Municipality Not Required to Pay Compensation for Data Breach Under GDPR


Under the General Data Protection Regulation (GDPR), individuals have the right to claim compensation for both material and non-material damages resulting from data breaches. However, recent court decisions have clarified that simply proving a GDPR infringement is not enough to automatically receive compensation. Claimants must demonstrate the existence of actual damage and a causal link between the damage and the infringement.

Heemskerk municipal council

The court issued a ruling rejecting the appellant's request to order the council to pay damages. The appellant appealed against this decision to the Administrative Jurisdiction Division of the Raad van State. The dispute centers on a data breach in which the appellant's personal data was obtained by third parties due to an error by the Heemskerk municipal council in the Netherlands. The case files include decisions containing name and address details, the citizen service number (BSN), and medical information.

Non-material damage

The appellant claims to have suffered non-material damage due to the loss of control over her personal data and demands compensation of 2.000 euros. The council does not dispute that the data breach occurred due to blameworthy behaviour, but argues that the appellant has not sufficiently demonstrated that she has suffered damage.

In her appeal, the appellant asserts that she has suffered severe psychological damage as a result of the data breach. She supports this claim with conversations with various professionals and references to her psychological complaints. However, the Division also finds that the appellant has insufficiently substantiated her claimed psychological damage with concrete data, so the court rightly rejected the claim for compensation. The appeal is therefore dismissed, and the earlier decision is upheld (ECLI:NL:RVS:2024:2311).

Concrete evidence

This case highlights the importance of not only alleging that damage has occurred due to a data breach but also providing concrete evidence to substantiate the claim. Under the General Data Protection Regulation (GDPR), individuals can seek compensation for damages resulting from data breaches. However, it is essential to prove the actual extent and impact of the damage to succeed in obtaining compensation. Simply asserting that damage has occurred is not sufficient; substantial proof is required to demonstrate the specific harm suffered.


The FCLA was founded in December 1986 to promote international collaboration and exchange of information in computer law. Its members are national computer law associations, and its current members are computer law advocates: legal professionals working as attorneys at law, general and/or legal counsel, or compliance specialists specialised in IT, data processing and the law.

Bart Bosma

Advisor ICT Security at SURF

5 months

ISBN = BSN?
