Advocate General: Infringement of data protection rights of natural persons

In a request for a preliminary ruling from the Administrative Court Wiesbaden (Germany), the Advocate General (AG) is of the opinion that the supervisory authority has an obligation to act when it finds a breach while investigating a complaint. However, the decision as to what corrective action to take depends on the specific circumstances of each individual case.

Background

A customer of a savings bank asked the Data Protection and Freedom of Information Commissioner for the Land Hessen (Germany) to take action against the savings bank because of a breach of his personal data. One of the employees of the savings bank had consulted his data on several occasions, without being authorized to do so.

The Data Protection Commissioner identified a breach of data protection under the General Data Protection Regulation (GDPR). However, the Commissioner concluded that there were no grounds for action against the savings bank, which had already taken disciplinary measures against the employee concerned.

The customer challenged that refusal before a German court, asking it to order the Data Protection Commissioner to take action against the savings bank.

Opinion

Advocate General Pikamäe considers that the supervisory authority has an obligation to act when it finds a personal data breach while investigating a complaint. In particular, it would be required to define the most appropriate corrective measure(s) to remedy the infringement and ensure that the data subject’s rights are respected.

In that regard, while leaving some discretion to the supervisory authority, the GDPR would require that such measures be appropriate, necessary and proportionate. The result would be, on the one hand, that discretion in the choice of means is limited where the protection required can only be ensured by taking specific measures, and, on the other hand, that the supervisory authority could, under certain conditions, dispense with the measures listed in the GDPR when this is justified by the specific circumstances of the individual case. This could be the case where the controller has taken certain measures on its own initiative. In any event, the data subject would not have the right to require the adoption of a particular measure. Those principles would also apply to the method of imposing administrative fines.

Reference:

ECJ case reference C-768/21 Land Hessen - Opinion of 11 April 2024.

ECJ, press release No 63/24 of 11 April 2024.
