Netherlands, Administrative Jurisdiction Division of the Council of State of the Netherlands, 2 April 2020 201901006/1/A2

Identification of the case

• Right to an effective remedy and to a fair trial (art. 47 CFREU)

• Article 8:88 General Administrative Law Act jo. Article 34 Dutch GDPR Implementation Act

• Articles 15 to 22, 79, 82, and Article 99(3), of the General Data Protection Regulation (GDPR)
• Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
• CFREU, article 47

Summary of the case

The appellant in this case claims compensation for the unlawful transfer of his medical data to the Healthcare Disciplinary Board. From the prevailing privacy legislation (since 25 May 2018 the GDPR and the Dutch GDPR Implementation Act), the Administrative Jurisdiction Division of the Council of State (Division) understands that it must be possible to appeal to both the administrative and civil courts 'to submit a claim to compensation for damage as a result of a breach of the GDPR by an administrative body.’ In such a case, however, the administrative court must follow the rules laid down in Article 6:106 of the Civil Code and the case law of the Supreme Court.

• Administrative judicial enforcement

The Division judges that there is - in this type of cases about claiming damages - a choice possible between the civil court and the administrative court. However, the administrative court must then apply the criteria from the Dutch Civil Code for compensation (in this case the rules for compensation of non-material damages laid down in article 6:106 DCC) and follow on this matter the case law of the Supreme Court, which is the highest civil court in the Netherlands. But the Division is only competent for damages up to € 25.000,- and the civil court is also competent for damages exceeding € 25,000.

The Division comes to this judgment in four different cases (the other three cases are: ECLI:NL:RVS:2020:899, ECLI:NL:RVS:2020:900 and ECLI:NL:RVS:2020:901). The Division rules that only in the first case, the man whose medical data has been sent to the disciplinary court, is entitled to compensation of non-material damages. His privacy has been violated in such a way that justifies compensation of € 500, taken into account the fact that this information only came to a small group of professionals with professional secrecy.

The Division considers that the GDPR is directly applicable in every Member State (Article 99(3) GDPR). The claim for compensation in the event of acting contrary to the GDPR arises directly from the GDPR itself (Article 82(6) GDPR jo. Article 79(2) GDPR). In the absence of EU procedural rules it is settled case-law of the ECJ that it is for the Member States to designate the competent judicial authorities and to apply their national procedural law in cases of enforcement of Union law (see judgment in 16 December 1976, C-33/76, Rewe, ECLI:EU:C:1976:188, and Judgment of 13 July 2006, C-295/04 - 298/04, Manfredi, ECLI:EU:C:2006:461 point 62). A procedural rule must (inter alia) comply with the principle of effective judicial protection, as set out in Article 47 Charter of the fundamental rights of the EU (Charter) (see judgments of the Court of Justice of 18 March 2010, C-317/08, C-318/08, C-319/08 and C-320/08, Alassini and Others, ECLI:EU:C:2010:146). The Division infers from Article 8:88 General Administrative Law Act jo. Article 34 Dutch GDPR Implementation Act that it has been the intention of the national legislator that the same judge, which rules on, inter alia, decisions of administrative bodies, on a request as referred to in Articles 15 to 22 GDPR, may also be asked to rule on the reimbursement of related damages. The Division finds this in the interest of concentration of legal protection and therefore also in the interest of an effective legal protection as stipulated in Article 47 Charter (effectiveness principle). This means that in these cases a litigant has a choice whom to ask for damages: the administrative judge or the civil law judge. With this restriction that a litigant can only bring a claim for damages over € 25.000,- before the civil law judge.

Role of the Charter and role of the general principles on enforcement

The case deals with the application of EU-law. Pursuant to Article 51(1) of the Charter, the Charter is applicable.

• Explicit reference to Art. 47, CFREU (right to an effective remedy and a fair trial)

• Right to an effective remedy before a tribunal

A procedural rule - in this case which court is competent - must (inter alia) comply with the principle of effective judicial protection, as set out in Article 47 Charter of the fundamental rights of the EU (Charter) (see judgments of the Court of Justice of 18 March 2010, C-317/08, C-318/08, C-319/08 and C-320/08, Alassini and Others, ECLI:EU:C:2010:146).

• Effectiveness

In the absence of EU procedural rules it is settled case-law of the ECJ that it is for the Member States to designate the competent judicial authorities and to apply their national procedural law in cases of enforcement of Union law (see judgment in 16 December 1976, C-33/76, Rewe, ECLI:EU:C:1976:188, and Judgment of 13 July 2006, C-295/04 - 298/04, Manfredi, ECLI:EU:C:2006:461 point 62). A procedural rule must (inter alia) comply with the principle of effective judicial protection, as set out in Article 47 Charter of the fundamental rights of the EU (Charter) (see judgments of the Court of Justice of 18 March 2010, C-317/08, C-318/08, C-319/08 and C-320/08, Alassini and Others, ECLI:EU:C:2010:146). Finally, the Division infers from Article 8:88 General Administrative Law Act jo. Article 34 Dutch GDPR Implementation Act that it has been the intention of the national legislator that the same judge, which rules on, inter alia, decisions of administrative bodies, on a request as referred to in Articles 15 to 22 GDPR, may also be asked to rule on the reimbursement of related damages.

Elements of judicial dialogue

• Dialogue between high court - lower instance court at national level

• CJEU C-33/76, Rewe
• CJEU C-295/04 - 298/04, Manfredi
• CJEU C-317/08, C-318/08, C-319/08 and C-320/08, Alassini and Others

Conform interpretation with EU law as interpreted by the CJEU.

To solve a conflict between different trends of national case law.

From now on there is a choice possible for the litigant between the civil court and the administrative court in cases with a compensation for damages as a result of a breach of the GDPR by an administrative body. However, the administrative court must then apply the criteria from the Dutch Civil Code for compensation (DCC 6:106) and follow on this matter the case law of the Supreme Court, which is the highest civil court in the Netherlands. Only the civil court is competent for damages of more than € 25,000.

Additional notes on the decision

The lower (District) Courts will have to abide to the outcome of this judgment.

The Division comes to this judgment in four different cases (the other three cases are: ECLI:NL:RVS:2020:899, ECLI:NL:RVS:2020:900 and ECLI:NL:RVS:2020:901). The Division rules that only in the first case, the man whose medical data has been sent to the disciplinary court, is entitled to compensation. His privacy has been violated in such a way that justifies compensation of € 500, taken into account the fact that this information only came to a small group of professionals with professional secrecy.