Do data protection authorities have to impose fines for breaches of the General Data Protection Regulation (GDPR)? The European Court of Justice (ECJ) has now addressed this question. Its almost Solomonic ruling also provides practical recommendations for companies.
ECJ: Supervisory authority does not have to impose a sanction
In case C-768/21, the ECJ dealt with a central issue of data protection: What obligations does a supervisory authority have in the event of a personal data breach? In particular, it was clarified whether a supervisory authority must take remedial action, such as imposing a fine, if it identifies a breach of the GDPR.
The ECJ ruled that the supervisory authority has discretion and does not have to impose a sanction in every case.
The starting point of the proceedings was a request for a preliminary ruling from the Wiesbaden Administrative Court. At the heart of the case was the question of whether the supervisory authority must always take remedial action, in particular impose a fine, once a breach of the GDPR has been established. The plaintiff in the main proceedings had complained that Sparkasse X had not reported unauthorized access to his personal data in accordance with Art. 34 GDPR. The Hessian Commissioner for Data Protection and Freedom of Information (HBDI) confirmed the breach but refrained from taking remedial action. He shared the savings bank's assessment that there was no high risk for the complainant.
Fines as a discretionary decision
The ECJ had to rule on the interpretation of Art. 57 (1) (a) and (f) and Art. 58 (2) GDPR. These provisions concern the tasks and powers of the supervisory authorities in relation to data protection breaches. The central question was whether a supervisory authority must take action for every breach identified.
The Court ruled that the supervisory authority has discretionary powers. It is not obliged to take remedial action in every case. The measures it takes must be appropriate, necessary and proportionate to remedy the identified shortcoming. This means that in certain cases a supervisory authority may refrain from imposing sanctions, including fines, if the identified deficiencies have already been remedied and no further violations are to be expected.
The ECJ clarified that the aim of the GDPR is to ensure a high and uniform level of protection for personal data. The supervisory authority has a duty to ensure compliance with the regulation. However, it is not obliged to impose sanctions in each individual case. For example, sanctions may be waived in the event of a minor breach or if measures have already been taken to prevent future breaches.
Effects of the ECJ ruling for companies
The ECJ ruling is also of considerable importance for the strategic planning of data protection measures in companies.
1. Stronger focus on comprehensive compliance programs
Companies must go beyond mere compliance with legal requirements and consider data protection as an integral part of their business strategy. The implementation of data protection measures must be proactive and documented.
2. Dealing with inconsistencies within the EU
The differing application of the GDPR by the data protection authorities in various EU member states can pose challenges for companies operating internationally. A consistent but flexible data protection strategy is required to meet these challenges.
3. Need for legal advice
Companies should regularly seek legal advice to ensure that their data protection practices are up to date and in line with the interpretations of the various national authorities.
4. Responsibility and accountability
The decision emphasizes the importance of accountability and transparency in the handling of personal data. Companies must be able to prove that their processing activities comply with the principles of the General Data Protection Regulation.
Avoid GDPR fines: Recommendations for action for companies
- Review of the data protection guidelines: It is crucial that companies regularly review and adapt their data protection policies to ensure compliance and stay up to date.
- Training and awareness: Through regular training, companies can ensure that their employees know and understand the data protection rules that apply to their work.
- Creation and updating of response plans: An effective plan for dealing with data breaches is essential. This should include clear guidelines for immediate action and communication strategies.
- Observation of the regulatory landscape: Companies should actively monitor the developments and guidelines of the various data protection authorities in order to be able to adapt their strategies accordingly.
Adapt data protection management now
The ECJ ruling marks an important point in the application of the GDPR and emphasizes the need for a differentiated approach to data protection management. Companies are called upon not only to rethink their data protection procedures, but also to proactively design them in order to meet the requirements and expectations.
Take the opportunity to strengthen your data protection strategies. A proactive approach and constant adaptation to the legal framework are essential to secure the trust of your customers and minimize regulatory risks. Engage data protection experts to continuously improve your practices and processes and adapt to the dynamic data protection landscape.