- 23 Sep 2019
An employee had been employed by an employer from 2012 onwards. During that period of employment, she became long-term unfit for work due to a burn-out. The employee received a letter from the UWV at a certain moment with the statement: “Are you fully recovered at this time? And have you returned to work? In that case, no action is required on your part. After all, you are not required to report to us that you are fit for work”. The employee did indeed recover, and shortly thereafter entered into employment of a new employer on the basis of a temporary contract.
Subsequently, the UWV sent a letter, by mistake, to this new employer mentioning the employee's long-term illness. The new employer had not been aware of this and in an interview asked the employee for an explanation, since, coincidentally, it was at that time also the moment for the employer to decide on whether or not to offer her a follow-up contract (which, incidentally, the employer did offer in the end).
The employee made a claim against the UWV for violation of the GDPR. The employee claimed damages in the amount of EUR 500 for non-material damage as a result of the stress incurred by the incident.
Judgment District Court Amsterdam
In this judgment, the court considers that it concerned personal data of a sensitive nature (not to be confused with the special personal data separately regulated by law) since the mere mention of long-term illness is itself of a sensitive nature.
The court subsequently ruled that the UWV did indeed violate the GDPR. The GDPR obliges the controller to, among other things, take appropriate technical and organizational measures to safeguard the integrity and confidentiality of the personal data that it processes, including explicitly protection against accidental loss. The UWV decided to send letters with content such as this via an automated system that uses available address data from current employers, therefore without prior assessment whether sending the letter is correct. According to the court, a check as to the accuracy of the communication and/or of the addressee was, especially in light of the sensitive nature of the data, necessary, and also possible for an organization such as UWV. By applying this working method, UWV acted contrary to the GDPR vis-à-vis the employee by infringing on her right to have her privacy respected and her personal data protected.
The employee entered a claim for damages in the amount of EUR 500 to compensate for the fact that there was great uncertainty during the period from the occurrence of the data breach, until the moment when her employer decided to extend her contract. After all, there was a considerable risk that the new employer might not renew the contract as a result of the facts about the burnout brought to the employer’s attention. The fact that this risk did not ultimately materialize was reason for the court to consider the damages limited. Attempts on the part of the UWV to argue that immaterial compensation should only be granted in very serious situations, were waived by the court.
On the contrary, the court referred to the GDPR considerations, that show that, according to the GDPR, the concept of damage must be interpreted broadly (consideration 146). The court points to the possibility of an individual concerned to claim damages in court for violation of the GDPR: immaterial damages are explicitly mentioned. In short, the court finds that the fact that major damage could have been incurred (no contract extension) had understandably led to stress, and therefore to compensable damages. The judge ultimately estimated these to be EUR 250.
What does this mean in practice?
The claim did not turn out to be a "gravy train" for the employee in question, but she had after all only claimed modest damages. Apparently, this had been a question of principle for the employee concerned. However, despite the modest damages, the UWV will have to examine its processes, because it apparently makes use of a system of sending letters with a certain content, which system does not stand up the GDPR requirements and scrutiny.
All other responsible parties, such as health and safety services, but also employers, must be aware that, according to this judgment, the risks of claims for compensation for damages resulting from violation of the GDPR are very real.