
CJEU - C‑638/23 - Amt der Tiroler Landesregierung

From GDPRhub
Revision as of 15:33, 27 February 2025 by Tjk
CJEU - C‑638/23 Amt der Tiroler Landesregierung
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4(7) GDPR
Decided: 27.02.2025
Parties: Amt der Tiroler Landesregierung
DSB
Case Number/Name: C‑638/23 Amt der Tiroler Landesregierung
European Case Law Identifier: ECLI:EU:C:2025:127
Reference from: VwGH (Austria)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: tjk


The CJEU ruled that national legislation can designate a controller so long as this entity can legally fulfil the obligations of a controller and the scope of the processing of personal data for which that entity is responsible is determined.

English Summary

Facts

During the COVID-19 pandemic, the Office, an auxiliary administrative entity in the service of the Governor and the Provincial Government of Tyrol, sent a ‘vaccination reminder letter’ to all adults residing in the Province of Tyrol who had not yet been vaccinated against that virus. For the purpose of identifying the addressees of those letters, the Office appointed two private companies, which conducted a cross-check of data in the central vaccination register and the patient index, which referred to their residential address.

One of those addressees (the data subject) filed a complaint with the DPA against the Office, alleging unlawful processing of his personal data. Before that authority, the Office stated that it had the status of ‘controller’ and that it was behind the letter sent to the data subject.

The DPA found that the Office had violated the GDPR when it had consulted the data of the data subject in the vaccination register to send the ‘vaccination reminder’ even though it did not have a right to access that register or the patient index. The Office appealed that decision before the Federal Administrative Court (Bundesverwaltungsgericht - BVwG), which held that the Office had the status of controller on the basis of national law but did not have a right to consult the vaccination register for the purposes of sending a reminder letter. Consequently, the Office brought an appeal before the Supreme Administrative Court (Verwaltungsgerichtshof - VwGH).

That court found that, in order to enable it to rule in the case before it, it must be determined whether the Office, in the context of that case, has the status of ‘controller’ within the meaning of Article 4(7) GDPR. It decided to stay the proceedings and to request a preliminary ruling asking, in essence, whether Article 4(7) GDPR must be interpreted as meaning that it precludes national legislation which designates, as controller, an auxiliary administrative entity lacking legal personality and legal capacity of its own, without specifying, in a precise manner, the specific processing operations of personal data for which that entity is responsible or the purpose of those operations. That court also seeks to ascertain whether Article 4(7) GDPR must be interpreted as meaning that an entity designated as controller by national law, in accordance with that provision, must actually decide on the purposes and means of the processing of personal data to be required to respond, as controller, to requests submitted to it by data subjects on the basis of the rights which they derive from the GDPR.

Holding

As a preliminary point, it must be recalled that, under Article 4(7) GDPR, the concept of ‘controller’ covers natural or legal persons, public authorities, agencies or other bodies which, alone or jointly with others, determine the purposes and means of the processing of personal data. That provision also states that, where the purposes and means of such processing are determined, inter alia, by the law of a Member State, the controller may be nominated or the specific criteria for its nomination may be provided for by that law.

It is apparent from the case-law of the Court that that provision is intended to ensure, through a broad definition of the concept of ‘controller’, effective and complete protection of data subjects (see, to that effect, judgments of 5 December 2023, Nacionalinis visuomenės sveikatos centras, C‑683/21, EU:C:2023:949, paragraph 29, and of 5 December 2023, Deutsche Wohnen, C‑807/21, EU:C:2023:950, paragraph 40).

26 The objective pursued by the GDPR, as is set out in Article 1 thereof and in recitals 1 and 10 thereof, consists, inter alia, in ensuring a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data, as enshrined in Article 8(1) of the Charter of Fundamental Rights and Article 16(1) TFEU (judgment of 7 March 2024, IAB Europe, C‑604/22, EU:C:2024:214, paragraph 53 and the case-law cited).

