EU: CJEU publishes opinion on obligation of supervisory authorities to act on discovery of a data breach
On April 11, 2024, the Court of Justice of the European Union (CJEU) published the Advocate General's Opinion in case C-768/21 regarding the obligation of a supervisory authority to act when it finds a personal data breach in the course of investigating a complaint.
Background
The Advocate General clarified that the Data Protection Commissioner identified a data breach under the General Data Protection Regulation (GDPR); however, it did not take further action against the savings bank, as the bank had already implemented disciplinary measures against the employee concerned.
The Advocate General further outlined that a customer of the bank challenged the said decision before a German court, and the German court asked the CJEU to clarify the powers and obligations of a supervisory authority.
Opinion of the Advocate General
The Advocate General considered that the supervisory authority must act when it discovers a personal data breach in the course of investigating a complaint. However, it was highlighted that the actions of the supervisory authorities must be appropriate, necessary, and proportionate to the situation. In this sense, the Advocate General pointed out that the GDPR leaves the supervisory authorities with little discretion if the measures are necessary to ensure protection, but allows them to waive the measures if justified by the specific circumstances of the case, such as cases where the data controller has already taken certain measures.
Lastly, the Advocate General excluded any right of the data subject to the imposition of any particular measure, including a fine on the controller.
You can read the press release here and the full opinion here.