Date: March 11, 2022
Modified November 14, 2023
Written by: Annemarie van Woudenberg
Reading time: +/- 2 minutes
The General Data Protection Regulation (AVG) requires business owners to handle personal data carefully, for example the data of customers or employees. Combined with the enactment of the Law on Settlement of Mass Damages in Collective Action, this paves the way for filing collective claims against organizations that process personal data on a large scale. How does this work? More importantly, how can you prevent class actions from being filed against your organization in the event of a data breach?
On Jan. 1, 2020, the Law on Settlement of Mass Damages in Collective Action, or WAMCA, went into effect. The enactment of the WAMCA expanded the possibilities of collective action. Whereas previously the courts in the Netherlands could only rule on collective liability, under the WAMCA it is possible to collectively claim monetary damages. In addition, the court's ruling is generally binding on those who have not made it known that they do not wish to be bound by the outcome of the proceedings.
In practice, it often comes down to setting up a claims foundation to represent the interests of injured parties. These claims foundations regularly receive financial help from a litigation financier. The financier pays the costs of, for example, attorneys and the foundation board, in exchange for a percentage of the claim. This way, comprehensive proceedings can be conducted in a professional manner and do not depend on the individual capacity of the injured parties.
The AVG provides that any person who suffers damage, whether material or immaterial, as a result of a breach of the AVG is entitled to damages. Dutch courts are generally quite reticent in awarding immaterial damages. Case law shows that the award of damages under the AVG is always calculated at a few hundred euros to approximately a maximum of fifteen hundred euros. Annoying, of course, but not insurmountable for a company.
However, a violation of the AVG often involves many aggrieved parties and thus not just one individual who suffers damages. The AVG - in combination with the WAMCA - allows these affected parties to collectively claim these damages through a (non-profit) body, organization or association. This keeps the threshold for injured parties low and ensures that multiple compensation claims can be handled in one procedure.
In assessing what constitutes reasonable damages, the judge does not look at the number of people involved in the claim. After all, incurring damages is personal. Suppose that, as a result of a violation of the AVG, the judge considers €300 in damages per data subject to be reasonable, and there is not one injured party but 10,000. In that case, a "simple violation" of the AVG can be quite damaging for a company. Many cases even involve claims of several million or even billions of euros. For example, 3.2 billion euros was claimed from the GGD in connection with a data breach, 6 billion euros from app manufacturer TikTok and 1 billion euros from Apple and Google for abuse of power.
In this kind of annoying situation, prevention is always better than cure. Below are some practical tips to prevent mass claims under the AVG.
Make sure you are well informed about the rights and obligations that apply to your organization under the AVG. For example, personal data may only be collected for a legitimate purpose and to the extent necessary. There must also be a so-called processing basis that makes the processing of personal data legitimate. In doing so, it is important to clearly describe what the purposes are with respect to the collection of the data in question. For proper preparation, please refer to a previous blog.
In addition, your organization may have put a lot of time and money into proper data storage, a secure software system and a written policy on privacy and the protection of personal data, and violations of the AVG can still occur. In fact, a policy can only work well if it is properly implemented in practice by the entire organization. So raise awareness of the established policy among all your employees. After all, many data breaches occur because of human error.
In addition, maintain a good access policy for your systems and keep that access as limited as possible (only to the extent necessary). This will minimize the possibility of being hacked, making sensitive information less likely to fall into the hands of malicious third parties.
Finally, it is wise to check to what extent any class action is covered under your liability insurance policy. Many policies have a 'series damage clause'. A series of related events is then seen as one event. This may result in the insurance coverage being limited to only one time the sum insured. If the collective claim is so high that it exceeds the sum insured, this can still have major financial consequences for your company. To avoid this, you can, for example, take out a policy where the sum insured is not per claim, but per claim.
In conclusion, collective action combined with an AVG violation is a powerful weapon. One small act of carelessness with regard to personal data can result in your organization facing a towering claim. To avoid this, we advise you to double-check whether your company processes personal data in accordance with the AVG.
Are you wondering if your company processes personal data correctly, or would you like more information about drafting a privacy policy? Then contact our privacy specialists: Annemarie van Woudenberg or Sander Poelman. They will be happy to help you further.