Provisional text

OPINION OF ADVOCATE GENERAL

PIKAMÄE

delivered on 11 April 2024 (1)

Case C‑768/21

TR

v

Land Hessen

(Request for a preliminary ruling from the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden, Germany))

(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 57(1)(a) and (f) – Tasks of the supervisory authority – Article 58(2) – Powers of the supervisory authority – Article 77(1) – Right to lodge a complaint – Personal data breach – Obligation of supervisory authority to adopt measures)

I.      Introduction

1.        The present request for a preliminary ruling from the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden, Germany) under Article 267 TFEU concerns the interpretation of Article 57(1)(a) and (f), Article 58(2) and Article 77(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2) (‘the GDPR’).

2.        The request has been made in proceedings between TR and Land Hessen (Germany), represented by the Hessischer Beauftragte für Datenschutz und Informationsfreiheit (Hessen Commissioner for Data Protection and Freedom of Information; ‘the HBDI’), concerning the latter’s refusal to take action against the savings bank in respect of a personal data breach. The referring court asks whether, where the supervisory authority finds that data processing has infringed the data subject’s rights, the supervisory authority must always take action in accordance with the powers conferred on it by Article 58(2) of the GDPR or whether, in a particular case, it may – despite an infringement – refrain from taking action.

3.        The present case raises a number of novel questions of law which require careful consideration. The Court of Justice will have to rule, in substance, on the role played by the principles of legality and expediency in the administrative practice of the supervisory authorities and, in particular, in pursuit of their task of monitoring the application of the GDPR and ensuring compliance with it. The interpretative guidance that will emerge from the Court of Justice’s case-law will influence that administrative practice, thereby contributing to a consistent application of that regulation within the European Union.

II.    Legal framework

4.        Recitals 129, 141, 148 and 150 of the GDPR are worded as follows:

‘(129) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, and without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings. Such powers should also include the power to impose a temporary or definitive limitation, including a ban, on processing. Member States may specify other tasks related to the protection of personal data under this Regulation. The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time. In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned. …

(141) Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the [Charter of Fundamental Rights of the European Union, ‘the Charter’] if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. …

(148) In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. …

(150) In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. …’

5.        Article 33(1) of that regulation provides:

‘In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. …’

6.        Article 34(1) of the regulation provides:

‘When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. …’

7.        Article 57(1) of the regulation provides:

‘Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:

(a)      monitor and enforce the application of this Regulation;

(f)      handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;

…’

8.        Article 58 of the GDPR provides:

‘1. Each supervisory authority shall have all of the following investigative powers:

(a) to order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks;

2.      Each supervisory authority shall have all of the following corrective powers:

(a)      to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

(b)      to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;

(c)      to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;

(d)      to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

(e)      to order the controller to communicate a personal data breach to the data subject;

(f)      to impose a temporary or definitive limitation including a ban on processing;

(i)      to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;

…’

9.        Article 77 of the regulation provides:

‘1.      Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

2.      The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.’

10.      Article 78 provides, in paragraphs 1 and 2:

‘1.      Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

2.      Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.’

11.      Article 83 of the GDPR states, in paragraphs 1 and 2:

‘1.      Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2.      Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

(a)      the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b)      the intentional or negligent character of the infringement;

(c)      any action taken by the controller or processor to mitigate the damage suffered by data subjects;

(d)      the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

(e)      any relevant previous infringements by the controller or processor;

(f)      the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

(g)      the categories of personal data affected by the infringement;

(h)      the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

(i)      where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;

(j)      adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k)      any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.’

III. The facts, the main proceedings and the question referred for a preliminary ruling

12.      The savings bank is a communal institution governed by public law, whose tasks include the settlement of banking and credit transactions. On 15 November 2019, it notified the HBDI of a personal data breach, pursuant to Article 33 of the GDPR, since one of its employees had, on several occasions, unlawfully accessed personal data of TR, one of its customers. Taking the view that this was not a personal data breach likely to result in a high risk for TR, the savings bank did not, however, notify TR under Article 34 of that regulation.

13.      After becoming aware of the incident, TR sent a letter dated 27 July 2020 to the HBDI, reporting a breach of Article 34 of the GDPR and complaining of the short period of three months for which the savings bank’s access logs were retained, and the fact that all savings bank employees had comprehensive access rights.

14.      In the course of the proceedings before the HBDI, the savings bank indicated that its data protection officer had assumed that there was no risk to TR, as disciplinary measures had been taken against the employee concerned. She had confirmed in writing that she had read the data, but had not copied or retained them or transferred them to third parties, and she promised not to do so in future either. In addition, the savings bank indicated that it would review the length of time for which access logs were kept.

15.      By a decision of 3 September 2020, the HBDI informed TR that in the case in question the savings bank had not infringed Article 34 of the GDPR. According to that authority, the decision to be taken under that article was a provisional one. With regard to the data protection supervision system, it was necessary to investigate whether that decision was manifestly incorrect. The savings bank had stated that, although the data had been accessed, there was no evidence that the employee in question had disclosed the data to third parties or used them to TR’s disadvantage. Thus, it had been unlikely that a high risk existed. In addition, the savings bank had been asked to retain its access logs for longer henceforth. According to the HBDI, a systematic review of all access types was not necessary, since extensive access rights could in principle be granted, provided each user was told which conditions of access applied to which data.

16.      TR lodged an action against the decision of 3 September 2020 before the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden), the referring court, asking it to order the HBDI to take action against the savings bank.

17.      In support of his action, TR submits that the HBDI failed to handle his complaint in accordance with the requirements of the GDPR. He asserts that he is entitled to have his complaint handled and to be informed of the outcome. He submits that the HBDI was obliged to establish the facts underpinning the savings bank’s risk assessment without confining itself to the measures expressly requested, and that it should have fined the savings bank. According to TR, where a breach is established, the principle of expediency does not apply, so that the HBDI did not have the discretion to decide whether or not to act but that, at most, its discretion extended to which measures it was considering adopting.

