CJEU - C‑340/21 - Natsionalna agentsia za prihodite
| CJEU - C‑340/21 Natsionalna agentsia za prihodite | |
|---|---|
 | |
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 5 GDPR Article 24 GDPR Article 32 GDPR Article 82 GDPR |
| Decided: | 14.12.2023 |
| Parties: | |
| Case Number/Name: | C‑340/21 Natsionalna agentsia za prihodite |
| European Case Law Identifier: | ECLI:EU:C:2023:986 |
| Reference from: | |
| Language: | 24 EU Languages |
| Original Source: | AG Opinion Judgement |
| Initial Contributor: | sh |
The CJEU ruled that the fear of a data subject over the possible misuse of their data from a data breach counts as non-material damages and can lead to financial compensation from the controller. The controller must prove that appropriate measures were adopted against the cyberattack.
English Summary
Facts
Advocate General Opinion
Holding
On the notion of technical and secure measures under Article 24 and 32:
1) The fact that a hacker breached a controller does not automatically mean the TOMs (Technical and Organisational Measures) were inadequate.
2) TOMs must be assessed by national courts. Allowing for a variety of national tests as to what TOMs are adequate.
3) The burden of proof for proving TOMs is on the contoller. Especially in the context of damages under Article 82.
It also clarifies damages:
1) Article 83(2) means that the controller cannot be exempt from liability for damages just because the damage was caused by third parties (hackers). To be excempt the controller must prove that the act which caused the damage is in no way attributable to it.
2) Article 82(1) includes the fear of the potential misuse of personal data that a data subject feels as a result of a breach. This constitutes “moral damage” and is sufficient to give rise to non-material damages.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
