Nacionalinis visuomenės sveikatos centras (Protection of personal data - Concept of 'controller' - Opinion) [2023] EUECJ C-683/21_O (04 May 2023)


BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?

No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!



BAILII [Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]

Court of Justice of the European Communities (including Court of First Instance Decisions)


You are here: BAILII >> Databases >> Court of Justice of the European Communities (including Court of First Instance Decisions) >> Nacionalinis visuomenės sveikatos centras (Protection of personal data - Concept of 'controller' - Opinion) [2023] EUECJ C-683/21_O (04 May 2023)
URL: http://www.bailii.org/eu/cases/EUECJ/2023/C68321_O.html
Cite as: ECLI:EU:C:2023:376, EU:C:2023:376, [2023] EUECJ C-683/21_O

[New search] [Contents list] [Help]


OPINION OF ADVOCATE GENERAL

EMILIOU

delivered on 4 May 2023(1)

Case C683/21

Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos

v

Valstybinė duomenų apsaugos inspekcija,

joined parties:

‘IT sprendimai sėkmei’ UAB,

Lietuvos Respublikos sveikatos apsaugos ministerija

(Request for a preliminary ruling from the Vilniaus apygardos administracinis teismas (Regional Administrative Court, Vilnius, Lithuania))

(Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Article 4(7) – Concept of ‘controller’ – Development of a mobile application in the context of the COVID-19 pandemic – Responsibility of the public authority in charge of organising the tendering procedure for the acquisition of the mobile application – Article 4(2) – Concept of ‘processing’ – Use of personal data during the test phase of a mobile application – Article 26(1) – Joint control – Article 83 – Imposition of administrative fines – Conditions – Need for the infringement to be deliberate or negligent – Responsibility of the controller for the processing of personal data undertaken by a processor)






I.      Introduction

1.        In a world where personal data have become a bargaining chip and constitute a newly found goldmine for businesses, under what conditions can administrative fines be imposed to controllers or processors for breach of the data protection rules set out in Regulation (EU) 2016/679? (2) More specifically, is a ‘fault’ element required to be fulfilled before they can be subject to such fines? That is the core issue raised by the Vilniaus apygardos administracinis teismas (Regional Administrative Court, Vilnius, Lithuania) in the present case.

2.        The dispute before that court, which arises between the Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos (National Public Health Centre under the Ministry of Health, Lithuania; ‘the NVSC’) and the Valstybinė duomenų apsaugos inspekcija (State Data Protection Inspectorate, Lithuania; ‘the Inspectorate’), concerns, in essence, the role played by the NVSC in the development and making publicly available of a mobile application which collected, in April and May 2020, the personal data of people who had been in contact with COVID-19-infected patients.

3.        Within that context, the present case gives the Court an opportunity to provide additional clarity on the concepts of ‘controller’, ‘joint controllers’ and ‘processing’, defined respectively in Article 4(7), Article 26(1) and Article 4(2) of the GDPR, and to consider, for the first time, whether it is possible, in application of Article 83 of that regulation, to impose an administrative fine on a controller that has not intentionally or negligently committed any breach of the rules contained in the GDPR. That question requires the Court to clarify whether that provision allows fines to be imposed in the absence of any fault, on the basis of strict liability.

II.    Legal framework

A.      European Union law

4.        Recital 148 of the GDPR states:

‘In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation … In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.’

5.        Pursuant to recital 150 of that regulation:

‘In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. … Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.’

6.        Article 4(7) of the GDPR defines the concept of ‘controller’ as ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data …’.

7.        Article 26 of that regulation, entitled ‘Joint controllers’, states in the relevant part:

‘1.      Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. …

…’

8.        Article 83 of that regulation, entitled ‘General conditions for imposing administrative fines’, provides:

‘1.      Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2.      Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

(a)      the nature, gravity and duration of the infringement taking into account the nature[,] scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b)      the intentional or negligent character of the infringement;

(k)      any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

3.      If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

…’

B.      Lithuanian law

9.        Article 72(2) of the Viešųjų pirkimų įstatymas (Law on Public Procurement) states:

‘The contracting authority shall carry out a negotiated procedure without publication of a contract notice in the following stages:

(1)      written invitation to the selected economic operators to submit tenders;

(2)      verification as to whether there are any grounds for the exclusion of economic operators as laid down in the procurement documents, and verification as to whether the economic operators fulfil the qualification requirements imposed and, where applicable, meet the required quality assurance standards and/or environmental management standards;

(3)      conduct of negotiations with the tenderers in accordance with the procedure established in Article 66 of this law and the request for them to submit final tenders. The contracting authority shall not be required to request the submission of a final tender in the case of one economic operator participating in the negotiated procedure without publication of a prior notice;

(4)      evaluation of the final tenders and determination of the successful candidate.’

