Type: Judgment

Authority: European Authorities: Euopean Union' Court of Justice

Date: 12/14/2023

Subject: According to the Court, in the event of unauthorised disclosure of personal data or unauthorised access to those data, courts cannot infer from this fact alone that the protective measures implemented by the controller were not appropriate. The courts must assess the appropriateness of those measures in a concrete manner. It is for the controller to prove that the protective measures implemented were appropriate. In the event that the unauthorised disclosure of personal data or unauthorised access to those data has been committed by a ‘third party’ (such as cybercriminals), the controller may be required to compensate the data subjects who have suffered damage, unless it can prove that it is in no way responsible for that damage. Finally, according to the Court, the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of the General Data Protection Regulation is capable, in itself, of constituting ‘non-material damage’

Parties: Natsionalna agentsia za prihodite

Classification: Freedoms - Art. 8 Personal data: fairly processing - Personal data: consent - Personal data: access - Personal data: rectification - Personal data: independent authority

Text