In Case C-340/21, the CJEU analyses Articles 24, 32 and 5 of the GDPR and finds that the fact that an unauthorised person has accessed or disclosed personal data does not automatically mean that the security measures taken by the relevant company were not appropriate.
In Case C-340/21, recently published in the Official Journal, the CJEU analyses Articles 24, 32 and 5 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
As held by the CJEU, Articles 24, 32 and 5 of Regulation (EU) 2016/679 must be interpreted as meaning that:
- an unauthorised disclosure of personal data or unauthorised access to such data by “third parties” is not in itself sufficient to consider that the technical and organisational measures implemented by the relevant controller were not “appropriate” within the meaning of these articles;
- the appropriateness of the technical and organisational measures implemented by the controller under that article must be assessed by the national courts in a concrete manner, by taking into account the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks;
- in an action for damages under Article 82 of that regulation, the controller in question bears the burden of proving that the security measures implemented by it are appropriate pursuant to Article 32 of that regulation;
- in order to assess the appropriateness of the security measures implemented by the controller under that article, an expert’s report cannot constitute a systematically necessary and sufficient means of proof;
- the controller cannot be exempt from its obligation to pay compensation for the damage suffered by a data subject, under Article 82(1) and (2) of that regulation, solely because that damage is a result of unauthorised disclosure of, or access to, personal data by a “third party”, within the meaning of Article 4(10) of that regulation, in which case that controller must then prove that it is in no way responsible for the event that gave rise to the damage concerned;
- the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of that regulation is capable, in itself, of constituting “non-material damage” within the meaning of that provision.