No obligation for a data protection supervisory authority to take remedial action in the event of a breach of the protection of personal data

The case underlying the request for a preliminary ruling to the European Court of Justice (ECJ) concerned an employee of a credit institution who had repeatedly accessed a customer's personal data without authorisation. Once the incident was discovered, the credit institution notified it to the data protection supervisory authority. The data subject, however, was not informed, because the controller classified the incident as low-risk. When the data subject nevertheless learned of the incident, he lodged a complaint with the competent supervisory authority and demanded that it take remedial action against the credit institution. The supervisory authority declined to do so, pointing to the measures the credit institution had already initiated and taken. The data subject brought an action against that decision before the national court. The question at the centre of the referring court's request to the ECJ was whether a supervisory authority is always obliged to exercise its corrective powers once a personal data breach has been established. The ECJ answered in the negative: the supervisory authority has discretion as to whether, and by which means, it takes remedial action in response to a personal data breach (ECJ, Case C-768/21).

This decision is of considerable practical importance, because it means that a supervisory authority is not obliged to impose specific remedial measures or fines in every case of a breach of the protection of personal data. This applies in particular where the controller itself takes immediate and adequate action to contain the breach and prevent its recurrence. It is therefore worthwhile acting immediately and documenting the measures taken as soon as a breach is detected. The decision does not, however, relieve the controller of its own obligations under the GDPR: the breach must still be notified to the supervisory authority (Art. 33 GDPR) and, where it is likely to result in a high risk to the rights and freedoms of the data subject, communicated to the data subject as well (Art. 34 GDPR).