CJEU Advocate General’s opinion: data protection authorities’ obligation to act on investigation breaches

Advocate General Pikamäe emphasizes that supervisory authorities must respond to personal data breaches during investigations.


Advocate General (AG) Pikamäe of the Court of Justice of the EU (CJEU) gave his opinion, stating that when such breaches are discovered during an investigation, the supervisory authority has an obligation to act. However, AG Pikamäe emphasizes that the measures adopted should be tailored to the specific circumstances of each case.

The case in question concerned a customer of a savings bank in Land Hessen, Germany, who reported unauthorized access to their personal data by a bank employee. While the Data Protection Commissioner recognized the breach under the General Data Protection Regulation (GDPR), they deemed the bank’s disciplinary actions against the employee sufficient, hence no further action was taken. The customer appealed to a German court, pressing for fines to be imposed on the bank. The German court then referred the matter to the Court for further clarification.

Advocate General Pikamäe stated that supervisory authorities must act upon discovering a personal data breach during complaint investigations, defining corrective measures to uphold data subject rights. While acknowledging supervisory discretion, he highlighted that this discretion is constrained when specific protective measures are necessary, and that authorities may waive GDPR-listed measures under certain circumstances, particularly if the controller has independently taken corrective actions. Notably, Pikamäe emphasized that data subjects cannot dictate specific measures, and these principles also apply to administrative fines.