The CJEU rules on the liability of controllers

January 5th, 2024

The Court of Justice of the European Union has been busy untangling the threads of GDPR in recent cases. One such notable instance is C-683/21, where a significant clarification emerged: a controller’s liability for a processor’s actions.

Here are the key takeaways:

𝐂𝐨𝐧𝐭𝐫𝐨𝐥𝐥𝐞𝐫’𝐬 𝐋𝐢𝐚𝐛𝐢𝐥𝐢𝐭𝐲: Controllers can be held responsible for a processor’s actions, but certain conditions apply. If a processor acts beyond the agreed-upon scope or for personal reasons, the controller might not be held liable. 𝐂𝐥𝐞𝐚𝐫 𝐀𝐫𝐫𝐚𝐧𝐠𝐞𝐦𝐞𝐧𝐭𝐬 𝐌𝐚𝐭𝐭𝐞𝐫: Controllers must maintain clear oversight of their processors. Lack of documentation or unclear instructions might leave controllers struggling to prove a processor acted against their directives. 𝐓𝐡𝐞 𝐋𝐢𝐭𝐡𝐮𝐚𝐧𝐢𝐚𝐧 𝐂𝐚𝐬𝐞: In the context of a COVID-19 app developed by an IT service provider for the National Public Health Centre, the absence of a contract between parties didn’t absolve the Centre of controllership responsibility. Even without a formal agreement, their involvement in determining the app’s parameters made them a controller. 𝐉𝐨𝐢𝐧𝐭 𝐂𝐨𝐧𝐭𝐫𝐨𝐥 𝐂𝐥𝐚𝐫𝐢𝐟𝐢𝐜𝐚𝐭𝐢𝐨𝐧𝐬: Joint control doesn’t mandate equal responsibility. The level of responsibility for each party in a joint control situation depends on various circumstances. 𝐉𝐨𝐢𝐧𝐭 𝐂𝐨𝐧𝐭𝐫𝐨𝐥 𝐀𝐫𝐫𝐚𝐧𝐠𝐞𝐦𝐞𝐧𝐭𝐬: While it’s preferable to have documented joint control arrangements, their absence doesn’t negate the joint control status. It’s a consequence rather than a prerequisite for joint control. 𝐂𝐨𝐧𝐭𝐫𝐨𝐥𝐥𝐞𝐫 𝐅𝐢𝐧𝐞𝐬: Controllers can face fines only for intentional or negligent GDPR violations. Lack of direct involvement or knowledge of the management team doesn’t absolve responsibility. 𝐏𝐫𝐨𝐜𝐞𝐬𝐬𝐨𝐫 𝐀𝐜𝐜𝐨𝐮𝐧𝐭𝐚𝐛𝐢𝐥𝐢𝐭𝐲: A controller may be fined for a processor’s unlawful actions, but exceptions exist. If a processor acts for personal gain or contrary to the controller’s instructions, they might become the liable party.

Understanding these clarifications is important for businesses engaging with processors. Maintaining clarity, oversight, and documented agreements can help shield against potential liabilities. Staying updated is key to successfully navigating the GDPR landscape!