CJEU - C‑638/23 - Amt der Tiroler Landesregierung
CJEU - C‑638/23 Amt der Tiroler Landesregierung | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 4(7) GDPR |
Decided: | 27.02.2025 |
Parties: | Amt der Tiroler Landesregierung; DSB |
Case Number/Name: | C‑638/23 Amt der Tiroler Landesregierung |
European Case Law Identifier: | ECLI:EU:C:2025:127 |
Reference from: | VwGH (Austria) |
Language: | 24 EU Languages |
Original Source: | Judgement |
Initial Contributor: | tjk |
The CJEU ruled that national legislation can designate a controller so long as this entity can legally fulfil the obligations of a controller and the scope of the processing of personal data for which that entity is responsible is determined.
English Summary
Facts
During the COVID-19 pandemic, the Office, an auxiliary administrative entity in the service of the Governor and the Provincial Government of Tyrol, sent a ‘vaccination reminder letter’ to all adults residing in the Province of Tyrol who had not yet been vaccinated against that virus. For the purpose of identifying the addressees of those letters, the Office appointed two private companies, which conducted a cross-check of data in the central vaccination register and the patient index, which referred to their residential address.
On 21 December 2021, one of those addressees (the data subject, CW) filed a complaint with the Data Protection Authority against the Office, alleging unlawful processing of his personal data. Before that authority, the Office stated that it had the status of ‘controller’ and that it was behind the letter sent to CW.
13 By decision of 22 August 2022, that authority found that the Office had breached CW’s right to the protection of his personal data, in so far as, in order to send him a ‘vaccination reminder letter’, the Office had consulted the data of the person concerned in the vaccination register, even though it did not have a right to access that register or the patient index. The processing of CW’s personal data was therefore unlawful.
14 The Office brought an action against that decision before the Bundesverwaltungsgericht (Federal Administrative Court, Austria). That court held that, on the basis of the applicable national law, the Office had the status of controller, but it did not have a right to consult the vaccination register for the purposes of sending a reminder letter such as that sent to CW. Since that court rejected the Office’s action, the Office brought an appeal on a point of law against that judgment before the Verwaltungsgerichtshof (Supreme Administrative Court, Austria), the referring court.
15 That court finds that, in order to enable it to rule in the case before it, it must be determined whether the Office, in the context of that case, has the status of ‘controller’, within the meaning of Article 4(7) GDPR.
16 In that regard, the referring court points out the fact that the Office merely presented the Governor with a proposal to send a ‘vaccination reminder letter’, which the Governor approved in his capacity as President of the Office and representative of the Land of Tyrol, in accordance with Article 58 and Article 56(1) of the Tyrolean Provincial Code 1989 respectively. Therefore, the Office merely informed the Governor, first, what the proposed purpose of the processing of the personal data was, namely an increase in the vaccination rate, and, second, the means that would be implemented on the basis of that processing, namely the sending of such a ‘vaccination reminder letter’ using the data from the central vaccination register and the patient index.
17 According to the referring court, taking that approval from the Governor into account, only the Governor decided on both the purpose and the means of the processing of personal data, with the result that the Office cannot have the status of ‘controller’ within the meaning of the first part of Article 4(7) GDPR.
18 Nevertheless, that court is uncertain whether the Office could validly be designated as such by a provision of national law, namely Paragraph 2(1)(a) TDVG.
19 The Office is not a natural person or an authority responsible for the processing of personal data which gave rise to the sending of a ‘vaccination reminder letter’ to CW. The Office intervened in that processing only as an auxiliary administrative entity in the service of a public authority. The Office lacks legal personality and legal capacity of its own. Therefore, it must be determined whether the Office may, accordingly, be regarded as an ‘agency or other body’, within the meaning of the first part of Article 4(7) GDPR, capable of being designated as controller under national law, in accordance with the second part of Article 4(7) GDPR.
20 In addition, that court notes that, in accordance with the second part of Article 4(7) GDPR, a controller may be designated directly only in so far as the purposes and means of the processing of the personal data concerned are determined by national law. While Paragraph 2(1)(a) of the TDVG designates the Office as controller, it does not state in a precise manner, however, the type of processing of personal data which may be carried out by the Office, the purposes that that processing should pursue or the means that the Office could implement to that effect.
21 The referring court adds that it follows from Article 6(1)(c) and (e) GDPR that processing of personal data is lawful if it is necessary for compliance with a legal obligation to which the controller is subject or if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. It follows from those conditions of lawfulness and the objective pursued by Article 4(7) GDPR of ensuring effective and extensive protection of data subjects that Member States can only designate as controller a person or entity which is in a position to determine the purposes and the means of the processing of personal data or, at the very least, to participate in that determination.
