Auditors, lawyers, tax consultants and management consultants: Four perspectives. One solution. Worldwide. Find out …
We review your past and advise you on the implementation of future requirements and projects. Find out more!
Our clients entrust us with their most important legal matters. Learn more about our legal services!
Tax laws are complex and dynamic. We face the challenge of tax law together with you - find out more.
We support you with customised solutions so that your company can continue to operate successfully on the market in …
Shared service centers in SMEs: structure for greater efficiency
Pillar 2: Mandatory registration in the UK and discussions in the EU Parliament
Accounting vs. tax law: Why more coordination is needed
EU “Omnibus” Package: Less effort for sustainability reporting?
Baker Tilly starts the year 2025 with 23 new Directors
Challenges in corporate finance: Baker Tilly at Structured FINANCE 2024
Pay slips are purely information documents
Financing and funding: realignment in the coalition agreement
Labor and social law: What the new coalition agreement contains
Public procurement: Legally compliant procurement of cyber insurance
Countdown to September – The EU Data Act and its implications
Procurement law – legal framework for emergency procurements in the event of a cyberattack
Industry-specific knowledge is essential in order to create the best conditions for customised solutions. Find out …
Baker Tilly advises biotech startup Real Collagen GmbH investment by US investor
Energy study: Uncertainty slows down investments by industry and utilities in Germany
After ECJ ruling: Financial investors still have no direct access to medical care centers
Benefit from bundled interdisciplinary competencies, expert teams and individual solutions. Learn more!
Baker Tilly offers a wide range of individual and innovative consulting services. Find out more!
On December 14, 2023, the European Court of Justice (ECJ) issued a groundbreaking decision that significantly expands consumer rights in the EU.
ECJ defines new criteria for non-material damage after hacker attacks
The judgment (case no. C-340/21) concerns a hacker attack from 2019 in which a Bulgarian authority exposed millions of personal data on the internet. A large number of data subjects had sued the authority under Article 82 (1) of the GDPR for compensation for the non-material damage they suffered due to the fear of possible misuse of their data. The Bulgarian court referred the question to the ECJ as to when a person whose personal data was published on the internet following a cyberattack is entitled to compensation for non-material damage. The ECJ ruled that the mere concern about the possible misuse of personal data following a hacker attack can be considered non-material damage. This makes it easier for those affected by data breaches to assert their claims in court.
Reversal of the burden of proof: companies must provide evidence of their safety measures’ effectiveness
Another important aspect of the decision concerns the burden of proof in connection with hacker attacks. Companies and authorities whose systems have been hacked must now prove that their protective measures were appropriate and effective. Companies must not only prove the adequacy of their protective measures, but also that they are “in no way liable for the damage”. What this looks like in practice is entirely unclear. Even with technically comprehensive and up-to-date protective measures, hacker attacks cannot be ruled out, as these always include human error.
Consequences of the decision: Claim for damages much easier to enforce
With its decision, the ECJ has established clear criteria for the punishment of data protection breaches that are attributable to cyber-attacks. Companies and authorities are urgently required to review their security measures and ensure that they meet their responsibilities in the event of hacker attacks. The current case law further increases the risk, as hacker attacks continue to increase.
View all news