Privacy and GDPR: Authorities Not Obliged to Impose Sanctions

The Court of Justice of the European Union (CJEU), in its judgment of 26 September 2024 in case C-768/21, ruled that data protection authorities are not obligated to impose administrative fines for every breach of the GDPR, the General Data Protection Regulation.

This decision highlights the discretionary nature of the measures that supervisory authorities can adopt, while respecting the principles of proportionality, necessity, and adequacy in relation to the processing of personal data.

Context of the Judgment

The case originated in Germany, where a bank discovered that one of its employees had consulted the personal data of a client without authorization on several occasions. Since the data had neither been copied nor transmitted to third parties, the bank considered it unnecessary to inform the client; however, it had taken disciplinary measures against the employee and had duly notified the data protection authority of the breach.

The authority, having found that there had indeed been a violation related to unauthorized access to personal data, decided not to impose sanctions on the bank and invited it to adopt internal corrective measures. The client, who had incidentally learned of this fact, brought legal proceedings to compel the national court to order the supervisory authority to take more decisive action against the bank.

The CJEU’s Decision

The CJEU, asked to clarify the application of the GDPR, emphasized that, although obliged to intervene in the event of breaches, the national authority may choose the measures it deems most appropriate to ensure compliance with the regulation. Among these, there is also the possibility of not imposing financial penalties if other actions are sufficient to restore compliance with the law and protect the rights of data subjects.

The Court clarified that Article 58 of the GDPR grants supervisory authorities a wide range of intervention tools, including warnings, bans on processing, or the imposition of sanctions. However, the imposition of a sanction is not automatic: the authority must assess each case on a case-by-case basis, taking into account the seriousness of the breach, the actions taken by the data controller, and the specific circumstances.

The judgment highlights how the discretionary power of the authorities is balanced by the need to ensure effective protection of personal data, in accordance with the principles of the GDPR, but with the possibility of choosing more flexible solutions for situations that are not particularly serious or have already been remedied.

Reflections and Possible Developments

This interpretation has important implications for the management of privacy by companies and for the activities of supervisory authorities. In the event of a breach of the GDPR, the data protection authority must react appropriately, but this does not mean that the data subject has the right to see an administrative financial penalty applied in the case of a minor breach or if the financial penalty to be imposed constitutes a disproportionate burden.

The judgment encourages companies to demonstrate proactivity in managing breaches, adopting rapid and effective corrective measures and, on the other hand, invites supervisory authorities to act transparently, justifying their decisions even when they choose not to impose sanctions. This approach does not diminish the effectiveness of the GDPR, but underlines a balanced application of the regulation, based on the specific context and the objective of preventing future breaches rather than punishing at all costs.

Teresa Franza