Does the Fear of Misuse of Personal Data Give Rise to Compensation?

Under the GDPR, data subjects may claim compensation if they suffered damage because the controller infringed his obligations under the GDPR. Does a data theft by cybercriminals mean that the controller has not adopted appropriate data security measures, meaning that he failed to comply with his data protection obligations? Can the data subject claim compensation if his only damage is the fear that his personal data was misused? The Court of Justice of the European Union answered these questions in a fresh decision, which is analysed in this short article.


In 2019, the media revealed that the IT system of the Bulgarian authority NAP had been hacked and that personal data contained in the IT system had been published on the internet. More than 6 million persons were affected by the data breach.

The appellant sued the NAP for compensation, claiming that her fear that her personal data, leaked because of the data breach, might be misused (she might be blackmailed, assaulted or even kidnapped) constitutes non-material damage.

The first instance court dismissed the appellant's action. The court held that the appellant had failed to prove that the NAP had not adopted appropriate security measures and, further, that the appellant had not suffered any non-material damage.

The appellant filed an appeal against this decision, and the Supreme Administrative Court referred the case to the CJEU in Luxembourg to clarify the provisions of the GDPR as regards the adequacy of data security measures and the conditions of compensation, including the concept of non-material damage.

The adequacy of data security measures

First, the CJEU established that, based on the GDPR, unauthorized access to or disclosure of personal data by a third party is not sufficient to conclude that the data security measures adopted by the controller were not appropriate. The EU legislator only expects controllers to mitigate the risks of personal data breaches; however, there is no indication in the text of the GDPR that it would be possible to eliminate them.

According to the Luxembourg court, the national courts shall assess the appropriateness of data security measures in two stages. First, it is necessary to identify the risks of a data breach and their consequences for the rights and freedoms of natural persons. Secondly, it shall be ascertained whether the implemented data security measures are appropriate to the identified risks, considering the state of the art, the costs of implementation and the parameters of the processing.

Further, the CJEU clarified that in relation to the appropriateness of the data security measures, the burden of proof lies with the controller.

The conditions of compensation

When it comes to the conditions of the compensation to be paid based on the GDPR, the Luxembourg judges shed light on two important questions.

The CJEU recalled that a controller may only be exempted from paying compensation if he is able to demonstrate that the damage is not attributable to him. In the Court’s view, if the personal data breach has been committed by cybercriminals (therefore a third party), the infringement of the GDPR cannot be attributed to the controller unless he failed to comply with his obligations laid down by the GDPR, specifically to adopt appropriate data security measures.

In addition, the Luxembourg court interpreted the concept of damage under the GDPR. According to the Court, the wording of the GDPR makes clear that the EU legislature intended to include in that concept the mere ‘loss of control’ over the personal data, even if there had been no misuse of the data to the detriment of the affected data subjects. Thus, the fear experienced by a data subject with regard to the possible misuse of his personal data by third parties as a result of an infringement of the GDPR is capable, in itself, of constituting non-material damage.


To briefly analyse the decision: on the one hand, controllers may welcome the CJEU’s attitude regarding the appropriateness of data security measures, namely that even in case of a data breach, controllers may prove that the adopted data security measures were appropriate. On the other hand, it seems to be a rather high standard of liability that data subjects can claim damages for the mere fear of their data being misused without suffering actual damages.

By Anita Vereb, Attorney-at-law, SmartLegal Schmidt & Partners
