CJEU - C-768/21 - Land Hessen (Obligation of the data protection authority to act): Difference between revisions

From GDPRhub

Latest revision as of 10:45, 19 October 2024

CJEU - C-768/21 Land Hessen (Obligation of the data protection authority to act)
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 57(1) GDPR, Article 57(1)(f) GDPR, Article 58(2) GDPR, Article 77(2) GDPR
Decided: 11.04.2024
Case Number/Name: C-768/21 Land Hessen (Obligation of the data protection authority to act)
European Case Law Identifier: ECLI:EU:C:2024:291
Language: 24 EU Languages
Original Source: AG Opinion, Judgement
Initial Contributor: nzm

The CJEU held that when a data breach has been established, DPAs are not required to exercise a corrective power under Article 58(2) GDPR, where it is not appropriate, necessary or proportionate to remedy the shortcoming found.  

English Summary

Facts

On 15 November 2019, the controller notified the Hessian DPA (“HBDI”) of a personal data breach pursuant to Article 33 GDPR as one of its employees had, on several occasions, unlawfully accessed personal data of one of the controller’s customers (“data subject”). The controller considered that this personal data breach was not likely to result in a high risk for the data subject as (i) it had taken disciplinary measures against the employee concerned, (ii) the employee had also confirmed in writing that she had not copied or retained the data, nor transferred it to third parties and (iii) she also promised not to do so in the future. In addition, (iv) the controller indicated that it would review the length of time for which access logs were kept. Therefore, the controller did not notify the data subject under Article 34 GDPR.

However, the data subject became incidentally aware that his personal data had been improperly accessed and lodged a complaint with the HBDI regarding, inter alia, the failure to communicate the data breach to him in violation of Article 34 GDPR.

On 3 September 2023, the HBDI informed the data subject that the controller did not infringe Article 34 GDPR, since the controller's assessment regarding the risk for the data subject was not manifestly incorrect. No corrective measures were adopted against the controller.

The data subject lodged an action against this decision with the Administrative Court of Wiesbaden (Verwaltungsgericht Wiesbaden) asking it to order the HBDI to take action against the controller. The data subject indicated that the DPA had failed to handle his complaint in accordance with the requirements of the GDPR and, in particular, to adopt a measure under Article 58 GDPR.

The Administrative Court of Wiesbaden referred a question to the CJEU:

  • When a DPA finds that a data processing has infringed the data subject’s rights, must the DPA always take action in accordance with Article 58(2) GDPR?

Advocate General Opinion

Advocate General Priit Pikamäe delivered his opinion on the matter on 11 April 2024.

Firstly, regarding the obligations of the supervisory authority when handling a complaint, the Advocate General referenced the SCHUFA judgement and indicated that under this case law, in accordance with Article 8(3) of the Charter and Article 51(1) and 57(1)(a) GDPR, national DPAs are responsible for monitoring compliance with the GDPR (§35 of the Opinion).

Under Article 57(1)(f) GDPR, each DPA is required to handle complaints lodged on its territory and to examine the subject matter of the complaint to the extent necessary. The Advocate General added that the DPA must deal with such a complaint "with all due diligence" (§37 of the Opinion).

Secondly, regarding the obligations of the supervisory authority when a personal data breach is identified, the Advocate General considered that when a DPA finds a personal data breach in the course of investigating a complaint, it has an obligation to take action in the interests of the principle of legality. Therefore, "it would be incompatible with that mandate for the supervisory authority to have the option of simply ignoring the infringement detected." (§40 of the Opinion). This generally means identifying the most appropriate corrective measures in order to address the infringement.

Articles 57(1)(f) and 77(2) GDPR impose certain obligations on the DPA, namely to "inform the complainant of the progress and the outcome of the investigation" (§42 of the Opinion). The Advocate General held that this implies that a DPA must also report on the measures taken in relation to the personal data breach it has identified. The DPA has the obligation to intervene in all cases, no matter the severity of the breach, meaning that it must have recourse to the list of corrective measures provided by Article 58(2) GDPR in order to bring the situation back into compliance with EU law.

Thirdly, the Advocate General noted that the question of whether a DPA should intervene in the event of a personal data breach must be distinguished from the question of how it should act (§43 of the Opinion). Indeed, under Article 58(2) GDPR, the DPA has the option to adopt all the corrective measures listed, meaning that the latter has a degree of latitude. The Advocate General considered that the discretionary power also implies the power not to take any of the corrective measures referred to in Article 58(2) GDPR.

