The Bulgarian National Agency for Revenue (NAP) is subordinate to the Bulgarian Minister of Finance. Among other things, it is responsible for determining, securing and collecting public receivables. In this context, it is responsible for the processing of personal data. On July 15, 2019, it was reported in the media that the NAP's IT system had been breached and that personal data of millions of people contained in this system had been published on the internet as a result of this cyberattack. Numerous people sued the NAP for compensation for the non-material damage they allegedly suffered due to fears that their data could be misused.
The Bulgarian Supreme Administrative Court has referred several questions on the interpretation of the General Data Protection Regulation (GDPR) to the Court of Justice for a preliminary ruling. It wishes to clarify the conditions under which a person whose personal data held by a public agency has been published on the internet following an attack by cybercriminals can claim compensation for non-material damage.
In its judgment, the Court responded as follows:
1. in the event of unauthorized disclosure of or access to personal data, the courts cannot infer from this fact alone that the protective measures taken by the data controller were not appropriate. The courts must specifically assess the suitability of these measures.
2. the person responsible bears the burden of proof that the protective measures taken were appropriate.
3. in the event of unauthorized disclosure of or unauthorized access to personal data by "third parties" (such as cybercriminals), the controller may be liable to pay compensation to the persons who have suffered damage, unless he proves that he is not responsible for the damage in any way.
4. the mere fact that a data subject fears that their personal data could be misused by third parties as a result of a breach of the GDPR may constitute "non-material damage".
Judgment of the Court of Justice in Case C-340/21 | Natsionalna agentsia za prihodite
