The General Data Protection Regulation (GDPR) has been in effect in the Netherlands since 2018. Under the GDPR, fines can be imposed to punish privacy breaches. Apart from this fining option available to the Dutch Data Protection Authority, victims of a privacy breach can also claim compensation. In the meantime, compensation has already been awarded in several cases based on GDPR breaches. Below, we discuss a number of practical examples. These compensation awards are in addition to any GDPR fines. They demonstrate that it is best to have your privacy affairs in order.
UWV wrongfully shares medical data with a new employer: €250
A first example can be found in a ruling by the Amsterdam District Court in 2019 (ECLI:NL:RBAMS:2019:6490). At that time, the UWV had wrongly shared medical data with a new employer of the employee concerned. Information regarding the employee's burnout was wrongly shared with the new employer. The UWV had left the disclosure entirely to an automated system without conducting a substantive review. The UWV was ordered to pay the employee compensation of 250 euros.
Company shares address details of a journalist: €250
In early 2020, the District Court of Northern Netherlands also issued a ruling regarding damages under the GDPR (ECLI:NL:RBNNE:2020:247). A submitted Facebook post revealed that a company, which possessed a BRP extract of a journalist in the context of legal proceedings, had unlawfully provided this extract to a third party. The journalist's address details were visible on this extract. The court was strict because the personal data was shared with a third party without the journalist's consent. The journalist was awarded damages of 250 euros.
Director shares strictly personal data of a detainee: €500
In April 2020, a new ruling followed, this time from the Administrative Jurisdiction Division of the Council of State (ECLI:NL:RVS:2020:898). In this case, the director of the Pieter Baan Centre had provided documents containing the detainee's health data to the Regional Disciplinary Board for Healthcare without the detainee's permission or knowledge. This concerned strictly confidential personal data of the detainee. In the first instance, the detainee was awarded compensation of 300 euros. On appeal, the compensation was set at 500 euros.
Municipality publishes BSN and other personal data: €500
In 2021, too, there were cases in which compensation was awarded on the basis of a GDPR violation. For example, in early 2021, there was a case (ECLI:NL:RBNNE:2021:106) involving a data breach on a public municipal website. The aggrieved party's email address, telephone number, and BSN were published online. He was awarded compensation of 500 euros.
Municipality ignores removal requests: €2,500
On July 12, 2021, the District Court of Rotterdam awarded exceptionally generous damages (ECLI:NL:RBROT:2021:6822). In this case, the aggrieved party had twice asked the Municipality of Rotterdam to remove health data from a file. This request was rejected on both occasions. Subsequently, the municipality decided to remove the data anyway. There had been unlawful data processing. Over a period of ten years, various individuals or entities were able to access this improperly processed personal data. Compensation of 2,500 euros was awarded.
Medical information is published in a book: €2,000
Naturally, there were also a number of cases in 2022 in which damages were awarded due to GDPR breaches. Recently, for example, there was the ruling by the District Court of Zeeland-West-Brabant (ECLI:NL:RBZWB:2022:5457). In this case, the plaintiff was being treated as a patient in a hospital. A hospital employee, namely the lover of the patient's ex-partner, repeatedly and unlawfully accessed the patient's medical file. As a result, medical information concerning the plaintiff ended up in a book. The plaintiff was awarded €2,000 in damages for non-pecuniary damage.