Uncategorized 22.05.2025
CJEU ruling: authorities do not always have to impose financial penalties for GDPR violations

On September 26, 2024, the Court of Justice of the European Union (CJEU) issued an important ruling regarding a GDPR violation. The Court indicated that national data protection authorities are not always automatically obliged to impose sanctions, including financial penalties, for breaches of personal data protection regulations. This decision particularly concerns situations where the institutions involved in the breaches have independently taken appropriate remedial actions.
Facts of the Case
The case brought before the CJEU concerned a German savings bank, where an employee repeatedly accessed the personal data of one client without authorization. The savings bank responded to this breach by taking disciplinary measures against the employee and requiring her to sign a declaration that she had neither copied nor shared the data.
The client was not informed about the incident because the institution considered that no violation of his rights had occurred that would require intervention. However, the client learned about the breach by other means and filed a complaint with the data protection officer of the federal state. The officer did not impose a fine on the savings bank, judging that the remedial measures taken were sufficient. The client decided to bring the matter to court, demanding that a financial penalty be imposed on the institution, which led to a preliminary ruling request to the CJEU.
Court’s Decision
The CJEU ruled that national data protection authorities are not obliged to impose sanctions, including financial penalties, every time a GDPR breach occurs. The principle of proportionality and the effectiveness of remedial actions are key. If the data controller has taken appropriate steps to remedy the violations and punishment is not necessary to ensure full GDPR compliance, supervisory authorities may refrain from imposing additional sanctions.
The Court emphasized that the GDPR provisions leave supervisory authorities some discretion in choosing measures to ensure a high level of personal data protection. Financial penalties are one tool, but do not always have to be applied if other actions suffice.
Consequences of the Ruling
The CJEU ruling may significantly impact data protection practices across the European Union. The decision confirms that supervisory authorities can adopt a flexible approach depending on the nature of the breach and remedial actions taken by data controllers. Not every case must end with a financial penalty, which is especially beneficial for smaller entities that may lack resources to cover large fines.
Now the German court will need to decide whether the data protection officer of the federal state of Hesse correctly applied the GDPR rules and whether the measures taken by the savings bank were sufficient.
Summary
The CJEU ruling highlights the importance of proportionality and flexibility in enforcing the GDPR. Data protection authorities are not required to impose fines in every case, and the responsibility of institutions to undertake remedial actions is crucial. This signals that GDPR rules may be applied with consideration of the specifics of each breach, which could influence how companies manage data protection violation cases in the future.
If you have any questions or concerns, we encourage you to contact our Law Firm. You can count on comprehensive support and full commitment at every stage of your case.