18.      The referring court states that, in the present case, the HBDI, as supervisory authority, had concluded that although a personal data breach had occurred no action was required under Article 58(2) of the GDPR. However, that approach is only lawful if a supervisory authority is not required to take action whenever a personal data breach is established. If one were to accept TR’s view that the supervisory authority has no discretion, then there would, as a consequence, be a right to demand action and corrective measures, and thus the supervisory authority would have to take action in every case. If it refused, the court would then have to order the supervisory authority to issue a measure or a selection of measures.

19.      The referring court states that such an argument, which is also put forward by some commentators, is based on the fact that the corrective powers conferred under Article 58(2) of the GDPR were intended to restore a lawful situation when data processing infringes a citizen’s rights. The provision is therefore to be understood as a standard imposing an obligation which establishes the citizen’s right to official action where an undertaking or an authority has unlawfully processed the citizen’s personal data or has infringed rights in some other way. Where a personal data breach is established, the supervisory authority is required to take corrective action, its discretion being limited to choosing which of the measures referred to it intends to issue.

20.      However, the referring court has doubts as to that interpretation, which it considers goes too far. It is inclined, rather, to grant that the supervisory authority has the latitude to refrain from imposing penalties even where a breach is established. Article 57(1)(f) of the GDPR merely stipulates that the supervisory authority is to handle complaints and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period. In the referring court’s view, the supervisory authority therefore has a duty to conduct a careful substantive investigation and to examine each individual case, but it does not follow that action is always necessary, without exception, where a breach is established.

21.      It is in those circumstances that the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden) decided to stay the proceedings and to refer the following question to the Court of Justice for a preliminary ruling:

‘Are Article 57(1)(a) and (f), Article 58(2)(a) to (j) and Article 77(1) [of the GDPR], to be understood as meaning that, where the supervisory authority finds that data processing has infringed the data subject’s rights, the supervisory authority must always take action in accordance with Article 58(2) [of that regulation]?’

IV.    Procedure before the Court

22.      The order for reference dated 10 December 2021 was received at the Court Registry on 14 December 2021.

23.      The parties to the main proceedings, the Austrian, Portuguese, Romanian and Norwegian Governments and the European Commission submitted written observations within the period prescribed by Article 23 of the Statute of the Court of Justice of the European Union.

24.      At the general meeting of 16 January 2024, the Court decided not to hold a hearing.

V.      Legal analysis

A.      Preliminary remarks

25.      Since the GDPR came into force, many organisations have had to implement a number of measures in order to comply with the new regulations on the processing of personal data. Where organisations fail to comply with such measures, they are liable to penalties of varying levels, depending on the severity of the breach. Administrative fines are at the heart of the enforcement system introduced by the GDPR. They are an effective part of the toolbox available to supervisory authorities to enforce compliance with the rules, alongside the other corrective powers provided for in Article 58(2) of the GDPR. Since that regulation authorises the supervisory authorities to impose fines that are sometimes very high, it seems appropriate to specify, in the interests of legal certainty, the circumstances that justify recourse to such a corrective action. The present opinion should therefore be understood as a contribution to that aim.

26.      The Opinion in the present case resumes, so to speak, where my Opinion in Joined Cases C‑26/22 and C‑64/22 (SCHUFA Holding) (‘the SCHUFA cases’ (3)) left off. Whereas, in those cases, I explained the supervisory authority’s obligations when examining a complaint lodged under Article 77 of the GDPR, in the present case I will deal with its obligations when a breach of personal data is detected, and its power to adopt corrective actions, including by imposing administrative fines. Then, I will consider whether the GDPR imposes an obligation on the supervisory authority to issue such a fine in all cases, or at least where the complainant expressly so requests. On the basis of a summary of my analysis, I will answer the question put by the referring court concerning the possibility of the supervisory authority refraining from taking corrective action.

B.      Admissibility of the request for a preliminary ruling

27.      Before examining all those aspects, it is necessary to address TR’s argument that the request for a preliminary ruling is inadmissible. More specifically, TR submits that an answer to the question posed is not necessary in order to decide the dispute in the main proceedings. He argues that his action merely asks the referring court to order the HBDI to rule on the objections raised in the complaint before it, and not for the HBDI to be ordered to make use of the powers conferred by Article 58(2) of the GDPR.

28.      In that regard, it must be observed that, in the context of the cooperation between the Court of Justice and the national courts provided for in Article 267 TFEU, it is solely for the national court before which a dispute has been brought, and which must assume responsibility for the subsequent judicial decision, to determine in the light of the particular circumstances of the case both the need for a preliminary ruling in order to enable it to deliver judgment and the relevance of the questions which it submits to the Court. Consequently, where the questions submitted by the national court concern the interpretation of EU law, the Court of Justice is, in principle, bound to give a ruling. (4)

29.      It follows that questions on the interpretation of EU law referred by a national court in the factual and legislative context which that court is responsible for defining, the accuracy of which is not a matter for the Court of Justice to determine, enjoy a presumption of relevance. The Court of Justice may refuse to rule on a question referred by a national court only where it is quite obvious that the interpretation of EU law that is sought is unrelated to the actual facts of the main action or its object, where the problem is hypothetical, or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions submitted to it. (5)

30.      In the present case, the national court, while clearly setting out the reasons why it has doubts as to the interpretation of the provisions of EU law referred to in its question for a preliminary ruling, states that the answer to that question is decisive for the outcome of the main proceedings, in so far as TR asked the HBDI to take action against the savings bank. As is apparent from the statement of reasons contained in the request for a preliminary ruling, TR had asserted a ‘right’ to demand such action. In particular, in TR’s view, ‘the HBDI should have fined the savings bank’. It is in that context that the referring court refers to the calculations made by TR to determine the amount of the fines to be imposed.

31.      All that information, provided by the referring court, clearly contradicts TR’s claims as to the alleged inadmissibility of the request for a preliminary ruling. In the light of those circumstances, there is, in my view, no doubt that a response to the question referred by the referring court is necessary in order for judgment to be given. It is essential to establish the scope of the supervisory authority’s powers and its obligations towards the complainant. Consequently, the request for a preliminary ruling is admissible.

