Incident Details
The CJEU issued a judgment on December 14, 2023, in the case of VB v. Natsionalna agentsia za prihodite (C‑340/21), providing clarity on the interpretation of non-material damage according to Article 82 of the EU GDPR and the principles related to burden of proof within the regulation. In the aftermath of a cyber incident targeting the Bulgarian National Revenue Agency, an individual among the over six million affected parties filed a lawsuit with the Administrative Court of Sofia seeking compensation. The individual contended that they had experienced non-material harm due to a breach of personal data resulting from the Agency's failure to comply with various GDPR provisions, including Articles 5(1)(f), 24, and 32. The claimed non-material harm comprised concerns about potential misuse of their personal information, which was disclosed without consent, leading to fears of future exploitation, blackmail, physical harm, or abduction.
Incident
How Did the Breach Happen?
The breach occurred due to a cyber intrusion targeting the Bulgarian National Revenue Agency.
What Data has been Compromised?
Over six million people had their personal information exposed.
Why Did the Agency's Security Measures Fail?
The Agency's security measures were compromised because it did not meet its responsibilities under Articles 5(1)(f), 24, and 32 of the GDPR.
What Immediate Impact Did the Breach Have on the Agency?
After the breach, the Agency faced immediate consequences when one of the affected individuals initiated legal proceedings at the Administrative Court of Sofia to seek compensation.
How could this have been prevented?
The breach could have been avoided if the Agency had put in place suitable technical and organizational measures to adhere to the requirements of Articles 24 and 32 of the GDPR.
What have we learned from this data breach?
The recent data exposure incident has taught us that the anxiety people feel about the potential misuse of their personal information by external parties can be considered a form of intangible harm.
Summary of Coverage
The Court of Justice of the European Union (CJEU) has determined that anxiety can be considered harm under the General Data Protection Regulation (GDPR) in a case concerning a personal data breach at the Bulgarian National Revenue Agency. The breach, caused by a cyber attack, affected over six million people, underscoring the need to adopt suitable security protocols to comply with the GDPR and the psychological distress that can result from concerns about the misuse of personal information.