News and developments
Liability for data breaches and the recognition of non-material damage under the GDPR
in the case of VB v. Natsionalna agentsia za prihodite (C-340/21) whereby the Court examined, among other aspects, liability and non-material damage under the EU General Data Protection Regulation ("GDPR").
Background
A cyber-attack committed against the Bulgarian National Revenue Agency (the “Agency”) resulted in a data breach affecting over 6 million Bulgarian citizens and foreign nationals. The breach prompted legal actions from several hundred affected individuals, including the main appellant in the proceedings, who sought compensation from the Agency, claiming non-material damage incurred due to the fear of possible misuse and potential harm that could arise as a result of the unauthorised disclosure of their personal data.
The Supreme Administrative Court of Bulgaria referred several questions to the CJEU for a preliminary ruling, seeking clarification on the following points:
Author: Eliza Azzopardi
- Whether the unauthorised disclosure of personal data inherently indicates insufficient technical and organisational measures implemented by the controller;
- The scope of judicial review for the adequacy of technical and organisational measures under Article 32 GDPR;
- Who bears the burden of proving that the technical and organisational measures adopted by the controller are appropriate, and whether an expert’s report constitutes necessary and sufficient means of proof;
- Whether the controller is liable for the unauthorised disclosure of, or access to, personal data resulting from third-party actions;
- Whether the fear suffered by a data subject regarding the possible misuse of personal data in the future falls within the scope of non-material damage.