Fears can constitute immaterial damage – role of the TOM

Case C-340/21 (curia.europa.eu/juris/documents.jsf?num=C-340/21), decided on 14 December 2023, concerned a situation in which unauthorized access had been gained to an IT system and personal data held in that system had been published on the internet as a result of the cyberattack. The persons concerned then sought compensation.


In its judgement, the Court first states the following:
1. In the event of unauthorized disclosure of personal data or unauthorized access to those data, courts cannot infer from this fact alone that the protective measures implemented by the controller were not appropriate. The courts must assess the appropriateness of those measures in a concrete manner.
2. It is for the controller to prove that the protective measures implemented were appropriate.
3. In the event that the unauthorized disclosure of personal data or unauthorized access to those data has been committed by a ‘third party’ (such as cybercriminals), the controller may be required to compensate the data subjects who have suffered damage, unless it can prove that it is in no way responsible for that damage.
4. The fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of the GDPR is capable, in itself, of constituting ‘non-material damage’.
(Extract from the ECJ’s press release).