C.      Consideration of the question referred

32.      As regards the substance, the question referred for a preliminary ruling seeks to determine, in essence, what the supervisory authority’s obligations are when a personal data breach has been detected. Such a situation usually occurs when the breach in question has been established in the course of an investigation initiated following a complaint.

33.      The statements of the referring court reveal some vagueness as regards the obligations which the GDPR imposes on the supervisory authority when investigating a complaint, which is explained, in my view, by the fact that the request for a preliminary ruling was made before delivery of the SCHUFA judgment (6), in which the Court established a number of important principles governing the complaints procedure. It is therefore reasonable to assume that the referring court did not have the opportunity to become acquainted with that case-law.

34.      With a view to presenting as fully as possible the legal framework relating to the supervisory system established by the GDPR and in order to provide a useful response to the referring court, I consider it essential to recall, first, the principles applicable to the complaints procedure (7) and to explain, second, how a supervisory authority should proceed when it has identified a personal data breach. (8)

1.      Obligations of the supervisory authority when handling a complaint

35.      As the Court of Justice held in the judgment in SCHUFA, in accordance with Article 8(3) of the Charter and Article 51(1) and Article 57(1)(a) of the GDPR, the national supervisory authorities are responsible for monitoring compliance with the EU rules concerning the protection of natural persons with regard to the processing of personal data. (9)

36.      In particular, under Article 57(1)(f) of the GDPR, each supervisory authority is required on its territory to handle complaints which, in accordance with Article 77(1) of that regulation, any data subject is entitled to lodge where that data subject considers that the processing of his or her personal data infringes the regulation, and is required to examine the nature of that complaint as necessary. (10)

37.      The supervisory authority must deal with such a complaint with all due diligence. The Court of Justice has also held that, in order to handle complaints lodged, Article 58(1) of the GDPR confers extensive investigative powers on each supervisory authority. (11)

38.      In that context, it should be noted that the Court of Justice endorsed the interpretation that I put forward in my Opinion in the SCHUFA cases, that the complaints procedure, which is not similar to that of a petition, is designed as a mechanism capable of effectively safeguarding the rights and interests of data subjects. (12)

39.      Furthermore, it should be noted that the Court also shared my interpretation of Article 78(1) of the GDPR, by holding that a decision on a complaint adopted by a supervisory authority is subject to full judicial review. (13)

2.      Obligations of the supervisory authority when a personal data breach is identified

40.      When the supervisory authority finds a personal data breach in the course of investigating a complaint, the question then arises as to how it should proceed. As I will explain below, such a finding results, first, in an obligation for the supervisory authority to take action in the interests of the principle of legality. Generally speaking, that means identifying the most appropriate corrective measure(s) in order to address the infringement. (14) Such an interpretation seems to me to be a reasonable one, given that Article 57(1)(a) of the GDPR entrusts the authority with the task of ‘monitor[ing] and enforc[ing] the application of [the] Regulation’. It would be incompatible with that mandate for the supervisory authority to have the option of simply ignoring the infringement detected. (15)

41.      Moreover, the supervisory authority’s investigative powers under Article 58(1) of the GDPR would be of little value if the supervisory authority were forced to confine itself to carrying out an investigation even where a personal data breach had been found. Enforcement of EU law on personal data protection is an essential component of the notion of ‘control’ included in Article 16(2) TFEU and Article 8(3) of the Charter. (16) In that context, it should not be forgotten that the supervisory authority also acts in the interests of the person or entity whose rights have been infringed. In that regard, it should be noted that Article 57(1)(f) and Article 77(2) of the GDPR impose certain obligations with regard to the complainant, namely to ‘inform the complainant of the progress and the outcome of the investigation’.

42.      That final phrase implies that the supervisory authority must also report on the measures taken in relation to the personal data breach it has identified. Clearly, the complaints procedure would serve no purpose if the supervisory authority could remain passive in the face of a legal situation contrary to EU law. For that reason, in order to give the supervisory authority an effective means of dealing with breaches of such a kind, Article 58(2) of the GDPR sets out a list of corrective measures, graduated by the extent of the intervention. The obligation to intervene in all cases, whatever the severity of the breach means that the supervisory authority must have recourse to that list of corrective measures in order to bring the situation back into compliance with EU law. (17)

3.      The supervisory authority’s power to adopt corrective measures

43.      Having said that, it must be made clear that the question of whether the authority should intervene in the event of a personal data breach must be clearly distinguished from the question of specifically how it should act. With regard to the latter question, there are a number of indications that the supervisory authority has a degree of latitude, which must nevertheless be exercised in accordance with the objectives of the GDPR and within the limits set by it. Although I have already presented a number of arguments in support of such an interpretation in the SCHUFA cases, (18) it is nevertheless necessary to address the issue in detail in the present Opinion.

44.      At the outset, it should be observed that, pursuant to Article 58(2) of the GDPR, the supervisory authority ‘shall have … the … powers’ to adopt all the corrective measures listed in that provision, which means that an option exists, as the referring court rightly points out. Moreover, that connotation is found in all the language versions that I examined as part of my analysis. (19)

45.      Article 58(2) of the GDPR must be interpreted in the light of recital 129 of that regulation, which states that ‘each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case’ (emphasis added). In other words, the ‘power’ conferred on the supervisory authority to have recourse to the list of corrective measures set out in that provision is subject to various conditions, including the condition that the measure taken by the authority must be ‘appropriate’. I interpret that indeterminate legal concept, which confers on the authority a degree of latitude, as meaning that the measure chosen must be capable, by virtue of its properties and mode of action, of bringing the situation back into compliance with EU law. (20)

46.      That interpretation is in line with the case-law of the Court of Justice, which has held that, where a supervisory authority finds that the processing of personal data has infringed the GDPR, ‘it is required to react appropriately in order to remedy the shortcoming found’. (21) As the Commission observes, the obligation imposed on the supervisory authority therefore relates first and foremost to the result to be achieved, namely remedying the infringement found, by adopting a measure that is ‘appropriate’ for that purpose. Furthermore, it should be noted that the decision as to the measure to be taken depends on the specific circumstances of each individual case, as is clear from the abovementioned recital 129 of the GDPR. Consequently, the decisions taken by the supervisory authority in the context of its administrative practice may vary significantly from case to case, depending on the situation.