III. Facts, national proceedings and the questions referred

10.      In order to respond to the situation resulting from the spread of COVID-19, the Minister for Health of the Republic of Lithuania (‘the Minister for Health’) instructed, by decision of 24 March 2020, the Director of the NVSC to organise the development and acquisition of a mobile application, namely KARANTINAS. That mobile application was designed to collect and monitor the personal data of individuals who had been in contact with COVID-19-infected patients. (3)

11.      On 27 March 2020, a person claiming to be an agent representing the NVSC informed the company ‘IT sprendimai sėkmei’ UAB (‘ITSS’) that it had been selected to be the developer of KARANTINAS. Emails were exchanged between ITSS and that person as well as between ITSS and a number of employees and the Director of the NVSC in relation to the development of that mobile application. A confidentiality agreement was also drawn up at that stage, mentioning both ITSS and the NVSC as controllers.

12.      The mobile application that was eventually developed was made available for download by the public from Google Play Store on 4 April 2020, and from Apple App Store on 6 April 2020. Both ITSS and the NVSC were again mentioned as controllers in the version of KARANTINAS that was made available for download by the public. At that time, that mobile application had not yet been purchased by the NVSC.

13.      By decision of 10 April 2020, the Minister for Health instructed the Director of the NVSC to proceed with the acquisition of KARANTINAS by negotiated procedure without publication of a contract notice, in application of Article 72(2) of the Law on Public Procurement.

14.      That procedure was initiated but, having failed to receive the necessary funding, the NVSC terminated it. No public contract for purchase was thus concluded. KARANTINAS, however, continued to be available for download by the public.

15.      On 15 May 2020, the NVSC requested ITSS not to use any details of the NVSC or to draw links with the NVSC in the mobile application. On 18 May 2020, the Inspectorate began an investigation concerning both ITSS and the NVSC for breach of the rules laid down in the GDPR. The operations of KARANTINAS were suspended at the request of the Inspectorate on 26 May 2020. According to ITSS, 3 802 users had provided their personal data via the application between 4 April and 26 May 2020.

16.      By decision of 24 February 2021, the Inspectorate imposed administrative fines on the NVSC and on ITSS, in their capacity as joint controllers, for infringement of Articles 5, 13, 24, 32 and 35 of the GDPR. (4)

17.      That decision was challenged by the NVSC before the Vilniaus apygardos administracinis teismas (Regional Administrative Court, Vilnius). That court wonders, in essence, whether the concept of ‘controller’, within the meaning of Article 4(7) of the GDPR, must be interpreted broadly so as to include any natural or legal person or body such as the NVSC which is not the developer of a mobile application but which, with a view to acquiring such a mobile application by way of a tendering procedure, determined ‘the purposes and means of the processing of personal data’, or whether that concept ought to be interpreted more strictly, taking into account the public procurement procedure and its outcome.

18.      In particular, it wonders whether the fact that the tendering procedure was ultimately abandoned, and KARANTINAS never acquired by the NVSC, is relevant in that regard. It also wonders whether the fact that the NVSC did not officially consent to or authorise the making available of that mobile application to the public has any impact on that assessment.

19.      Furthermore, it enquires as to the relationship between the NVSC and ITSS. In that regard, it wonders under which circumstances that entity and that company would have to be regarded as ‘joint controllers’, within the meaning of Article 4(7) and Article 26(1) of the GDPR. Alternatively, if the NVSC and ITSS were not to be regarded as ‘joint controllers’, but as ‘controller’ and ‘processor’ (5) (respectively) within the meaning of the GDPR, it wishes to know when the actions of ITSS could lead to liability for the NVSC. In that regard, it wonders whether Article 83 of the GDPR must be interpreted as meaning that an administrative fine can be imposed on a controller such as the NVSC that has not itself committed any infringement of that regulation intentionally or negligently.

20.      In the light of those considerations, the Vilniaus apygardos administracinis teismas (Regional Administrative Court, Vilnius) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      Can the concept of “controller” set out in Article 4(7) of the GDPR be interpreted as meaning that a person who is planning to acquire a data collection tool (mobile application) by way of public procurement, irrespective of the fact that a public procurement contract has not been concluded and that the created product (mobile application), for the acquisition of which a public procurement procedure had been used, has not been transferred, is also to be regarded as a controller?

(2)      Can the concept of “controller” set out in Article 4(7) of the GDPR be interpreted as meaning that a contracting authority which has not acquired the right of ownership of the created IT product and has not taken possession of it, but where the final version of the created application provides links or interfaces to that public entity and/or [where] the confidentiality policy, which was not officially approved or recognised by the public entity in question, specified that public entity itself as a controller, is also to be regarded as a controller?

