(10) Third party
1 preliminary rulingJudgment of 14 Dec 2023, C-340/21 (Natsionalna agentsia za prihodite) 
Articles 24 and 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that unauthorised disclosure of personal data or unauthorised access to those data by a ‘third party’, within the meaning of Article 4(10) of that regulation, are not sufficient, in themselves, for it to be held that the technical and organisational measures implemented by the controller in question were not ‘appropriate’, within the meaning of Articles 24 and 32.
Article 82(3) of Regulation 2016/679 must be interpreted as meaning that the controller cannot be exempt from its obligation to pay compensation for the damage suffered by a data subject, under Article 82(1) and (2) of that regulation, solely because that damage is a result of unauthorised disclosure of, or access to, personal data by a ‘third party’, within the meaning of Article 4(10) of that regulation, in which case that controller must then prove that it is in no way responsible for the event that gave rise to the damage concerned.
