Personal data protection: The supervisory authority is not obliged to exercise a corrective power in all cases of breach and, in particular, to impose a fine

In its Judgment in Case C-768/21 (Land Hessen/ 26.9.2024) the Court of Justice ruled that, the data protection supervisory authority is not obliged to exercise a corrective power in all cases of breach and, in particular, to impose a fine. It may refrain from doing so where the controller has already taken the necessary measures on its own initiative. 

In Germany, a savings bank found that one of its employees had consulted a customer's personal data on several occasions without being authorised to do so. The savings bank did not inform the customer of this, as its data protection officer had taken the view that there was no high risk for him. The employee had confirmed in writing that she had neither copied nor retained the data, that she had not transferred them to third parties and that she would not do so in the future. 

In addition, the savings bank had taken disciplinary measures against her. The savings bank nevertheless notified the Land Hessen’s Commissioner for Data Protection of this breach. After incidentally becoming aware of this breach, the customer lodged a complaint with that Commissioner for Data Protection. 

After hearing the savings bank, the Commissioner for Data Protection informed the customer that it did not consider it necessary to exercise any corrective powers in respect of the savings bank. The customer then brought an action before a German court, asking it to order the Commissioner for Data Protection to take action against the savings bank and, in particular, to impose on it a fine. 

The German court has asked the Court of Justice to interpret the General Data Protection Regulation (GDPR) in this respect. The Court answers that when a breach of personal data has been established, the supervisory authority (Land Hessen's Commissioner for Data Protection), is not obliged to exercise a corrective power [1] , in particular the power to impose an administrative fine, where this is not necessary to remedy the shortcoming found and to ensure that the GDPR is fully enforced. 

This could be the case, inter alia, where, as soon as the controller became aware of the breach, it took the necessary measures to ensure that that breach was brought to an end and did not recur. The GDPR leaves the supervisory authority a discretion as to the manner in which it must remedy the shortcoming found. 

That discretion is limited by the need to ensure a consistent and high level of protection of personal data through strong enforcement of the GDPR. It is for the German court to ascertain whether the Commissioner for Data Protection complied with those limits. (curia.europa.eu/photo freepik.com)

Full text of judgement is available here

____________

[1] The supervisory authority may, inter alia, issue reprimands to the controller, order it to comply with the data subject’s requests and bring processing operations into compliance with the RGPD or, in addition to, or instead of those measures, impose on it an administrative fine.

Comments

Post a Comment

Editorial

Editorial
George Kazoleas, Lawyer

Top Stories

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Image
The European Ombudsman inquiry into the Commission’s handling of a request for text messages between its President and the CEO of a pharmaceutical company is a wake-up call for all EU institutions about ensuring accountability in an era of instant messaging. One year after the initial request by a journalist, the Commission has still not clarified whether messages reported to concern major vaccine procurement deals exist and whether the public is entitled to see them. The Ombudsman had asked the Commission, in a finding of maladministration in January, to conduct a more thorough search for the text messages. The Commission’s recent response failed to say whether it had looked directly and correctly for the text messages and if not, why not. While the response recognised that work-related text messages can be EU documents, it reiterated that the Commission’s internal policy is, in effect, not to register text messages. The Ombudsman has closed  the inquiry  and upheld her find
Read more

A national court is not required to apply a decision of its constitutional court that infringes EU law (ECJ)

Image
In its Judgment of 26.9.2024 in Case C-792/22 (Energotehnica) the Court of Justice ruled as regards the right to an effective remedy that a national court is not required to apply a decision of its constitutional court that infringes EU law. In such a case, the national court may not be penalised.  Following the death of an electrician by electrocution during a maintenance operation, an administrative procedure was initiated against his employer. At the same time, criminal proceedings for negligence and manslaughter were initiated against the supervisor. The victim’s next of kin also became civil parties to the criminal proceedings.  The administrative court hearing the dispute concluded that the present case did not involve an ‘accident at work’. It annulled the administrative penalties imposed on the employer. According to national legislation, as interpreted by the Romanian Constitutional Court, that administrative decision prevents the criminal court from reconsidering whether the
Read more

