On May 4, 2023, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued its opinion in case C-683/21, which examines the GDPR concepts of “controller”, “joint controller”, and “processor”, as well as the GDPR’s liability system.

Background

The case arises from a dispute between the Lithuanian National Public Health Centre (“NVSC”) and the Lithuanian Supervisory Authority (“SA”) concerning the NVSC’s development of a mobile application for tracking Covid-19 contacts (“App”).  The NVSC engaged the company ITSS to develop the App with a view to acquiring it at a later stage.  The App was then developed and made available on different digital stores, mentioning both ITSS and NVSC as separate controllers, even though NVSC never “officially approved” the App.  A public procurement procedure was initiated to proceed with NVSC’s acquisition of the App, but the acquisition never materialized.  NVSC never processed personal data and did not formally authorize ITSS’ processing operations, but provided instructions regarding the App’s development.  NVSC and ITSS did not enter into any formal agreement regarding the purposes and means of personal data processing.

Following an investigation, the SA imposed administrative fines on the NVSC and ITSS as “joint controllers” for infringing Articles 5, 13, 14, 24, 32, and 35 of the GDPR.  NVSC appealed the decision to the Vilnius Regional Administrative Court, which referred six questions to the CJEU.

Questions and Answers

The Lithuanian court’s questions, and the AG’s answers, can be summarized as follows:

(1) Is the NVSC a “controller” under Article 4(7) GDPR?

The NVSC will be a controller if it expressly or implicitly agreed on the App being made available to the public, which initiates the processing of personal data.  This is for the national court to determine.  The mere fact that an entity initiates the development of data collection tools, such as an app, or defines the parameters of these tools does not make it a “controller”.  In order for the entity to be a controller, the influence exercised “must relate to the processing of personal data itself”.

(2) Does the fact that two controllers have not come to any formal arrangement as to the purposes and means of the personal data processing (and/or do not appear to have otherwise coordinated their actions in respect of the determination of the purpose and means of the data processing) preclude them from being considered “joint controllers” under Articles 4(7) and 26 GDPR?

No.  Two controllers will be joint controllers if their “influence over the processing [is] exercised jointly”.  The absence of any agreement, arrangement, common decision, or even coordination cannot exclude the existence of a joint controllership.  Joint participation in the processing can exist in different forms and does not even have to result from a common decision of the controllers.  What matters is that both controllers have a “tangible impact” on the determination of the purposes and means of personal data processing, to the extent that, without both controllers’ participation, the processing would not be possible.  This is consistent with what the EDPB stated in its guidance on the concepts of controller and processor (para. 53).

(3) Does the definition of “processing” provided in Article 4(2) GDPR cover a situation where personal data are used during the test phase of a mobile application?

The definition of “processing” covers using personal data to test a mobile application.  The purpose for which the personal data are used has no bearing on the question of whether an operation qualifies as “processing”.

(4) May an administrative fine be imposed on a controller that did not intentionally or negligently breach the GDPR?  Can the controller be fined for the processor’s (in this case, if ITSS were a processor instead of a controller) breach of the GDPR (even though the controller itself did not process the personal data)?

An administrative fine presupposes an “intentional or negligent” breach of the GDPR (as was already stated in the AG opinion in the other CJEU case C-807/21).  A controller can be fined if a processor, which by definition processes personal data on the controller’s behalf, breaches the GDPR intentionally or negligently, irrespective of whether the controller itself processed the personal data and provided the processor acts in accordance with the instructions of the controller.

*                             *                             *

The AG’s opinion is not binding on the CJEU.  The Covington Privacy and Cyber team will report back once the CJEU renders its judgment.

(This blog post was written with the contributions of Alberto Vogel.)

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.