CJEU case C‑340/21 Natsionalna agentsia za prihodite – CJEU Judgment (European Union, 2023)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
With its first question, the referring court asked whether the fact that a GDPR violation effectively occurred automatically entails that the controller did not comply with its obligations to implement appropriate measures under Articles 24 and 32 GDPR. According to the Advocate General, appropriate measures shall be in line with the state of the art. However, this cannot guarantee that in exceptional situations they will always be effective. In addition, Article 32(1) GDPR specifically mentions that the controller may take into account the “cost of implementations” that a certain security measure entails.
With its second question, the Supreme Administrative Court sought to ascertain what kind of test a judicial authority should perform when assessing the suitability of the measures adopted by the controller. The Advocate General stressed that judicial scrutiny cannot be limited to the existence of measures in place.
The third question concerned how to allocate the burden of proof concerning the suitability of the security measures. In the Advocate General’s Opinion, it is the controller who has to bear such a burden. The data subject, in the context of an action pursuant to Article 82 GDPR, shall prove a GDPR infringement, the existence of damage and a causal link between the two. However, a burden of proof on the data subject concerning the suitability of the measures would make the fulfillment of the action almost impossible in practice.
With the fourth question, the referring court asked whether the fact that the data breach occurred because of third parties’ actions entails that the controller was no longer liable under Article 82(3) GDPR. The Advocate General categorically excluded this interpretation, highlighting that a controller ceases to be liable only when it shows the lack of fault on its side.
The fifth question concerned the notion of non-material damage. In particular, the court wondered whether the data subject’s concern that their data
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Details
Judgment Date
14 December 2023
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-7427
Cite as: Cookie Fines. CJEU case C‑340/21 Natsionalna agentsia za prihodite - European Union (2023). Retrieved from cookiefines.eu