21 February 2024

I often hear from clients when we are discussing their role in relation to personal data processing that “we cannot be controllers, we do not hold and process the data, but an agent does”. This idea may seem logical at first sight, but is this indeed the case? Let’s find out from a recent judgement of the Court of Justice of the European Union, which addresses the issues of controller and joint controller status.

1. Facts

During the first wave of the COVID-19 pandemic, the Lithuanian National Public Health Centre (“NVSC”) selected an IT company to create a mobile application for the registration and monitoring of the data of persons exposed to the COVID-19.

The NVSC instructed the IT company on several aspects of the application, such as the content of the questions asked, however the parties did not conclude a procurement contract.

The IT company made available the application to the public in the Google Play and Apple App Store and thousands of persons used it to provide the requested personal data. After a short period of time, the NVSC asked the IT company not to make any reference to the NVSC in the mobile application and terminated the acquisition procedure.

The Lithuanian GDPR watchdog imposed administrative fines on both the IT company and the NVSC because of GDPR infringements, and the latter challenged it before the administrative court. The court needed guidance in interpreting the concept of controller, so it referred the case to the Court of Justice of the European Union (“CJEU”).

2. Controller – a wide approach

At first, the Luxembourg Court examined whether the NVSC shall be regarded as a controller taking into account especially that he entrusted the IT company to create the mobile application for the purposes of tracking COVID-19 infections, however the NVSC did not perform any data processing operations.

The CJEU first highlighted that it was the NVSC who envisaged that, for the purposes of epidemiological follow-up, the personal data of the users of the mobile application would be processed. Further, the NVSC actively participated in the determination of the parameters of the application, such as the questions asked and thus the categories of the processed personal data. This means that the NVSC actually participated in the determination of the purposes and means of the processing.

Other circumstances, namely that the NVSC did not itself process any personal data, there was no contract between the NVSC and the IT company and that the dissemination of the application through online shops was not authorized by the NVSC are not decisive factors and do not preclude the NVSC from being classified as a controller.

The situation would be different if, prior to the application being made available, the NVSC expressly objected to it, as in this case the NVSC could not be regarded as a controller.

3. Joint controllers – an agreement is not a precondition

In relation to the classification of two or more entities as joint controllers the CJEU came to the following conclusions.

According to the Court, the joint controller status is based on the facts and not on the existence of an arrangement between the parties which determines the joint controllers’ respective responsibilities for compliance with the obligations under the GDPR. That is to say, the joint controllers’ agreement is not a precondition for two or more entities to be classified as joint controllers but rather an obligation which the GDPR imposes on the joint controllers.

To sum up, the qualification as joint controller(s) arises solely form the fact that more entities have participated in the determination of the purposes and means of processing. The CJEU recalled his well-established practice that the participation of the joint controllers in that determination can take different forms and can result from their common or converging decisions. Nevertheless, in order to be classified as joint controllers, the said entities shall each have a tangible impact on the determination of the purposes and means of processing.

4. Conclusion

In the analysed decision the CJEU confirmed its previous practice in several respects. The Court pointed out that, to be qualified as a controller, the most important condition is that the person concerned must be involved in determining the purposes of the processing, while the fact that he is not processing the data himself is irrelevant. Further, the Luxembourg Court clearly ruled that the classification as joint controllers is based solely on the facts, and the agreement between the parties is not a precondition, but an obligation arising from the joint controller status.

In this article we analysed decision C-683/21 of the CJEU.