CJEU - C-768/21 - Land Hessen (Obligation of the data protection authority to act)

From GDPRhub
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 57(1) GDPR
Article 57(1)(f) GDPR
Article 58(2) GDPR
Article 77(2) GDPR
Decided: 11.04.2024
Parties:
Case Number/Name: C-768/21 Land Hessen (Obligation of the data protection authority to act)
European Case Law Identifier: ECLI:EU:C:2024:291
Reference from:
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: nzm


The CJEU held that when a data breach has been established, DPAs are not required to exercise a corrective power under Article 58(2) GDPR, where it is not appropriate, necessary or proportionate to remedy the shortcoming found.  

English Summary

Facts

On 15 November 2019, the controller notified the Hessian DPA (“HBDI”) of a personal data breach pursuant to Article 33 GDPR as one of its employees had, on several occasions, unlawfully accessed personal data of one of the controller’s customers (“data subject”). The controller considered that this personal data breach was not likely to result in a high risk for the data subject as (i) it had taken disciplinary measures against the employee concerned, (ii) the employee had also confirmed in writing that she had not copied or retained the data, nor transferred it to third parties and (iii) she also promised not to do so in the future. In addition, (iv) the controller indicated that it would review the length of time for which access logs were kept. Therefore, the controller did not notify the data subject under Article 34 GDPR.

However, the data subject became incidentally aware that his personal data had been improperly accessed and lodged a complaint with the HBDI regarding, inter alia, the failure to communicate the data breach to him in violation of Article 34 GDPR.

On 3 September 2023, the HBDI informed the data subject that the controller did not infringe Article 34 GDPR, since the controller's assessment regarding the risk for the data subject was not manifestly incorrect. No corrective measures were adopted against the controller.

The data subject lodged an action against this decision with the Administrative Court of Wiesbaden (Verwaltungsgericht Wiesbaden) asking it to order the HBDI to take action against the controller. The data subject indicated that the DPA had failed to handle his complaint in accordance with the requirements of the GDPR and, in particular, to adopt a measure under Article 58 GDPR.

The Administrative Court of Wiesbaden referred a question to the CJEU:

  • When a DPA finds that data processing has infringed the data subject’s rights, must the DPA always take action in accordance with Article 58(2) GDPR?

Advocate General Opinion

Advocate General Priit Pikamäe delivered his opinion on the matter on 11 April 2024.

Firstly, regarding the obligations of the supervisory authority when handling a complaint, the Advocate General referenced the SCHUFA judgement and indicated that under this case law, in accordance with Article 8(3) of the Charter and Articles 51(1) and 57(1)(a) GDPR, national DPAs are responsible for monitoring compliance with the GDPR (§35 of the Opinion).

Under Article 57(1)(f) GDPR, each DPA is required to handle complaints on its territory and examine the nature of that complaint as necessary. The Advocate General added that the DPA must deal with such a complaint "with all due diligence" (§37 of the Opinion).

Secondly, regarding the obligations of the supervisory authority when a personal data breach is identified, the Advocate General considered that when a DPA finds a personal data breach in the course of investigating a complaint, it has an obligation to take action in the interests of the principle of legality. Therefore, "it would be incompatible with that mandate for the supervisory authority to have the option of simply ignoring the infringement detected." (§40 of the Opinion). This generally means identifying the most appropriate corrective measures in order to address the infringement.

Articles 57(1)(f) and 77(2) GDPR impose certain obligations on the DPA, namely to "inform the complainant of the progress and the outcome of the investigation" (§42 of the Opinion). The Advocate General held that this implies that a DPA must also report on the measures taken in relation to the personal data breach it has identified. The DPA has the obligation to intervene in all cases, no matter the severity of the breach, meaning that it must have recourse to the list of corrective measures provided by Article 58(2) GDPR in order to bring the situation back into compliance with EU law.

Thirdly, the Advocate General noted that the question of whether a DPA should intervene in the event of a personal data breach must be distinguished from the question of how it should act (§43 of the Opinion). Indeed, under Article 58(2) GDPR, the DPA has the option to adopt all the corrective measures listed, meaning that the latter has a degree of latitude. The Advocate General considered that the discretionary power also implies the power not to take any of the corrective measures referred to in Article 58(2) GDPR.

