Update | Moral damage and data breach: the recent judgement of the European Court of Justice

Moral damage and data breach: the European Court of Justice (ECJ) has ruled on the interpretation of certain articles of the European Regulation on data protection (“GDPR”) to define the conditions for compensating damages to an individual whose personal data, held by a public agency, were published on the Internet following a hacker attack.

Specifically, the Court has established that:

  • in the event of unauthorized disclosure or unauthorized access to personal data (such as in cases of attacks by cybercriminals), judges must examine the adequacy of security measures concretely, without automatically assuming that they were inadequate under Articles 24 and 32 of the GDPR;
  • the burden of proving the adequacy of the measures falls on the data controller, and resorting to judicial appraisal cannot systematically constitute a necessary and sufficient means of proof;
  • the data controller may be liable to compensate for damages suffered by individuals, even in cases where the act was committed by cybercriminals, unless they can prove that the damage is not attributable to them;
  • the fear of potential future misuse of the data by third parties can constitute a moral harm in itself, entitling the individual to compensation.

To read the full judgment in Italian, click here.

The case arises from media reporting that the Bulgarian National Revenue Agency (NRA), responsible for safeguarding and recovering debts, was subject to a hacker attack resulting in the online publication of personal data of over six million individuals, both Bulgarian and foreign nationals.

Following the event, numerous individuals sued the NRA for compensation for moral damages, and among them, one individual claimed damages for an amount just over €500 (in local currency, 1000 BGN).