(3)      Can the concept of “controller” set out in Article 4(7) of the GDPR be interpreted as meaning that a person who has not performed any actual data processing operations as defined in Article 4(2) of the GDPR and/or has not provided clear permission/consent to the performance of such operations is also to be regarded as a controller? Is the fact that the IT product used for the processing of personal data was created in accordance with the assignment formulated by the contracting authority significant for the interpretation of the concept of “controller”?

(4)      If the determination of actual data processing operations is relevant for the interpretation of the concept of “controller”, is the definition of “processing” of personal data under Article 4(2) of the GDPR to be interpreted as also covering situations in which copies of personal data have been used for the testing of IT systems in the process for the acquisition of a mobile application?

(5)      Can joint control of data in accordance with Article 4(7) and Article 26(1) of the GDPR be interpreted exclusively as involving deliberately coordinated actions in respect of the determination of the purpose and means of data processing, or can that concept also be interpreted as meaning that joint control also covers situations in which there is no clear “arrangement” in respect of the purpose and means of data processing and/or actions are not coordinated between the entities? Are the circumstance relating to the stage in the creation of the means of personal data processing (IT application) at which personal data were processed and the purpose of the creation of the application legally significant for the interpretation of the concept of joint control of data? Can an “arrangement” between joint controllers be understood exclusively as a clear and defined establishment of terms governing the joint control of data?

(6)      Is the provision in Article 83(1) of the GDPR to the effect that “administrative fines … shall … be effective, proportionate and dissuasive” to be interpreted as also covering cases of imposition of liability on the “controller” when, in the process of the creation of an IT product, the developer also performs personal data processing actions, and do the improper personal data processing actions carried out by the processor always give rise automatically to legal liability on the part of the controller? Is that provision to be interpreted as also covering cases of no-fault liability on the part of the controller?’

21.      The request for a preliminary ruling, dated 22 October 2021, was registered at the Court on 12 November 2021. The NVSC, the Inspectorate, the Lithuanian Government and the European Commission submitted written observations.

22.      The Lithuanian and Netherlands Governments, together with the Commission and the Council, were represented at the hearing which took place on 17 January 2023.

IV.    Analysis

23.      During the COVID-19 pandemic, mobile applications designed to ‘track and trace’ people infected by the virus and/or those who had been in contact with someone infected by the virus were made available for download by the public in many Member States. Such mobile applications were developed in an effort to respond to the emergency of the situation, often with the participation of several public and private entities (such as ministries and other public entities, as well as private companies). Users were required to upload their personal data in the mobile applications, in particular data concerning their health. (6)

24.      The main proceedings concern, precisely, such a mobile application, namely KARANTINAS, which was developed by ITSS (a private company) at the initiative of the NVSC (a public authority) following a decision of the Minister for Health. It is not clear from the information in the case file, nor that provided at the hearing, which other public entities of Lithuania, if any, were involved in the development of the application. (7) Some doubts also exist as to whether the NVSC consented to KARANTINAS being made available to the public during the period when the processing of personal data took place (April and May 2020). However, in the questions referred to the Court, the Vilniaus apygardos administracinis teismas (Regional Administrative Court, Vilnius) identified the following circumstances as being relevant.

–        The NVSC had planned to acquire KARANTINAS pursuant to Article 72(2) of the Law on Public Procurement, but the procedure was never completed and the acquisition never occurred. Ownership of KARANTINAS was thus never transferred from ITSS to the NVSC.

–        The NVSC was mentioned as a controller in the confidentiality policy of KARANTINAS, which was made available to the public. Links to the NVSC were also included in the last version of the application, which was, however, never officially approved by that entity.

–        The NVSC never processed personal data itself nor did it formally consent to the processing operations undertaken, but it provided instructions regarding the development of KARANTINAS and those instructions were followed by ITSS.

–        ITSS and the NVSC did not come to any formal arrangement as to the purposes and means of the processing of personal data that took place.

25.      Against that background, the questions referred to the Court concern the interpretation of various provisions of the GDPR. The first three questions, as well as the fifth question, call for an interpretation of the concept of ‘controller’, within the meaning of Article 4(7) of that regulation, and require a clarification on the circumstances in which two or more entities can be regarded as ‘joint controllers’, pursuant to that provision and Article 26(1) of that regulation. I will first analyse those questions together (A) before turning to the fourth question, which concerns the concept of ‘processing’, within the meaning of Article 4(2) of the GDPR, and its application in the context of the test phase of a mobile application (B). (8) I will then delve into the issue which is at the heart of the present case, namely the sixth question, which is of a transversal nature since it concerns the conditions under which administrative fines may be imposed on controllers, in application of Article 83 of the GDPR (C).

