CJEU case C-768/21 Land Hessen (Obligation of the data protection authority to act) – CJEU Judgment (European Union, 2024)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
On 15 November 2019, the controller notified the Hessian DPA (“HBDI”) of a personal data breach pursuant to Article 33 GDPR as one of its employees had, on several occasions, unlawfully accessed personal data of one of the controller’s customers (“data subject”). The controller considered that this personal data breach was not likely to result in a high risk for the data subject as (i) it had taken disciplinary measures against the employee concerned, (ii) the employee had also confirmed in writing that she had not copied or retained the data, nor transferred it to third parties and (iii) she also promised not to do so in the future. In addition, (iv) the controller indicated that it would review the length of time for which access logs were kept. Therefore, the controller did not notify the data subject under Article 34 GDPR. However, the data subject became incidentally aware that his personal data had been improperly accessed and lodged a complaint with the HBDI regarding, inter alia, the failure to communicate the data breach to him in violation of Article 34 GDPR. On 3 September 2023, the HBDI informed the data subject that the controller did not infringe Article 34 GDPR, since the controller's assessment regarding the risk for the data subject was not manifestly incorrect. No corrective measures were adopted against the controller. The data subject lodged an action against this decision with the Administrative Court of Wiesbaden (Verwaltungsgericht Wiesbaden) asking it to order the HBDI to take action against the controller. The data subject indicated that the DPA had failed to handle his complaint in accordance with the requirements of the GDPR and, in particular, to adopt a measure under Article 58 GDPR. The Administrative Court of Wiesbaden referred a question to the CJEU: * When a DPA finds that a data processing has infringed the data subject’s rights, must the DPA always take action in accordance with Article 58(2) GDPR? Advocate General Priit P
GDPR Articles Cited
On 15 November 2019, the controller notified the Hessian DPA (“HBDI”) of a personal data breach pursuant to Article 33 GDPR as one of its employees had, on several occasions, unlawfully accessed personal data of one of the controller’s customers (“data subject”). The controller considered that this personal data breach was not likely to result in a high risk for the data subject as (i) it had taken disciplinary measures against the employee concerned, (ii) the employee had also confirmed in writing that she had not copied or retained the data, nor transferred it to third parties and (iii) she also promised not to do so in the future. In addition, (iv) the controller indicated that it would review the length of time for which access logs were kept. Therefore, the controller did not notify the data subject under Article 34 GDPR. However, the data subject became incidentally aware that his personal data had been improperly accessed and lodged a complaint with the HBDI regarding, inter alia, the failure to communicate the data breach to him in violation of Article 34 GDPR. On 3 September 2023, the HBDI informed the data subject that the controller did not infringe Article 34 GDPR, since the controller's assessment regarding the risk for the data subject was not manifestly incorrect. No corrective measures were adopted against the controller. The data subject lodged an action against this decision with the Administrative Court of Wiesbaden (Verwaltungsgericht Wiesbaden) asking it to order the HBDI to take action against the controller. The data subject indicated that the DPA had failed to handle his complaint in accordance with the requirements of the GDPR and, in particular, to adopt a measure under Article 58 GDPR. The Administrative Court of Wiesbaden referred a question to the CJEU: * When a DPA finds that a data processing has infringed the data subject’s rights, must the DPA always take action in accordance with Article 58(2) GDPR? Advocate General Priit P
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for CJEU case C-768/21 Land Hessen (Obligation of the data protection authority to act) in EU
This is the only recorded case for this entity in this jurisdiction.
Details
Judgment Date
11 April 2024
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-7814About this data
Cite as: Cookie Fines. CJEU case C-768/21 Land Hessen (Obligation of the data protection authority to act) - European Union (2024). Retrieved from cookiefines.eu
Last updated: