CJEU - C-768/21 - TR v Land Hessen

From GDPRhub
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 57(1) GDPR
Article 57(1)(f) GDPR
Article 58(2) GDPR
Article 77(2) GDPR
Decided: 11.04.2024
Parties:
Case Number/Name: C-768/21 TR v Land Hessen
European Case Law Identifier: ECLI:EU:C:2024:291
Reference from:
Language: 24 EU Languages
Original Source: AG Opinion; Judgement
Initial Contributor: nzm

The Advocate General considered that when a DPA finds that a processing operation has infringed a data subject's rights, it must take action under Article 58(2) GDPR to the extent necessary to ensure compliance with the GDPR.

English Summary

Facts

On 15 November 2019, the controller notified the Hessian DPA ("HBDI") of a personal data breach pursuant to Article 33 GDPR: one of its employees had, on several occasions, unlawfully accessed the personal data of one of the controller's customers (the "data subject"). The controller considered that the breach was not likely to result in a high risk for the data subject because (i) it had taken disciplinary measures against the employee concerned, (ii) the employee had confirmed in writing that she had read the data but had not copied, retained or transferred it to third parties, and (iii) she had promised not to do so in the future. In addition, (iv) the controller indicated that it would review the retention period for its access logs. The controller therefore did not notify the data subject under Article 34 GDPR.

On 3 September 2020, the HBDI informed the data subject that no corrective measures would be adopted against the controller. The data subject brought an action against this decision before the Verwaltungsgericht Wiesbaden ("Administrative Court of Wiesbaden"), asking it to order the HBDI to take action against the controller. The data subject argued that the DPA had failed to handle his complaint in accordance with the requirements of the GDPR and, in particular, had failed to adopt a measure under Article 58 GDPR.

The Administrative Court of Wiesbaden referred a question to the CJEU:

  • When a DPA finds that a processing operation has infringed the data subject's rights, must the DPA always take action in accordance with Article 58(2) GDPR?


Advocate General Priit Pikamäe delivered his opinion on the matter on 11 April 2024.

Advocate General Opinion

Firstly, regarding the obligations of the supervisory authority when handling a complaint, the Advocate General referred to the SCHUFA judgement and noted that, under that case law, in accordance with Article 8(3) of the Charter and Articles 51(1) and 57(1)(a) GDPR, national DPAs are responsible for monitoring compliance with the GDPR (§35 of the Opinion).

Under Article 57(1)(f) GDPR, each DPA is required to handle complaints lodged on its territory and to examine the subject matter of the complaint to the extent appropriate. The Advocate General added that the DPA must deal with such a complaint "with all due diligence" (§37 of the Opinion).

Secondly, regarding the obligations of the supervisory authority once an infringement is identified, the Advocate General considered that when a DPA finds a personal data breach in the course of investigating a complaint, it has an obligation to take action in the interests of the principle of legality. Therefore, "it would be incompatible with that mandate for the supervisory authority to have the option of simply ignoring the infringement detected" (§40 of the Opinion). In general, this means identifying the most appropriate corrective measures to address the infringement.

Articles 57(1)(f) and 77(2) GDPR impose certain obligations on the DPA, namely to "inform the complainant of the progress and the outcome of the investigation" (§42 of the Opinion). The Advocate General held that this implies that a DPA must also report on the measures taken in relation to the personal data breach it has identified. The DPA is obliged to intervene in all cases, regardless of the severity of the breach, meaning that it must have recourse to the list of corrective measures in Article 58(2) GDPR in order to bring the situation back into compliance with EU law.

Thirdly, the Advocate General noted that the question of whether a DPA must intervene in the event of a personal data breach must be distinguished from the question of how it should act (§43 of the Opinion). Under Article 58(2) GDPR, the DPA may choose among all the corrective measures listed, meaning that it has a degree of latitude. The Advocate General considered that this discretionary power also includes the power not to take any of the corrective measures referred to in Article 58(2) GDPR.

In particular, this implies that minor breaches may also be remedied by measures taken by the controller itself. For example, in the present case the controller adopted disciplinary measures against the employee who committed the infringement. Therefore, where liability for the infringement has been accepted and it has been ensured that a further data breach will not occur, the imposition of additional corrective measures by the DPA may appear unnecessary (§51 of the Opinion).

However, in certain cases this latitude is limited: the Advocate General agreed with the Austrian Government that in a multitude of cases the adoption of a specific corrective measure is required. For example, where a controller has failed to comply with an erasure request, the DPA is obliged to order erasure (§60 of the Opinion). In some cases, therefore, the DPA's discretion may be confined to adopting the only measure appropriate to protect the data subject's rights (§61 of the Opinion).

Apart from such cases, the Advocate General noted that if the DPA chooses to refrain from applying corrective measures and instead favours recourse to "autonomous" measures taken by the controller, certain legal requirements must be complied with: (i) the DPA must give its express consent to the autonomous measure, (ii) that consent must be preceded by a rigorous examination of the situation in light of the conditions set out in Recital 129, and (iii) the DPA must retain a right to intervene if its instructions are not complied with (§53 of the Opinion).

The Advocate General added that although the data subject has certain rights vis-à-vis the DPA in the context of the procedure, in particular the right to be informed of the progress and outcome of the investigation within a reasonable period, those rights do not include the right to require the adoption of a specific measure (§54 of the Opinion).

Fourthly, regarding the obligation to impose administrative fines, the Advocate General noted that Article 83(2) GDPR allows a DPA to refrain from imposing an administrative fine where the circumstances justify such an approach. That Article therefore does not make the imposition of an administrative fine mandatory in all cases (§67 of the Opinion).

Finally, regarding whether the DPA must impose an administrative fine at the data subject's express request, the Advocate General considered that, depending on the individual case, the DPA may consider various corrective measures, without the data subject being able to demand the adoption of a specific one. The data subject may, however, propose recourse to a particular corrective measure, providing arguments and evidence in support of that position (§81 of the Opinion).

The Advocate General therefore concluded that when a DPA finds that a processing operation has infringed the data subject's rights, the DPA must take action under Article 58(2) GDPR to the extent necessary to ensure full compliance with the GDPR (§83 of the Opinion).

Holding

The decision has not been adopted yet.

Comment

In this Opinion, the Advocate General highlights several times that his Opinion in the SCHUFA case was almost entirely endorsed by the CJEU, and that the present Opinion picks up where the SCHUFA Opinion left off.
