Data protection authorities are not obliged to impose fines on companies in cases of security breaches.
Estrella Arana
Head of the Privacy and Data Protection Area at PONS IP


Introduction | Background

The Court of Justice of the European Union has established in a recent judgment (Case C-768/21 of 12 September) in which it resolved a preliminary ruling that a supervisory authority is not obliged to impose an administrative fine if such a measure is not appropriate, necessary or proportionate to remedy the effects of a security breach and thus ensure full compliance with the GDPR.

A savings bank notified the data protection authority of the Land of Hesse, Germany (hereinafter "HBDI"), of a personal data breach: one of its employees had, on several occasions, unlawfully accessed the personal data of one of its customers. The savings bank refrained from notifying the customer of the personal data breach, but the customer – upon incidentally becoming aware of what had occurred – lodged a complaint with the HBDI for breach of Article 34 of the GDPR. The HBDI considered that there had been no breach: although the data had been consulted by the employee, there was nothing to indicate that she had used them to the detriment of the customer or had communicated them to third parties, so the savings bank was under no obligation to notify the data subject of the breach and had acted in accordance with the law.

However, the data subject appealed against the HBDI’s decision before the competent court (Wiesbaden Administrative Court), stating that the data protection authority did not address his complaint in the light of all the factual circumstances and added that it should have imposed an administrative fine on the savings bank.

That being so, the referring court decides to raise a question for a preliminary ruling, in which it asks essentially whether, in the case of a proven breach of provisions relating to the protection of personal data (in this case, a breach of the security of personal data), the GDPR must be interpreted as meaning that the supervisory authority is required to exercise corrective powers under Article 58(2) of that regulation, such as an administrative fine, or as meaning that that authority has discretion authorising it, depending on the circumstances, to refrain from exercising such powers.

Analysis

First, the CJEU points out that the GDPR leaves the supervisory authority a margin of discretion as to the manner in which it must remedy the deficiency found (for example, a breach of security), since Article 58(2) of the GDPR confers on the supervisory authority the power to adopt various corrective measures. Thus, the Court of Justice recalls that it has already stated on previous occasions that the choice of the appropriate and necessary means is a matter for the supervisory authority, that such a choice must be made taking into account all the circumstances of the particular case and that all due care must be exercised in order to ensure full compliance with the GDPR.

Secondly, and as regards the administrative fines referred to in Article 58(2)(i) of the GDPR and Article 83(2) of the same Regulation, the CJEU establishes that they are imposed, depending on the particular characteristics of each case, in addition to or instead of, the other measures referred to in Article 58(2) of the GDPR. In addition, Article 83(2) specifies that, when deciding whether to impose an administrative fine and deciding on the amount thereof, the supervisory authority must have due regard, in each individual case, to certain elements such as the nature, gravity and duration of the infringement.

In that regard, it cannot be ruled out that, exceptionally and in the light of the particular circumstances of the specific case, the supervisory authority may refrain from exercising a corrective power even though a breach of personal data has been established. This may be the case where the breach established has not persisted or, for example, where the data controller, which, in principle, had implemented appropriate technical and organisational measures within the meaning of Article 24 of the GDPR, has, as soon as it became aware of that breach, taken appropriate and necessary measures to ensure that the breach is brought to an end and does not recur, in accordance with its obligations under Articles 5(2) ("accountability") and 24 ("responsibility of the controller") of the GDPR.

Accordingly, the CJEU establishes in this judgment that, exceptionally and having regard to the particular circumstances of the case, a fine may not be imposed on a data controller where the following conditions are met:

  • the infringement of the GDPR has already been made good,
  • the compliance of the processing of personal data with the GDPR by the controller is ensured, and
  • such non-exercise on the part of the supervisory authority is not liable to undermine the requirement of strong enforcement of the rules, i.e. ensuring a consistent and high level of protection of personal data.

Conclusions

In conclusion, the CJEU has made it clear that a supervisory authority is not obliged to impose an administrative fine, even if a breach of security has been established, provided that the breach has been remedied by other means, the circumstances of the specific case are taken into consideration, and finally where such intervention is not appropriate, necessary or proportionate to remedy the shortcoming found and ensure full compliance with the GDPR.
