Facts of the case
An employee of a savings bank accessed the personal data of a customer on several occasions without authorisation. The savings bank refrained from informing the customer concerned about the data breach, but it did initiate disciplinary measures against the employee responsible. The employee also confirmed in writing that she had neither copied nor saved the personal data nor transmitted it to third parties, and that she would not do so in future.
When the affected customer learnt of the data protection breach, he lodged a complaint with the competent supervisory authority (the state data protection commissioner) in accordance with Art. 77 GDPR. In that complaint he objected that, contrary to Art. 34 GDPR, he had not been notified of the breach concerning his personal data. The state commissioner denied a breach of Art. 34 GDPR, however, because, despite the access to the data, there was no evidence that the employee had passed it on to third parties or used it to the customer's detriment. The customer then brought an action before the Wiesbaden Administrative Court, seeking an order requiring the supervisory authority to take action against the savings bank. The Administrative Court referred the matter to the ECJ for a preliminary ruling.
Decision of the ECJ
According to Art. 57 para. 1 lit. a GDPR, the tasks of a supervisory authority include monitoring and enforcing the application of the Regulation. Art. 58 para. 1 GDPR gives each supervisory authority far-reaching investigative powers. If it identifies a breach of the provisions of the Regulation, it is obliged to respond in an appropriate manner in order to remedy the shortcoming identified. As recital 129 of the GDPR clarifies, the measures taken must be appropriate, necessary and proportionate, in particular with a view to ensuring compliance with the Regulation, and the circumstances of each individual case must be taken into account. To this end, Art. 58 para. 2 GDPR lists the corrective powers available to the supervisory authority, including the power to impose a fine. It is therefore for the supervisory authority to choose the appropriate and necessary means, taking into account all the circumstances of the specific case (paras. 30 et seq.).
The ECJ therefore concluded that the supervisory authority has a margin of discretion as to how it reacts to a data protection breach, and that it cannot be inferred from either Art. 58 para. 2 GDPR or Art. 83 GDPR that the authority is obliged to take corrective action in every case, let alone to impose a fine. In particular, corrective measures may exceptionally be dispensed with if the shortcoming identified has already been remedied by the controller and the necessary measures have been taken, provided that it can be expected that the breach will not be repeated in the future (paras. 41 et seq.).
Significance for companies
The judgment of the ECJ makes it clear that companies can potentially avoid sanctions if they handle a data protection breach correctly. The discretion, however, lies with the supervisory authority, so a company cannot count on it: it is all the more important that companies act immediately and proactively in the event of a data protection incident, eliminating the breach, limiting its consequences and reducing the risk of recurrence. To this end, it is essential to define in advance the processes and responsibilities for handling and reporting data protection incidents.
And what is the situation in Switzerland?
According to Art. 4 para. 1 FADP, the Federal Data Protection and Information Commissioner (FDPIC) supervises the application of the federal data protection provisions. A look at the relevant provisions of the FADP shows that the FDPIC likewise has discretion in its investigations and in the measures it orders.
Under Art. 49 para. 1 FADP, the FDPIC may open an investigation ex officio or upon notification if there are sufficient indications that a data processing activity could violate data protection provisions. Paragraph 2 of the same article grants the FDPIC the discretion to refrain from an investigation if the violation is of minor importance. Finally, where a breach of data protection provisions has occurred, Art. 51 FADP also grants the FDPIC discretion after proceedings have been opened, since its provisions are framed as discretionary ("may") powers. In particular, the FDPIC can limit itself to issuing a warning if the measures necessary to restore compliance with data protection law have already been taken during the investigation.