CJEU - C‑340/21 - Natsionalna agentsia za prihodite

From GDPRhub
Revision as of 15:07, 19 December 2023 by 84.113.103.211
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 5 GDPR
Article 24 GDPR
Article 32 GDPR
Article 82 GDPR
Decided: 14.12.2023
Parties:
Case Number/Name: C‑340/21 Natsionalna agentsia za prihodite
European Case Law Identifier: ECLI:EU:C:2023:986
Reference from:
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: sh


The CJEU ruled that the fear a data subject experiences over the possible misuse of their personal data following a data breach can in itself constitute non-material damage and may give rise to compensation from the controller. The burden of proving that the technical and organisational measures in place were appropriate lies with the controller, not with the data subject.

English Summary

Facts

The Bulgarian Tax Agency (the controller) suffered a data breach. As a result, more than 6 million people's personal data was leaked online, including that of the complainant.

The complainant sued the controller before the Administrative Court Sofia on the basis of Article 82 GDPR. She requested around €510 as compensation for the non-material damage[1] resulting from the breach. She argued that the controller had caused the damage because it had failed to implement adequate security measures, in breach of Articles 5(1)(f), 24 and 32 GDPR. Her non-material damage consisted of the fear that her personal data might be misused in the future and that she could be threatened as a consequence.

The Administrative Court Sofia dismissed the action. Firstly, the controller had not caused the breach, because the breach resulted from the actions of third parties. Secondly, the complainant had not proved that the controller had failed to implement adequate security measures. Lastly, in the court's opinion the complainant had not suffered actual non-material damage: since her fear was merely hypothetical, she could not be granted compensation.

The complainant appealed this decision before the Supreme Administrative Court of Bulgaria, which referred the case to the CJEU with the following questions:

1) Must Articles 24 and 32 GDPR be interpreted as meaning that a personal data breach, as defined in Article 4(12) GDPR, caused by third parties is in itself sufficient to presume that the technical and organisational measures (TOMs) implemented by the controller were inadequate?

2) If the above is answered in the negative,

Holding

The CJEU answered the questions referred as follows; it is for the national court to apply these answers to the complainant's claim for damages.

On the appropriateness of technical and organisational measures under Articles 24 and 32 GDPR:

1) The fact that third parties (hackers) breached a controller's systems does not, in itself, mean that the TOMs (technical and organisational measures) implemented by the controller were inadequate.

2) The appropriateness of the TOMs must be assessed by the national courts in a concrete manner, taking into account the risks associated with the processing concerned and whether the nature, content and implementation of the measures were appropriate to those risks. The concrete assessment is thus left to each national court rather than fixed by a uniform test.

3) The burden of proving that the TOMs were appropriate lies with the controller, in particular in the context of an action for damages under Article 82 GDPR.

The Court also clarified the conditions for damages:

1) Under Article 82(3) GDPR, the controller cannot be exempted from liability for damages solely because the damage resulted from the actions of third parties (hackers). To be exempted, the controller must prove that the event giving rise to the damage is in no way attributable to it.

2) Under Article 82(1) GDPR, the fear of a possible misuse of their personal data by third parties that a data subject experiences as a result of a breach can, in itself, constitute non-material damage ("moral damage") and is therefore sufficient to give rise to a claim for compensation.


  1. The GDPR gives you a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law. This covers both "material damage" (e.g. you have lost money) and "non-material damage" (e.g. you have suffered distress).