A.      On the concept of ‘controller’ and situations of joint control (Questions 1 to 3 and 5)

26.      By the first three questions, the referring court wonders, in essence, whether, in the light of the circumstances detailed in point 24 above, an entity such as the NVSC must be regarded as a ‘controller’, within the meaning of Article 4(7) of the GDPR. Furthermore, by the fifth question, the referring court seeks clarification as to whether, in such circumstances, two entities such as the NVSC and ITSS must be regarded as ‘joint controllers’, in accordance with that provision and Article 26(1) of that regulation, even though they have not come to any formal arrangement as to the purposes and means of the processing and/or do not appear to have otherwise coordinated their actions.

1.      What is a controller? (Questions 1 to 3)

27.      I recall that, pursuant to Article 4(7) of the GDPR, a ‘controller’ is defined as the person or entity which, ‘alone or jointly with others, determines the purposes and means of the processing of personal data’. Put simply, a controller does not need to process any of the personal data itself, but it must determine the ‘why and how’ of the relevant processing operations. (9) The Court has suggested that, in order to fulfil that criterion, a person or entity must actually ‘[exert] influence over the processing of personal data’. (10) However, it is not necessary that the determination of the purposes and means of the processing be carried out in accordance with written guidelines or instructions from the controller. (11) Indeed, Article 4(7) of the GDPR calls for a factual analysis rather than a formal one.

28.      In connection therewith, the European Data Protection Board (EDPB) has suggested that it is also possible to be a controller irrespective of a specific competence or power to control data being conferred by law. Indeed, the capacity to determine the purposes and means of the processing depends, above all, on the influence exercised, which can be inferred from factual circumstances. An entity which is in fact in a position to determine the purposes and means of the processing will thus be regarded as a ‘controller’, irrespective of whether it was formally appointed as such (by law or in a contract or otherwise). (12)

29.      Having made those clarifications, I note that several of the circumstances described by the referring court in the first three questions are of a purely formal nature; for example, the fact that the NVCS does not legally own KARANTINAS or that the procedure for the acquisition of that mobile application was never completed, or that the NVSC did not officially authorise the release of the application to the public at large or approve the last version of the application. In my view, none of those circumstances can, in and of themselves, preclude a finding that the NVSC acted as a ‘controller’, within the meaning of Article 4(7) of the GDPR, in the context of the main proceedings. Indeed, they are not sufficient to refute a conclusion that the NVSC was in fact in a position to determine the purposes and means of the processing of personal data that took place. By the same token, it seems to me that the fact that the NVSC was mentioned as a controller in the confidentiality policy of the version of KARANTINAS which was made available for download by the public, or that links to that entity were included in that version of the mobile application, is relevant but not conclusive when it comes to the influence actually exercised by that entity.

30.      By contrast, the evidence before the referring court which shows that the NVSC decided which type of personal data should be collected by KARANTINAS and from which data subjects and/or other key aspects of the processing is, in my view, sufficient to establish that that entity determined the ‘means’ of the processing. I further consider that the fact that KARANTINAS was created to fulfil the objective defined by the NVSC, namely to provide a response to the COVID-19 pandemic, and that its functioning was regularly modified by ITSS to respond to the needs determined by the NVSC, in line with the instructions provided by that entity, is enough to conclude that that entity has determined the ‘purposes’ of that processing.

31.      Having said that, it seems to me that, in order to determine whether an entity such as the NVSC can be regarded as a ‘controller’ within the meaning of Article 4(7) of the GDPR, the referring court must also establish whether, notwithstanding the influence exercised by the NVSC at the stage of the development of KARANTINAS, the decision to make that mobile application available to the public and, therefore, to engage in the processing of personal data was actually adopted with the (express or implied) consent of that entity (regardless of the fact that that consent was not officially or formally provided).

32.      Indeed, as the definition of the concept of ‘controller’ in Article 4(7) of the GDPR makes clear, the influence exercised by a controller must relate to the processing of personal data itself, not just any prior step. A physical or moral person or entity does not become a ‘controller’ by the mere fact that it initiates the development of a mobile application or defines the parameters of that application (or of another data-collecting tool). Its actions must actually be connected to the processing of personal data and it must, therefore, have consented expressly or impliedly to the relevant tool being used to undertake such processing.

33.      The Court insisted on that requirement in its judgment in Fashion ID, (13) in which it expressly stated that the liability of a controller is limited to the operation or set of operations involving the processing of personal data in respect of which it actually determined the purposes and means. (14) It follows that the determination of the purposes and means must directly relate to the relevant operation or set of operations involving the processing of personal data.

