In its judgment in Case C‑768/21 of September 26, 2024, on the question of what freedom the supervisory authorities have when a data breach is detected:
You do have to take action when a complaint is received:
32 In particular, any supervisory authority pursuant to Art. 57(1)(f) GDPR is obligated in their territory to deal with complaints which any person may lodge pursuant to Article 77(1) GDPR if they consider that the processing of personal data relating to them infringes this Regulation, to investigate the subject matter of the complaint to a reasonable extent and to inform the complainant of the progress and the outcome of the investigation within a reasonable period. The supervisory authority must handle such a complaint with all due diligence […].
They have a certain, but not unlimited, discretion in exercising their powers:
37 In this respect, it should be noted that the GDPR grants the supervisory authority discretion as to the manner in which it remedies the identified inadequacy […]. The Court of Justice has already ruled that it is for the supervisory authority, taking into account all the circumstances of the specific case, to choose the appropriate and necessary means, and it is obliged to exercise all due care in fulfilling its task of ensuring full compliance with the GDPR […].
38 However, this discretion is limited by the need to ensure a consistent and high level of protection of personal data through a clearly enforceable legal framework […].
However, this does not mean that the authority
41 […] would be obliged to take a corrective measure, in particular to impose a fine […], in any case where it finds a breach of the protection of personal data. Therefore, […] the complainant […] is entitled to no subjective right that the supervisory authority imposes a fine on the controller.
The authority may also refrain from taking remedial action when it is no longer required:
43 In this respect, it is not excluded that the supervisory authority may exceptionally, and taking into account the specific circumstances of the case, refrain from taking remedial action even though a personal data breach has been established. Such a case could exist in particular if the identified breach has not persisted, for example if the controller, who had in principle implemented appropriate technical and organizational measures within the meaning of Art. 24 of this Regulation, has taken appropriate and necessary measures to ensure that the breach is remedied and does not recur, taking into account the obligations incumbent upon it, in particular under Art. 5 para. 2 and Art. 24 GDPR, as soon as it has become aware of this breach.
Whether this is applicable in the present case must be examined by this court (the Wiesbaden Administrative Court).