By Ilse Baijens, Philip Nabben, Firm: Deur Advocaten

The Netherlands Employee Insurance Agency has been ordered to pay EUR 250 damages to an employee whose personal health information was accidentally sent to her new employer.

On 2 September 2019, the Amsterdam District Court rendered an interesting ruling on compensation for damages after a violation of the GDPR by the UWV (the Employee Insurance Agency). It is one of the first judgments about a claim for damages as a result of violation of the GDPR in an employment law context and the court has taken the time to elaborate this carefully in the judgment.

The facts

An employee had been employed from 2012 onwards. During that period of employment, she became long-term unfit for work as a result of a burnout. The employee received a letter from the UWV at one point which included the statement:

‘Are you fully recovered at this time? And have you returned to work? In that case, no action is required on your part. After all, you are not required to report to us that you are fit for work.’

The employee did indeed recover, and shortly after that entered into employment with a new employer on the basis of a temporary contract.

Subsequently, the UWV sent a letter, by mistake, to her new employer mentioning the employee's long-term illness. The new employer had not been aware of this and asked the employee for an explanation in an interview, since, coincidentally, the letter was received at the time the employer was deciding on whether or not to offer her a follow-up contract (which, incidentally, the employer did offer in the end).

The employee made a claim against the UWV for breach of the GDPR. The employee claimed damages in the amount of EUR 500 for non-material damage as a result of the stress incurred by the incident.

Amsterdam District Court judgment

In its judgment, the Court states that the incident concerned personal data of a sensitive nature (not to be confused with the special personal data separately regulated by law), since the mere mention of long-term illness is itself of a sensitive nature.

The court subsequently ruled that the UWV did indeed violate the GDPR. The GDPR obliges the controller to, among other things, take appropriate technical and organisational measures to safeguard the integrity and confidentiality of the personal data that it processes, explicitly including protection against accidental loss.

The UWV decided to send letters with content such as this via an automated system that uses available address data from current employers, therefore without making a prior assessment of whether sending the letter is correct or appropriate. According to the court, a check as to the accuracy of the communication and/or of the addressee was, especially in light of the sensitive nature of the data, necessary, and also possible for an organisation such as the UWV. By applying this working method, UWV had acted contrary to the GDPR vis-à-vis the employee by infringing her right to have her privacy respected and her personal data protected.

The employee claimed EUR 500 damages to compensate for the fact that there was great uncertainty during the period from the moment the data breach occurred until the moment when her employer decided to extend her contract. There was a considerable risk that the new employer might not renew her contract based on the facts about the burnout that were brought to the employer’s attention. The fact that this risk did not ultimately materialise meant the court considered the damage was limited. Attempts on the part of the UWV to argue that immaterial damages should only be granted in very serious situations were dismissed by the court.

On the contrary, the court referred to the GDPR recitals (the texts that precede an EU regulation and set out the reasoning behind its provisions) that show that, according to the GDPR, the concept of damage must be interpreted broadly (recital 146). The court pointed to the possibility of an individual concerned claiming damages in court for violation of the GDPR: immaterial damages are explicitly mentioned. In short, the court found that the fact that major damage could have been incurred (no contract extension) had understandably led to stress, and therefore to damage that could be compensated. The judge ultimately estimated the appropriate level for damages as EUR 250.

What does this mean in practice?

The claim did not turn out to be a ‘gravy train’ for the employee in question, but she had only claimed modest damages. Apparently, the legal action was a question of principle for the employee concerned. However, despite the modest level of the damages award, the UWV will have to examine its processes, because it apparently uses a system of sending letters, including those with sensitive content, which does not stand up to the GDPR requirements and scrutiny.

All other responsible parties, such as health and safety services, but also employers, must be aware that, according to this judgment, the risks of claims for compensation for damages resulting from violations of the GDPR are very real.