NederWoon Verhuurmakelaars B.V. – Court Ruling (Netherlands, 2021)

In May 2019, a hacker obtained unauthorised access to the webserver and website of Nederwoon.nl and exported personal data of users of the website to his personal computer. The hacker was found guilty for unauthorised intrusion in a different case. The plaintiff argued that NederWoon is in breach of Article 5 GDPR because the plaintiff's personal data should have been deleted because it was no longer necessary in relation to the purposes it was processed for, and because there were no appropriate technical and organisational measures in place to protect the data. The plaintiff therefore requested a compensation for the damages due to a breach of the GDPR. NederWoon claimed that there was no breach of the GDPR and that there was no damage on the plaintiff's side. The court held that the plaintiff must prove why Article 5 GDPR was breached. The simple fact that a hacker obtained access to personal data does not mean that NederWoon was acting in breach of Article 5 GDPR. Furthermore, the plaintiff must prove that he in fact has (immaterial) damages on his side. A breach of the GDPR does not automatically lead to damages. (Also see: [https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:HR:2019:376 Dutch Supreme Court (Hoge Raad) ECLI:NL:HR:2019:376]). The simple statement that the plaintiff experienced distress is insufficient without further elaborating on why this bothered him or how the distress expressed itself. Because the damage was not substantiated, the claims cannot be upheld. Therefore, the breach of the GDPR is not further discussed.