DATA PROTECTION
Cybercrime: the fear of a possible misuse of personal data is capable, in itself, of constituting non-material damage.
The Bulgarian National Revenue Agency (the NAP) is attached to the Bulgarian Minister for Finance. In particular, it is responsible for identifying, securing and recovering public debts. In this context, it is a personal data controller. On 15 July 2019, the media reported an intrusion into the NAP IT system, revealing that, following that cyberattack,
personal data concerning millions of persons had been published on the internet. Many individuals brought legal actions against the NAP for compensation for non-material damage caused by the fear that their data might be
misused.
The Bulgarian Supreme Administrative Court refers several questions to the Court of Justice for a preliminary ruling on the interpretation of the General Data Protection Regulation (GDPR).
It seeks clarification of the conditions for awarding compensation for non-material damage relied on by a data subject whose personal data, held by a public agency, were published on the internet following an attack from cybercriminals.
In its judgment, the Court answers the questions referred as follows:
In the event of unauthorised disclosure of personal data or unauthorised access to those data, courts
cannot infer from this fact alone that the protective measures implemented by the controller were not
appropriate. The courts must assess the appropriateness of those measures in a concrete manner.
It is for the controller to prove that the protective measures implemented were appropriate.
In the event that the unauthorised disclosure of personal data or unauthorised access to those data
has been committed by a ‘third party’ (such as cybercriminals), the controller may be required to
compensate the data subjects who have suffered damage, unless it can prove that it is in no way
responsible for that damage.
The fear experienced by a data subject with regard to a possible misuse of his or her personal data by
third parties as a result of an infringement of the GDPR is capable, in itself, of constituting ‘non-material
damage’.
personal data concerning millions of persons had been published on the internet. Many individuals brought legal actions against the NAP for compensation for non-material damage caused by the fear that their data might be
misused.
The Bulgarian Supreme Administrative Court refers several questions to the Court of Justice for a preliminary ruling on the interpretation of the General Data Protection Regulation (GDPR).
It seeks clarification of the conditions for awarding compensation for non-material damage relied on by a data subject whose personal data, held by a public agency, were published on the internet following an attack from cybercriminals.
In its judgment, the Court answers the questions referred as follows:
In the event of unauthorised disclosure of personal data or unauthorised access to those data, courts
cannot infer from this fact alone that the protective measures implemented by the controller were not
appropriate. The courts must assess the appropriateness of those measures in a concrete manner.
It is for the controller to prove that the protective measures implemented were appropriate.
In the event that the unauthorised disclosure of personal data or unauthorised access to those data
has been committed by a ‘third party’ (such as cybercriminals), the controller may be required to
compensate the data subjects who have suffered damage, unless it can prove that it is in no way
responsible for that damage.
The fear experienced by a data subject with regard to a possible misuse of his or her personal data by
third parties as a result of an infringement of the GDPR is capable, in itself, of constituting ‘non-material
damage’.
