On 2 September 2019, the court of Amsterdam gave judgment in a case in which EUR 250 was granted to the plaintiff as a compensation for immaterial damages suffered due to breach with the GDPR (link to judgment, Dutch only). In the Netherlands, this is the second time that an individual was granted a compensation in a civil law case for immaterial damages suffered due to a breach with data protection rights.
In this case, an employee was granted EUR 250 for immaterial damages suffered, due to the unlawful sharing of her prior illness records by the UWV (the Dutch Employee Insurance Agency) with her new employer.
The employee in question had been reported ill with the UWV by her former employer, but during her second year of illness, the employee entered into employment with a new employer on the basis of a one year contract. However, the UWV was never notified of the fact that the employee ceased being ill, as a result whereof an automatically generated letter was sent to the employee’s new employer after 88 weeks’ of sickness, informing the new employer (unaware of the employee’s previous illness) that the employee would almost become eligible to the WIA social benefit.
Although the letter did not explicitly state the nature of the employee’s illness, the information provided therein was considered by the court to be of a sensitive nature as it disclosed information regarding the employee’s (former) health status. Pursuant to Dutch employment and data protection laws, employees are generally not required to disclose any health or medical information with their (new) employers. The letter therefore resulted in a data breach as her personal data was unlawfully made available to the new employer, while having a potential adverse effect vis-à-vis the employee. The new employer received the letter around the time that it had to decide on prolonging the employee’s term of employment, resulting in increased stress and anxiety for the employee. Although her employment agreement was continued by her new employer, the court considered that the employee had suffered real immaterial damages by this course of events and consequently awarded her a EUR 250 compensation, based on the following:
- The data breach occurred by fault of the UWV, as the letter was sent through an automated system without any (substantive) checks on whether the sending thereof was legitimate or opportune;
- The employee’s personal data was compromised due to this data breach caused by the UWV, as her personal data was made available to her new employer without the employee’s intent or consent thereto;
- The data breach materialized a realistic risk for the employee, as the exposed personal data could adversely affect the employer’s decision on continuing her employment;
- The employee suffered real damages to the mental well-being from the moment that the data breach occurred until the moment the decision was made by the new employer to continue the her employment;
- Although the employee petitioned the court for EUR 500 in damages, but was granted only half thereof by the court, because the court considered that, although a substantial risk materialized for the employee due to the data breach, this risk was not realized as the employment agreement was continued and therefore, the damages suffered were limited.
Although EUR 250 might not seem substantial, the implications of this judgment might be far reaching. First, because the court is continuing the previously rendered view that a breach with data protection laws, can indeed be considered a breach of a fundament law which may result in the granting of compensation for non-material damages. Second, this case may have additional implications for the UWV, since the UWV is already subject to an order imposed by the Dutch Data Protection Authority to improve its security measures regarding health data (see our previous blog on this topic). The issue addressed in this case is very near to the data protection issues that have already been identified within the UWV and might fuel additional enforcement measures from the Dutch Data Protection Authority. Finally, this judgment might just give an opening and serve as precedent for further claims, or possibly, collective actions in the future. We will continue to closely monitor the development in this field, stay tuned!