22 In those circumstances, the Verwaltungsgerichtshof (Supreme Administrative Court) decided to stay the proceedings and to request a preliminary ruling asking in essence, whether Article 4(7) GDPR must be interpreted as meaning that it precludes national legislation which designates, as controller, an auxiliary administrative entity lacking legal personality and legal capacity of its own, without specifying, in a precise manner, the specific processing operations of personal data for which that entity is responsible or the purpose of those operations. That court also seeks to ascertain whether Article 4(7) GDPR must be interpreted as meaning that an entity designated as controller by national law, in accordance with that provision, must actually decide on the purposes and means of the processing of personal data to be required to respond, as controller, to requests submitted to it by data subjects on the basis of the rights which they derive from the GDPR.
Holding
As a preliminary point, it must be recalled that, under Article 4(7) GDPR, the concept of ‘controller’ covers natural or legal persons, public authorities, agencies or other bodies which, alone or jointly with others, determine the purposes and means of the processing of personal data. That provision also states that, where the purposes and means of such processing are determined, inter alia, by the law of a Member State, the controller may be nominated or the specific criteria for its nomination may be provided for by that law.
25 It is apparent from the case-law of the Court that that provision is intended to ensure, through a broad definition of the concept of ‘controller’, effective and complete protection of data subjects (see, to that effect, judgments of 5 December 2023, Nacionalinis visuomenės sveikatos centras, C‑683/21, EU:C:2023:949, paragraph 29, and of 5 December 2023, Deutsche Wohnen, C‑807/21, EU:C:2023:950, paragraph 40).
26 The objective pursued by the GDPR, as is set out in Article 1 thereof and in recitals 1 and 10 thereof, consists, inter alia, in ensuring a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data, as enshrined in Article 8(1) of the Charter of Fundamental Rights and Article 16(1) TFEU (judgment of 7 March 2024, IAB Europe, C‑604/22, EU:C:2024:214, paragraph 53 and the case-law cited).
27 Having regard to the wording of Article 4(7) GDPR, read in the light of that objective, in order to establish whether a person or entity is to be classified as a ‘controller’ within the meaning of that provision, it must be examined whether that person or entity determines, alone or jointly with others, the purposes and means of the processing or whether those purposes and means are determined by national law. Where such determination is made by national law, it must then be ascertained whether that law nominates the controller or provides for the specific criteria for its nomination (judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraph 29).
28 Having regard to the broad definition of the concept of ‘controller’ within the meaning of Article 4(7) GDPR, the determination of the purposes and means of the processing and, where appropriate, the nomination of that controller by national law may not only be explicit but also implicit. In the latter case, that determination must nevertheless be derived with sufficient certainty from the role, task and powers conferred on the person or entity concerned (judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraph 30).
29 It is in the light of those preliminary considerations that the question referred is to be examined. To that effect, it is necessary, first, to determine to what extent the national legislature can validly designate an auxiliary administrative entity in the service of public authorities as controller, within the meaning of the second part of Article 4(7) GDPR, where that entity lacks legal personality and legal capacity of its own.
30 In that regard, it should be noted that the Court has already ruled that it is apparent from the clear wording of Article 4(7) of the GDPR that a controller may be not only a natural or legal person, but also a public authority, an agency or a body, and such entities do not necessarily have legal personality under national law (see, to that effect, judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraph 36).
31 Accordingly, it cannot be ruled out that an entity may be classified as a ‘controller’, within the meaning of that provision, even if that entity lacks legal personality.
32 Moreover, as regards the question of whether the classification of an entity as ‘controller’ requires that entity to have legal capacity of its own, or if it is sufficient, for that purpose, that the entity concerned is provided with a certain capacity to decide and to act in the context of the protection of personal data, the Court notes that it is apparent from recital 74 GDPR that the EU legislature intended that the responsibility of the controller be identical whether the processing of personal data that it carries out is undertaken by the controller itself or by a third party, but on its behalf. That legislature also intended to ensure that the controller is obliged to implement appropriate and effective measures and is able to demonstrate the compliance of processing activities with that regulation, including the effectiveness of the measures in question, and that those measures should take into account the nature, scope, context and purpose of the processing and the risk to the rights and freedoms of natural persons.
33 It is to that extent that Article 5(2) GDPR establishes a principle of accountability, under which the controller is responsible for compliance with the principles relating to the processing of personal data set out in Article 5(1) GDPR and provides that that controller must be able to demonstrate compliance with those principles.
34 Taking into account the legal obligations to which the controller referred to in Article 4(7) GDPR is subject, the controller must, in accordance with the procedures provided for by the legislation of the Member State to which it belongs, be able to fulfil, in fact and in law, those obligations, without it being relevant, in that regard, whether that entity has legal personality and legal capacity of its own.
35 In the present case, it is for the referring court to determine whether the Office is authorised by Austrian law to assume the responsibilities and obligations that the GDPR imposes on the controller, having regard in particular to the fact, which has not been contested before the national courts hearing the dispute in the main proceedings, that the Office may bring an action against the decision of the Data Protection Authority, in the same way that it may be the subject of a complaint before that authority. The referring court may also take into consideration the fact that the Office appointed two private companies to carry out the processing of personal data in the central vaccination register and in the index of the patients residing in the Province of Tyrol.