In particular, this implies that minor breaches may also be remedied by measures taken by the controller itself. For example, in the present case the controller adopted disciplinary measures against the employee who committed the infringement. Therefore, when the liability for the infringement has been accepted and when it has been ensured that a further data breach will not occur, the imposition of further corrective measures by the DPA may appear unnecessary (§51 of the Opinion).

However, in certain cases, this degree of latitude is limited: the Advocate General agreed with the Austrian Government that in a multitude of cases, the adoption of a specific corrective measure is required. For example, in the case of a failure to comply with an erasure request, the DPA will be obliged to order erasure (§60 of the Opinion). Therefore, in some cases, the DPA's discretion could be confined to adopting the only measure appropriate to protect the data subject's rights (§61 of the Opinion).

Apart from this case, the Advocate General noted that if the DPA chooses to refrain from applying corrective measures while favoring recourse to ‘autonomous’ measures taken by the controller, legal requirements should be complied with: (i) there should be a requirement for the DPA to give its express consent to the autonomous measure which should (ii) be preceded by a rigorous examination of the situation in light of the conditions set out in Recital 129 and (iii) the DPA should have a right to intervene if the instructions are not complied with (§53 of the Opinion).

He also added that although the data subject has certain rights with regard to the DPA in the context of the procedure, in particular the right to be informed of the progress and outcome of the investigation within a reasonable period, those rights do not include the right to require the adoption of a specific measure (§54 of the Opinion).

Fourthly, regarding the obligation to impose administrative fines, the Advocate General noted that Article 83(2) GDPR establishes that a DPA may refrain from imposing an administrative fine if the circumstances justify such an approach. Therefore, this Article does not indicate that it is mandatory in all cases to impose an administrative fine (§67 of the Opinion).

Finally, regarding the obligation to issue administrative fines at the data subject’s express request, the Advocate General considered that, depending on each individual case, the DPA may consider various corrective measures, without the data subject being able to demand the adoption of a specific measure. However, the data subject may propose recourse to a corrective measure, providing arguments and evidence to support their point of view (§81 of the Opinion).

Therefore, the Advocate General concluded that when a DPA finds that processing has infringed the data subject’s rights, the DPA must take action under Article 58(2) GDPR to the extent necessary to ensure full compliance with the GDPR (§83 of the Opinion).

Holding

On 26 September 2024, the CJEU delivered its ruling.

The CJEU answered the preliminary question, stating that DPAs are not required to exercise a corrective power (in particular impose an administrative fine), where it is not appropriate, necessary or proportionate under Article 58(2) GDPR to remedy the shortcoming found and to ensure that the GDPR is fully enforced.

First, the CJEU referred to the duties of DPAs in handling complaints lodged before them, especially the duty of due diligence mentioned in the Schufa case. In particular, the overarching purpose of DPAs' proceedings is to react accordingly to remedy the violation found.

Article 58(2) GDPR lists potential forms of the DPA's action. However, DPAs enjoy the discretion to choose the appropriate and necessary remedy. Thus, the DPA must assess all the circumstances of the specific case. Nevertheless, neither Article 58(2) GDPR nor Article 83 GDPR imposes an obligation on the DPAs to use a corrective measure every time a breach of personal data is found. The CJEU emphasized that, as the AG mentioned in his opinion, an individual does not enjoy the right to seek imposition of a fine by the DPA.

Consequently, the CJEU explained that, in exceptional cases, having analysed all the circumstances of the case, the DPAs may refrain from exercising a corrective power even though a data breach has been established. This could be the case where the data breach has not continued and the controller had, in principle, implemented appropriate technical and organisational measures to ensure that the breach is stopped and does not recur.

According to the CJEU, such an interpretation is supported by the objective of Article 58(2) GDPR, which is ensuring compliance with the GDPR. Hence, where the GDPR was violated, but the controller has already restored compliance with the GDPR, the corrective powers may not be required.

In the case at hand, it is then the referring court's task to assess whether or not the HBDI reacted appropriately, in particular, within the limits of the discretion conferred upon it.

Comment

In this Opinion, the Advocate General highlights several times that his Opinion in the Schufa judgement was almost entirely endorsed by the CJEU, and that this Opinion resumes where the Schufa Opinion left off.
