The Netherlands

On 8 February, the ICAM Foundation and six individuals launched a collective action against the Dutch State, more specifically the Dutch Minister of Health, Welfare and Sport (hereinafter the “State”), with regard to a data breach that took place at the Dutch Public Health Service (“GGD”).[1] The Minister of Health, Welfare and Sport is responsible for the IT systems of the GGD. The data breach resulted from the abuse of private data that Dutch citizens had shared with the GGD for the purpose of making a coronavirus vaccination or test appointment, or for the purpose of source and contact testing. Due to a lack of security, call centre employees were able to view and download sensitive information in bulk, such as citizen service numbers (BSN), health data and address details. As a result of the data breach, the personal data of at least 6.5 million people were accessible and available for illegal data trafficking. It has been established that the personal data of at least 1,250 people were actually stolen and probably sold.

The ICAM Foundation represents the Dutch victims both on the basis of WAMCA and on the basis of participation agreements. The ICAM Foundation, as well as the individual claimants, holds the State liable for the damage suffered by the victims. In addition, the ICAM Foundation summons the State to take adequate measures to prevent this type of incident from recurring in the future.

The class action is based on the grounds that there was a violation of the principle of data minimisation under Article 5 GDPR, the principles of privacy by design and privacy by default under Article 25 GDPR, the security obligation as laid down in Article 32 GDPR and the NEN 7510 standard for information security in healthcare, the Medical Treatment Contracts Act and the Act on Additional Provisions for Processing Personal Data in Healthcare.