34.      In my view, it follows from those findings that an entity, such as the NVSC, which initiates the development of a mobile application can be regarded as a ‘controller’, within the meaning of Article 4(7) of the GDPR, only in a situation where there are enough elements of a factual, rather than formal, nature from which the national courts can conclude that such an entity exercised actual influence with regards to the ‘purposes and means’ of that processing and that it actually consented to the release of the mobile application to the public and, consequently, to the processing of the personal data. Subject to the verifications to be carried out by the referring court, I believe that the NVSC fulfils those requirements.

2.      When can two entities be regarded as joint controllers? (Question 5)

35.      The fifth question concerns the conditions that must be satisfied in order for two (or more) entities to be regarded as joint controllers. I understand that the referring court seeks clarity on the interpretation of that concept because it suspects that, in the situation at hand in the main proceedings, the NVSC and ITSS could be regarded as ‘joint controllers’ and, as such, could be jointly and severally liable for the damage caused (15) and/or jointly fined for the breaches of the data protection rules committed when KARANTINAS was made available for download by the public. I note, in that regard, that, as I indicated in point 16 above, that entity and that company were, in fact, both found responsible and fined in application of Article 83 of the GDPR for the infringements committed, in their capacity as joint controllers, by the Inspectorate.

36.      Pursuant to Article 26(1) of the GDPR, ‘joint controllers’ exist where two or more controllers jointly determine the purposes and means of processing. Each joint controller must, therefore, independently fulfil the criteria listed in the definition of ‘controller’ provided in Article 4(7) of that regulation. (16) Furthermore, the joint controllers must have a certain relationship with one another, given that their influence over the processing must be exercised jointly.

37.      The Court has indicated that the existence of joint control does not necessarily imply equal responsibility or participation of the various persons or entities involved. On the contrary, joint controllers may be involved at different stages of the processing, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances in each case. (17) Moreover, joint responsibility of several entities for the same processing does not require each of them to have access to the personal data concerned. (18) What matters, however, is that they jointly participate in the determination of the ‘purposes and means’ of the processing.

38.      In that regard, I note that, as the Guidelines 07/2020 state, such joint participation can exist in different forms. It can result from a common decision taken by two or more entities or it can merely result from converging decisions of those entities. Where the latter is the case, it only matters that the decisions complement each other and are necessary for the processing to take place in such a manner that they have a tangible impact on the determination of the purposes and means of the processing – meaning, in essence, that the processing would not be possible without the participation of both parties. (19)

39.      Against that background, the referring court wonders whether the fact that two controllers (in casu, the NVSC and ITSS) have not come to any formal arrangement as to the purposes and means of the processing and/or do not appear to have otherwise coordinated their actions precludes them from being regarded as ‘joint controllers’.

40.      I understand that the referring court’s doubts in that regard arise from the fact that, pursuant to Article 26(1) of the GDPR, joint controllers must, in a transparent manner, determine their respective responsibilities for compliance with the obligations of that regulation, by means of an arrangement between them. Furthermore, recital 79 of that regulation indicates that ‘clear allocation of the responsibilities’ is required, including where a controller determines the purposes and means of processing jointly with others. However, in my view, those obligations and requirements apply to joint controllers only once they can be regarded as such. They do not form part of the criteria that must be fulfilled in order for them to be qualified as such.

41.      As I have stated in point 36 above, joint control depends on only two objective conditions being fulfilled. First, each joint controller must fulfil the criteria listed in the definition of ‘controller’ provided in Article 4(7) of the GDPR. There is not enough information in the case file from which it can be determined whether, in the situation in the main proceedings, ITSS must be regarded as a ‘controller’ within the meaning of that provision. However, it appears to me, in the light of the findings that I have made in the previous section and subject to the verification to be undertaken by the referring court, that at least  the NVSC – if not both that entity and ITSS – fulfils the conditions to be considered a ‘controller’, within the meaning of that provision. Second, the controllers’ influence over the processing must be exercised jointly (meaning that it must be exercised in conformity with the legal criteria and case-law which I have recalled in points 37 and 38 above). In that regard, I have explained that joint participation in the processing can exist in different forms and does not even have to proceed from a common decision of the parties involved. As such, the substantive and functional approach required in order to establish whether a person or entity must be regarded as a ‘controller’, within the meaning of Article 4(7) of the GDPR, also applies, in my view, to joint control. (20)

42.      Given those elements, I am of the view, first, that the absence of any agreement or arrangement or even common decision between two or more controllers such as the NVSC and ITSS cannot, in and of itself, exclude a finding that they are ‘joint controllers’ within the meaning of Article 4(7) of the GDPR, read in conjunction with Article 26(1) thereof. In that regard, I add that the EDPB has suggested that, although contractual arrangements can be useful in assessing joint control, they should always be checked against the factual circumstances of the relationship between the parties. (21)

