Court of Justice, Grand Chamber
5 December 2023, Case C‑683/21
(Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos Ministerijos v Valstybinė duomenų apsaugos inspekcija; interveners: UAB ‘IT sprendimai sėkmei’, Lietuvos Respublikos sveikatos apsaugos ministerija)
Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Article 4(2) and (7) – Concepts of ‘processing’ and ‘controller’ – Development of a mobile IT application – Article 26 – Joint control – Article 83 – Imposition of administrative fines – Conditions – Requirement that the infringement be intentional or negligent – Responsibility and liability of the controller for the processing of personal data carried out by a processor
1. Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
must be interpreted as meaning that an entity which has entrusted an undertaking with the development of a mobile IT application and which has, in that context, participated in the determination of the purposes and means of the processing of personal data carried out through that application may be regarded as a controller, within the meaning of that provision, even if that entity has not itself performed any processing operations in respect of such data, has not expressly agreed to the performance of specific operations for such processing or to that mobile application being made available to the public, and has not acquired the abovementioned mobile application, unless, prior to that application being made available to the public, that entity expressly objected to such making available and to the resulting processing of personal data.
2. Article 4(7) and Article 26(1) of Regulation 2016/679
must be interpreted as meaning that the classification of two entities as joint controllers does not require that there be an arrangement between those entities regarding the determination of the purposes and means of the processing of personal data in question; nor does it require that there be an arrangement laying down the terms of the joint control.
3. Article 4(2) of Regulation 2016/679
must be interpreted as meaning that the use of personal data for the purposes of the IT testing of a mobile application constitutes ‘processing’, within the meaning of that provision, unless such data have been rendered anonymous in such a manner that the subject of those data is not or is no longer identifiable, or unless it involves fictitious data which do not relate to an existing natural person.
4. Article 83 of Regulation 2016/679
must be interpreted as meaning that (i) an administrative fine may be imposed pursuant to that provision only where it is established that the controller has intentionally or negligently committed an infringement referred to in paragraphs 4 to 6 of that article, and (ii) such a fine may be imposed on a controller in respect of personal data processing operations performed by a processor on behalf of that controller, unless, in the context of those operations, that processor has carried out processing for its own purposes or has processed such data in a manner incompatible with the framework of, or detailed arrangements for, the processing as determined by the controller, or in such a manner that it cannot reasonably be considered that that controller consented to such processing.
categoria:European Case Law