In case C-683/21, handed down on December 5, 2023, the Court of Justice of the European Union clarified the concept and scope of joint controllers’ liability.
In March 2020, the National Public Health Center at the Lithuanian Ministry of Health (NVSC) commissioned a company to develop a mobile application for tracing and monitoring people exposed to COVID-19. Several exchanges then took place between the parties concerning the NVSC’s expectations and requirements.
The app was published on the Google Play Store and Apple’s App Store between April 4 and May 20, 2020.
Lacking the funds to purchase it, however, on May 15, 2020 the NVSC informed the company that it was no longer in a position to acquire the application and asked the company to remove any reference to the NVSC from the application in question.
Taking the view that the operation of this application involved processing of personal data that did not meet the requirements of the GDPR, the Lithuanian data protection authority imposed a fine of EUR 12,000 on the NVSC.
The NVSC challenged this decision before the Vilnius Regional Administrative Court, arguing that the development company alone had to be regarded as the data controller. The development company, for its part, maintained that it had acted only as a processor, on the instructions of the NVSC.
The referring court found the following facts:
The question submitted to the ECJ was whether the NVSC should be considered a controller despite this context.
Unsurprisingly, the Court found that:
The Court concluded that the NVSC was indeed a joint data controller (the development company having also carried out certain processing operations for its own purposes).
In this respect, the Court notes that joint controllership does not necessarily mean equal responsibility for each of the operators involved in a personal data processing operation. These operators may be involved at different stages of the processing and to different degrees, which entails different levels of responsibility for each of them.
Accordingly, a data controller can be held liable not only for the processing operations it carries out itself, but also for those carried out on its behalf by a third party, such as a processor.
All in all, the ECJ’s decision comes as no surprise. A Swiss court hearing the same case would, in my view, reach the same conclusions under the Federal Data Protection Act.
Anyone who engages an IT company to carry out a specific development for a specific purpose is therefore regarded as a data controller, even if the company is subsequently entitled to exploit the development itself, or processes the resulting data on behalf of the principal that engaged it.
A contract that clearly delineates roles and responsibilities is therefore all the more important in cases of joint controllership.
It should also be emphasized that a principal’s abandonment of the development, particularly where the principal is a public entity, is not sufficient to exclude its qualification as a controller if it tolerates the commercialization of a development whose purpose and means it has determined. In such cases, the principal must clearly dissociate itself from the development by prohibiting its commercialization.
Do you have questions about this topic?