Benefit agency UWV must pay a victim of a data breach compensation of 500 euros for damages suffered. According to the court, it is established that the claimant experienced psychological problems and stress due to mistakes made by the UWV. A financial compensation of 500 euros is "fair and appropriate" in this situation, according to the court.
For the beginning of this case, we must go back to the summer of 2021. In July of that year, the UWV sent a letter to the victim, in which the benefits agency said that five letters intended for her had accidentally been sent to the wrong address. In early August, the woman held the UWV liable for the data breach and asked for compensation. The benefits agency acknowledged liability and offered to pay a sum of 250 euros as compensation.
In late September, the victim replied not to accept the amount of compensation. She herself was thinking of an amount of 3,000 euros. She also demanded access to all personal data the benefits agency possessed about her, as well as correspondence with the Autoriteit Persoonsgegevens about the incident. In November, the UWV handed over the requested data. In January 2022, the UWV formally rejected the counter-proposal of 3,000 euros.
The victim then decided to go to court. The court ruled that the UWV had acknowledged liability for the occurrence of the data breach. The only point on which the two sides differ is the amount of compensation.
The plaintiff says the amount offered is "disproportionate to the anxiety and depression" she has endured. The five letters that were misdelivered included medical records. As a result, she missed deadlines and suffered psychiatric symptoms that had a greater impact on her than on healthy people.
To support her claim, she submitted a report from her psychologist to the court. It states the following: "The problems with mail from the UWV to her old address have been co-stressors in recent months. Patient seems to suffer from cognitive flooding when tension mounts, where she has difficulty thinking and keeping an overview. In contact with the UWV, this happened frequently."
The benefits agency defended itself by arguing that the misdirected letters were all returned unopened. Therefore, there is no evidence that anyone else accessed her medical records, or that they were misused by a third party.
"The circumstances that the five letters were returned in sealed envelopes and that there was no evidence that the information was used by third parties do not detract from the fact that the claimant experienced an increase in the severe psychiatric symptoms already present in her and were therefore not of decisive weight for the court," the judge said.
All things considered, the court decided that the UWV should pay damages of 500 euros to the claimant. That amount, it said, is "fair and appropriate" and gives recognition to the fact that the data breach caused psychological problems and stress to the claimant. The UWV must also reimburse the plaintiff for the legal costs and court fees paid.
This is the second time in a short time that a court has ruled that an agency must pay compensation to a victim of a data breach. Last week, a former student of the Hogeschaal Arnhem-Nijmegen (HAN) was told that he is entitled to compensation of 300 euros because of a data breach.
The court ruled that HAN's security level at the time of the data breach was inadequate. This allowed a hacker to access personal and privacy-sensitive data of hundreds of thousands of students and former students via an SQL injection. Because the attacker was able to view the former student's medical data, he suffered damages, according to the court. "The fact that the hacker was able to view/distribute this specific data is sufficient for the assumption of damage due to the breach of the AVG," the judge said.
The former student said he was "super happy" with the court ruling. "The fact that even the judge now rules that HAN made mistakes shows that I was right. I better put a stop to it now," he told the press.