43.      Second, it also seems to me that simply because the NVSC and ITSS do not appear , beyond the fact that they have not reached an agreement, arrangement or common decision, to have coordinated their actions or otherwise cooperated with one another does not mean that they cannot be regarded as ‘joint controllers’. Even if such coordination or cooperation exists, it is immaterial to the question of whether the relationship between those two entities is one of joint control or not. Indeed, one may easily imagine that cooperation or coordination could exist between two or more entities, without them being joint controllers at all. For example, two separate controllers could be coordinating their actions or cooperating with one another with the intention of transferring personal data between themselves. That would not, however, turn them into ‘joint controllers’ within the meaning of Article 4(7) and Article 26(1) of the GDPR. (22)What matters, as I have explained in point 38 above, is that the processing would not be possible without the participation of both parties because both have a tangible impact on the determination of the purposes and means of that processing.

3.      Conclusion on the interpretation of the concept of ‘controller’ and situations of joint control

44.      In the light of the foregoing, it seems to me that, on the one hand, subject to the verifications to be carried out by the referring court, an entity such as the NVSC fulfils the conditions listed in Article 4(7) of the GDPR to be regarded as a ‘controller’. On the other hand, whether the NVSC and ITSS can be regarded as ‘joint controllers’, in line with the criteria which I have outlined in the previous section, or qualify as ‘controller’ and ‘processor’, respectively, depends on the nature of their relationship, which it is for the referring court to assess.

45.      In that regard, I add that the nature of the relationship between the NVSC and ITSS (namely, whether they are ‘joint controllers’ or, respectively, ‘controller’ and ‘processor’) is relevant to the sixth question. I will therefore return to the findings that I have made with regard to the fifth question when turning to the issues raised by the sixth question.

B.      On the concept of ‘processing’ (Question 4)

46.      By the fourth question, the referring court wonders, in essence, whether the definition of ‘processing’ provided in Article 4(2) of the GDPR covers a situation where personal data are used during the test phase of a mobile application. (23) I gather from the request for a preliminary ruling that KARANTINAS was put through a test phase before it was made available for download by the public. From my understanding, the fourth question thus concerns a situation which is different from the one at the heart of the other questions referred to the Court, which all relate to the processing of personal data after the run of the test phase, when KARANTINAS was released to the public. Specifically, the referring court wishes to know whether the use of personal data during that test phase qualifies as ‘processing’ within the meaning of Article 4(2) of the GDPR and, as such, could result in potential liability for the controllers and/or processors involved.

47.      Article 4(2) of the GDPR defines ‘processing’ as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means …’. (24)

48.      I understand from that wording (in particular from the use of the word ‘any’ and of generic terms such as ‘operation’ or ‘set of operations’) that that provision is to be given a broad meaning, so as to cover as many possible situations in which personal data are used. The non-exhaustive list of such situations, which is laid down in that provision, confirms that interpretation, given the variety of operations that are included therein. (25)

49.      Furthermore, whereas it results from the above section that the definition of ‘controller’, within the meaning of Article 4(7) of that regulation, is closely connected to the purposes of the processing of personal data (the reasons ‘why’ personal data are collected), that is not the case for the definition set out in Article 4(2) thereof. As such, the reasons for which an operation or set of operations are carried out is, in principle, irrelevant to the question of whether they must be characterised as ‘processing’, within the meaning of that provision. It follows, in my view, that whether personal data are collected with a view to testing the IT systems embedded in a mobile application or for another purpose has no bearing on the question of whether the operation in question qualifies as ‘processing’.

50.      In that regard, I further note that ‘use’ of personal data (without any further mention and, therefore, regardless of the purpose of the use) is listed amongst the operations or sets of operations that constitute ‘processing’. (26) Moreover, Article 4(2) of the GDPR does not contain any express exception, derogation or exclusion for operations relating to the use of personal data for the testing of IT systems. It follows that nothing prevents the use of personal data with a view to performing such testing to be considered as ‘processing’, within the meaning of that provision; quite the contrary.

51.      In the light of those elements, I consider that the definition of ‘processing’ provided in Article 4(2) of the GDPR covers a situation where personal data are used during the test phase of a mobile application.

