In our previous blog post, we explained that the Dutch (highest) courts are fairly strict when assessing claims for non-material damages based on breaches of the EU General Data Protection Regulation (GDPR). If non-material damages were awarded at all, they were mostly in the range of approximately €250 to €500.
However, the administrative court in Rotterdam (in Dutch) recently awarded €2,500 compensation for non-material damages to a claimant who had asked the municipality of Rotterdam several times to delete certain of her personal data. The municipality initially rejected the requests, but subsequently reversed its decision and informed the applicant that her data would be deleted.
The fact that the municipality had initially declined to delete the data, but subsequently reversed its decision (several years later), was sufficient for the Rotterdam court to assume that the data was subject to unlawful processing. Therefore, the court only substantively assessed whether non-material damages were warranted, and if so, what amount would be suitable.
Why does the Court award non-material damages?
The Rotterdam court very succinctly cited the threshold for awarding non-material damages as adopted by the higher Dutch courts (see our earlier blog post on this topic), and then considered that the facts of this case were sufficient to assume non-material damages had been suffered by the applicant. The Rotterdam court needed only a single sentence to come to this conclusion:
'… as the municipality had stored and processed reports containing the applicant's personal data, they have breached the GDPR and thereby violated the applicant's right to privacy.'
The fact that these 'reports' also contained medical data is mentioned elsewhere in the judgment, but the court did not say that this was relevant when determining that the applicant had indeed suffered non-material damages.
After establishing the unlawful processing and the applicant’s right to compensation for the non-material damages suffered, the court only needed to determine an appropriate amount.
How did the court arrive at €2,500?
Unfortunately, the judgment provides hardly any information on the background of the claim. However, it is clear that the applicant had initially claimed €25,000 in non-material damages, and an undisclosed amount of material damages.
In determining the amount, the court took the following circumstances into account:
- the report contained sensitive personal (medical) data;
- the report had been stored for around 10 years; and
- the applicant had made numerous requests to delete the data, with the first request being made in 2014 and the request only being granted in 2018.
The court also assumed (this had not been proven by the applicant) that, due to the long (and unlawful) retention, the applicant's data had been processed by various third parties without a lawful basis.
The court ruled that, under these circumstances, €2,500 should be awarded. In this case, the long duration of the unlawful processing seems to have been an important factor for the court, which considered that, in decisions where €500 non-material damages had been awarded, this related to only short-term unlawful processing (of medical data).
The claim for material damages was denied (without further reasoning).
With the Rotterdam court's decision being rather concise, we still lack clarity on the subject of non-material damages under the GDPR (although there has been some case law in Germany – see this recent blog post).
For this reason, we would have liked the court to explain how it decided on the €2,500 for non-material damages. For example, why did the non-material damages not need to be substantiated to a certain extent? Also, additional guidance on the factors that contributed to the amount of compensation would have been very welcome.