The letter, which has already been delivered to more than 400,000 (!) women in the Netherlands, has caused quite a stir (and rightly so). Shock, anger and a dent in confidence in an essential public service are understandable reactions. But does this mean that you are also entitled to compensation – individually or through a class action? And how is this handled in practice?
Data breach ≠ automatic right to compensation
In 2023 (UI/Österreichische Post), the Court of Justice of the EU clarified that a breach of the GDPR does not automatically entitle the victim to compensation. Although Article 82 of the GDPR provides a basis for compensation for both material and immaterial damage, the existence of a breach alone is insufficient.
In short: the letter on your doormat is not a claim ticket. To be eligible for compensation, there must be actual damage and a causal link between the data breach and that damage. In a large-scale data breach, that is very difficult to prove without, for example, demonstrable identity fraud committed as a result of the breach.
Special personal data can make a difference
If special or sensitive personal data has been leaked, there is a greater chance that immaterial damages will be awarded. This is also the case here, as it concerns (among other things) medical data. The courts have ruled as follows in this regard.
- District Court of Gelderland, 4 October 2023 (ECLI:NL:RBGEL:2023:5435): a former student received €300 in compensation after medical data about his study delay was stolen in a hack at HAN University of Applied Sciences. The court ruled that the leak of general personal data was insufficient in itself, but that the leak of medical data did constitute a significant invasion of privacy. The fact that the student had shared this data with great effort and trust weighed heavily in the decision.
- District Court of Northern Netherlands, 12 January 2021 (ECLI:NL:RBNNE:2021:106): a person involved received €500 in compensation after, among other things, his citizen service number (BSN) was unlawfully disclosed. Although he did not convincingly demonstrate psychological damage, the judge considered the sensitive nature of the data (risk of identity fraud) sufficient to assume damage.
These rulings demonstrate that in cases involving sensitive personal data, such as medical information or national insurance numbers, the threshold for non-material damages is lower, but even in these cases, the amounts awarded are unsatisfactory.
Collective action: little chance of success for damages
In theory, collective action can be useful in establishing that an organisation has acted unlawfully. However, in practice, collective compensation is difficult to achieve. After all, damage and causality vary greatly from one individual to another.
Consequently, broad claims for damages under the Mass Damage Settlement Act in collective actions will often fail. Only in individual cases, where specific personal data has been leaked and concrete, in this case likely immaterial, damage has been demonstrated, will compensation actually be awarded.
What can you do as a person affected?
- Stay alert: change passwords, enable two-factor authentication, and watch out for suspicious messages.
- Document: keep the letter and any consequences (phishing, stress, medical impact).
- Check the nature of the data: the more sensitive it is, the stronger your legal position.
- Seek advice: especially if you are experiencing demonstrable intangible damage, such as stress, anxiety or loss of confidence.
Conclusion
A data breach is serious and should never be trivialised. However, compensation is not automatic. Only when special or sensitive personal data is exposed and there is a demonstrable invasion of privacy will judges sometimes award (limited) compensation. Collective claims for damages, on the other hand, often have little chance of success in court.
For questions about privacy law, please contact Guldemond Advocaten.