CJEU - C-683/21 - Nacionalinis visuomenės sveikatos centras
| CJEU - C-683/21 Nacionalinis visuomenės sveikatos centras | |
|---|---|
 | |
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 4(2) GDPR Article 4(7) GDPR Article 83 GDPR |
| Decided: | 05.12.2023 |
| Parties: | Lithuanian National Public Health Centre for the Ministry of Health IT sprendimai sėkmei |
| Case Number/Name: | C-683/21 Nacionalinis visuomenės sveikatos centras |
| European Case Law Identifier: | ECLI:EU:C:2023:949 |
| Reference from: | Vilnius Regional Administrative Court (Lithuania) |
| Language: | 24 EU Languages |
| Original Source: | AG Opinion Judgement |
| Initial Contributor: | n/a |
The CJEU held that an administrative fine pursuant to Article 83 GDPR, may only be imposed where it is established that the controller has, intentionally or negligently, committed an infringement of Article 83(4)-(6) GDPR.
English Summary
Facts
On 24 March 2020, the Lithuanian Minister of Health approved the development and implementation of an IT system for the purposes of recording and monitoring the data of persons exposed to the COVID-19 Virus, for epidemiological monitoring purposes.
On 27 March 2020, a representative of the Lithuanian National Public Health Centre for the Ministry of Health (‘CNSP’) informed the IT company ‘IT sprendimai sėkmei’ (‘ITSS’) that the CNSP had selected it to create a mobile application for the above purpose.
Once the mobile application was created, a privacy policy was developed in which the CNSP and ITSS were designated as joint-controllers. The application was available for download and functional between early April and the end of May 2020, during which it was used by 3802 persons. The application collected the following personal data from data subjects: their national identity number, geographical location, residential address, name and telephone number.
On 10 April 2020, the Minister of Health entrusted the Director of the CNSP with the task of organising the acquisition of the mobile application in question from ITSS. Consideration was given to ITSS for the acquisition under domestic law, but no public contract for the formal acquisition of the application was concluded between the CNSP and ITSS.
On 18 May 2020, the Lithuanian DPA opened an investigation into the mobile application and the data collected by it. By letter of 4 June 2020, the CNSP informed ITSS that due to lack of funding for the acquisition, the procurement process was terminated.
On 24 February 2021, the Lithuanian DPA issued a decision which found that the application violated Articles 5, 13, 32 and 35 GDPR. As a result, the DPA imposed an administrative fine of €12,000 on the CNSP and €3,000 on ITSS as joint-controller, under Article 83 GDPR.
The CNSP challenged the decision before the Vilnius Regional Administrative Court, arguing that ITSS must be regarded as the sole controller for the purposes of Article 4(7) GDPR. In response, ITSS argued that it was the processor and not the controller. The Vilnius Regional Administrative Court decided to stay proceedings and to refer the following questions to the CJEU for a preliminary ruling. There were 6 questions in total; however, the main issues were the following:
- The concept of 'controller' for the purposes of Article 4(7) GDPR was disputed because no formal procurement of the mobile application had been completed, and CNSP had not acquired an official right of ownership over the product. Moreover, CNSP had not performed processing operations.
- The court asked whether the definition of ‘processing’ of personal data under Article 4(2) GDPR can be interpreted to include situations in which copies of personal data have been used for the testing of IT systems in the process for the acquisition of a mobile application.
- The court asked whether the joint control of data in accordance with Article 4(7) and Article 26(1) GDPR must be interpreted 'exclusively' as involving deliberately coordinated actions for the determination of the purpose and means of data processing, or can that concept also be interpreted as meaning that joint control also covers situations in which there is no clear arrangement between the entities in respect of the purpose and means of data processing and/or actions are not coordinated between the entities.
- Finally, the court asked whether Article 83(1) GDPR give rise to strict liability, namely liability without intent or negligence.
Holding
On the first issue
The Court held that in order to establish whether an entity, such as the CNSP, can be considered to be responsible for the processing for the purposes of Article 4(7) GDPR, it is necessary to examine whether that entity has actually influenced, for its own purposes, the determination of the purposes and means of such processing,[1] regardless of whether formal acquisition of the mobile application occurred.[2]
Moreover, in relation to liability the Court noted that once an entity meets the conditions laid down in Article 4(7) GDPR, it is liable not only for any processing of personal data which it carries out itself, but also for that which is carried out on its behalf.[3] The Court concluded that for the purposes of Article 4(7) GDPR, an entity may be considered responsible for processing, which has participated in the determination of the purposes and means of the processing of personal data carried out, even if that entity had not itself carried out the processing operations.[4]
On the second issue
The Court held that the use of personal data for the computer testing of a mobile application constitutes ‘processing’ for the purposes of Article 4(2) GDPR, unless any such data have been rendered anonymous in such a way that the data subject is not or is no longer identifiable, or if the data do not relate to an existing natural person.[5]
On the third issue
The Court concluded that Article 4(7) and Article 26(1) GDPR must be interpreted as meaning that the classification of two entities as jointly responsible for the processing does not presuppose either the existence of an agreement between those entities on the determination of the purposes and means of the processing of the personal data in question or the existence of an agreement relating to the processing of the personal data in question.[6]
On the fourth issue
The Court noted that Article 83 GDPR does not grant a margin of appreciation to Member States to lay down substantive conditions (beyond those outlined in the GDPR), which must be met in order to hold a controller liable and impose an administrative fine under Article 83 GDPR.[7] The conditions for the imposition of administrative fines are thus a matter ‘solely by EU law’.[8] The Court interpreted Article 83 GDPR to establish a condition for the imposition of an administrative fine. It held that an administrative fine may only be imposed if it is established that the controller or processor has committed, intentionally or negligently, a breach referred to in paragraphs 4 to 6 of Article 83 GDPR.[9] This point was affirmed in Case C-807/21, Deutsche Wohnen (a judgment issued on the same day as this one).
Moreover, the Court held that a controller will be held liable for a breach committed by a processor of paragraphs 4 to 6 of Article 83 GDPR, intentionally or negligently, if the processor was carrying out processing operations on its behalf. However, a processor may be held solely liable if the processor carried out processing for its own purposes or had processed data incompatibly with the ‘framework of, or detailed arrangements for, the processing as determined by the controller, or in such a manner that it cannot reasonably be considered that that controller consented to such processing.’[10]
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
