A recent judgment of the Court of Justice of the European Union ("CJEU") shows why companies should focus on data protection compliance and follow the appropriate procedure in the event of a data breach. At the request of a German court, the CJEU examined whether corrective measures, in particular the imposition of administrative fines, are mandatory in all cases.

1. Facts - Personal data breach

A German savings bank ("Bank") reported a data breach to the HBDI following several instances of unauthorised access to a customer's personal data by one of its employees.

Considering that disciplinary action had been taken against the employee and that the employee had confirmed in writing that she had not copied, stored or transmitted the personal data, the Bank assessed that there was no high risk to the customer's rights and therefore did not inform the customer of the data breach.

2. The procedure of HBDI

The customer lodged a complaint with the HBDI alleging, inter alia, that he had not been informed of the data breach.

In the HBDI's view, the Bank had not breached the GDPR, as there was no manifest error in the Bank's assessment that the data breach did not pose a high risk to the customer's rights, given that there was no indication that the employee had transferred or used the personal data in a detrimental way.

3. Claim of the customer and reference for a preliminary ruling

The customer brought an action before the competent court against the decision of the HBDI.

In the action, the customer claimed that the HBDI should have imposed a fine on the Bank for having infringed, in various ways, inter alia, the following provisions of the GDPR:

The customer argued that in such cases the HBDI has no discretion as to whether to act, but at most has discretion as to the measures it intends to take.

In essence, the German court asked the CJEU whether, in the event of a breach of the provisions on the protection of personal data, the GDPR should be interpreted as meaning that the supervisory authority is obliged to take remedial action, such as imposing an administrative fine, or whether that is a matter for the discretion of the authority.

4. Decision of the CJEU

The CJEU stated that the GDPR confers significant investigative powers on individual supervisory authorities in relation to the handling of complaints.

The GDPR therefore leaves a margin of discretion to the supervisory authority as to the choice of the appropriate and necessary means to be used in relation to a data protection incident, and it is therefore for the supervisory authority to make that choice, taking into account all the circumstances of the case.

However, this discretion is limited by the need to ensure a consistent and high level of protection of personal data through a strict application of the rules.

The CJEU held that it cannot be inferred from the provisions of the GDPR that the supervisory authority is under an obligation to adopt corrective measures, in particular administrative fines, in all cases where it identifies a data breach.

In the present case, as soon as the controller (the Bank) became aware of the breach, it took the measures necessary to ensure that the breach was brought to an end and would not recur; the CJEU therefore saw no need for further corrective action or the imposition of an administrative fine.

In the light of the above, a proper data breach handling procedure can, in certain cases, avoid the imposition of administrative fines by the supervisory authority, so it is important that a company is able to handle a data breach properly if one does occur.

In this article, we analysed Decision C‑768/21 of the CJEU.