Unlawful Processing of Personal Data in Leiden
In Leiden, unlawful processing of personal data by local organizations, such as shops or the Municipality of Leiden, can violate your privacy. Processing is unlawful when it takes place without a valid basis under the GDPR, and it can lead to fines and damage claims. Discover your rights as a Leiden resident and the steps you can take via the Leiden District Court or the Leiden Legal Aid Desk.
What does unlawful processing of personal data entail?
Personal data includes information about you, such as your name, Leiden address, email or medical data from LUMC. Processing means everything from collecting to sharing. In Leiden, organizations must comply with the GDPR, which requires lawful, fair and transparent processing.
Issues arise when data is processed without consent, contractual necessity or a legal obligation. Consider a Leiden webshop sharing your postcode without approval, or an employer leaking health information; the risks include theft or discrimination.
Legal Framework
The central instruments are the GDPR (EU 2016/679) and the GDPR Implementation Act. Key articles:
- Art. 5 GDPR: Principles such as lawfulness and data minimisation.
- Art. 6 GDPR: Legal bases (consent, contract, etc.).
- Art. 9 GDPR: Strict rules for sensitive data such as health.
- Art. 82 GDPR: Compensation for infringements.
The Data Protection Authority (AP) supervises compliance and imposes fines of up to 4% of turnover. In Leiden, you can litigate via the Leiden District Court or object to AP decisions.
Lawful vs. Unlawful: Overview
A handy comparison:
| | Lawful | Unlawful |
|---|---|---|
| Legal Basis | Art. 6 GDPR (consent/contract) | No or incorrect basis |
| Purpose Limitation | Only for intended purpose (art. 5(1)b) | Different purpose without consent |
| Transparency | Privacy statement | Incomplete information |
| Leiden Example | LUMC stores file for care | Municipality of Leiden shares income with club without necessity |
Examples from a Leiden Perspective
1. Advertising without opt-in: A Leiden supermarket sends promotional emails without subscription (art. 6(1)a GDPR).
2. Hack with breach: Insecure storage at a local firm leads to theft (art. 32 GDPR).
3. Municipality of Leiden: Shares your address with an association without a basis, which is an administrative law issue.
4. Work in Leiden: A boss leaks your salary to colleagues, against art. 9 GDPR.
Your Rights as a Leiden Resident
Data subject rights (art. 15-22 GDPR):
- Access to processed data.
- Rectification of errors.
- Erasure ('right to be forgotten').
- Restriction, objection and portability.
Organizations must report breaches within 72 hours (art. 33-34). Are you processing data yourself? Then follow the GDPR rules.
Taking Action in Leiden
1. Demand cessation from the organization.
2. File a complaint with the AP.
3. Damage claim at Leiden District Court (art. 82 GDPR; court fee ~€85).
4. Free advice: Leiden Legal Aid Desk. You can object to an AP decision under art. 7:1 of the General Administrative Law Act.
Frequently Asked Questions
Is every data breach unlawful?
No, but failing security (art. 32) makes it so. Report to the AP within 72 hours if risks are involved.
Claiming damages in Leiden?
Yes, both material and non-material damage (art. 82). You must prove the link; there is no threshold after Schrems II. Claims go via the Leiden District Court.
Government bodies such as the Municipality of Leiden?
The GDPR applies, plus the Implementation Act. File a complaint with the AP or go to the administrative court.
How long does a procedure take?
AP complaint: weeks to months. Leiden District Court: several months; an expedited procedure is possible.