The case originated when a customer of a savings bank in Germany discovered unauthorised access to his personal data by a bank employee. Although the bank had taken disciplinary action against the employee, the Data Protection Commissioner (DPC) found a breach of the General Data Protection Regulation (GDPR). However, no further action was taken by the DPC, prompting the customer to challenge this decision before a German court.

The Opinion considers the powers and obligations of the DPC as a supervisory authority under the GDPR. Key points outlined in the Opinion include:

• When a breach is found during an investigation, the supervisory authority must take action.
• This action involves defining appropriate corrective measures to address the breach and uphold the rights of the data subject.
• Corrective measures must be appropriate, necessary, and proportionate, ensuring effective resolution without undue burden on the controller.
• Supervisory authorities may deviate from prescribed measures if justified by the specific circumstances of the case, such as if the controller has already taken adequate remedial steps.
• Data subjects do not have the right to dictate specific measures; the supervisory authority determines the most suitable course of action.
• These principles extend to the imposition of administrative fines, ensuring penalties align with the severity of the breach and the controller's response.

The CJEU’s press release can be found here.

The full text of the Opinion can be found here.