By Shan Nanayakkara
In TR v Land Hessen (C‑768/21) the European Court of Justice (“ECJ”) found that following a personal data breach, a supervisory authority is under no obligation to exercise its corrective powers, specifically the power to impose an administrative fine, where such action is not appropriate or necessary or proportionate to the infringement of the EU General Data Protection Regulation (“GDPR”).