Following a cyber-attack, an intrusion into an authority’s computer system has been reported, resulting in the personal data of millions of people being released into the public domain. In this context, a person whose data was recorded by the authority filed a legal claim seeking compensation for the non-material damage caused by the fear that his data could be misused in the future.
The plaintiff argued that, as a result of the cyber-attack, he fears a potential misuse of his data, attributing this to the authority's failure to comply with its obligations as a personal data controller.
The Court of Justice of the European Union has held that the fear of possible misuse of personal data experienced by a data subject as a result of a breach of personal data obligations may constitute non-material damage.
Nevertheless, it was established that an unauthorised disclosure of personal data is not sufficient to conclude that the technical and organisational measures implemented by the controller concerned were not adequate. Thus, an unauthorised disclosure of data does not automatically give rise to a legitimate fear of a possible misuse of the data stored by the entity in question.