A Closer Look at the GDPR’s Security Requirements and Assessing the (In)Appropriateness of Technical and Organisational Measures (TOMs)

Suzanne Nusselder


Keywords: Article 32 GDPR, security requirements, technical and organisational measures, non-material damages, cybersecurity

Case C-340/21 VB v Natsionalna agentsia za prihodite (NAP), Judgement of the Court of Justice (Third Chamber) of 14 December 2023

In the first judgement specifically dealing with the GDPR’s security requirements, the CJEU provides clarity on the interpretation of Article 32 GDPR. The occurrence of a personal data breach does not in itself demonstrate the inappropriateness of the TOMs implemented by the data controller. Instead, the data controller bears the burden of proof for demonstrating the appropriateness of TOMs, which is to be checked in a substantive manner by national courts. Furthermore, a data subject’s fear of potential future misuse of personal data following a hacking attack can constitute non-material damage, provided it is well-founded and specific.

Suzanne Nusselder, PhD researcher at Tilburg University, Tilburg Institute of Law, Technology and Society (TILT). For correspondence: <>.
