CJEU. C-768/21 | Land Hessen. Personal data protection: the supervisory authority is not obliged to exercise a corrective power in all cases of breach and, in particular, to impose a fine

It may refrain from doing so where the controller has already taken the necessary measures on its own initiative.

In Germany, a savings bank found that one of its employees had consulted a customer’s personal data on several occasions without being authorised to do so. The savings bank did not inform the customer of this, as its data protection officer had taken the view that there was no high risk for him. The employee had confirmed in writing that she had neither copied nor retained the data, that she had not transferred them to third parties and that she would not do so in the future. In addition, the savings bank had taken disciplinary measures against her. The savings bank nevertheless notified the Land Hessen’s Commissioner for Data Protection of this breach.

After incidentally becoming aware of this breach, the customer lodged a complaint with that Commissioner for Data Protection. After hearing the savings bank, the Commissioner for Data Protection informed the customer that it did not consider it necessary to exercise any corrective powers in respect of the savings bank.

The customer then brought an action before a German court, asking it to order the Commissioner for Data Protection to take action against the savings bank and, in particular, to impose a fine on it.

The German court has asked the Court of Justice to interpret the General Data Protection Regulation (GDPR)[1] in this respect.

The Court answers that when a breach of personal data has been established, the supervisory authority[2] is not obliged to exercise a corrective power[3], in particular the power to impose an administrative fine, where this is not necessary to remedy the shortcoming found and to ensure that the GDPR is fully enforced. This could be the case, inter alia, where, as soon as the controller became aware of the breach, it took the necessary measures to ensure that that breach was brought to an end and did not recur.

The GDPR leaves the supervisory authority a discretion as to the manner in which it must remedy the shortcoming found. That discretion is limited by the need to ensure a consistent and high level of protection of personal data through strong enforcement of the GDPR.

It is for the German court to ascertain whether the Commissioner for Data Protection complied with those limits.


[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
[2] In the present case, the Land Hessen’s Commissioner for Data Protection.
[3] The supervisory authority may, inter alia, issue reprimands to the controller, order it to comply with the data subject’s requests and bring processing operations into compliance with the GDPR or, in addition to, or instead of those measures, impose on it an administrative fine.


:: Judgment of the Court in Case C-768/21 | Land Hessen