47.      In so far as Article 58(2) of the GDPR merely states that each supervisory authority ‘shall have […] the […] powers’ to adopt all the corrective measures listed in that provision, the supervisory authority enjoys a degree of latitude in that it is, in principle, free to choose from among those corrective measures in order to remedy the infringement found. As the Court of Justice emphasised in its judgment in Case C‑311/18 (Facebook Ireland and Schrems), ‘the supervisory authority must determine which action is appropriate and necessary’, and in doing so must take into consideration all the circumstances of the specific case. (22)

48.      The granting of a discretionary power also implies, in my view, the power not to take any of the corrective measures referred to in Article 58(2) of the GDPR, where such an approach is justified by the specific circumstances of the individual case. Since recourse to the list of corrective measures is also subject to the condition that the measure in question is ‘necessary’ in view of ensuring compliance with that regulation, it cannot be ruled out that a specific intervention on the part of the supervisory authority might not meet that condition, for example if the problem had in the meantime been resolved or overcome and the infringement had ceased to exist. Clearly, intervention by the supervisory authority would be meaningless in such circumstances.

49.      Similarly, as the Portuguese Government rightly points out, recourse to corrective measures may no longer be justified if the conduct of the controller or processor is manifestly not very reprehensible, or if the case presents mitigating circumstances, for example because the complainant bears some share of responsibility. However, that presupposes that the supervisory authority has the power to set a threshold below which an intervention is not considered ‘necessary’ within the meaning of the GDPR.

50.      In that context, I would like to draw attention to recital 141 of the GDPR, which expressly refers to the possibility of the supervisory authority deciding not to act in cases where it considers that action is not ‘necessary’ in order to guarantee protection of the data subject’s rights (‘where [it] does not act where such action is necessary’) (emphasis added). That recital specifies that the supervisory authority’s decision is also subject to judicial review in the event that the complainant does not agree with the supervisory authority’s assessment of the ‘necessity’ of taking action, in addition to the other scenarios listed in the recital, namely where the complainant’s rights under that regulation are infringed or where the supervisory authority does not act on a complaint or partially or wholly rejects or dismisses a complaint.

51.      The discretion granted to the supervisory authority under Article 58(2) of the GDPR implies that minor breaches may also be remedied by other measures taken by the controller itself. As the circumstances of the present case demonstrate, corrective measures to be taken by the undertakings responsible ‘autonomously’ may consist in the adoption of disciplinary measures against employees who have committed infringements. In circumstances where liability for the infringement has been accepted and in which it has been ensured that a further data breach will not occur, the imposition by the supervisory authority of further corrective measures may appear unnecessary.

52.      In certain circumstances, it may even prove to be counter-productive to use the power to adopt corrective measures against a controller, if that is neither appropriate nor necessary. If the supervisory authority were obliged to use the powers to adopt corrective measures provided for in Article 58(2) of the GDPR in every case of infringement, that would result in a reduction in the resources available for monitoring other cases and tasks which merit more attention with regard to data protection. Accordingly, I consider that recourse to ‘autonomous’ measures taken by the controller itself would enable the supervisory authority to focus on serious cases that deserve priority, while ensuring that personal data breaches may be continuously combated in a decentralised manner, namely through a partial delegation of its tasks.

53.      If the supervisory authority chooses to refrain from applying the corrective measures set out in Article 58(2) of the GDPR, while favouring recourse to ‘autonomous’ measures taken by the controller, it seems to me that some legal requirements must nevertheless be complied with. In the first place, there should be a requirement for the supervisory authority to give its express consent to such a measure in order to avoid any circumvention of the supervisory system put in place by the GDPR. In the second place, such consent should be preceded by a rigorous examination of the situation in the light of the conditions set out in recital 129 of the GDPR, so as not to relieve the supervisory authority of its responsibility to ensure compliance with the regulation. In the third place, the agreement with the entity that is to carry out the ‘autonomous’ measure should provide for the supervisory authority’s right to intervene if its instructions are not complied with. If the Court of Justice were to agree with such an interpretation and to hold that such ‘autonomous’ measures are, in principle, compliant with the GDPR, I believe that the Court should also insist on the need to comply with the abovementioned requirements in the interests of ensuring that the supervisory system is coherent.

54.      Since Article 58(2) of the GDPR grants discretion to the supervisory authority as regards the choice of the ‘appropriate’ corrective measure in a particular case, it is logical to rule out any right on the part of the complainant to require the adoption of a specific measure. Although the complainant has certain rights with regard to the supervisory authority in the context of the procedure, in particular the right to be informed of the progress and outcome of the investigation within a reasonable period, those rights do not include the right to require the adoption of a specific measure.

55.      Nor can such a right be inferred from the fact that the complainant enjoys the right to an effective judicial remedy against a supervisory authority under Article 78 of the GDPR, since the authority’s main obligation towards the complainant in the context of the complaints procedure is to give sufficiently precise and detailed reasons for its decision whether or not to intervene in the case, taking into account the findings made in the course of the investigation carried out by the authority.

56.      Furthermore, it should be noted that, pursuant to Article 78(2) of the GDPR, a judicial remedy may be requested on the grounds that the competent supervisory authority has not handled the complaint or has not informed the data subject, within three months, on the progress or outcome of a complaint lodged pursuant to Article 77 of that regulation. However, it should be noted that none of the grounds mentioned indicate that the data subject has any subjective right to request the adoption of a specific measure in the context of a judicial review.

57.      The same applies to the possibility, referred to in recital 141 of the GDPR, of seeking a judicial remedy by challenging the supervisory authority’s assessment of the ‘necessity’ of taking action to protect the rights of the data subject. Even if the ‘necessity’ for action in a particular case were ultimately to be established by the competent court, that does not necessarily mean that a specific measure would have to be adopted by the supervisory authority. Rather, the supervisory authority would be obliged to exercise its discretion, where appropriate, taking into account the assessment by the court.

