
ECJ (Case C‑768/21): No subjective right to remedies vis-à-vis supervisory authorities

In its judgment in Case C‑768/21 of September 26, 2024, the ECJ addressed the question of what latitude the supervisory authorities have when a data breach is detected.

You do have to take action when a complaint is received:

32 In particular, any supervisory authority pursuant to Art. 57(1)(f) GDPR is obligated in their territory to deal with complaints which any person may lodge pursuant to Article 77(1) GDPR if they consider that the processing of personal data relating to them infringes this Regulation, to investigate the subject matter of the complaint to a reasonable extent and to inform the complainant of the progress and the outcome of the investigation within a reasonable period. The supervisory authority must handle such a complaint with all due diligence […].

They have a certain, but not unlimited, discretion in exercising their powers:

37 In this respect, it should be noted that the GDPR grants the supervisory authority discretion as to the manner in which it remedies the identified inadequacy […]. The Court of Justice has already ruled that it is for the supervisory authority, taking into account all the circumstances of the specific case, to choose the appropriate and necessary means and it is obliged to exercise all due care in fulfilling its task of ensuring full compliance with the GDPR […].

38 However, this discretion is limited by the need to ensure a consistent and high level of protection of personal data through a clearly enforceable legal framework […].

However, this does not mean that the authority

41 […] would be obliged to take a corrective measure, in particular to impose a fine […], in any case where it finds a breach of the protection of personal data. Therefore, […] the complainant […] is entitled to no subjective right that the supervisory authority imposes a fine on the controller.

The authority may also refrain from taking remedial action when it is no longer required:

43 In this respect, it is not excluded that the supervisory authority may exceptionally, and taking into account the specific circumstances of the case, refrain from taking remedial action even though a personal data breach has been established. Such a case could exist in particular if the identified breach has not persisted, for example if the controller, who had in principle implemented appropriate technical and organizational measures within the meaning of Art. 24 of this Regulation, has taken appropriate and necessary measures to ensure that the breach is remedied and does not recur, taking into account the obligations incumbent upon it, in particular under Art. 5 para. 2 and Art. 24 GDPR, as soon as it has become aware of this breach.

Whether this applies in the present case must be examined by the referring court (the Wiesbaden Administrative Court).