36 Second, the referring court is uncertain whether a national legislature may designate an entity as controller, under the second part of Article 4(7) GDPR, without specifying, in a precise manner, the processing of personal data that that entity may be required to carry out, its purpose or the precise means that it may implement for the purposes of that processing.
37 As recalled in paragraph 28 above, where national law designates an entity as controller, the determination of the purposes and means of the processing by that law may be implicit, provided that that determination is derived with sufficient certainty from the role, task and powers conferred on that entity. That condition is met if those purposes and means arise, in essence, from the provisions of national law governing the activity of that entity.
38 The direct designation, by the national legislature, of an entity as controller contributes to the objective of legal certainty pursued by the GDPR, as is apparent from recital 7 thereof, by allowing natural persons whose personal data are subject to processing to easily identify the entity responsible for ensuring compliance with the rights conferred on them by that regulation.
39 The validity of such a designation is, however, subject to the condition that national legislation determine the scope of the processing of personal data for which that entity is designated as responsible, without it being necessary for that legislature to have listed, exhaustively, all the processing operations for which that entity is thus designated. As set out in recital 45 of that regulation, ‘a law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient.’
40 It follows that national legislation which designates an entity as controller without expressly listing all the specific processing operations of personal data for which it is responsible or the purpose of those processing operations is compatible with Article 4(7) of the GDPR, in so far as that legislation determines, explicitly or at least implicitly, the scope of the processing of personal data for which that entity is designated as responsible.
41 In the present case, it is for the referring court to determine whether the processing of personal data which the Office carried out for the purposes of preparing and sending the ‘vaccination reminder letters’ at issue in the main proceedings is compatible with the purposes which must be fulfilled by the processing operations of personal data for which the Office has been designated as responsible, as those purposes follow, at least implicitly, from all the provisions of national law governing its activity and, moreover, the means that it may implement to that effect. The sole fact that those national provisions do not specify, where appropriate, in a precise manner, the processing operations that the Office is authorised to carry out cannot preclude the classification of an entity such as the Office as controller within the meaning of Article 4(7) GDPR.
42 Third, the referring court asks whether an entity designated by national legislation as controller, within the meaning of the second part of Article 4(7) of the GDPR, must also decide itself, or with other competent authorities, the purposes and means of the processing of personal data for which it is designated as responsible, in order for it to be required to respond, in that capacity, to requests submitted to it by data subjects on the basis of the rights which they derive from the GDPR.
43 In that regard, it is sufficient to observe that it is in order to establish an entity’s status as a controller, within the meaning of the first part of Article 4(7) GDPR, that it is necessary to examine whether that entity actually exerted influence, for its own purposes, over the determination of the purposes and means of the processing in question (see, to that effect, judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras, C‑683/21, EU:C:2023:949, paragraphs 30 and 31).
44 By contrast, in order to establish an entity’s status as a controller, within the meaning of the second part of Article 4(7) GDPR, as is apparent from the clear wording of that provision, it is not necessary that that entity exercises influence over the determination of the purposes and means of the processing in question.
45 Such an entity, designated by national law as controller, does not therefore have to decide itself the purposes and means of the processing of personal data in order to be required to respond, as controller, to requests submitted to it by data subjects on the basis of the rights which they derive from the GDPR.
46 In that regard, the Court has already ruled that the validity of a direct designation was not affected by the fact that, under national law, the entity designated as controller does not exercise any control over the personal data that it is required to process (see, to that effect, judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraphs 37 and 38).
47 Such an interpretation is in accordance with the objective of legal certainty pursued by the GDPR. As the European Commission pointed out in its written observations, that objective would be compromised if, in order to be able to consider that that designation was validly made by the national legislature, data subjects had to verify that the entity designated as controller of their personal data has the power to determine itself the purposes and means of such processing.
48 It is also important to add that the fact that it is not necessary for an entity designated by national law as controller to be empowered also to decide itself the purposes and means of the processing of personal data in order to be required to respond, as controller, to requests submitted to it by data subjects on the basis of the rights which they derive from the GDPR does not however deprive those data subjects of the possibility of sending those requests to another entity which they consider to be responsible or jointly responsible for the processing of their personal data due to the influence that that other entity exercised over the determination of the purposes and means of the processing in question.
49 In the light of the foregoing, the answer to the question referred is that Article 4(7) GDPR must be interpreted as not precluding national legislation which designates, as controller, an auxiliary administrative entity lacking legal personality and legal capacity of its own, without specifying, in a precise manner, the specific processing operations of personal data for which that entity is responsible or the purpose of those operations in so far as, first, such an entity is able to fulfil, in accordance with that national legislation, the obligations on a controller towards data subjects with respect to the protection of personal data and, second, that national legislation determines, explicitly or at least implicitly, the scope of the processing of personal data for which that entity is responsible.