Judgment of the Court in Case C-340/21
The Bulgarian National Revenue Agency (the NAP) is attached to the Bulgarian Minister for Finance. In particular, it is responsible for identifying, securing and recovering public debts. In this context, it is a personal data controller. On 15 July 2019, the media reported an intrusion into the NAP IT system, revealing that, following that cyberattack, personal data concerning millions of persons had been published on the internet. Many individuals brought legal actions against the NAP for compensation for non-material damage caused by the fear that their data might be misused.
The Bulgarian Supreme Administrative Court refers several questions to the Court of Justice for a preliminary ruling on the interpretation of the General Data Protection Regulation (GDPR)1. It seeks clarification of the conditions for awarding compensation for non-material damage relied on by a data subject whose personal data, held by a public agency, were published on the internet following an attack from cybercriminals.
In its judgment, the Court answers the questions referred as follows:
- In the event of unauthorised disclosure of personal data or unauthorised access to those data, courts cannot infer from this fact alone that the protective measures implemented by the controller were not appropriate. The courts must assess the appropriateness of those measures in a concrete manner.
- It is for the controller to prove that the protective measures implemented were appropriate.
- In the event that the unauthorised disclosure of personal data or unauthorised access to those data has been committed by a ‘third party’ (such as cybercriminals), the controller may be required to compensate the data subjects who have suffered damage, unless it can prove that it is in no way responsible for that damage.
- The fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of the GDPR is capable, in itself, of constituting ‘non-material damage’.
NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of EU law or the validity of an EU act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.