CJEU’s Advocate General Issues Opinion on Concept of Controller, Joint Controller, Processor, and Administrative Fines
On May 4, 2023, the Advocate General (AG) of the Court of Justice of the European Union (CJEU) released an opinion in case C-683/21, exploring the concepts of “controller”, “joint controller” and “processor”, as well as the liability system established by the GDPR.
The Vilnius Regional Administrative Court referred six questions to the CJEU in a case arising from a dispute between the Lithuanian National Public Health Centre (NVSC) and the Lithuanian data protection authority (DPA). The case concerns an unapproved mobile app used to track Covid-19 contacts (App).
The NVSC commissioned the company ITSS to develop the App with the intention of purchasing it at a later stage. After the App was created, it was distributed via digital stores with both parties listed as separate controllers – even though NVSC never gave their authorization for the App’s release. An endeavor to procure the App then followed; however, the acquisition was not realized as NVSC had never processed any personal data nor officially endorsed ITSS’ data handling activities. Despite this, they had provided guidance in relation to the App’s development and neither NVSC nor ITSS formalized any agreement regarding the processing of personal data.
The DPA subsequently carried out its investigation, determining both NVSC and ITSS to be “joint controllers”. NVSC appealed the decision to the Vilnius Regional Administrative Court.
In the AG’s opinion, NVSC may be considered a controller if it has implicitly or explicitly agreed to the public availability of an application, thus beginning the processing of personal data. To attain this status, the entity must have real influence over the actual processing of this data. In addition, two controllers can be considered joint controllers when there is shared participation in the processing – even in the absence of formal agreement or coordination. Ultimately, what matters is that both entities have a tangible role in how the processing of personal data is conducted and that without their involvement, such activity would not be possible.
Further, the AG concluded that utilizing personal information to analyze the performance of a mobile app is categorically classified as “processing”, regardless of the underlying intention. Indeed, the definition of processing encompasses any purposeful usage of an individual’s data for assessment or research.
Finally, the GDPR states that an administrative penalty may be imposed on a controller where there has been a breach of the GDPR, either as a result of neglect or intentional action. This extends to any processors they have appointed, regardless of whether the controller themselves was involved in the processing – provided they acted in accordance with the instructions relayed by the controller.