Court case 9435922 – Court Ruling (Netherlands, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Dutch court found that a company unlawfully shared personal data of people interested in buying homes by emailing an unencrypted file. The court ruled the company had no legal basis for this data breach. This case underscores the need for businesses to protect personal data and avoid careless mistakes.
What happened
A company sent an unencrypted email containing personal data of potential homebuyers, leading to a data breach.
Who was affected
Individuals who registered interest in purchasing homes in the new Koningskwartier neighborhood.
What the authority found
The court ruled that the company unlawfully processed personal data without a valid legal basis, violating GDPR.
Why this matters
This case serves as a reminder for businesses to handle personal data with care and ensure proper security measures are in place. It highlights the potential consequences of human error in data handling.
GDPR Articles Cited
The controller is a company that is contracted to plan and build a new neighborhood (called the “Koningskwartier”) in the village Zevenhuizen. In 2021, people that were interested to potentially purchase a house in this neighborhood, could register on the website of the company. Approximately 1,100 persons, including the data subject, made use of this possibility. During the registration, various confidential personal data of these persons were collected, such as the first- and last name; place- and date of birth; email address; phone number; maximum amount they could borrow for the mortgage; yearly income etc. On 12 April 2021, the controller sent out an email to all persons that registered and attached an unencrypted excel file to this email, that contained all the personal data listed above. The data subject then replied to the email and notified the controller of the fact that they wanted to be reimbursed for the damages of the data breach. The controller tried to repair their mistake by sending out an email to all recipients regarding the mistake. However, they refused to comply with the data subject’s request, so the data subject brought the matter before court. The data subject requested the court to order the controller to pay him € 750 in material damages to purchase a new phone since he was being harassed by an unknown number via WhatsApp. Moreover, he wanted € 20,000 in immaterial damages because he feels “watched” and he lost his trust in other people. The controller explained this data breach was caused due to a human error and requested the Court to reject the data subject’s claim. First, the Court considered that the controller had no legal basis in Article 6 GDPR to send out an email that contained data subject’s personal data, and thus unlawfully processed the data subject’s personal data. Moreover, the Court noted that it follows from Recital 146 GDPR that the notion of “damage” must be interpreted broadly, and found that data subject’s damages
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 9435922 in NL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 9435922 - Netherlands (2022). Retrieved from cookiefines.eu
Last updated: