European Union: Announced Request for preliminary ruling regarding Land Hessen Commissioner's response to personal data breach at a German savings bank (TR v Land Hessen) (C-768/21)

On 14 December 2021, the Wiesbaden Administrative Court filed a request for a preliminary ruling with the Court of Justice of the European Union regarding the obligations of supervisory authorities under the General Data Protection Regulation (GDPR) in the context of a lawsuit challenging Land Hessen Commissioner for Data Protection's response to a personal data breach at a German savings bank. The case involved a German savings bank where an employee unlawfully accessed a customer's data but did not inform the customer, believing there was no significant risk, as disciplinary measures had been taken against the employee. The bank notified the Land Hessen’s Commissioner for Data Protection, who decided not to impose corrective measures, leading the customer to challenge this decision in court. The question to the Court of Justice is whether a supervisory authority is required to take corrective powers if a violation of data subject rights is found, or whether it has discretion regarding the exercise of these powers.