Determining who qualifies as the data controller in relation to a data processing operation is of crucial importance, as the controller is the primary party responsible for ensuring data protection. It is a general principle that the data controller is the one who determines the purpose – and at least the essential means – of the processing. Recently, however, this understanding appears to have become more nuanced. In this article, we analyse a recent decision of the CJEU, which includes some surprising findings.
Smartlegal Schmidt&Partners reports from Hungary:
- Facts
The Amt der Tiroler Landesregierung (“Office”), which is an administrative entity of the Governor of Tirol, sent a “vaccination reminder letter” to the adult residents of Tirol who had not yet been vaccinated against COVID-19. The Office appointed two private companies to help it identify the possible addressees by conducting a cross-check of data in the central vaccination register and the patient index.
One of the addressees filed a complaint with the Austrian Data Protection Authority against the Office, alleging unlawful processing of his personal data.
- Procedure in Austria
The Austrian Data Protection Authority found that the Office unlawfully processed the addressee’s personal data as it had no right to access the personal data stored in the vaccination register or in the patient index.
The Office challenged this decision before the Federal Administrative Court. The court, in agreement with the data protection authority, concluded that the Office qualifies as a controller and that the data processing lacked a valid legal basis.
The Supreme Administrative Court, before which the Office brought an appeal on a point of law, was however uncertain whether the Office may be considered a controller. Therefore, it stayed the proceedings and referred the case to the Court of Justice of the European Union for an interpretation of the notion of controller as provided for by Article 4 (7) of the GDPR[i].
- Question to the CJEU
The Austrian Supreme Administrative Court questioned the Office’s capacity as a controller for more than one reason. First, the Office lacks legal personality and legal capacity of its own, which makes it questionable whether it can be considered an “agency or other body” within the meaning of Article 4 (7) of the GDPR. Second, the Austrian legislation that supposedly confers controller status on the Office does not define the purposes and means of data processing.
Based on the above, the Luxembourg Court essentially had to answer the following two questions:
- Does the GDPR preclude national legislation which designates as a controller an entity without a legal personality and legal capacity of its own without defining the specific processing operations and their purpose for which that entity is responsible?
- Does a controller designated by national law actually have to decide on the purposes and means of processing to be required to respond, as a controller, to data subject requests?
- Finding of the CJEU
The CJEU – bearing in mind the objectives of the GDPR, namely the high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy – made the following findings.
- Legal personality is not a must
When it comes to the necessity of a legal personality, the Court recalled its earlier case law[ii] and ruled that a legal personality is not a necessary condition for being classified as a controller. According to the CJEU, the only relevant factor is that the controller must be able to fulfil in fact and in law the obligations set forth by the GDPR; it is irrelevant whether the entity has legal personality or legal capacity of its own.
In the present case, in order for the referring court to decide whether the Office is to be considered a controller, the court shall take into account that the Office may be the subject of a complaint before the DPA, and that it may bring an action against the decision of the DPA. Further, the CJEU also suggested considering the fact that the Office appointed two private companies.
The Luxembourg Court added that when the national law designates an entity as a controller, it does not need to expressly list all the specific processing operations of personal data for which that entity is responsible. The only requirement imposed on national law is that it determines at least implicitly the scope of processing of personal data for which the entity is designated as responsible.
- Influence over the purposes and means of processing is not necessary
The Court ruled that an entity, designated by national law as controller, does not have to decide itself the purposes and means of the processing of personal data in order to be required to respond, as controller, to data subject requests. The objectives of the GDPR would be compromised if data subjects had to verify that the entity designated as a controller has the power to determine itself the purposes and means of processing.
However, the above does not deprive data subjects of the possibility of sending requests to another entity which they consider responsible for the processing of their personal data due to the influence it exercised over the determination of the purposes and means of the processing.
- Comment
In its judgment, the CJEU made it clear that legal personality or legal capacity is not necessary for an entity to be considered a controller.
Further, where a controller is designated by national law, the specification of the processing operations for which the controller is responsible is not a must, and the controller does not have to decide itself the purposes and means of processing.
The surprising twist in the judgment is the Court’s finding that data subjects may also address their requests to a person other than the one designated as the controller by national law. This finding appears to contradict the position of the European Data Protection Board, according to which: “where the controller has been specifically identified by law, this will be determinative for establishing who is acting as controller”[iii].
In this article we analysed the judgement C-638/23 of the CJEU.
Written by Anita Vereb
[i] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)
[ii] Judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7
[iii] Guidelines 07/2020 on the concepts of controller and processor in the GDPR