European Union: Issued Opinion of Advocate General on GDPR Enforcement by Data Protection Authorities (Case C-768/21)

On 11 April 2024, the Advocate General issued an opinion concerning the obligations of Data Protection Authorities (DPAs) under the General Data Protection Regulation (GDPR). This followed a request for a preliminary ruling from the Administrative Court of Wiesbaden, Germany, regarding a case where the Hessian Data Protection Officer (HBDI) refused to take action against a savings bank after a reported data protection breach. The Administrative Court of Wiesbaden asked the Court of Justice of the European Union (CJEU) to clarify the roles and responsibilities of the Data Protection Commissioner as defined under the GDPR, specifically in their capacity as a "supervisory authority". The Advocate General stated that DPAs have a mandatory duty to act upon finding a GDPR violation during the investigation of a complaint. The ruling clarified that while DPAs have some discretion in choosing corrective measures, such measures must be appropriate, necessary, and proportionate to the infringement. The data subject does not have the right to require the adoption of a particular measure.