In particular, this implies that minor breaches may also be remedied by measures taken by the controller itself. For example, in the present case the controller adopted disciplinary measures against the employee who committed the infringement. Therefore, when liability for the infringement has been accepted and it has been ensured that a further data breach will not occur, the imposition of further corrective measures by the DPA may appear unnecessary (§51 of the Opinion).

However, in certain cases this degree of latitude is limited: the Advocate General agreed with the Austrian Government that in a multitude of cases the adoption of a specific corrective measure is required. For example, where a controller has failed to comply with an erasure request, the DPA will be obliged to order erasure (§60 of the Opinion). Therefore, in some cases the DPA's discretion could be confined to adopting the only measure appropriate to protect the data subject's rights (§61 of the Opinion).

Apart from this case, the Advocate General noted that if the DPA chooses to refrain from applying corrective measures and instead relies on ‘autonomous’ measures taken by the controller, certain legal requirements should be complied with: (i) the DPA should give its express consent to the autonomous measure, (ii) that consent should be preceded by a rigorous examination of the situation in light of the conditions set out in Recital 129, and (iii) the DPA should have a right to intervene if the instructions are not complied with (§53 of the Opinion).

He also added that although the data subject has certain rights with regard to the DPA in the context of the procedure, in particular the right to be informed of the progress and outcome of the investigation within a reasonable period, those rights do not include the right to require the adoption of a specific measure (§54 of the Opinion).

Fourthly, regarding the obligation to impose administrative fines, the Advocate General noted that Article 83(2) GDPR establishes that a DPA may refrain from imposing an administrative fine if the circumstances justify such an approach. Therefore, this Article does not indicate that it is mandatory in all cases to impose an administrative fine (§67 of the Opinion).

Finally, regarding the obligation to issue administrative fines at the data subject’s express request, the Advocate General considered that, depending on the individual case, the DPA may consider various corrective measures, without the data subject being able to demand the adoption of a specific measure. However, the data subject may propose recourse to a corrective measure, providing arguments and evidence to support their point of view (§81 of the Opinion).

Therefore, the Advocate General concluded that when a DPA finds that a processing has infringed the data subject’s rights, the DPA must take action under Article 58(2) GDPR to the extent necessary to ensure full compliance with the GDPR (§83 of the Opinion).

Holding

On 26 September 2024, the CJEU rendered the ruling.

The CJEU answered the preliminary question, stating that DPAs are not required to exercise a corrective power (in particular impose an administrative fine), where it is not appropriate, necessary or proportionate under Article 58(2) GDPR to remedy the shortcoming found and to ensure that the GDPR is fully enforced.

At the outset, the CJEU referred to the duties of DPAs when handling complaints lodged before them, especially the duty of due diligence mentioned in the Schufa case. In particular, the overarching purpose of DPA proceedings is to react appropriately in order to remedy the violation found.

Article 58(2) GDPR lists the potential forms of the DPA's action. However, the DPA enjoys discretion to choose the appropriate and necessary remedy. Thus, the DPA must assess all the circumstances of the specific case. Nevertheless, neither Article 58(2) GDPR nor Article 83 GDPR imposes an obligation on DPAs to use a corrective measure every time a breach of personal data is found. The CJEU emphasized that, as the AG mentioned in his opinion, an individual does not enjoy the right to seek the imposition of a fine by the DPA.

Consequently, the CJEU explained that, in exceptional cases, having analysed all the circumstances of the case, DPAs may refrain from exercising a corrective power even though a data breach has been established. This could be the case where the data breach has not continued and the controller had, in principle, implemented appropriate technical and organisational measures to ensure that the breach is stopped and does not recur.

According to the CJEU, such an interpretation is supported by the objective of Article 58(2) GDPR, which is to ensure compliance with the GDPR. Hence, where the GDPR was violated but the controller has already restored compliance with the GDPR, the corrective powers may not be required.

In the case at hand, it is then the referring court's task to assess whether or not the HBDI reacted appropriately, in particular within the limits of the discretion conferred upon it.

Comment

In this Opinion, the Advocate General highlights several times that his Opinion in the Schufa judgement was almost entirely endorsed by the CJEU, and that this Opinion picks up where the Schufa Opinion left off.
