EU: CJEU publishes opinion on obligation of supervisory authorities to act on discovery of a data breach

On April 11, 2024, the Court of Justice of the European Union (CJEU) published the Advocate General's Opinion in case C-768/21 regarding the obligation of a supervisory authority to act when it finds a personal data breach in the course of investigating a complaint.

Background

The Advocate General clarified that the Data Protection Commissioner identified a data breach under the General Data Protection Regulation (GDPR); however, it did not take further action against the savings bank, as the bank had already implemented disciplinary measures against the employee concerned.

The Advocate General further outlined that a customer of the bank challenged the said decision before a German court, and the German court asked the CJEU to clarify the powers and obligations of a supervisory authority.

Opinion of the Advocate General

The Advocate General considered that the supervisory authority must act when it discovers a personal data breach in the course of investigating a complaint. However, it was highlighted that the actions of the supervisory authorities must be appropriate, necessary, and proportionate to the situation. In this sense, the Advocate General pointed out that the GDPR leaves the supervisory authorities with little discretion if the measures are necessary to ensure protection, but allows them to waive the measures if justified by specific circumstances of the case, such as cases where the data controller has already taken certain measures.

Lastly, the Advocate General excluded any right of the data subject to the imposition of any particular measure, including a fine on the controller.

You can read the press release here and the full opinion here.