CJEU - C-768/21 - TR v Land Hessen: Difference between revisions

From GDPRhub

Revision as of 11:27, 22 April 2024

CJEU - C-768/21 TR v Land Hessen
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 57(1) GDPR, Article 57(1)(f) GDPR, Article 58(2) GDPR, Article 77(2) GDPR
Decided: 11.04.2024
Parties:
Case Number/Name: C-768/21 TR v Land Hessen
European Case Law Identifier: ECLI:EU:C:2024:291
Reference from:
Language: 24 EU Languages
Original Source: AG Opinion, Judgement
Initial Contributor: nzm

The Advocate general published an opinion in which he considered that when a DPA finds that processing has infringed a data subject’s rights, it must take action to the extent necessary to ensure compliance with the GDPR.

English Summary

Facts

On 15 November 2019, the controller notified the Hessian DPA (“HBDI”) of a personal data breach pursuant to Article 33 GDPR as one of its employees had, on several occasions, unlawfully accessed personal data of one of the controller’s customers (“data subject”). The controller considered that this personal data breach was not likely to result in a high risk for the data subject and therefore did not notify the latter under Article 34 GDPR.

On 3 September 2023, the HBDI informed the data subject that the controller had not infringed Article 34 GDPR. The data subject lodged an action against this decision with the Verwaltungsgericht Wiesbaden (“Administrative Court of Wiesbaden”) asking it to order the HBDI to take action against the controller. The data subject indicated that the DPA had failed to handle his complaint in accordance with the requirements of the GDPR.

The Administrative Court of Wiesbaden referred a question to the CJEU:

  • When a DPA finds that data processing has infringed the data subject’s rights, must the DPA always take action in accordance with Article 58(2) GDPR?


Advocate general Priit Pikamäe delivered his opinion on the matter on 11 April 2024.

Advocate General Opinion

Firstly, regarding the obligations of the supervisory authority when handling a complaint, the Advocate general referenced the SCHUFA judgement and indicated that under this case law, in accordance with Article 8(3) of the Charter and Articles 51(1) and 57(1)(a) GDPR, national DPAs are responsible for monitoring compliance with the GDPR.

Under Article 57(1)(f) GDPR, each DPA is required to handle complaints on its territory and examine the nature of that complaint as necessary. The Advocate general added that the DPA must deal with such a complaint with all due diligence.

Secondly, regarding the obligations of the supervisory authority when a personal data breach is identified, the Advocate general considered that when a DPA finds a personal data breach in the course of investigating a complaint, it has an obligation to take action in the interests of the principle of legality. This generally means identifying the most appropriate corrective measures in order to address the infringement.

Articles 57(1)(f) and 77(2) GDPR impose certain obligations on the DPA, namely to ‘inform the complainant of the progress and the outcome of the investigation’. The Advocate general held that this implies that a DPA must also report on the measures taken in relation to the personal data breach it has identified. The DPA has the obligation to intervene in all cases, no matter the severity of the breach, meaning that it must have recourse to the list of corrective measures provided by Article 58(2) GDPR in order to bring the situation back to compliance with EU law.

Thirdly, the Advocate general noted that the question of whether a DPA should intervene in the event of a personal data breach must be distinguished from the question of how it should act. Indeed, under Article 58(2) GDPR, the DPA has the option to adopt all the corrective measures listed, meaning that the latter has a degree of latitude. The Advocate general considered that the discretionary power also implies the power not to take any of the corrective measures referred to in Article 58(2) GDPR.

He also indicated that the discretion provided by Article 58(2) GDPR implies that minor breaches may also be remedied by measures taken by the controller itself. For example, in the present case the controller adopted discretionary measures against the employee who committed the infringement. Therefore, when the liability for the infringement has been accepted and when it has been ensured that a further data breach will not occur, the imposition of further corrective measures by the DPA may appear unnecessary.

However, the Advocate general noted that if the DPA chooses to refrain from applying corrective measures while favoring recourse to ‘autonomous’ measures taken by the controller, legal requirements should be complied with: (i) there should be a requirement for the DPA to give its express consent to the autonomous measure which should (ii) be preceded by a rigorous examination of the situation in light of the conditions set out in Recital 129 and (iii) the DPA should have a right to intervene if the instructions are not complied with.

He also added that although the data subject has certain rights with regard to the DPA in the context of the procedure, in particular the right to be informed of the progress and outcome of the investigation within a reasonable period, those rights do not include the right to require the adoption of a specific measure.

Fourthly, regarding the obligation to impose administrative fines, the Advocate general noted that Article 83(2) GDPR establishes that a DPA may refrain from imposing an administrative fine if the circumstances justify such an approach. Therefore, this Article does not indicate that it is mandatory in all cases to impose an administrative fine.

Finally, regarding the obligation to issue administrative fines at the data subject’s express request, the Advocate general considered that depending on each individual case, the DPA may consider various corrective measures, without the data subject being able to demand the adoption of a specific measure. However, the data subject may propose recourse to a corrective measure, providing arguments and evidence to support their point of view.

Therefore, the Advocate general concluded that when a DPA finds that processing has infringed the data subject’s rights, the DPA must take action under Article 58(2) GDPR to the extent necessary to ensure full compliance with the GDPR.

Holding

The decision has not been adopted yet.
