
CJEU ruling stating data protection authorities are not obligated to render a fine or order corrective action

On 26 September 2024, the Court of Justice of the European Union issued a ruling stating that data protection authorities are not obligated to render a fine or order corrective action following a data breach if the controller has taken remedial actions. The case originated after a German bank employee accessed a customer's personal data without being authorized. The employee testified, however, that she neither copied the customer's data nor sold it to a third party.

 

This ruling reveals quite an interesting approach, as it is the first from the ECJ to temper somewhat the discretionary powers of the DPAs over the issuing of fines based on the GDPR, recognising that fines may not be necessary where the controller has already taken the necessary measures on its own initiative. The GDPR leaves the supervisory authority discretion as to the manner in which it must remedy the shortcoming found. That discretion is limited by the need to ensure a consistent and high level of protection of personal data through strong enforcement of the GDPR. This could result in more comprehensive approaches from DPAs on the balancing test and on taking into account the data controller’s quick actions and reactions to a data breach.

 

For more information, you can see the ECJ press release here.

The text of the ruling can also be accessed here.

 

Source: CJEU Press Release
