On 26 September 2024, the Court of Justice of the European Union issued a judgment clarifying the obligations of supervisory authorities under the General Data Protection Regulation (GDPR), in a lawsuit challenging the response of Land Hessen's Commissioner for Data Protection to a personal data breach at a German savings bank. In that case, an employee of the bank unlawfully accessed a customer's data. The bank did not inform the customer, believing there was no significant risk because disciplinary measures had been taken against the employee. The bank notified Land Hessen's Commissioner for Data Protection, who decided not to impose corrective measures, leading the customer to challenge this decision in court. The Court ruled that supervisory authorities are not obliged to exercise corrective powers, such as imposing fines, if doing so is deemed unnecessary to remedy the breach. The Court reaffirmed that the GDPR allows supervisory authorities discretion in addressing shortcomings but requires adherence to consistent, high levels of data protection.