From GDPRhub

Latest revision as of 12:48, 25 January 2024

CJEU - C-683/21 Nacionalinis visuomenės sveikatos centras
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4(2) GDPR
Article 4(7) GDPR
Article 83 GDPR
Decided: 05.12.2023
Parties: Lithuanian National Public Health Centre for the Ministry of Health
IT sprendimai sėkmei
Case Number/Name: C-683/21 Nacionalinis visuomenės sveikatos centras
European Case Law Identifier: ECLI:EU:C:2023:949
Reference from: Vilnius Regional Administrative Court (Lithuania)
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: n/a

The CJEU held that an administrative fine under Article 83 GDPR may only be imposed where it is established that the controller or processor has, intentionally or negligently, committed an infringement referred to in Article 83(4)-(6) GDPR. It also held that a public body which participated in determining the purposes and means of processing carried out through a mobile application is a controller even if it never formally acquired the application or performed any processing itself, and that using personal data to test such an application is itself processing unless the data have been anonymised.

English Summary

Facts

On 24 March 2020, the Lithuanian Minister of Health approved the development and implementation of an IT system to record and monitor the data of persons exposed to the COVID-19 virus, for epidemiological monitoring purposes.

On 27 March 2020, a representative of the Lithuanian National Public Health Centre for the Ministry of Health (‘CNSP’) informed the IT company ‘IT sprendimai sėkmei’ (‘ITSS’) that the CNSP had selected it to create a mobile application for the above purpose.

Once the mobile application was created, a privacy policy was drawn up which designated the CNSP and ITSS as joint controllers. The application was available for download and functional between early April and the end of May 2020, during which it was used by 3,802 persons. The application collected the following personal data from data subjects: their national identity number, geographical location, residential address, name and telephone number.

On 10 April 2020, the Minister of Health entrusted the Director of the CNSP with organising the acquisition of the mobile application from ITSS. ITSS was considered as the supplier for that acquisition under domestic law, but no public contract for the formal acquisition of the application was ever concluded between the CNSP and ITSS.

On 18 May 2020, the Lithuanian DPA opened an investigation into the mobile application and the data collected by it. By letter of 4 June 2020, the CNSP informed ITSS that due to lack of funding for the acquisition, the procurement process was terminated.

On 24 February 2021, the Lithuanian DPA issued a decision finding that the application infringed Articles 5, 13, 32 and 35 GDPR. As a result, the DPA imposed administrative fines under Article 83 GDPR of €12,000 on the CNSP and €3,000 on ITSS as joint controller.

The CNSP challenged the decision before the Vilnius Regional Administrative Court, arguing that ITSS must be regarded as the sole controller for the purposes of Article 4(7) GDPR. ITSS, in turn, argued that it was a processor and not a controller. The Vilnius Regional Administrative Court decided to stay proceedings and refer questions to the CJEU for a preliminary ruling. Six questions were referred in total; the main issues were the following:

  1. Whether the CNSP could be a 'controller' within the meaning of Article 4(7) GDPR, given that no formal procurement of the mobile application had been completed, the CNSP had not acquired a right of ownership over the product, and the CNSP had not itself performed any processing operations.
  2. Whether 'processing' of personal data under Article 4(2) GDPR covers situations in which copies of personal data are used to test IT systems in the course of acquiring a mobile application.
  3. Whether joint control under Article 4(7) and Article 26(1) GDPR requires deliberately coordinated action by the entities in determining the purposes and means of processing, or whether it also covers situations in which there is no clear arrangement between the entities on the purposes and means of processing and/or their actions are not coordinated.
  4. Whether Article 83(1) GDPR gives rise to strict liability, that is, liability without intent or negligence.

Holding

On the first issue

The Court held that, in order to establish whether an entity such as the CNSP is a controller for the purposes of Article 4(7) GDPR, it is necessary to examine whether that entity actually exerted influence, for its own purposes, over the determination of the purposes and means of the processing,[1] irrespective of whether a formal acquisition of the mobile application took place.[2]

On liability, the Court noted that once an entity meets the conditions of Article 4(7) GDPR, it is responsible not only for any processing of personal data it carries out itself, but also for processing carried out on its behalf.[3] The Court concluded that, for the purposes of Article 4(7) GDPR, an entity which has participated in determining the purposes and means of the processing may be regarded as a controller even if it has not itself carried out any processing operations.[4]

On the second issue

The Court held that the use of personal data for the computer testing of a mobile application constitutes ‘processing’ for the purposes of Article 4(2) GDPR, unless any such data have been rendered anonymous in such a way that the data subject is not or is no longer identifiable, or if the data do not relate to an existing natural person.[5]

On the third issue

The Court concluded that Article 4(7) and Article 26(1) GDPR must be interpreted as meaning that the classification of two entities as joint controllers does not presuppose either the existence of an arrangement between those entities regarding the determination of the purposes and means of the processing of the personal data in question, or the existence of an arrangement laying down the terms of the joint control.[6]

On the fourth issue

The Court noted that Article 83 GDPR does not leave Member States any margin of appreciation to lay down substantive conditions, beyond those set out in the GDPR, that must be met before a controller can be held liable and fined under Article 83 GDPR.[7] The conditions for imposing administrative fines are thus governed solely by EU law.[8] The Court read Article 83 GDPR as establishing a fault requirement: an administrative fine may only be imposed if it is established that the controller or processor has committed, intentionally or negligently, an infringement referred to in Article 83(4) to (6) GDPR.[9] This point was affirmed in Case C-807/21, Deutsche Wohnen, a judgment delivered on the same day as this one.

Moreover, the Court held that a controller may be fined for an infringement of Article 83(4) to (6) GDPR committed, intentionally or negligently, by a processor, provided the processor was carrying out processing operations on the controller's behalf. The processor alone is liable, however, where it processed the data for its own purposes, or processed them in a manner incompatible with the ‘framework of, or detailed arrangements for, the processing as determined by the controller, or in such a manner that it cannot reasonably be considered that that controller consented to such processing.’[10]


  1. Case C-683/21, para 31.
  2. Case C-683/21, para 38.
  3. Case C-683/21, para 36.
  4. Case C-683/21, para 38.
  5. Case C-683/21, para 59.
  6. Case C-683/21, para 46.
  7. Case C-683/21, para 69.
  8. Case C-683/21, para 70.
  9. Case C-683/21, para 86.
  10. Case C-683/21, para 86.