CJEU - C-683/21 - Nacionalinis visuomenės sveikatos centras

From GDPRhub
CJEU - C-683/21 Nacionalinis visuomenės sveikatos centras
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4(2) GDPR
Article 4(7) GDPR
Article 83 GDPR
Decided: 05.12.2023
Parties: Lithuanian National Public Health Centre for the Ministry of Health
IT sprendimai sėkmei
Case Number/Name: C-683/21 Nacionalinis visuomenės sveikatos centras
European Case Law Identifier: ECLI:EU:C:2023:949
Reference from: Vilnius Regional Administrative Court (Lithuania)
Language: 24 EU Languages
Original Source: AG Opinion; Judgement
Initial Contributor: n/a

The CJEU held that an administrative fine pursuant to Article 83 GDPR may only be imposed where it is established that the controller has, intentionally or negligently, committed an infringement referred to in Article 83(4)-(6) GDPR.

English Summary

Facts

On 24 March 2020, the Lithuanian Minister of Health approved the development and implementation of an IT system for recording and monitoring the data of persons exposed to the COVID-19 virus, for epidemiological monitoring purposes.

On 27 March 2020, a representative of the Lithuanian National Public Health Centre for the Ministry of Health (‘CNSP’) informed the IT company ‘IT sprendimai sėkmei’ (‘ITSS’) that the CNSP had selected it to create a mobile application for the above purpose.

Once the mobile application was created, a privacy policy was developed in which the CNSP and ITSS were designated as joint controllers. The application was available for download and functional between early April and the end of May 2020, during which time it was used by 3802 persons. The application collected the following personal data from data subjects: their national identity number, geographical location, residential address, name and telephone number.

On 10 April 2020, the Minister of Health entrusted the Director of the CNSP with the task of organising the acquisition of the mobile application in question from ITSS. Consideration was given to ITSS for the acquisition under domestic law, but no public contract for the formal acquisition of the application was concluded between the CNSP and ITSS.

On 18 May 2020, the Lithuanian DPA opened an investigation into the mobile application and the data collected by it. By letter of 4 June 2020, the CNSP informed ITSS that due to lack of funding for the acquisition, the procurement process was terminated.

On 24 February 2021, the Lithuanian DPA issued a decision which found that the application violated Articles 5, 13, 32 and 35 GDPR. As a result, the DPA imposed an administrative fine of €12,000 on the CNSP and €3,000 on ITSS as joint controller, under Article 83 GDPR.

The CNSP challenged the decision before the Vilnius Regional Administrative Court, arguing that ITSS must be regarded as the sole controller for the purposes of Article 4(7) GDPR. In response, ITSS argued that it was the processor and not the controller. The Vilnius Regional Administrative Court decided to stay proceedings and to refer questions to the CJEU for a preliminary ruling. There were six questions in total; however, the main issues were the following:

  1. The concept of 'controller' for the purposes of Article 4(7) GDPR was disputed because no formal procurement of the mobile application had been completed, and CNSP had not acquired an official right of ownership over the product. Moreover, CNSP had not performed processing operations.
  2. The court asked whether the definition of ‘processing’ of personal data under Article 4(2) GDPR can be interpreted to include situations in which copies of personal data have been used for the testing of IT systems in the process for the acquisition of a mobile application.
  3. The court asked whether joint control of data in accordance with Article 4(7) and Article 26(1) GDPR must be interpreted 'exclusively' as involving deliberately coordinated actions for the determination of the purposes and means of data processing, or whether that concept also covers situations in which there is no clear arrangement between the entities in respect of the purposes and means of data processing and/or the entities' actions are not coordinated.
  4. Finally, the court asked whether Article 83(1) GDPR gives rise to strict liability, namely liability without intent or negligence.

Holding

On the first issue

The Court held that in order to establish whether an entity, such as the CNSP, can be considered to be responsible for the processing for the purposes of Article 4(7) GDPR, it is necessary to examine whether that entity has actually influenced, for its own purposes, the determination of the purposes and means of such processing,[1] regardless of whether formal acquisition of the mobile application occurred.[2]

Moreover, in relation to liability, the Court noted that once an entity meets the conditions laid down in Article 4(7) GDPR, it is liable not only for any processing of personal data which it carries out itself, but also for that which is carried out on its behalf.[3] The Court concluded that, for the purposes of Article 4(7) GDPR, an entity which has participated in the determination of the purposes and means of the processing of personal data carried out may be considered a controller, even if that entity has not itself carried out the processing operations.[4]

On the second issue

The Court held that the use of personal data for the computer testing of a mobile application constitutes ‘processing’ for the purposes of Article 4(2) GDPR, unless any such data have been rendered anonymous in such a way that the data subject is not or is no longer identifiable, or if the data do not relate to an existing natural person.[5]

On the third issue

The Court concluded that Article 4(7) and Article 26(1) GDPR must be interpreted as meaning that the classification of two entities as jointly responsible for the processing does not presuppose either the existence of an agreement between those entities on the determination of the purposes and means of the processing of the personal data in question or the existence of an agreement relating to the processing of the personal data in question.[6]

On the fourth issue

The Court noted that Article 83 GDPR does not grant Member States a margin of appreciation to lay down substantive conditions (beyond those outlined in the GDPR) which must be met in order to hold a controller liable and impose an administrative fine under Article 83 GDPR.[7] The conditions for the imposition of administrative fines are thus governed ‘solely by EU law’.[8] The Court interpreted Article 83 GDPR as establishing a condition for the imposition of an administrative fine: a fine may only be imposed if it is established that the controller or processor has committed, intentionally or negligently, a breach referred to in paragraphs 4 to 6 of Article 83 GDPR.[9] This point was affirmed in Case C-807/21, Deutsche Wohnen (a judgment issued on the same day as this one).

Moreover, the Court held that a controller will be held liable for a breach of paragraphs 4 to 6 of Article 83 GDPR committed, intentionally or negligently, by a processor carrying out processing operations on its behalf. However, a processor may be held solely liable if it carried out processing for its own purposes or processed data incompatibly with the ‘framework of, or detailed arrangements for, the processing as determined by the controller, or in such a manner that it cannot reasonably be considered that that controller consented to such processing.’[10]


  1. Case C‑683/21, para 31.
  2. Case C‑683/21, para 38.
  3. Case C‑683/21, para 36.
  4. Case C‑683/21, para 38.
  5. Case C‑683/21, para 59.
  6. Case C‑683/21, para 46.
  7. Case C‑683/21, para 69.
  8. Case C‑683/21, para 70.
  9. Case C‑683/21, para 86.
  10. Case C‑683/21, para 86.