Court of Justice of the European Union
VB v Natsionalna agentsia za prihodite
(Case C‑340/21)
EU:C:2023:986
2023 April 27; Dec 14
President of the Chamber N Piçarra,
Judges M Safjan, N Jääskinen (Rapporteur), M Gavalec
Advocate General G Pitruzzella
Data protection – Personal data – Processing – Cyber attack on data controller’s system causing unlawful publishing of many persons’ personal data on internet by third party – Data subject bringing claim for “non-material damage” on basis of fear of potential future misuse of data – Whether controller liable for compensating data subject – Scope of national court’s review – Rules on allocation of burden of proof – Whether data subject’s fear constituting non-material damage – Parliament and Council Regulation (EU) 2016/679, arts 5(1), 24, 32, 82

Personal data of more than six million people were published on the internet following a cyber attack on the information system of the data controller, the Bulgarian National Revenue Agency. The claimant data subject brought an action in a Bulgarian court against the data controller, pursuant to article 82 of Parliament and Council Regulation (EU) 2016/679 (the General Data Protection Regulation or “GDPR”), for compensation for “non-material damage” resulting from the “personal data breach” within the meaning of article 4(12) of that Regulation. Specifically, the data subject’s “non-material damage” consisted in the fear that her personal data might be misused in the future, or that she herself might be blackmailed, assaulted or kidnapped. She claimed that the breach of security was caused by the data controller’s failure to fulfil its obligations under, inter alia, articles 5(1)(f), 24 and 32 of the GDPR. The action was dismissed and, on the data subject’s appeal, the Bulgarian Supreme Administrative Court considered whether the fact that a personal data breach had occurred could, on its own, lead to the conclusion that the measures implemented by the data controller were not “appropriate” within the meaning of articles 24 and 32 of the GDPR. If not, the court raised the question, first, of the scope of the national courts’ review of the appropriateness of the measures concerned and, secondly, of the rules on the taking of evidence and the burden of proof, in the context of article 82 of the GDPR. The court questioned whether, in the light of article 82(3), the fact that the personal data breach was a result of a third party act systematically exempted the controller of those data from liability for the damage caused to the data subject. The court was also uncertain whether a person’s fear that their personal data might be misused in the future was capable, in itself, of constituting “non-material damage” within the meaning of article 82(1) of the GDPR.
In those circumstances, the Bulgarian court stayed the proceedings and referred four questions to the Court of Justice of the European Union for a preliminary ruling on the conditions under which the infringement of the provisions of the GDPR should be attributed to the controller following a hacking attack such as that in issue. The court also asked whether, in such a situation, the fact that the data subject feared a potential misuse of their personal data in the future could constitute “non-material damage” within the meaning of article 82(1) of the GDPR.

On the reference—

Held, (1) having regard to their wording, articles 24 and 32 of the GDPR merely required the controller to adopt “technical and organisational measures” intended to avoid any personal data breach. The appropriateness of such measures had to be assessed in a concrete manner, by deciding whether they were implemented by that controller, taking into account the various criteria referred to in those articles, the data protection needs specifically inherent in the processing concerned and the risks arising from the latter. Therefore, articles 24 and 32 did not mean that unauthorised disclosure of, or access to, personal data by a third party were sufficient to conclude that the measures adopted by the data controller were not “appropriate”, within the meaning of those provisions, without even allowing that controller to adduce evidence to the contrary. Further, the context of the provisions supported that interpretation since the obligation upon the data controller to demonstrate the appropriateness of the measures it had implemented would make no sense if that controller were obliged to prevent all breaches of those data. It followed from article 82(2) and (3) of the GDPR that, although a controller was liable for the damage caused by processing which infringed that Regulation, it was nevertheless exempt from liability if it proved that it was not in any way responsible for the event giving rise to the damage. Accordingly, unauthorised disclosure of, or access to, personal data by a “third party”, within the meaning of article 4(10) of the GDPR, were not sufficient, in themselves, to conclude that the technical and organisational measures implemented by the controller in question were not “appropriate”, within the meaning of articles 24 and 32 of the Regulation (judgment, paras 26, 30, 33, 34, 39, operative part, para 1).

(2) The appropriateness of the “technical and organisational measures” implemented by the data controller had to be assessed in two stages. First, the risks of a personal data breach caused by the data processing concerned and the possible consequences for the individuals’ rights and freedoms had to be identified. That assessment had to be carried out in a concrete manner, taking into account the likelihood of the risks and their severity. Second, it had to be ascertained whether the measures were appropriate to those risks, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the data processing. Whilst the data controller had some discretion in determining the appropriate measures to ensure a level of security appropriate to the risk, the national court had to be able to evaluate the complex assessment carried out by the data controller and, in so doing, make sure that the measures adopted were appropriate for the purposes of ensuring such a level of security. Accordingly, in order to review the appropriateness of the measures implemented under article 32 of the GDPR, the national court was not confined to finding out how the controller concerned intended to fulfil its obligations under that article, but had to carry out an examination of the substance of those measures, in the light of all the criteria referred to in the article, the circumstances of the case and the evidence. Such an examination required a concrete analysis of both the nature and the content of the measures implemented, the manner in which those measures were applied and their practical effects on the level of security that the controller was required to guarantee, having regard to the risks inherent in that data processing (judgment, paras 42, 43, 45–47, operative part, para 2).

