The intention of the General Data Protection Regulation (GDPR) is to lay down a framework of rules protecting the basic rights and fundamental freedoms of individual persons, particularly where the right to protection of their personal data is concerned. Where these rules are perceived to be infringed upon, the GDPR offers multiple options for data subjects to assert their rights. In this blog, I will discuss one of these options, which is the right to indemnification, or compensation for damages suffered.
Article 82 of the GDPR
Article 82 of the GDPR describes the data subject’s right to compensation for material and non-material damages suffered as a result of the controller or processor acting in violation of the GDPR. Admittedly, it is not always easy to allocate specific amounts of financial compensation to specific cases of privacy violations and the resulting damages incurred by the data subject, but the important thing here is for the concept of ‘damage’ to be broadly interpreted, in the light of the case-law of the Court of Justice of the European Union, in a manner which fully reflects the objectives of the GDPR.1
First compensation for damages in The Netherlands
Normally, compensation claims must be brought before a civil court presided over by a civil judge. However, the first claim granted in The Netherlands on grounds related to the GDPR has been assigned by an administrative court, as the issue at stake was a decision made by a governing body. In this case, the plaintiff had, in 2017, requested access to his personal data from the municipality of Deventer. He now claimed that the information provided to him in response to his request, was incomplete. What was missing from the report was the fact, which he happened to know about, that his personal data had also been shared, by email, with other municipalities. The court ruled in favour of the plaintiff, judging that a violation of privacy had occurred, which the municipality had failed to act on, as it should have, by investigating possible instances of further processing of the plaintiff’s personal data by way of electronic mail. Apart from this, the court ruled that the transfer of data to other municipalities was not justified by necessity.2 Thereupon, in a separate procedure, the court of Overijssel ruled that the plaintiff’s loss of control over his personal data had resulted in ‘a violation of his personal sphere’ and awarded damages of 500 Euros.3 The court did not specify why it felt this particular amount of compensation to be reasonable.
Administrative Law Division of the Council of State
The municipality of Deventer appealed against this decision at the highest civil authority, which, in The Netherlands, is the Administrative Jurisdiction Division of the Council of State. Here, on April 1 2020, the Overijssel court’s decision was overturned in a ruling which denied the plaintiff justification in his claim to damages. In doing so, the Division did not overlook the fact that an infringement on privacy can result in (non-)material damage for which actual and full compensation may then be due. However, according to civil damages law, the extent of the damage suffered must be supported by specific data. In other words, plaintiff should have advanced valid arguments to justify why the mention of his name and address in an email from one municipality to another qualifies as a violation of his person and what specific damages he suffered as a direct result. Which he had failed to do.4
That same day, the Division passed judgement on three additional cases of compensation claims on grounds related to the GDPR,5 actually granting compensation in only one of them. That case dealt with the unauthorised provision of medical data to the disciplinary committee for health care, which, according to the Division, warranted an indemnification of 500 Euros. In deciding on the amount of compensation, the Division, on the one hand, argued that personal data of a particularly sensitive nature had been provided to a third party with no legitimate justification, while, on the other hand, taking into account that the data had only been disclosed to a select group of medical professionals.
Apart from this, in all of its four rulings, the Division stipulated that individuals invoking Article 82 of the GDPR in claiming compensation for damages suffered as a result of illegitimate processing of personal data by a governing body, may choose to submit such claims to the administrative court or seek compensation in a civil court. If, however, the compensation claimed is for an amount in excess of 25,000 Euros, the only judicial body authorised to rule on such claims is the civil court.
All in all, there is not much to go on when it comes to GDPR-based claims of compensation. The only element of clarity, in the Dutch situation at least, is related to the choice of specific legal venue under the circumstances at hand and to the requirement of claims being supported according to civil damages law. Whichever court is authorised to rule on any particular claim, will in its ruling take into account the nature of the personal data involved and the duration and severity of the infringement.
1. See Recital 146 to the GDPR.
2. Court of Overijssel July 18 2018, ECLI:NL:RBOVE:2018:2496.
3. Court of Overijssel May 28 2019, ECLI:NL:RBOVE:2019:1827. Remarkably, by the way, this administrative court finds an infringement of privacy only to be present in the transfer of personal data, without commenting on the incompleteness of the overview provided in response to the access request. See also, for instance, Court of Amsterdam September 2 2019, ECLI:NL:RBAMS:2019:6490, in which the civil court granted a compensation of 250 Euros to be be paid by UWV for having unjustly shared information on a former employee’s burn-out with that person’s new employer.
4. ABRvS April 1 2020, ECLI:NL:RVS:2020:899.
5. See ABRvS April 1 2020, ECLI:NL:RVS:2020:898, ECLI:NL:RVS:2020:900 & ECLI:NL:RVS:2020:901.