Article 32 - Security of processing
3 preliminary rulingsJudgment of 2 Dec 2025, C-492/23 (Russmedia Digital and Inform Media Press) 
Article 32 of Regulation 2016/679must be interpreted as meaning that the operator of an online marketplace, as controller, within the meaning of Article 4(7) of that regulation, of the personal data contained in advertisements published on its online marketplace, is required to implement appropriate technical and organisational security measures in order to prevent advertisements published there and containing sensitive data, in terms of Article 9(1) of that regulation, from being copied and unlawfully published on other websites.
Judgment of 25 Jan 2024, C-687/21 (MediaMarktSaturn)
Articles 5, 24, 32 and 82 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read together must be interpreted as meaning that in an action for compensation based on Article 82, the fact that the employees of the controller provided to an unauthorised third party in error a document containing personal data is not sufficient, in itself, to consider that the technical and organisational measures implemented by the controller at issue were not ‘appropriate’, within the meaning of Articles 24 and 32.
Judgment of 14 Dec 2023, C-340/21 (Natsionalna agentsia za prihodite)
Article 32 of Regulation 2016/679 must be interpreted as meaning that the appropriateness of the technical and organisational measures implemented by the controller under that article must be assessed by the national courts in a concrete manner, by taking into account the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks.
The principle of accountability of the controller, set out in Article 5(2) of Regulation 2016/679 and given expression in Article 24 thereof, must be interpreted as meaning that, in an action for damages under Article 82 of that regulation, the controller in question bears the burden of proving that the security measures implemented by it are appropriate pursuant to Article 32 of that regulation.
Article 32 of Regulation 2016/679 and the principle of effectiveness of EU law must be interpreted as meaning that, in order to assess the appropriateness of the security measures implemented by the controller under that article, an expert’s report cannot constitute a systematically necessary and sufficient means of proof.
