New Advocate General opinion in case C-768/21: Data subjects' rights and supervisory obligations in data breach cases
22 Jul 2024
On 11 April 2024, the Advocate General Priit Pikamäe (Advocate General) rendered an opinion in case C-768/21 Land Hessen, shedding light on the obligations of data protection authorities when addressing breaches of personal data (the Opinion).
Background
The case originated when a customer of a savings bank in Germany discovered unauthorised access to his personal data by a bank employee. Although the bank had taken disciplinary action against the employee, the Data Protection Commissioner (DPC) found a breach of the General Data Protection Regulation (GDPR). However, no further action was taken by the DPC, prompting the customer to challenge this decision before a German court.
The Advocate General’s Opinion
The Opinion considers the powers and obligations of the DPC as a supervisory authority under the GDPR. Key points outlined in the Opinion include:
- When a breach is found during an investigation, the supervisory authority must take action.
- This action involves defining appropriate corrective measures to address the breach and uphold the rights of the data subject.
- Corrective measures must be appropriate, necessary, and proportionate, ensuring effective resolution without undue burden on the controller.
- Supervisory authorities may deviate from prescribed measures if justified by the specific circumstances of the case, such as if the controller has already taken adequate remedial steps.
- Data subjects do not have the right to dictate specific measures; the supervisory authority determines the most suitable course of action.
- These principles extend to the imposition of administrative fines, ensuring penalties align with the severity of the breach and the controller's response.
The CJEU’s press release can be found here.
The full text of the Opinion can be found here.