58.      It should nevertheless be made clear that it is also possible that the supervisory authority, as an administrative organ, will be forced to adopt a certain measure on account of the particular circumstances of the case, especially where there is a serious risk of an infringement of the fundamental rights of the data subject. I referred specifically to that scenario in my Opinion in the SCHUFA cases. (23) The present request for a preliminary ruling thus offers the opportunity to further explore the subject.

59.      In that regard, it is appropriate to recall, first of all, the judgment in Case C‑311/18 (Facebook Ireland and Schrems), in which the Court of Justice suggested that such a situation might indeed exist. More specifically, the Court of Justice held that the supervisory authority is required, where appropriate, to take some of the measures listed in Article 58(2) of the GDPR, in particular where it considers that the protection required by EU law cannot be ensured by other means. Consequently, to that extent, the supervisory authority’s discretion is confined to some or even, where appropriate, to one of the measures referred to in that provision. (24)

60.      As the Austrian Government rightly points out, there may be a multitude of similar cases requiring the adoption of a specific corrective measure, such as where the supervisory authority finds, in the context of a complaints procedure, that there is an obligation to erase data and that the controller has not yet done so. In the situation described, the supervisory authority will be obliged, in any event, pursuant to Article 58(2)(g) of the GDPR, to order erasure.

61.      The examples mentioned in the preceding paragraphs show that it cannot be ruled out that, depending on the specific circumstances of the particular case, only the adoption of a specific corrective measure would bring the situation back into compliance with EU law. In particular, it seems to me that, in circumstances where there would otherwise be a risk of a serious breach of the data subject’s rights, the supervisory authority’s discretion could be confined to adopting the only measure that is appropriate to protect that data subject’s rights.

62.      Any other interpretation would, in my view, be incompatible with the obligation to ensure respect for the fundamental rights enshrined in the Charter, by which, pursuant to Article 51(1) of the Charter, the authorities of the Member States are bound when implementing EU law. That obligation is also incumbent on the supervisory authorities, as follows from Article 58(4) of the GDPR. (25) Seen in that light, it is reasonable to argue that EU law grants the data subject a subjective right to demand that the authority adopt the measure in question. However, I wish to emphasise that, in the present case, I see no indication that the conditions for such a limitation of the supervisory authority’s discretion are met.

63.      In summary, it should be noted that a supervisory authority to which a complaint has been referred under Article 77 of the GDPR is required, where it finds that there has been a breach of the rights of the data subject, to take appropriate action to remedy the inadequacies identified that still exist and to ensure that the rights of the data subject are protected. Where the supervisory authority intervenes in that regard, it is required to choose the appropriate, necessary and proportionate measure from among the measures referred to in Article 58(2) of that regulation. Discretion in the choice of means is thus limited where the protection required can only be ensured by taking specific measures.

4.      No obligation imposed on the supervisory authority to impose administrative fines in all cases

64.      Following the above general statement regarding the supervisory authority’s power to adopt corrective measures, it is necessary to consider whether the supervisory authority is obliged to impose administrative fines in all cases. Although the foregoing observations may have clarified certain aspects of the issue, a few further explanations appear to me to be necessary. Although the EU legislature included administrative fines among the ‘corrective measures’ set out in Article 58(2) of the GDPR, such measures nonetheless have a number of special characteristics compared with other measures. For that reason, this part of the analysis will focus on the specific rules set out in Article 58(2)(i) and Article 83 of that regulation.

65.      As the Court of Justice has recently pointed out, administrative fines are part of the system of sanctions put in place by the GDPR, providing an incentive for controllers and processors to comply with that regulation. Through their dissuasive effect, administrative fines contribute to strengthening the protection of natural persons with regard to the processing of personal data, and are therefore a key element in ensuring respect for the rights of those persons, in accordance with the purpose of that regulation, which is to ensure a high level of protection for such persons with regard to the processing of personal data. (26)

66.      Article 83 of the GDPR provides for a two-tier system, explicitly stating that certain breaches are more serious than others. The first tier includes infringement of the articles governing the responsibilities of the various players (controller, processor, certification bodies, and so forth). The second tier includes breaches of individual rights protected by that regulation, such as fundamental rights, the basic principles of processing, data subjects’ rights to information, rules on data transfer, and so on. In both tiers, two assessments must be carried out: one to decide whether to impose a fine and the second to decide on the amount of the administrative fine. In both assessments, the supervisory authorities must consider all the individual factors listed in Article 83(2) of that regulation. However, the conclusions reached in the first stage of the assessment may be used in the second step concerning the amount of the fine, thereby avoiding the need to make a second assessment using the same criteria. (27)

67.      Having set out the foregoing preliminary explanations, I will now consider the issue of the possible obligation to impose administrative fines in all cases. In that regard, it should be noted, from the outset, that Article 58(2)(i) of the GDPR provides that the supervisory authority may impose an administrative fine ‘depending on the circumstances of each individual case’. That provision should be read together with Article 83(2) of that regulation, which not only provides for the same restriction on the application of such a corrective measure, but suggests that the supervisory authority may even refrain from doing so (‘when deciding whether to impose an administrative fine’) (emphasis added) if the circumstances justify such an approach. The same wording is found – in more or less similar terms – in other language versions. (28) In short, the wording of Article 83(2) of the GDPR itself indicates that it is not mandatory in all cases to impose an administrative fine.

68.      Moreover, it should be noted that that provision requires the supervisory authority to take account, in each individual case, of various factors when deciding whether to impose an administrative fine. Those factors are circumstances – which may be aggravating or mitigating – that influence the decision of the supervisory authority, such as the nature, gravity and duration of the infringement, but also circumstances relating to the conduct of the controller, such as whether the infringement was committed intentionally or negligently. (29)

69.      In that context, the second and third sentences of recital 148 seem to me to be relevant for the purposes of interpreting Article 83(2) of the GDPR, in so far as they give indications as to the characteristics which should be taken into account in reaching a decision. The recital introduces the concept of a ‘minor infringement’, which has significant consequences for the administrative practice of the supervisory authority. (30) It states, inter alia, that ‘in a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine’ (emphasis added).