(3) First, it was clear from the wording of articles 5(2), 24(1) and 32(1) of the GDPR that the data controller concerned bore the burden of proving that the personal data were processed so as to ensure appropriate security of those data. Those three articles set out a rule of general application, which, in the absence of any indication to the contrary in the GDPR, also had to be applied in the context of an action for damages under article 82. That literal interpretation of the provisions was supported by the objectives of the GDPR. Accordingly, the principle of accountability of the data controller, set out in article 5(2) of the GDPR and given expression in article 24, meant that, in an action for damages under article 82, the data controller bore the burden of proving that the security measures implemented were appropriate pursuant to article 32. Second, since the GDPR did not lay down rules relating to the admission and probative value of evidence, such as an expert’s report, when a national court heard an action for damages under article 82, it was for the legal system of each member state to prescribe the detailed rules for safeguarding rights which individuals derived from article 82. A national procedural rule under which it was systematically “necessary” for national courts to order that an expert’s report be obtained would be liable to conflict with the principle of effectiveness. Accordingly, article 32 of the GDPR and the principle of effectiveness of EU law meant that an expert’s report did not constitute a systematically necessary and sufficient means of proof, in order to assess the appropriateness of the security measures implemented by the data controller under article 32 (judgment, paras 52–54, 57, 60, 62–64, operative part, paras 3, 4).

UI v Österreichische Post AG (Case C‑300/21) EU:C:2023:370; [2023] 1 WLR 3702, ECJ applied.

(4) The circumstances in which a data controller could claim to be exempt from civil liability under article 82(3) of the GDPR had to be strictly limited to those in which the controller was able to demonstrate that the damage was not attributable to it. Where, as in the present case, a “personal data breach” within the meaning of article 4(12) of the GDPR had been committed by cyber criminals, and therefore by a “third party” within the meaning of article 4(10), that infringement could not be attributed to the controller unless it had made that infringement possible by failing to comply with an obligation under the GDPR, and in particular the data protection obligation in articles 5(1)(f), 24 and 32. Thus, in the event of a personal data breach by a third party, the controller could be exempt from liability by proving that there was no causal link between its possible breach of the data protection obligation and the damage suffered by the individual. Accordingly, article 82(3) of the GDPR meant that the data controller could not be exempt from its obligation to pay compensation for the damage suffered by a data subject under article 82(1) and (2), solely because that damage was a result of unauthorised disclosure of, or access to, personal data by a “third party”, in which case that controller had then to prove that it was in no way responsible for the event that gave rise to the damage concerned (judgment, paras 69–72, 74, operative part, para 5).

(5) Article 82(1) of the GDPR did not distinguish between situations in which the “non-material damage” alleged by the data subject, first, was linked to a misuse of their personal data by third parties that had already occurred at the date of the claim for compensation, or, second, was linked to that person’s fear that such use may occur in the future. Therefore, the wording of article 82(1) did not rule out the possibility that the concept of “non-material damage” in that provision encompassed a situation in which the data subject invoked a fear that their personal data would be misused by third parties as a result of an infringement of the Regulation. That analysis was consistent with a broad interpretation of the concept of “non-material damage”, as intended by the EU legislature. Further, that interpretation was supported by the objectives of the GDPR, namely, to guarantee a high level of protection of natural persons with regard to the processing of personal data within the EU. However, where a person claimed compensation on the basis that their personal data would be misused in the future, the national court had to verify that that fear could be well founded. Accordingly, the fear experienced by a data subject with regard to a possible misuse of their personal data by third parties as a result of an infringement of the GDPR was capable, in itself, of constituting “non-material damage” within the meaning of article 82(1) (judgment, paras 79–80, 81, 83, 85, 86, operative part, para 6).

UI v Österreichische Post AG (Case C‑300/21) EU:C:2023:370; [2023] 1 WLR 3702, ECJ applied.

R Spetsov for the data controller.

M Georgieva and L Zaharieva, agents, for the Bulgarian Government.

O Serdula, M Smolek and J Vláčil, agents, for the Czech Government.

David Fennelly BL (instructed by M Browne, A Joyce, J Quaney and M Tierney, agents) for Ireland.

G Palmieri, agent, and E De Bonis, for the Italian Government.

P Barros da Costa, A Pimenta, MJ Ramos and C Vieira Guerra, agents, for the Portuguese Government.

A Bouchagiar, H Kranenborg and N Nikolova, agents, for the European Commission.

Sarah Addenbrooke, Barrister