The CJEU interpreted GDPR provisions on technical and organizational measures, controller’s responsibility for their appropriateness and non-material damages to data subjects



The data protection team of DJINGOV, GOUGINSKI, KYUTCHUKOV & VELICHKOV notes that on 14 December 2023, the Court of Justice of the European Union (the “CJEU”) issued a preliminary ruling (the “Ruling”) on questions concerning controversial issues surrounding:

     (i) the responsibility of a controller to implement appropriate technical and organizational measures under Articles 24 and 32 of the General Data Protection Regulation (“GDPR”), and

    (ii) the concept of “non-material damage” and compensation of such type of damages to data subjects under Article 82 of GDPR.

The request for the Ruling was lodged by the Bulgarian Supreme Administrative Court (“SAC”) on 2 June 2021 in the context of an action brought by a data subject against the Bulgarian National Revenue Agency. The action sought compensation for non-material damages manifesting in fears, worry, anxiety, stress and feelings of insecurity with regard to a possible future misuse of personal data, following a massive leak of personal data, including tax and social security information, as a result of unauthorized access to the Agency’s information system back in 2019.

The Ruling reaffirms the view of the CJEU that data subject protection under GDPR shall be robust, the standard of controllers’ responsibility high, and, in case of infringement, their liability to data subjects strict.

    (1) Further to the Ruling, when deciding on technical and organizational measures securing personal data processing operations, data controllers and national courts deciding on data subject damage claims shall bear in mind the following:

           (i) Unauthorized access to or disclosure of personal data by a third party does not, by itself, mean that the organizational and technical measures put in place by the controller have not been appropriate as per Articles 24 and 32 of GDPR.

          (ii) When assessing appropriateness of technical and organizational measures adopted by a controller pursuant to Article 32, national courts must take into consideration the risks associated with the processing concerned and assess whether the nature, content and implementation of those measures are appropriate to the identified risks. The examination requires an assessment of the nature and content of the measures, the manner in which these measures are applied, and their practical effect on the level of security that the controller is required to ensure based on the risks inherent to the specific data processing.

          (iii) The data protection principle of accountability means that in an action for damages under Article 82 of GDPR, the data controller, and not the data subject(s), bears the burden of proof to demonstrate that the security measures it has put in place are appropriate as set forth in Article 32 of GDPR in order to limit or avoid liability.

         (iv) An expert’s report cannot constitute a systematically necessary and sufficient means of proof in the assessment of appropriateness of the security measures implemented by the controller under Article 32 GDPR. The appropriateness of the data protection measures of a data controller is a matter of law and, therefore, must be assessed by the court. Accordingly, when ruling on damage claims brought by data subjects, the national court shall assess the appropriateness of the measures concerned using any permissible and available types of evidence the court finds suitable.

      (2) In respect of controllers’ exposure to liability for damages to data subjects, the CJEU confirms that, to be exempt from its obligation to pay compensation for the damage suffered by a data subject, a controller must prove that it is in no way responsible for the event that gave rise to the damage concerned. In this regard, for example, the controller must prove that the security measures it has put in place are appropriate in accordance with Article 32 of GDPR. The CJEU expressly holds that the controller cannot be exempt from liability solely because the damage is a result of a data breach committed by a “third party”.

      (3) The CJEU interprets the important concept of “non-material damage” broadly and in a manner which fully reflects the objectives of GDPR. The CJEU recognizes that non-material damages of data subjects can include any loss of their personal data as a result of a GDPR infringement, “even if there had been no misuse of the data…to the detriment of those data subjects.” The CJEU interprets Article 82(1) of GDPR as meaning that the fear experienced by a data subject regarding a possible misuse of his/her personal data by third parties as a result of a GDPR infringement can, in itself, constitute ‘non-material damage’ subject to compensation as per the rules of GDPR and applicable national laws. It is for the national courts to “verify that that fear can be regarded as well founded, in the specific circumstances at issue and with regard to the data subject.”

We find the Ruling and the interpretation of GDPR provisions provided in it by the CJEU equally important to data controllers, data subjects, legal counsel, data protection supervisory authorities, and EU Member State courts deciding on data protection claims. Notably, the Ruling opens the door to data subjects to seek compensation when suffering non-material damages as a result of a controller’s infringement of GDPR.