70.      In my view, one may infer from that statement that the EU legislature was aware that an administrative fine is a particularly severe corrective measure which should not be used in all cases, as that might diminish its effectiveness, but that it should only be applied where the circumstances of a particular case so require. Recital 148 of the GDPR refers to the principle of proportionality to be observed by supervisory authorities when applying that regulation in the specific context of sanctions, including administrative fines. As I have already noted in my analysis, that principle is reflected in recital 129 of that regulation, which concerns the adoption of corrective measures in general. (31) The system of sanctions which the legislature meant to provide for is therefore flexible and differentiated. (32)

71.      It follows from the interpretation of Article 83(2) of the GDPR, read in the light of recital 148 thereof, that, even when it has identified an infringement, the assessment of the criteria in that provision may lead the supervisory authority to believe that in the concrete circumstances of the case, the breach does not pose a significant risk to the rights of the data subjects concerned, for example, and does not affect the essence of the obligation in question. In such cases, the fine may in some cases – but not always – be replaced by a reprimand. (33)

72.      However, it is important to point out that recital 148 does not contain an obligation for the supervisory authority to replace a fine by a reprimand in the case of a minor infringement in all circumstances, but leaves it free to do so after an assessment of all the specific circumstances of the case. Lastly, it follows from recital 148 that the supervisory authority may refrain from imposing a fine, even if recourse to such a corrective measure would a priori be necessary on the basis of the assessment it has made, if that fine constitutes a disproportionate burden to a natural person. (34)

73.      Thus, the circumstances of each individual case, which are referred to in Article 83(2) of the GDPR, ultimately determine whether to impose a fine and, if so, the amount of that fine. All those indications support my view that the decision is ultimately taken at the discretion of the supervisory authority. (35) The supervisory authority is responsible for exercising the discretion conferred on it conscientiously and in accordance with the requirements of the GDPR. The limits on that discretion derive from the general principles of EU law and the law of the Member States, in particular the principle of equal treatment. It follows that there is a need to develop an administrative practice of imposing fines for similar cases in a comparable manner.

74.      I would also like to point out that, in the case of the cumulative imposition of financial penalties of a criminal nature, there is even a risk of infringing the principle of ‘ne bis in idem’, as interpreted by the Court of Justice, which is referred to in recital 149 of the GDPR. That principle constitutes a fundamental right, protected by Article 50 of the Charter, and it may only be restricted under strict conditions, referred to in Article 52 of the Charter. In other words, there may also be legal barriers to the imposition of administrative fines.

5.      No obligation imposed on the supervisory authority to issue administrative fines where the complainant expressly so requests

75.      The final aspect to consider is whether the supervisory authority is obliged to impose administrative fines where the complainant expressly so requests. As I noted when considering the admissibility of the request for a preliminary ruling, it is apparent from the file that TR had asked the HBDI to take action against the savings bank and to impose administrative fines on it. In support of his claim, TR had made calculations to determine the amount of the fines to be imposed. (36) That request is apparently based on the view that a complainant has a subjective right vis-à-vis the supervisory authority to request the adoption of a specific measure. However, as I will explain below, I consider that such a position has no legal foundation.

76.      First, my analysis has shown that the supervisory authority has discretion to choose the appropriate measure in each individual case. Unless there are particular circumstances that could lead to a limitation of that discretion, such as the gravity or continuing impact of a personal data breach – which do not seem to me to be present in the case at hand – the supervisory authority retains that discretion. In view of the fact that administrative fines are among the corrective measures that the supervisory authority may adopt under Article 58(2) of the GDPR, it is logical to infer that that discretion also extends to them. It follows that there is no obligation imposed on the supervisory authority to act in the interests of the complainant by adopting a particular corrective measure.

77.      Second, even if the circumstances of the case were so different as to justify the adoption of a specific corrective measure, it seems to me that it could not reasonably be argued that the imposition of an administrative fine would be necessary. Like the Austrian Government, I consider that account should be taken of the objectives pursued by the various corrective measures listed in Article 58(2) of the GDPR and, in particular, by the administrative fine. More specifically, it seems to me that its legal nature precludes the recognition of a subjective right on the part of a data subject in the sense referred to above, since one of the measure’s aims is to punish conduct considered to be contrary to EU law. I consider that, by virtue of its punitive purpose, at least in certain situations, (37) and in view of the high degree of severity that it may involve, an administrative fine is likely to be criminal in nature. (38) It should be remembered that the right to punish (ius puniendi) belongs exclusively to the State and its organs.

78.      In that context, it should be noted that Article 83(1) of the GDPR requires, inter alia, that fines should, in each individual case, be ‘effective, proportionate and dissuasive’. It is for the supervisory authority to assess whether the proposed fine meets those conditions in a particular case; the authority acts on its own responsibility. It is for the supervisory authority to decide whether recourse to an administrative fine is required in a particular case. To that end, the EU legislature provides it with a detailed legal framework. Thus, Article 83 of the GDPR lays down the general conditions for imposing such fines, which are supplemented by the guidelines on the application and setting of administrative fines for the purposes of the GDPR, drawn up by the EDPB pursuant to Article 70(1)(k) of that regulation. In that regard, it should be noted that none of those rules or guidelines supports the inference that complainants whose rights have been infringed have a particular legal status enabling them to request the supervisory authority to impose an administrative fine on the infringing party.

79.      Admittedly, certain criteria referred to in Article 83(2) of the GDPR – such as the level of damage suffered – suggest that the supervisory authority must also take account of the situation of the data subject when taking a decision. However, those criteria do not in themselves constitute sufficient evidence of a subjective right to seek the imposition of a fine. It follows from an interpretation of that provision, read in the light of recital 75 of that regulation, that the purpose of those criteria is to provide the supervisory authority with useful information to enable it to assess the nature, gravity and duration of the infringement and to choose the appropriate corrective measure. (39) Consequently, depending on each individual case, the supervisory authority may consider various corrective measures – not just an administrative fine – without the data subject being able to demand the adoption of a specific measure. It is for the supervisory authority alone to decide whether to adopt a measure with the aim of re-establishing compliance with the rules or punishing unlawful conduct.

