Referral C-340/21 (Natsionalna agentsia za prihodite, 2 Jun 2021)

1. Are Articles 24 and 32 of Regulation (EU) 2016/679 to be interpreted as meaning that unauthorised disclosure of, or access to, personal data within the meaning of point 12 of Article 4 of Regulation (EU) 2016/679 by persons who are not employees of the controller’s administration and are not subject to its control is sufficient for the presumption that the technical and organisational measures implemented are not appropriate?

2. If the first question is answered in the negative, what should be the subject matter and scope of the judicial review of legality in the examination as to whether the technical and organisational measures implemented by the controller are appropriate pursuant to Article 32 of Regulation (EU) 2016/679?

3. If the first question is answered in the negative, is the principle of accountability under Article 5(2) and Article 24 of Regulation (EU) 2016/679, read in conjunction with recital 74 thereof, to be interpreted as meaning that, in legal proceedings under Article 82(1) of Regulation (EU) 2016/679, the controller bears the burden of proving that the technical and organisational measures implemented are appropriate pursuant to Article 32 of that regulation? Can the obtaining of an expert’s report be regarded as a necessary and sufficient means of proof to establish whether the technical and organisational measures implemented by the controller were appropriate in a case such as the present one, where the unauthorised access to, and disclosure of, personal data are the result of a ‘hacking attack’?

4. Is Article 82(3) of Regulation (EU) 2016/679 to be interpreted as meaning that unauthorised disclosure of, or access to, personal data within the meaning of point 12 of Article 4 of Regulation (EU) 2016/679 by means of, as in the present case, a ‘hacking attack’ by persons who are not employees of the controller’s administration and are not subject to its control constitutes an event for which the controller is not in any way responsible and which entitles it to exemption from liability?

5. Is Article 82(1) and (2) of Regulation (EU) 2016/679, read in conjunction with recitals 85 and 146 thereof, to be interpreted as meaning that, in a case such as the present one, involving a personal data breach consisting in unauthorised access to, and dissemination of, personal data by means of a ‘hacking attack’, the worries, fears and anxieties suffered by the data subject with regard to a possible misuse of personal data in the future fall per se within the concept of non-material damage, which is to be interpreted broadly, and entitle him or her to compensation for damage where such misuse has not been established and/or the data subject has not suffered any further harm?