CJEU - C-768/21 - TR v Land Hessen: Difference between revisions

From GDPRhub

Revision as of 11:18, 23 April 2024

CJEU - C-768/21 TR v Land Hessen

Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 57(1) GDPR, Article 57(1)(f) GDPR, Article 58(2) GDPR, Article 77(2) GDPR
Decided: 11.04.2024
Parties:
Case Number/Name: C-768/21 TR v Land Hessen
European Case Law Identifier: ECLI:EU:C:2024:291
Reference from:
Language: 24 EU Languages
Original Source: AG Opinion; Judgement
Initial Contributor: nzm

The Advocate General considered that when a DPA finds that a processing infringed a data subject’s rights, it must take action to the extent necessary to ensure compliance with the GDPR.

English Summary

Facts

On 15 November 2019, the controller notified the Hessian DPA (“HBDI”) of a personal data breach pursuant to Article 33 GDPR as one of its employees had, on several occasions, unlawfully accessed personal data of one of the controller’s customers (“data subject”). The controller considered that this personal data breach was not likely to result in a high risk for the data subject as (i) it had taken disciplinary measures against the employee concerned, (ii) the latter had also confirmed in writing that she had read the data but had not copied or retained it, nor transferred it to third parties and (iii) she also promised not to do so in the future. In addition, (iv) the controller indicated that it would review the length of time for which access logs were kept. Therefore, the controller did not notify the data subject under Article 34 GDPR.

On 3 September 2023, the HBDI informed the data subject that no corrective measures were to be adopted against the controller. The data subject lodged an action against this decision with the Verwaltungsgericht Wiesbaden (“Administrative Court of Wiesbaden”) asking it to order the HBDI to take action against the controller. The data subject indicated that the DPA had failed to handle his complaint in accordance with the requirements of the GDPR and, in particular, to adopt a measure under Article 58 GDPR.

The Administrative Court of Wiesbaden referred a question to the CJEU:

• When a DPA finds that a data processing has infringed the data subject’s rights, must the DPA always take action in accordance with Article 58(2) GDPR?

Advocate General Priit Pikamäe delivered his opinion on the matter on 11 April 2024.

Advocate General Opinion

Firstly, regarding the obligations of the supervisory authority when handling a complaint, the Advocate General referred to the SCHUFA judgement and indicated that under this case law, in accordance with Article 8(3) of the Charter and Articles 51(1) and 57(1)(a) GDPR, national DPAs are responsible for monitoring compliance with the GDPR (§35 of the Opinion).

Under Article 57(1)(f) GDPR, each DPA is required to handle complaints lodged on its territory and to examine the nature of the complaint to the extent necessary. The Advocate General added that the DPA must deal with such a complaint "with all due diligence" (§37 of the Opinion).

Secondly, regarding the obligations of the supervisory authority when a personal data breach is identified, the Advocate General considered that when a DPA finds a personal data breach in the course of investigating a complaint, it has an obligation to take action in the interests of the principle of legality. Therefore, "it would be incompatible with that mandate for the supervisory authority to have the option of simply ignoring the infringement detected." (§40 of the Opinion). This generally means identifying the most appropriate corrective measures in order to address the infringement.

Articles 57(1)(f) and 77(2) GDPR impose certain obligations on the DPA, namely to "inform the complainant of the progress and the outcome of the investigation" (§42 of the Opinion). The Advocate General held that this implies that a DPA must also report on the measures taken in relation to the personal data breach it has identified. The DPA is obliged to intervene in all cases, whatever the severity of the breach, meaning that it must have recourse to the list of corrective measures provided by Article 58(2) GDPR in order to bring the situation back into compliance with EU law.

Thirdly, the Advocate General noted that the question of whether a DPA should intervene in the event of a personal data breach must be distinguished from the question of how it should act (§43 of the Opinion). Indeed, under Article 58(2) GDPR, the DPA may adopt any of the corrective measures listed, meaning that it has a degree of latitude. The Advocate General considered that this discretionary power also implies the power not to take any of the corrective measures referred to in Article 58(2) GDPR.

However, in certain cases this discretion is limited: the Advocate General agreed with the Austrian Government that in a multitude of cases the adoption of a specific corrective measure is required. For example, where a controller has failed to comply with an erasure request, the DPA is obliged to order erasure (§60 of the Opinion).

This discretion also implies that minor breaches may be remedied by measures taken by the controller itself. For example, in the present case the controller adopted disciplinary measures against the employee who committed the infringement. Therefore, when liability for the infringement has been accepted and it has been ensured that a further data breach will not occur, the imposition of further corrective measures by the DPA may appear unnecessary.

However, the Advocate General noted that if the DPA chooses to refrain from applying corrective measures and instead favours recourse to ‘autonomous’ measures taken by the controller, certain legal requirements must be complied with: (i) the DPA must give its express consent to the autonomous measure, which must (ii) be preceded by a rigorous examination of the situation in light of the conditions set out in Recital 129, and (iii) the DPA must retain a right to intervene if its instructions are not complied with.

He also added that although the data subject has certain rights with regard to the DPA in the context of the procedure, in particular the right to be informed of the progress and outcome of the investigation within a reasonable period, those rights do not include the right to require the adoption of a specific measure.

Fourthly, regarding the obligation to impose administrative fines, the Advocate General noted that Article 83(2) GDPR establishes that a DPA may refrain from imposing an administrative fine if the circumstances justify such an approach. Therefore, this Article does not indicate that it is mandatory in all cases to impose an administrative fine.

Finally, regarding the obligation to issue administrative fines at the data subject’s express request, the Advocate General considered that, depending on the individual case, the DPA may consider various corrective measures, without the data subject being able to demand the adoption of a specific measure. However, the data subject may propose recourse to a corrective measure, providing arguments and evidence to support their point of view.

Therefore, the Advocate General concluded that when a DPA finds that a processing has infringed the data subject’s rights, the DPA must take action under Article 58(2) GDPR to the extent necessary to ensure full compliance with the GDPR.

Holding

The decision has not been adopted yet.

Comment

In this Opinion, the Advocate General highlights several times that his Opinion in the Schufa judgement was almost entirely endorsed by the CJEU, and that this Opinion resumes where the Schufa Opinion left off.

Further Resources

Share blogs or news articles here!