On 14 December 2023, the ECJ delivered its judgment in Case C-340/21 (Natsionalna agentsia za prihodite) in which it clarifies the conditions for compensation for non-material damage resulting from a cyberattack pursuant to the General Data Protection Regulation (GDPR).

The case concerns a cyberattack against the Bulgarian National Revenue Agency (NAP), which is attached to the Bulgarian Minister for Finance. Following the cyberattack on the NAP's IT system and the unauthorized disclosure of personal data on the Internet, several individuals, fearing potential misuse of their data. They filed legal actions against the NAP for compensation for non-material damage. The Bulgarian Supreme Administrative Court referred several questions to the ECJ seeking clarification of the conditions for awarding compensation to data subjects whose personal data, held by a public agency, were published on the internet following the attack from cybercriminals.

Key points from the judgment include:

• Assessment of protective measures: National courts cannot automatically assume that the protective measures implemented by the data controller were inadequate based solely on the unauthorized disclosure of data. The appropriateness of these measures must be evaluated on a case-by-case basis;
• Burden of proof on the controller: The data controller is responsible for demonstrating that the protective measures implemented were appropriate;
• Liability for third-party actions: If a third party was responsible for the unauthorized disclosure of data, the controller may be obligated to compensate affected data subjects, unless it can prove that it was not responsible for the damage;
• Fear of misuse as non-material damage: The fear experienced by a data subject regarding the potential misuse of his/her personal data by third parties, resulting from a GDPR infringement, can itself constitute non-material damage.

It is now for the Bulgarian Supreme Administrative Court to dispose of the case in accordance with the ECJ’s replies.