compensation.

4.6.

On the other hand, the subdistrict court took into account that the data was not made public to a general public, but only to a limited group of approximately 1,100 people. It is also important that it is undisputed that adding the attachment to the e-mail is a human error, that [defendant] acted immediately to limit damage and that she reported the infringement. After all, [defendant] requested all recipients that same evening to delete the e-mail and also reported the incident to the Dutch Data Protection Authority. It is also important that the personal data do not concern special personal data, as referred to in Article 9 of the GDPR.

4.7.

In view of the foregoing, the subdistrict court awards compensation of €250. The statutory interest on that amount is awarded as undisputed and founded on the law.

Provisional enforceability

4.8.

[Buyer] has requested that this judgment be declared provisionally enforceable. Pursuant to Article 233(1) DCCP, the court may, if demanded, declare the judgment provisionally enforceable, unless the law or the nature of the case dictate otherwise. Neither the law nor the nature of the case precludes the claimed declaration of provisional enforceability. It follows from settled case law that [plaintiff] has an interest in the declaration of enforceability, since the judgment relates to payment of a sum of money (HR 27 February 1998, NJ 1998, 512). [Defendant] has filed a defense against the declaration of enforceability. However, the subdistrict court judge does not consider the restitution risk it has alleged to be present with regard to this amount of compensation. The further circumstance advanced, that [defendant] will certainly appeal in the event of a judgment granting the claim, does not in itself constitute a well-founded reason. The claimed provisional enforceability is therefore granted.

4.9.

For the same reason, the sub-district court sees no reason for the requested security (Article 233(3) DCCP).

Litigation costs

4.10.

Since both parties have been partially unsuccessful, the Subdistrict Court sees reason to compensate the costs of the proceedings, in the sense that both parties bear their own costs.

5. The decision

The subdistrict court judge:

orders [defendant] to pay [plaintiff] an amount of €250, plus the statutory interest from 2 September 2021 until the day of full payment;

compensates the costs of the proceedings, in the sense that both parties bear their own costs;

declares this judgment provisionally enforceable and rejects the more or otherwise claimed.

This judgment was rendered by mr. F. Aukema-Hartog and was pronounced in public.
