
The CJEU rules on the liability of controllers


The Court of Justice of the European Union has been busy untangling the threads of GDPR in recent cases. One such notable instance is C-683/21, where a significant clarification emerged: a controller's liability for a processor's actions.

Here are the key takeaways:

  • Controller's Liability: Controllers can be held responsible for a processor's actions, but certain conditions apply. If a processor acts beyond the agreed-upon scope or for personal reasons, the controller might not be held liable.
  • Clear Arrangements Matter: Controllers must maintain clear oversight of their processors. Lack of documentation or unclear instructions might leave controllers struggling to prove a processor acted against their directives.
  • The Lithuanian Case: In the context of a COVID-19 app developed by an IT service provider for the National Public Health Centre, the absence of a contract between parties didn't absolve the Centre of controllership responsibility. Even without a formal agreement, their involvement in determining the app's parameters made them a controller.
  • Joint Control Clarifications: Joint control doesn't mandate equal responsibility. The level of responsibility for each party in a joint control situation depends on various circumstances.
  • Joint Control Arrangements: While it's preferable to have documented joint control arrangements, their absence doesn't negate the joint control status. It's a consequence rather than a prerequisite for joint control.
  • Controller Fines: Controllers can face fines only for intentional or negligent GDPR violations. Lack of direct involvement or knowledge of the management team doesn't absolve responsibility.
  • Processor Accountability: A controller may be fined for a processor's unlawful actions, but exceptions exist. If a processor acts for personal gain or contrary to the controller's instructions, they might become the liable party.

Understanding these clarifications is important for businesses engaging with processors. Maintaining clarity, oversight, and documented agreements can help shield against potential liabilities. Staying updated is key to successfully navigating the GDPR landscape!