80.      Third, although the EU legislature was inspired by the powers held by the Commission in the field of competition law when it defined the role of the supervisory authority in the system of fines created by the GDPR, that fact does not support a different conclusion. (40) In that respect, it will be recalled that the Commission’s power to impose fines on undertakings that commit infringements within the meaning of Articles 101 and 102 TFEU is one of the means conferred on the Commission in order to enable it to carry out the task of supervision entrusted to it by EU law. (41) However, it should be noted that the Commission has discretion, and in exercising it the Commission is limited only by the requirement to observe the general principles of EU law, including the principles of proportionality and equal treatment. (42) Furthermore, it should be noted that Regulation (EC) No 1/2003 on the implementation of the competition rules (43) does not provide for any right to apply for the adoption of fines under Article 23 for complainants or third parties whose interests may be affected by a decision in the context of an administrative procedure initiated by the Commission, (44) the latter being, under Article 27 of that regulation, merely obliged to grant any requests for a hearing submitted by such complainants or third parties prior to the adoption of such a sanction.

81.      On the basis of the considerations set out above, I consider that it is not possible, in the current state of development of EU law, to conclude that a complainant whose rights have been infringed has a subjective right to seek the imposition of an administrative fine. That conclusion is without prejudice to the possibility for complainants to propose recourse to such a corrective measure, providing arguments and evidence to support their point of view. However, the final decision is at the discretion of the supervisory authority.

D.      Summary of analysis of the question referred for a preliminary ruling

82.      It follows from the above analysis that the supervisory authority has an obligation to act when it finds a personal data breach in the course of investigating a complaint. In particular, it is required to define the most appropriate corrective measure(s) to remedy the infringement and ensure that the data subject’s rights are respected. In that regard, while leaving some discretion to the supervisory authority, the GDPR requires that such measures be appropriate, necessary and proportionate. Under certain conditions, the supervisory authority may dispense with the measures referred to in Article 58(2) of that regulation in favour of ‘autonomous’ measures taken by the controller itself. In any event, the data subject does not have the right to require the adoption of a particular measure. Those principles also apply to the system of administrative fines.

VI.    Conclusion

83.      In the light of the above considerations, I propose that the Court of Justice answer the question referred for a preliminary ruling by the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden, Germany) as follows:

The combined provisions of Article 57(1)(a) and (f), Article 58(2)(a) to (j) and Article 77(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as meaning that where the supervisory authority finds that data processing has infringed the data subject’s rights, the supervisory authority must take action under Article 58(2) of Regulation 2016/679 to the extent necessary to ensure full compliance with that regulation. In that respect, it is required to select, taking into account the specific circumstances of each individual case, the appropriate, necessary and proportionate action to remedy the infringement and ensure that the data subject’s rights are respected.


1      Original language: French.


2      OJ 2016 L 119, p. 1.


3      Opinion in Joined Cases SCHUFA Holding (Discharge from remaining debts) (C‑26/22 and C‑64/22, EU:C:2023:222).


4      See judgment of 10 December 2020, J & S Service (C‑620/19, EU:C:2020:1011, paragraph 31 and the case-law cited).


5      See judgment of 14 July 2022, Sense Visuele Communicatie en Handel (C‑36/21, EU:C:2022:556, paragraph 22 and the case-law cited).


6      Judgment of 7 December 2023, SCHUFA Holding (Discharge from remaining debts) (C‑26/22 and C‑64/22, EU:C:2023:958; ‘the judgment in SCHUFA’).


7      See points 35 to 39 of the present Opinion.


8      See point 40 et seq. of the present Opinion.


9      Judgment in SCHUFA (paragraph 55).


10      Judgment in SCHUFA (paragraph 56).


11      Judgment in SCHUFA (paragraphs 56 and 57).


12      Judgment in SCHUFA (paragraph 58).


13      Judgment in SCHUFA (paragraph 70).


14      See ‘Guidelines on the application and setting of administrative fines for the purposes of the [GDPR]’ of the Article 29 Data Protection Working Party, adopted on 3 October 2017, p. 5 (‘Guidelines on the application and setting of administrative fines for the purposes of the GDPR’). That Working Party was subsequently replaced by the European Data Protection Board (EDPB). However, its guidelines remain valid.


15      See, in that regard, Chamberlain, J., Reichel, J., ‘The Relationship Between Damages and Administrative Fines in the EU General Data Protection Regulation’, Mississippi Law Journal, 2020, Vol. 89, No 4, p. 686, who rely on the abovementioned guidelines.


16      Hijmans, H., ‘Article 57. Tasks’, in The EU General Data Protection Regulation (GDPR), Kuner, C., Bygrave, L.A., Docksey, C. (eds.), Oxford University Press, 2020, p. 934.


17      See, in that regard, Härting, N., Flisek, C., Thiess, L., ‘DSGVO: Der Verwaltungsakt wird zum Normalfall – Das neue Beschwerderecht des Bürgers’, Computer und Recht, 5/2018, p. 299.


18      See my Opinion in the SCHUFA joined cases, points 41 et seq.


19      See the versions in Spanish (‘dispondrá de … los … poderes correctivos’), Danish (‘har … korrigerende beføjelser’), German (‘verfügt über … Abhilfebefugnisse, die es ihr gestatten’), Estonian (‘on … parandusvolitused’), French (‘dispose du pouvoir’), Italian (‘ha … i poteri correttivi’), Dutch (‘heeft … bevoegdheden tot het nemen van corrigerende maatregelen’), Polish (‘przysługują … uprawnienia naprawcze’), Portuguese (‘dispõe dos … poderes de correção’) and Swedish (‘ska ha … korrigerande befogenheter’).