52.      My conclusion in that regard is not affected by the mere fact that the personal data provided for the purposes of testing the IT systems embedded in a mobile application may have undergone pseudonymisation. (27) The only circumstance under which the GDPR would not apply is if the information supplied into the mobile application consists only of anonymous information which ‘does not relate to an identified or identifiable natural person or to personal data’ or of personal data that have been ‘rendered anonymous in such a manner that the data subject is not or no longer identifiable’. I note, however, that, in the case in the main proceedings, the data used for the testing phase do not appear, on the basis of the information provided in the case file, to have consisted of such anonymised data. (28)

53.      In the light of the foregoing, I consider that the definition of ‘processing’ provided in Article 4(2) of the GDPR covers a situation where personal data are used during the test phase of a mobile application, unless such data have been rendered anonymous in such a manner that the data subject is not or no longer identifiable. Whether personal data are collected with a view to testing the IT systems embedded in a mobile application or for another purpose has, for its part, no bearing on the question of whether the operation in question qualifies as ‘processing’. (29)

54.      Having made those clarifications, I shall now turn to the core issue in the present case, which concerns the conditions under which an administrative fine can be imposed on a controller or processor, in application of Article 83 of the GDPR.

C.      On administrative fines imposed in application of Article 83 of the GDPR (Question 6)

55.      Before the adoption of the GDPR, penalties for breach of the data protection rules were largely left to the discretion of the Member States, pursuant to their procedural and remedial autonomy. (30) Administrative fines, which were introduced by Article 83 of that regulation, are, consequently, a relatively new ‘development’ in EU data protection law. They have been described by the Article 29 Working Party as a ‘central element in the new enforcement regime’. (31) Although that provision has not yet been interpreted by the Court, it has already been applied by supervisory authorities, sometimes to impose heavy fines on controllers or processors. (32)

56.      Article 83 of the GDPR provides a two-tier sanction system, depending on the specific type of provision infringed. Whereas the first tier, defined in Article 83(4) of that regulation, applies to situations where a controller or processor breaches the general obligations to which they are subject, as well as certain specific obligations, the second tier is reserved, as Article 83(5) of the GDPR indicates, for more serious infringements, such as infringements of, inter alia, the basic principles for processing, the data subjects’ rights, and the rules relating to the transfer of personal data to a recipient in a third country or an international organisation.

57.      For both tiers, the competent national authorities must, after they have established that a particular provision of the GDPR has been infringed, perform two assessments. First, they must determine whether a fine should be imposed and, second, where they have so determined, they must set the amount of that fine. Those assessments must be carried out in each individual case, in the light of various factors listed in Article 83(2) of the GDPR. Among those factors is the ‘intentional or negligent character of the infringement’ (Article 83(2)(b) thereof).

58.      By its sixth question, the referring court wonders, in essence, whether an administrative fine can be imposed on a controller when the controller did not act intentionally or negligently in breaching the data protection rules and the unlawful processing of personal data was done, not by the controller itself, but by a processor. Returning to the findings that I have made above with regard to the fifth question, it seems to me that the sixth question is asked in the event that, in the main proceedings, the NVSC and ITSS could not be regarded as ‘joint controllers’, within the meaning of Article 4(7) of the GDPR, read in conjunction with Article 26(1) of that regulation, and would have to be considered ‘controller’ and ‘processor’, respectively. Within that particular framework, the referring court would like to clarify the circumstances under which the NVSC may be fined, in application of Article 83 of the GDPR.

59.      Having said that, I note that the sixth question mentions only Article 83(1) of the GDPR as the relevant provision. However, in my view, the issues raised by that question require one to consider Article 83 of that regulation as a whole and, in particular, as I have explained in point 57 above, to take into account Article 83(2)(b) thereof, given that that provision refers to the ‘intentional or negligent character of the infringement’. I will thus consider the sixth question to enquire about the interpretation of Article 83 of the GDPR as a whole, not just Article 83(1) thereof.

60.      In my view, that question has two parts to it. First, it requires the Court to determine whether Article 83 of the GDPR allows administrative fines in general to be imposed on controllers or processors in the absence of any mens rea (mental element – fault). In essence, the referring court would like to know whether the NVSC could be fined on the simple basis that it breached the obligations imposed on it by virtue of being a controller (strict liability), or whether an element of fault in committing the relevant breach(es) is required. Second, it calls for clarification as to whether the fact that the unlawful processing of personal data was not done by the controller itself but by a processor affects, in any way, the ability of supervisory authorities to impose a fine on the controller.

61.      I will consider each of those two aspects in turn.

1.      The first aspect: the need to establish fault

62.      Article 83 of the GDPR requires every administrative fine imposed for a breach of the data protection rules to be ‘effective, proportionate and dissuasive’. That is made clear by paragraph 1 of that provision. However, that paragraph does not state whether such a fine can be imposed only if fault is also established, that is to say, whether ‘fault’ is a prerequisite to the imposition of any administrative fine.

63.      Paragraph 2(b) of that provision, on the other hand, lists the ‘intentional or negligent character of the infringement’ among the elements (33) to which supervisory authorities must have ‘due regard’ in each individual case. Pursuant to Article 83(2)(k) of that regulation, those elements must be understood as ‘aggravating or mitigating [factors]’ and are non-exhaustive.

