Advocate General (AG) Pikamae of the Court of Justice of the EU (CJEU) gave his oppinion stating tthat when such breaches are discovered during an investigation, the supervisory authority has an obligation to act. However, AG Pikamae emphasizes that the measures adopted should be tailored to the specific circumstances of each case.

The case in question pertained to a Land Hessen, Germany, savings bank customer who reported an unauthorized access to their personal data by a bank employee. While the Data Protection Commissioner recognized the breach under General Data Protection Regulation (GDPR), they deemed the bank's disciplinary actions against the employee sufficient, hence no further action was taken. The customer appealed to a German court, pressing for fines to be imposed on the bank. The German court then reffered to the Court for further clarification on the matter.

Advocate General Pikamae stated that supervisory authorities must act upon discovering a personal data breach during complaint investigations, defining corrective measures to uphold data subject rights.While acknowledging supervisory discretion. It is highlighted that discretion is constrained when specific protective measures are necessary, and authorities may waive GDPR-listed measures under certain circumstances, particularly if the controller has independently taken corrective actions. Notably, Pikamae emphasized that data subjects cannot dictate specific measures, and these principles also apply to administrative fines.