The Court of Justice of the European Union (CJEU) has clarified, in case C‑340/21, the concept of non-material damage under Article 82 of the EU General Data Protection Regulation (GDPR) and the rules governing the burden of proof. The ruling confirms that unauthorized disclosure of, or access to, personal data doesn't necessarily mean that the technical and organisational measures implemented by the controller to comply with Articles 24 and 32 of the GDPR were not appropriate. It is up to the national courts to assess the appropriateness of the measures and for the controller to prove their suitability.
The CJEU also noted that an infringement resulting from the actions of a third party doesn't exempt the controller from liability and that the burden of proving the implemented measures were appropriate falls on the controller. Additionally, the fear experienced by individuals regarding the possible misuse of their personal data by third parties may in itself constitute non-material damage.
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.