Bulgaria's Supreme Administrative Court submits several questions to the Court of Justice for a preliminary ruling on the interpretation of the General Data Protection Regulation (GDPR). The referring court seeks clarification of the conditions for awarding compensation for non-material damage invoked by a data subject whose personal data, held by a public authority, was published on the Internet following an attack by cybercriminals.
In its ruling, the Court answered the questions raised as follows:
In cases of unauthorized disclosure of personal data or unauthorized access to such data, courts cannot infer from this fact alone that the protective measures taken by the controller were not appropriate. Courts must specifically assess the adequacy of those measures.
It is up to the controller to demonstrate that the protective measures taken were appropriate.
In the event that the unauthorized disclosure of personal data or unauthorized access to that data has been committed by a "third party" (such as cybercriminals), the data controller may be required to compensate data subjects who have suffered harm, unless it can be shown that it is in no way responsible for that harm.
The fear experienced by a data subject regarding possible misuse of his or her personal data by third parties as a result of a GDPR violation is itself capable of constituting "intangible harm."