The CJEU has issued its ruling in Case
C-340/21 | Natsionalna agentsia za prihodite.
This Bulgarian National Revenue Agency (NAP) is responsible for identifying, securing and recovering public debts. In this context, it is a personal data controller. On 15 July 2019, the media reported an intrusion into the NAP IT system, revealing that, following that cyberattack, personal data concerning millions of people had been published on the internet. Many individuals brought legal actions against the NAP for compensation for non-material damage caused by the fear that their data might be misused.
The Bulgarian Supreme Administrative Court referred several questions to the Court of Justice regarding the interpretation of the GDPR. It sought clarification of the conditions for awarding compensation for non-material damage relied on by a data subject whose personal data, held by a public agency, were published on the internet following an attack from cybercriminals.
The Court ruled as follows:
- If there is unauthorised disclosure of personal data or unauthorised access to the data, courts cannot infer from this fact alone that the protective measures implemented by the controller were not appropriate. The courts must assess the appropriateness of those measures.
- It is for the controller to prove that the protective measures implemented were appropriate.
- If the unauthorised disclosure of personal data or unauthorised access to the data has been committed by a third party (such as cybercriminals), the controller may be required to compensate the data subjects who have suffered damage, unless it can provide that it is no way responsible for that damage.
- The fear experienced by a data subject about a possible misuse of his or her personal data by third parties because of an infringement of the GDPR is capable, in itself, of constituting ‘non-material damage’.