27 Having regard to the wording of Article 4(7) GDPR, read in the light of that objective, in order to establish whether a person or entity is to be classified as a ‘controller’ within the meaning of that provision, it must be examined whether that person or entity determines, alone or jointly with others, the purposes and means of the processing or whether those purposes and means are determined by national law. Where such determination is made by national law, it must then be ascertained whether that law nominates the controller or provides for the specific criteria for its nomination (judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraph 29).

28 Having regard to the broad definition of the concept of ‘controller’ within the meaning of Article 4(7) GDPR, the determination of the purposes and means of the processing and, where appropriate, the nomination of that controller by national law may not only be explicit but also implicit. In the latter case, that determination must nevertheless be derived with sufficient certainty from the role, task and powers conferred on the person or entity concerned (judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraph 30).

29 It is in the light of those preliminary considerations that the question referred is to be examined. To that effect, it is necessary, first, to determine to what extent the national legislature can validly designate an auxiliary administrative entity in the service of public authorities as controller, within the meaning of the second part of Article 4(7) GDPR, where that entity lacks legal personality and legal capacity of its own.

Extent to which the national legislature can validly designate an auxiliary administrative entity

30 In that regard, it should be noted that the Court has already ruled that it is apparent from the clear wording of Article 4(7) of the GDPR that a controller may be not only a natural or legal person, but also a public authority, an agency or a body, and such entities do not necessarily have legal personality under national law (see, to that effect, judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraph 36).

31 Accordingly, it cannot be ruled out that an entity may be classified as a ‘controller’, within the meaning of that provision, even if that entity lacks legal personality.

32 Moreover, as regards the question of whether the classification of an entity as ‘controller’ requires that entity to have legal capacity of its own, or if it is sufficient, for that purpose, that the entity concerned is provided with a certain capacity to decide and to act in the context of the protection of personal data, the Court notes that it is apparent from recital 74 GDPR that the EU legislature intended that the responsibility of the controller be identical whether the processing of personal data that it carries out is undertaken by the controller itself or by a third party, but on its behalf. That legislature also intended to ensure that the controller is obliged to implement appropriate and effective measures and is able to demonstrate the compliance of processing activities with that regulation, including the effectiveness of the measures in question, and that those measures should take into account the nature, scope, context and purpose of the processing and the risk to the rights and freedoms of natural persons.

33 It is to that extent that Article 5(2) GDPR establishes a principle of accountability, under which the controller is responsible for compliance with the principles relating to the processing of personal data set out in Article 5(1) GDPR and provides that that controller must be able to demonstrate compliance with those principles.

34 Taking into account the legal obligations to which the controller referred to in Article 4(7) GDPR is subject, the controller must, in accordance with the procedures provided for by the legislation of the Member State to which it belongs, be able to fulfil, in fact and in law, those obligations, without it being relevant, in that regard, whether that entity has legal personality and legal capacity of its own.

35 In the present case, it is for the referring court to determine whether the Office is authorised by Austrian law to assume the responsibilities and obligations that the GDPR imposes on the controller, having regard in particular to the fact, which has not been contested before the national courts hearing the dispute in the main proceedings, that the Office may bring an action against the decision of the DPA, in the same way that it may be the subject of a complaint before that authority. The referring court may also take into consideration the fact that the Office appointed two private companies to carry out the processing of personal data in the central vaccination register and in the index of the patients residing in the Province of Tyrol.

Need to precisely specify the processing

Second, the referring court is uncertain whether a national legislature may designate an entity as controller, under the second part of Article 4(7) GDPR, without specifying, in a precise manner, the processing of personal data that that entity may be required to carry out, its purpose or the precise means that it may implement for the purposes of that processing.

37 As recalled in paragraph 28 above, where national law designates an entity as controller, the determination of the purposes and means of the processing by that law may be implicit, provided that that determination is derived with sufficient certainty from the role, task and powers conferred on that entity. That condition is met if those purposes and means arise, in essence, from the provisions of national law governing the activity of that entity.

38 The direct designation, by the national legislature, of an entity as controller contributes to the objective of legal certainty pursued by the GDPR, as is apparent from recital 7 thereof, by allowing natural persons whose personal data are subject to processing to easily identify the entity responsible for ensuring compliance with the rights conferred on them by that regulation.

