CJEU - C‑638/23 - Amt der Tiroler Landesregierung
| CJEU - C‑638/23 Amt der Tiroler Landesregierung | |
|---|---|
 | |
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 4(7) GDPR |
| Decided: | 27.02.2025 |
| Parties: | Amt der Tiroler Landesregierung DSB |
| Case Number/Name: | C‑638/23 Amt der Tiroler Landesregierung |
| European Case Law Identifier: | ECLI:EU:C:2025:127 |
| Reference from: | VwGH (Austria) |
| Language: | 24 EU Languages |
| Original Source: | Judgement |
| Initial Contributor: | tjk |
The CJEU held that national law can designate a controller without legal personality, provided this entity can fulfil the obligations of a controller and that the scope of its responsibility is generally determined by law. It is not necessary that a designated controller determines the purposes and means of the processing.
English Summary
Facts
During the COVID-19 pandemic, the Office (Amt der Tiroler Landesregierung), an auxiliary administrative entity in the service of the Governor and the Provincial Government of Tyrol, sent a ‘vaccination reminder letter’ to all adults residing in the Province of Tyrol who had not yet been vaccinated against that virus. For the purpose of identifying the addressees of those letters, the Office appointed two private companies, which conducted a cross-check of data in the central vaccination register and the patient index, which referred to their residential address.
One of those addressees of the vaccination reminder letter (the data subject), filed a complaint with the DPA against the Office alleging unlawful processing of his personal data. Before that authority, the Office stated that it had the status of ‘controller’ and that it was responsible for the letter sent to data subject.
The DPA found that the Office had violated the GDPR when it had consulted the data of the data subject in the vaccination register to send the ‘vaccination reminder’ even though it did not have a right to access that register or the patient index. The Office appealed that decision before the Federal Administrative Court (Bundesverwaltungsgericht - BVwG) which held that the Office had the status of controller on the basis of national law but did not have a right to consult the vaccination register for the purposes of sending a reminder letter. Consequently the Office brought an appeal before the Supreme Administrative Court (Verwaltungsgerichtshof -VwGH).
That court found that, to enable it to rule in the case before it, it must be determined whether the Office, in the context of that case, has the status of ‘controller’, within the meaning of Article 4(7) GDPR and decided to stay the proceedings and to request a preliminary ruling asking in essence:
- whether Article 4(7) GDPR must be interpreted as meaning that it precludes national legislation which designates, as controller, an auxiliary administrative entity lacking legal personality and legal capacity of its own, without specifying, in a precise manner, the specific processing operations of personal data for which that entity is responsible or the purpose of those operations.
- whether Article 4(7) GDPR must be interpreted as meaning that an entity designated as controller by national law, in accordance with that provision, must actually decide on the purposes and means of the processing of personal data to be required to respond, as controller, to requests submitted to it by data subjects on the basis of the rights which they derive from the GDPR.
Holding
Extent the national legislature can validly designate an auxiliary administrative entity
The court recalled that in C-231/22, État belge, 11 Januar 2024 it hat ruled that a legal personality is not a necessary condition for the classification of a ‘controller’. The Court noted that Article 5(2) GDPR establishes a principle of accountability, under which the controller is responsible for compliance with the principles relating to the processing of personal data set out in Article 5(1) GDPR and provides that that controller must be able to demonstrate compliance with those principles. Thus, the court held, the controller must, in accordance with the national law, be able to fulfil, in fact and in law, those obligations, without it being relevant, in that regard, whether that entity has legal personality and legal capacity of its own.
The court stated that the referring court determining whether the Office is authorised by Austrian law to assume those responsibilities may particularly regard that the Office may bring an action against the decision of the DPA, in the same way that it may be the subject of a complaint before it. Additionally, the court stated, that it may take into consideration that the Office appointed two private companies to carry out the processing in question.
No necessity to precisely specify the processing
The court stated, that where national law designates a controller, the determination of the purposes and means of the processing by that law must essentially arise from the provisions of national law governing the activity of that entity. However the court did not find it necessary for that legislature to have listed, exhaustively, all the processing operations for which that entity is thus designated.
Regarding the the present case, the court noted that the the sole fact that the applicable national provisions do not specify in a precise manner, the processing operations that the Office is authorised to carry out cannot preclude the classification of an entity such as the Office as controller within the meaning of Article 4(7) GDPR.
No necessity of influence over purposes and means
The court observed, that to establish an entity’s status as a controller it is necessary to examine only regarding the first sentence of Article 4(7) GDPR whether that entity exerted influence, for its own purposes, over the determination of the purposes and means of the processing not under the second sentence of that provision relating to controllers designated by national law.
Thus, the court stated, that the validity of a direct designation is not affected by the entities total lack of control over the personal data that it is required to process. The court held, that such an interpretation is in accordance with the objective of legal certainty pursued by the GDPR. This would be compromised if data subjects had to verify that the entity designated as controller of their personal data by the national legislature has the power to determine itself the purposes and means of such processing.
However, the court added, that this does not deprive data subjects of the possibility of sending GDPR requests to another entity which they consider to be responsible or jointly responsible for the processing due to the influence that that other entity exercised over the determination of the purposes and means of the processing in question.
Comment
The last statement of the CJEU in which it holds that data subjects could be sending GDPR requests another entity which they consider to be responsible or jointly responsible for the processing due to their influence could mean, that the formal designation by national law does not replace the functional designation of the first sentence of Article 4(7) GDPR, but only complements it.
This seems to contradict the EDPB Guidelines 07/2020 para. 20: "Where the controller has been specifically identified by law this will be determinative for establishing who is acting as controller."
Further Resources
Share blogs or news articles here!
