In its judgment in case C-683/21, handed down on December 5, 2023, the Court of Justice of the European Union clarified the concept and scope of joint controllers’ liability.
I. Facts
In March 2020, the National Public Health Center at the Lithuanian Ministry of Health (NVSC) commissioned a company to develop a traceability application for people affected by COVID-19. Several exchanges then took place between the parties concerning the NVSC’s expectations and requirements.
The app was available on the Google Play Store and the App Store between April 4 and May 20, 2020.
Lacking sufficient financial resources, however, the NVSC informed the mandated company on May 15, 2020 that it was no longer in a position to acquire the application, and invited the company to make no further mention of the NVSC in any way in the application in question.
As the Lithuanian data protection authority considered that the operation of this application led to the processing of personal data that did not meet the requirements laid down by the GDPR, it ordered the NVSC to pay a fine of 12,000 euros.
The NVSC challenged this decision before the Vilnius Regional Administrative Court, arguing that the development company alone had to be considered as the data controller. The development company, for its part, considered that it had only acted as a subcontractor, on the instructions of the NVSC.
The referring court found the following facts:
The question submitted to the ECJ was whether the NVSC should be considered a controller despite this context.
II. Recitals
Unsurprisingly, the Court found that:
The Court concluded that the NVSC was indeed a joint data controller (the development company having also carried out certain processing operations for its own purposes).
In this respect, the Court notes that joint liability does not necessarily mean equivalent liability for the various operators involved in a personal data processing operation. These operators may be involved at different stages of processing and to different degrees, entailing different levels of responsibility.
In this way, the data controller can be held liable not only for the processing operations it carries out itself, but also for those carried out by a third party on its behalf, as in the case of a subcontractor.
III. Comment
All in all, the ECJ’s decision comes as no surprise. A Swiss court hearing the same case would, in my view, reach the same conclusions under the Federal Data Protection Act.
Anyone who mandates an IT company to carry out a specific development for a specific purpose is therefore considered a data controller, even if the company is then entitled to exploit the development itself, or to process the resulting data on behalf of the company that has mandated it to do so.
A contract clearly delineating roles and responsibilities is therefore all the more important in cases of joint responsibility.
It should also be emphasized that a principal's renunciation of the development, particularly in the case of a public entity, is not sufficient to exclude its qualification as a controller if it tolerates the commercialization of the development, the purpose and means of which it has determined. In such cases, it is important that it clearly dissociates itself from the development by prohibiting its commercialization.
©2024 Wilhelm Attorneys-at-Law Corp.