The name Pablo Escobar may not be registered as an EU trade mark

Image
According to the Judgment of the General Court in Case T-255/23 (Escobar v EUIPO) the name Pablo Escobar may not be registered as an EU trade mark. The public would associate that name with drug trafficking and narco-terrorism.  On 30 September 2021, Escobar Inc., established in Puerto Rico (United States), filed an application with the European Union Intellectual Property Office (EUIPO) for registration of the word sign Pablo Escobar as an EU trade mark for a wide range of goods and services.  The Colombian national named Pablo Escobar, who was born on 1 December 1949 and died on 2 December 1993, is presumed to be a drug lord and a narco-terrorist who founded and was the sole leader of the Medellín cartel (Colombia).  EUIPO rejected the application for registration on the ground that the mark was contrary to public policy and to accepted principles of morality. It relied on the perception of the Spanish public, as it is the most familiar with Pablo Escobar due to the links between Spa
Read more

ECHR President: Covid-19 pandemic has raised a number of important human rights issues

Image
Increased polarisation and challenges to Europe’s fundamental principles, together with the global COVID-19 pandemic, are likely to create the most difficult period we have seen in many years, according to the President of the European Court of Human Rights (ECHR). Speaking at the court’s annual press conference in Strasbourg, ECHR President Robert Spano said that democracy, the independence of the judiciary and the rule of law are increasingly being called into question at both the European and global levels. He added that the on-going pandemic has already raised a number of important human rights issues, including the proportionality of measures taken by Council of Europe member states, the legal basis of those measures and the use of domestic procedures to sanction actions or inaction. President Spano underlined that the ECHR has been able to continue its work despite the pandemic, deciding on over 39,190 applications in 2020 and holding online public hearings for the first time.
Read more

Legal Officer's position in the International Labour Organization

Image
ILO - International Labour Organization, based in Geneva, Switzerland seeks to recruit a Legal Officer. The Off ice of the Legal Adviser/Office of Legal Services (JUR) provides a wide range of legal services to the International Labour Organization and its various organs (in particular the Office, the International Labour Conference and the Governing Body of the ILO).   The work is carried out by a small, dedicated team at ILO headquarters. The unit reports directly to the Director-General.  It is responsible for furthering and defending the legal interests of the Organization. The Development Cooperation position of Legal Officer will report to the Legal Adviser.  This position will provide the Office of the Legal Adviser with the necessary capacity to provide legal support for the increasing development cooperation demand from headquarters and field units of the ILO. The position will better enable JUR to respond in a sound and timely manner to the demands placed upon it. Educati
Read more

Imposition of fines and order to comply following a leak of expats’ personal data file by Greek Data Protection Authority

Image
The Greek Supervisory Authority for Data Protection imposed on the Greek Ministry of the Interior,  an administrative fine totalling EUR 400,000 and on a Member of European Parliament an administrative fine totalling EUR 40,000 for infringements of GDPR. The Hellenic Data Protection Authority received a large number of complaints regarding unsolicited political communication via e-mail sent on 1/3/2024 and entitled "100 days before the European elections", by Member of European Parliament Anna-Michelle Asimakopoulou. Following this, the Authority investigated the case ex officio, exercising immediately its powers of investigation and auditing the bodies involved. Following a series of on-the-spot audits and the receipt of evidence and data in the context of the audit, it was found that a file containing personal data of all registered Greek expatriate voters for the June 2023 elections, for which the Hellenic Ministry of the Interior is the controller, and for which the leg
Read more

Gigantic fine for unfair practices imposed on Booking.com by the Competition Authority of Hungary

Image
One of the highest fines for violation of unfair competition law has been imposed (28/4/2020) on online hotel booking platform ‘’Booking.com’’ by the Hungarian Competition Authority. The amount of the fine (approximately EUR 6 million / HUF 2.5 billion) imposed by the Authority illustrates the seriousness of the Dutch company's violations. The Hungarian Competition Authority (GVH) imposed a fine of HUF 2.5 billion on the operator of the online booking portal booking.com, and at the same time banned the Dutch company from continuing its aggressive sales methods. According to the decision of the competition authority, Booking.com B.V. engaged in unfair commercial practices against consumers by, among other things, misleadingly advertising some of its accommodations with a free cancellation option and exerting undue psychological pressure on consumers to make early bookings. As a result of the Competition Authority’s competition supervision proceeding  initiated in 2018, the autho
Read more