Court case 9436020 \ CV EXPL 21-30289 – Court Ruling (Netherlands, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Dutch court ruled that a company building houses in Zevenhuizen unlawfully shared personal data of 1100 potential buyers in an unencrypted email. The court found this violated GDPR rules as there was no valid reason for this data processing. This case highlights the importance of securing personal data and the potential for damages even if harm isn't easily quantifiable.
What happened
A company sent an unencrypted email containing personal data of 1100 potential house buyers to all registered users.
Who was affected
Potential house buyers who registered on the company's website and had their personal data shared without consent.
What the authority found
The court ruled that the company unlawfully processed personal data by sharing it without a valid legal basis, violating GDPR requirements.
Why this matters
This case emphasizes that companies must ensure data security and have a valid reason for processing personal data. It also shows that courts may award damages for loss of control over personal data, even if the harm isn't directly measurable.
GDPR Articles Cited
The data controller is a company that is building new houses in Zevenhuizen. People who were interested in buying these new houses could register as a candidate-buyer via the website of the controller. About 1100 people, including the data subject, signed up. During the registration, the controller collected confidential personal information of the data subjects (such as the first- and last name; place- and date of birth; email address; phone number; maximum amount they could borrow for the mortgage; yearly income etc.). In April 2021, the controller sent an email to everyone who registered for the project with an unencrypted Excel file attached, which contained the personal information of everyone who registered for the project. Following up on this mistake, the controller sent an email in which they acknowledge the data breach and an apologised for the violation of the privacy and security of the 1100 registered potential buyers. The data subject brought the issue before court and claimed immaterial damages from controller for unlawful processing of their personal data. The Court acknowledged that a substantial amount of personal data was leaked to all of the registered potential buyers. This is a form of processing (Article 4 GDPR) and it is unlawful since there is no ground for this processing (Article 6 GDPR). The controller had thus unlawfully processed the personal data of the data subject in breach of the GDPR. The Court explained that the loss of control over your personal data is a form of damage (Recital 85 GDPR). It also considered that the meaning of 'damage' has to be explained in line with the jurisprudence of the Court of Justice. While the controller claimed that the plaintiff had not suffered any legally relevant damages in line with Dutch civil law, the Court pointed out that Article 82 GDPR has to be interpreted in the context of EU law: the fact that the damages can't be directly quantified do not prevent the allocation of damages. The Court p
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 9436020 \ CV EXPL 21-30289 in NL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 9436020 \ CV EXPL 21-30289 - Netherlands (2022). Retrieved from cookiefines.eu
Last updated: