The Court of Justice of the European Union has ruled in Case C-768/21 (Land Hessen).
A German savings bank found that one of its employees had accessed a customer’s personal data on several occasions without authorisation. The savings bank did not inform the customer of this, as its data protection officer believed there was no particular risk for the customer. The employee had confirmed in writing that she had neither copied nor retained the data, that she had not transferred the data to third parties and that she would not do so in the future. In addition, the savings bank had taken disciplinary measures against her. However, it still reported the breach to its local Commissioner for Data Protection.
The customer became aware of the breach by chance and lodged a complaint with the Commissioner for Data Protection. The Commissioner informed the customer that it did not consider it necessary to exercise any corrective powers against the savings bank. The customer then brought an action before a German court, asking it to order the Commissioner for Data Protection to act against the savings bank and to impose a fine on it.
The German court then sought guidance from the CJEU on how to interpret the GDPR in this context.
The Court of Justice ruled that supervisory authorities are not always required to impose fines or take corrective actions when a data breach happens. If the data controller (in this case, the bank) promptly addresses the breach and ensures it will not happen again, the supervisory authority has the discretion to decide the appropriate course of action.
However, that discretion must align with the need to ensure a consistent and high level of protection of personal data through strong enforcement of the GDPR.
It is now for the German courts to assess if the Commissioner for Data Protection complied with those limits.