On September 2, 2019, the District Court of Amsterdam ruled in a case in which the plaintiff was awarded EUR 250 as compensation for the immaterial damage she suffered as a result of a breach of the AVG. This is the second time in the Netherlands that compensation for immaterial damages has been awarded to a natural person in a civil law case due to a breach of the right to the protection of personal data and the right to respect for privacy.
author: Orlec, Nina
In this case, the employee was awarded EUR 250 for non-material damages she suffered as a result of the UWV's unlawful sharing of her previous illness data with her new employer.
The employee in question had been reported sick to the UWV by her former employer, but during her second year of illness she had joined another employer on a one-year contract. However, the UWV had never been informed that she was no longer sick, with the result that after 88 weeks of illness an automatically generated letter was sent to the employee's new employer, informing the new employer (who was not aware of the employee's previous illness) that the employee was close to becoming eligible for WIA benefits.
Although the letter did not explicitly mention the nature of the employee's illness, the court nevertheless considered the information provided therein to be of a sensitive nature, as it contained information about the employee's (former) state of health. Under Dutch labor and data protection law, employees are in principle not obliged to provide health or medical information to their (new) employers. The letter therefore constituted a breach of the employee's personal data protection (a data leak), as her personal data had been unlawfully made available to her new employer by sending the letter, with possible adverse consequences. In fact, the new employer received the letter around the time when a decision had to be made on renewing the employment contract with the employee, resulting in feelings of stress and anxiety on her part. Although the employment contract was still extended by her new employer, the court considered that the employee had suffered real immaterial damage as a result of this course of events and therefore awarded her compensation of EUR 250. To this end, the court considered the following:
The data breach was due to an error by the UWV, as the letter was sent through an automated system without a (substantive) check on the legality or appropriateness of its sending;
The data breach compromised the UWV's control over the employee's personal data because it caused her personal data to be provided by the UWV to her new employer without her intent or consent;
The data breach posed a real risk to the employee because the unlawful communication could adversely affect her employer's decision to continue employment with the employee;
From the time the data breach occurred until the time the new employer decided to continue her employment, the employee suffered real harm because the data breach caused her anxiety and stress;
The employee claimed damages of EUR 500 in court, but only half of that was awarded by the judge. In fact, the judge considered that although the data breach had created a substantial risk for the employee, this risk did not materialize because her employment contract was extended and therefore the damage suffered by her was limited.
Although EUR 250 may not seem substantial, the consequences of this judgment may be significant. First, because the court continues the position previously taken, by the District Court of Overijssel, that a violation of the right to protection of personal data can indeed be considered a violation of a fundamental right, which can lead to an award of compensation for immaterial damage suffered. Second, this case may have additional implications for the UWV, as the UWV is already subject to an order under penalty from the Autoriteit Persoonsgegevens to put its health data security measures in order (see also our previous blog on this topic). The issue raised in this case is very close to the data protection problems already identified within the UWV and may trigger additional enforcement action by the Autoriteit Persoonsgegevens. Finally, this ruling could also be considered a starting point and possibly serve as a precedent for further claims, or possibly, class actions (for damages) in the future. We will continue to closely monitor developments in this area, stay tuned!
This article can also be found in the file AVG and Privacy in the Workplace
More articles by Loyens & Loeff
