In December 2023, the Court of Justice of the European Union (CJEU) ruled on the matter of a data controller's liability for processing activities carried out by its processor. In case C-683/21, the Court stated that there are limits to this liability. In other words, the controller-processor relationship is not by itself sufficient to make the controller liable if:

  • the processor processes personal data for its own purposes
  • the processor acts in a manner that is incompatible with the arrangements set by the controller
  • it is reasonable to conclude that the controller didn’t agree to the processing

Case C-683/21 Background

During the outbreak of COVID-19, the National Public Health Centre of the Lithuanian Ministry of Health (NVSC) commissioned an app from UAB “IT sprendimai sėkmei” (UAB), an IT service provider. The app was eventually made available on Google Play, and its privacy policy referenced the NVSC and the service provider as controllers. The NVSC and the service provider had not concluded or signed any contract. Eventually, the NVSC terminated the procurement of the app due to a lack of funds.

As a consequence of these events, the Lithuanian Data Protection Authority imposed administrative fines on the NVSC and UAB as joint controllers. On one hand, the decision was challenged by the NVSC on these grounds:

  • it was not a controller for the processing in question
  • the service provider built the app, although there was no contract between the parties
  • it had not consented to or authorized the service provider making the app available to the public.

On the other hand, UAB claimed it was merely a processor.

CJEU decision

Firstly, the Court reaffirmed the broad scope of controllership:

  • Facts over formalities: someone can be a controller even without a specific contract. On the other hand, the fact that a person is referenced as a controller in a privacy notice is not in itself sufficient to make that person a controller unless that person had consented — explicitly or implicitly — to this.
  • In this case, the NVSC commissioned the app for its own objectives (COVID-19 management). In doing so, the NVSC had foreseen the data processing that would be carried out and had participated in determining the parameters of that app. Therefore, NVSC should be regarded as a controller.
  • The fact that the NVSC did not acquire the app and did not authorize its dissemination to the public is not relevant. It would have been different, however, if the NVSC had expressly forbidden UAB to make the app available to the public.

Secondly, the Court reaffirmed that joint controllership does not imply equal responsibility. The level of responsibility depends on the circumstances of the case. Moreover, formal arrangements are not necessary, and the parties can be joint controllers nevertheless. In other words, such an arrangement is a consequence of the parties being joint controllers, not a pre-condition for the existence of joint control.

Controller Wrongful Behaviour and Liability of a Controller for Acts of the Processor

In conclusion, the Court ruled that:

  • according to Article 83 GDPR, a controller can receive an administrative fine only for an intentional or negligent infringement of the GDPR (i.e. wrongful behaviour). On the other hand, the Court also confirmed that the fined controller need not have been aware of the GDPR infringement
  • according to Recital 74 GDPR, the controller is responsible for processing carried out on its behalf by the processor
  • the controller would not be liable in the following situations, because in these cases the processor itself becomes a controller (Article 28(10) GDPR):
    • where the processor has acted for its own purposes
    • where the processor has processed data in a manner that is incompatible with the arrangements for the processing set by the controller
    • where it cannot be reasonably considered that the controller consented to such processing

Source: https://iapp.org/news/a/the-cjeu-rules-on-the-liability-of-controllers/