Auditors ✓ Lawyers ✓ Tax advisors ✓ and business consultants ✓ : Four perspectives. One solution. Worldwide. Learn …
Auditing and audit-related advice for companies ✓ Experienced auditors ✓ Excellent advice ✓ Tailor-made solutions » …
Our clients entrust us with their most important legal matters. Learn more about our legal services!
Tax laws are complex and dynamic. We face the challenge of tax law together with you - find out more.
Business consulting for companies ✓ Experienced consultants ✓ Excellent advice ✓ Tailor-made solutions » more
In-house or outsourcing? Strategic decisions in accounting
Avoid shareholder conflicts: Structure instead of ambiguity
How far can the rights of a criminal defense insurer extend?
EU “Omnibus” Package: Less effort for sustainability reporting?
Baker Tilly starts the year 2025 with 23 new Directors
Challenges in corporate finance: Baker Tilly at Structured FINANCE 2024
Pay slips are purely information documents
Financing and funding: realignment in the coalition agreement
Accounting in corporate groups: Standardized structures instead of isolated solutions
Survey: Two thirds of German automotive suppliers anticipate a market shakeout
NIS-2 and no end in sight: implementation in Germany delayed further
Public procurement: Legally compliant procurement of cyber insurance
Cross-industry expertise for individual solutions ✓ Our interdisciplinary teams combine expertise & market …
Baker Tilly advises biotech startup Real Collagen GmbH investment by US investor
Energy study: Uncertainty slows down investments by industry and utilities in Germany
Risk management ✓ Compliance and controls ✓ Increase and ensure security & conformity ✓ more»
Baker Tilly offers a wide range of individual and innovative consulting services. Find out more!
On December 14, 2023, the European Court of Justice (ECJ) issued a groundbreaking decision that significantly expands consumer rights in the EU.
ECJ defines new criteria for non-material damage after hacker attacks
The judgment (case no. C-340/21) concerns a hacker attack from 2019 in which a Bulgarian authority exposed millions of personal data on the internet. A large number of data subjects had sued the authority under Article 82 (1) of the GDPR for compensation for the non-material damage they suffered due to the fear of possible misuse of their data. The Bulgarian court referred the question to the ECJ as to when a person whose personal data was published on the internet following a cyberattack is entitled to compensation for non-material damage. The ECJ ruled that the mere concern about the possible misuse of personal data following a hacker attack can be considered non-material damage. This makes it easier for those affected by data breaches to assert their claims in court.
Reversal of the burden of proof: companies must provide evidence of their safety measures’ effectiveness
Another important aspect of the decision concerns the burden of proof in connection with hacker attacks. Companies and authorities whose systems have been hacked must now prove that their protective measures were appropriate and effective. Companies must not only prove the adequacy of their protective measures, but also that they are “in no way liable for the damage”. What this looks like in practice is entirely unclear. Even with technically comprehensive and up-to-date protective measures, hacker attacks cannot be ruled out, as these always include human error.
Consequences of the decision: Claim for damages much easier to enforce
With its decision, the ECJ has established clear criteria for the punishment of data protection breaches that are attributable to cyber-attacks. Companies and authorities are urgently required to review their security measures and ensure that they meet their responsibilities in the event of hacker attacks. The current case law further increases the risk, as hacker attacks continue to increase.
View all news