DATA PROTECTION – The ECJ on liability for “non-material damage” caused to data subjects

On 14 December 2023, the European Court of Justice (ECJ) issued its judgment in case C‑340/21 (VB v Natsionalna agentsia za prihodite) regarding a cyberattack against the Bulgarian National Revenue Agency’s IT system, following which millions of citizen’s data had been published on the internet. In its judgment, the ECJ provided guidelines on the conditions for awarding compensation for non-material damage to data subjects. In particular, the ECJ clarified that, in the event of unauthorised disclosure of, or access to, personal data, the controller is under the obligation to compensate any data subjects claiming to have experienced fear with regard to a possible misuse of their personal data by third parties, to the extent that no proof is produced by the controller on the adequacy of its protective measures under the specific circumstances. If such proof is produced, the controller bears no responsibility.

Newsletter n. 92 – January 2024