20      See, in that regard, Härting, N., Flisek, C., Thiess, L., ‘DSGVO: Der Verwaltungsakt wird zum Normalfall – Das neue Beschwerderecht des Bürgers’, Computer und Recht, 5/2018, p. 299.


21      See judgment of 16 July 2020, Facebook Ireland and Schrems (C‑311/18, EU:C:2020:559, paragraph 111), and judgment in SCHUFA (paragraph 57). Emphasis added.


22      Judgment of 16 July 2020, Facebook Ireland and Schrems (C‑311/18, EU:C:2020:559, paragraph 112). Emphasis added.


23      See point 42 of that Opinion.


24      Judgment of 16 July 2020, Facebook Ireland and Schrems (C‑311/18, EU:C:2020:559, paragraph 113). The Court of Justice held that the supervisory authority is required, under Article 58(2)(f) and (j) of the GDPR, to suspend or prohibit a transfer of personal data to a third country if, in its view, in the light of all the circumstances of that transfer, the standard data protection clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law cannot be ensured by other means, unless the controller or a processor established in the European Union has itself suspended or put an end to the transfer.


25      See, in that regard, Georgieva, L., Schmidl, M., ‘Article 58. Powers’, in The EU General Data Protection Regulation (GDPR), Kuner, C., Bygrave, L.A., Docksey, C. (eds.), Oxford University Press, 2020, p. 945.


26      See judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras (C‑683/21, EU:C:2023:949, paragraph 78).


27      See ‘Guidelines on the application and setting of administrative fines for the purposes of the GDPR’, p. 9.


28      See versions in Spanish (‘Al decidir la imposición’), Danish (‘Når der træffes afgørelse om, hvorvidt der skal pålægges’), German (‘Bei der Entscheidung über die Verhängung’), Estonian (‘Otsustades igal konkreetsel juhul’), French (‘Pour décider s’il y a lieu d’imposer’), Italian (‘Al momento di decidere se infliggere’), Dutch (‘Bij het besluit over de vraag of … wordt opgelegd’), Polish (‘Decydując, czy nałożyć’), Portuguese (‘Ao decidir sobre a aplicação’) and Swedish (‘Vid beslut om huruvida … ska påföras’).


29      See, in that regard, judgment of 5 December 2023, Deutsche Wohnen (C‑807/21, EU:C:2023:950, paragraphs 61 et seq.).


30      Judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras (C‑683/21, EU:C:2023:949, paragraph 76).


31      See point 45 of the present Opinion.


32      See the Opinion of Advocate General Emiliou in Nacionalinis visuomenės sveikatos centras (C‑683/21, EU:C:2023:376, point 78), in which he explains that, when adopting the GDPR, the EU legislature did not intend for every breach of the data protection rules to be punishable by an administrative fine.


33      See ‘Guidelines on the application and setting of administrative fines for the purposes of the GDPR’, p. 9.


34      See ‘Guidelines on the application and setting of administrative fines for the purposes of the GDPR’, p. 9.


35      Holländer, C., Beck’scher Online-Kommentar Datenschutzrecht (Wolff/Brink/Ungern-Sternberg), 46th edition, Munich, 2017, Article 83 GDPR, point 22; Frenzel, E., Datenschutz-Grundverordnung Kommentar (Paal/Pauly/Frenzel), 3rd edition, Munich, 2021, Article 83 GDPR, points 8 to 12, explaining that the supervisory authority has discretion and is therefore not obliged to impose an administrative fine in all cases.


36      See point 30 of the present Opinion.


37      The ‘Guidelines on the application and setting of administrative fines for the purposes of the GDPR’ state on p. 6 that administrative fines are ‘corrective measures’ whose purpose may be ‘to reestablish compliance with the rules, or to punish unlawful behaviour (or both)’. Emphasis added.


38      I would recall that three criteria are relevant in assessing whether penalties are criminal in nature: the first criterion is the legal classification of the offence under national law, the second is the intrinsic nature of the offence, and the third is the degree of severity of the penalty that the person concerned is liable to incur (see judgments of 5 June 2012, Bonda (C‑489/10, EU:C:2012:319, paragraph 37), and of 2 February 2021, Consob (C‑481/19, EU:C:2021:84, paragraph 42); see also ECtHR, 8 June 1976, Engel and Others v. The Netherlands, CE:ECHR:1976:0608JUD000510071, § 82). Not all criteria must be fulfilled in order for a fine to be considered as criminal (see, in that regard, Opinion of Advocate General Bot in ThyssenKrupp Nirosta v Commission (C‑352/09 P, EU:C:2010:635, point 50 and the case-law cited)).


39      See ‘Guidelines on the application and setting of administrative fines for the purposes of the GDPR’, p. 11, which explain that the level of damage must be taken into account ‘in [the supervisory authority’s] choice of corrective measure’, but that this does not rule out the adoption of corrective measures other than an administrative fine. On the other hand, the Guidelines state that ‘the imposition of a fine is not dependent on the ability of the supervisory authority to establish a causal link between the breach and the material loss’. It follows that the decision to impose an administrative fine depends on each individual case and not merely on the existence of damage.


40      See, in that regard, the Opinion of Advocate General Emiliou in Nacionalinis visuomenės sveikatos centras (C‑683/21, EU:C:2023:376, point 84), in which he draws attention to the similarities between the two systems. See also judgment of 5 December 2023, Deutsche Wohnen (C‑807/21, EU:C:2023:950, paragraphs 55 et seq.).


41      See, to that effect, judgment of 11 June 2009, X BV (C‑429/07, EU:C:2009:359, paragraph 35 and the case-law cited).


42      Opinion of Advocate General Kokott in Joined Cases Alliance One International and Standard Commercial Tobacco v Commission and Commission v Alliance One International and Others (C‑628/10 P and C‑14/11 P, EU:C:2012:11, point 48 and the case-law cited).


43      Council Regulation of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty (OJ 2003 L 1, p. 1).


44      See, to that effect, Wils, W., ‘Procedural rights and obligations of third parties in antitrust investigation and proceedings by the European Commission’, Concurrences, No 2-2022, p. 50.