The Advocate General of the Court of Justice of the European Union (CJEU) provided an opinion regarding Case C-340/21, which concerns the 2019 data breach suffered by Bulgaria's National Revenue Agency (NAP). The breach led to the posting of taxpayers' and social security information on the internet. The opinion stated that a data breach was not a sufficient condition to determine whether the controller had adopted appropriate and legally required measures. Many individuals, including V.B., filed claims for non-material damages of worry and fear of their personal data being misused in the future.
The court of first instance dismissed the application, ruling that the dissemination of the data was not attributable to the agency and that non-material damage was not eligible for compensation. On appeal, the Supreme Administrative Court referred several questions to the CJEU regarding the interpretation of the General Data Protection Regulation (GDPR) in defining the conditions for awarding compensation for non-material damage to individuals whose personal data was published on the internet following a hacking attack.
The Advocate General stated that a controller is responsible for implementing appropriate technical and organizational measures to ensure that the processing of personal data is performed by the GDPR and noted that non-material damage might constitute a right to compensation, provided that it is a matter of actual and specific emotional damage and not simply trouble or inconvenience.