Judgment of the Court (Third Chamber) of 14 December 2023 (request for a preliminary ruling from the Varhoven administrativen sad – Bulgaria) – VB v Natsionalna agentsia za prihodite

(Case C-340/21 (1), Natsionalna agentsia za prihodite)

(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 5 – Principles relating to that processing – Article 24 – Accountability of the controller – Article 32 – Measures implemented to ensure security of processing – Assessment of the appropriateness of such measures – Scope of judicial review – Taking of evidence – Article 82 – Right to compensation and liability – Possible exemption from liability of the controller in the event of infringement by third parties – Claim for compensation for non-material damage based on fear of potential misuse of personal data)

Language of the case: Bulgarian

Referring court

Varhoven administrativen sad

Parties to the main proceedings

Applicant: VB

Defendant: Natsionalna agentsia za prihodite

Operative part of the judgment

Articles 24 and 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that unauthorised disclosure of personal data or unauthorised access to those data by a ‘third party’, within the meaning of Article 4(10) of that regulation, are not sufficient, in themselves, for it to be held that the technical and organisational measures implemented by the controller in question were not ‘appropriate’, within the meaning of Articles 24 and 32.

Article 32 of Regulation 2016/679

must be interpreted as meaning that the appropriateness of the technical and organisational measures implemented by the controller under that article must be assessed by the national courts in a concrete manner, by taking into account the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks.

The principle of accountability of the controller, set out in Article 5(2) of Regulation 2016/679 and given expression in Article 24 thereof,

must be interpreted as meaning that, in an action for damages under Article 82 of that regulation, the controller in question bears the burden of proving that the security measures implemented by it are appropriate pursuant to Article 32 of that regulation.

Article 32 of Regulation 2016/679 and the principle of effectiveness of EU law

must be interpreted as meaning that, in order to assess the appropriateness of the security measures implemented by the controller under that article, an expert’s report cannot constitute a systematically necessary and sufficient means of proof.

Article 82(3) of Regulation 2016/679

must be interpreted as meaning that the controller cannot be exempt from its obligation to pay compensation for the damage suffered by a data subject, under Article 82(1) and (2) of that regulation, solely because that damage is a result of unauthorised disclosure of, or access to, personal data by a ‘third party’, within the meaning of Article 4(10) of that regulation, in which case that controller must then prove that it is in no way responsible for the event that gave rise to the damage concerned.

Article 82(1) of Regulation 2016/679

must be interpreted as meaning that the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of that regulation is capable, in itself, of constituting ‘non-material damage’ within the meaning of that provision.

____________

(1) OJ C 329, 16.8.2021.