39 The validity of such a designation is, however, subject to the condition that national legislation determine the scope of the processing of personal data for which that entity is designated as responsible, without it being necessary for that legislature to have listed, exhaustively, all the processing operations for which that entity is thus designated. As set out in recital 45 of that regulation, ‘a law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient.’

40 It follows that national legislation which designates an entity as controller without expressly listing all the specific processing operations of personal data for which it is responsible or the purpose of those processing operations is compatible with Article 4(7) of the GDPR, in so far as that legislation determines, explicitly or at least implicitly, the scope of the processing of personal data for which that entity is designated as responsible.

41 In the present case, it is for the referring court to determine whether the processing of personal data which the Office carried out for the purposes of preparing and sending the ‘vaccination reminder letters’ at issue in the main proceedings is compatible with the purposes which must be fulfilled by the processing operations of personal data for which the Office has been designated as responsible, as those purposes follow, at least implicitly, from all the provisions of national law governing its activity and, moreover, the means that it may implement to that effect. The sole fact that those national provisions do not specify, where appropriate, in a precise manner, the processing operations that the Office is authorised to carry out cannot preclude the classification of an entity such as the Office as controller within the meaning of Article 4(7) GDPR.

Decision on purposes

Third, the referring court asks whether an entity designated by national legislation as controller, within the meaning of the second part of Article 4(7) of the GDPR, must also decide itself, or with other competent authorities, the purposes and means of the processing of personal data for which it is designated as responsible, in order for it to be required to respond, in that capacity, to requests submitted to it by data subjects on the basis of the rights which they derive from the GDPR.

43 In that regard, it is sufficient to observe that it is in order to establish an entity’s status as a controller, within the meaning of the first part of Article 4(7) GDPR, that it is necessary to examine whether that entity actually exerted influence, for its own purposes, over the determination of the purposes and means of the processing in question (see, to that effect, judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras, C‑683/21, EU:C:2023:949, paragraphs 30 and 31).

44 By contrast, in order to establish an entity’s status as a controller, within the meaning of the second part of Article 4(7) GDPR, as is apparent from the clear wording of that provision, it is not necessary that that entity exercises influence over the determination of the purposes and means of the processing in question.

45 Such an entity, designated by national law as controller, does not therefore have to decide itself the purposes and means of the processing of personal data in order to be required to respond, as controller, to requests submitted to it by data subjects on the basis of the rights which they derive from the GDPR.

46 In that regard, the Court has already ruled that the validity of a direct designation was not affected by the fact that, under national law, the entity designated as controller does not exercise any control over the personal data that it is required to process (see, to that effect, judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraphs 37 and 38).

47 Such an interpretation is in accordance with the objective of legal certainty pursued by the GDPR. As the European Commission pointed out in its written observations, that objective would be compromised if, in order to be able to consider that that designation was validly made by the national legislature, data subjects had to verify that the entity designated as controller of their personal data has the power to determine itself the purposes and means of such processing.

48 It is also important to add that the fact that it is not necessary for an entity designated by national law as controller to be empowered also to decide itself the purposes and means of the processing of personal data in order to be required to respond, as controller, to requests submitted to it by data subjects on the basis of the rights which they derive from the GDPR does not however deprive those data subjects of the possibility of sending those requests to another entity which they consider to be responsible or jointly responsible for the processing of their personal data due to the influence that that other entity exercised over the determination of the purposes and means of the processing in question.

49 In the light of the foregoing, the answer to the question referred is that Article 4(7) GDPR must be interpreted as not precluding national legislation which designates, as controller, an auxiliary administrative entity lacking legal personality and legal capacity of its own, without specifying, in a precise manner, the specific processing operations of personal data for which that entity is responsible or the purpose of those operations in so far as, first, such an entity is able to fulfil, in accordance with that national legislation, the obligations on a controller towards data subjects with respect to the protection of personal data and, second, that national legislation determines, explicitly or at least implicitly, the scope of the processing of personal data for which that entity is responsible.