64.      Within that context, there are, in my view, two possible ways to understand Article 83 of the GDPR.

65.      On the one hand, one could consider that, although a decision to impose a fine and its amount must be determined having due regard to the degree of fault involved (so that, for instance, a higher fine should in principle be imposed if the infringement was the result of intentional conduct and, conversely, negligent conduct should result in a lower fine), nothing prevents a fine from also being imposed in the absence of any fault, so long as the data processor or controller can be deemed to be responsible for the infringement. That interpretation would be supported by a reading of Article 83(2)(b) and (k) to the effect that, by mentioning different types of fault (deliberate or by negligence) as ‘aggravating or mitigating [factors]’, those provisions could be implying that fault, in general, is not a prerequisite for the imposition of a fine.

66.      On the other hand, one could also argue, as the Commission does in the present case, that the negligence of the person or entity that committed the infringement must be established, as a minimum requirement, before a fine can be imposed. That approach would be supported by a different, more cautious reading of Article 83(2)(b) and (k) of the GDPR, namely that those provisions require supervisory authorities to distinguish between a mitigating factor (negligence) and an aggravating one (intention), but do not indicate that a fine could be imposed in the complete absence of fault.

67.      The Commission expressly opted for that interpretation in its initial proposal which led to the adoption of the GDPR, (34) in which it suggested to organise the system of fines as a three-tier system. For each tier, the Commission proposed that fines could only be imposed on ‘anyone who, intentionally or  negligently’, (35) committed one or more of the alleged infringements. Fault was, thus, clearly envisaged by the Commission as a prerequisite for the imposition of such a fine. (36)

68.      Although both approaches can, in my view, be defended based on a textual interpretation of Article 83(2) of the GDPR, as they each correspond to an understanding of the ‘intentional or negligent character of the infringement’ as an ‘aggravating’ or ‘mitigating’ factor, I am of the view that only the second approach properly reflects the intention of the EU legislature. Several reasons guide me to that conclusion.

(a)    The reasons why fault is required

69.      First, I note that several of the factors listed in Article 83(2) of the GDPR contain specific wording from which it can be inferred that such factors may not apply in all cases, but only in some. In particular, Article 83(2)(c), (e) and (k) all start with the word ‘any’ (‘any action taken by the controller or processor to mitigate the damage …’; ‘any relevant previous infringements …’; ‘any other aggravating or mitigating factor applicable to the circumstances of the case …’), thereby suggesting that, although the supervisory authorities must always take into account whether there is any mitigating action, prior infringement or other relevant aggravating or mitigating factor where such elements are present or proven, there may, in fact, be situations where the same elements are simply absent, and yet the competent data protection authority may still decide to impose a fine (or, conversely, not to impose one). In a similar vein, I note that Article 83(2)(i) of the GDPR is also formulated in a non-systematic manner, as it requires a consideration as to whether the controller or processor has complied with measures referred to in Article 58(2) of that regulation, but only ‘where [such] measures … have previously been ordered against the controller or processor’.

70.      Article 83(2)(b), by contrast, mentions ‘the intentional or negligent character of the infringement’. (37) As such, it seems to me to form part of the factors that must be present and, figuratively speaking, whose box must be ‘ticked’, in all cases, before a fine can be imposed, much like ‘the nature, gravity and duration of the infringement …’ (Article 83(2)(a)), ‘the categories of personal data affected …’ (Article 83(2)(g)) and ‘the manner in which the infringement became known …’ (Article 83(2)(h)). Those other factors must also, in my view, be ‘present’ in all cases: for example, the ‘nature, gravity and duration of the infringement’ may differ greatly from one case to another (and may, accordingly, be considered either as a reason ‘for’ or as a reason ‘against’ the imposition of a fine). Yet, in all cases, there will be the nature, some gravity and some duration of the infringement to take into account. In my view, that constitutes first indicia that administrative fines were introduced in Article 83 of the GDPR, so that they only be imposed in situations where the alleged infringement was either intentional or negligent. (38)

71.      Second, I note that, although Article 83(2) of the GDPR does not expressly state that the infringement must have occurred ‘intentionally or negligently’, the same cannot be said of paragraph 3 of that provision, which contains a general rule precluding the aggregation of administrative fines. That paragraph mentions only the situation where the relevant infringement(s) occurred ‘intentionally or negligently’.

72.      In my view, it logically follows that Article 83(2) of the GDPR must be interpreted as meaning that a fine can be imposed only if the alleged infringement occurred intentionally or negligently. Indeed, if the scope of paragraphs 2 and 3 of Article 83 of the GDPR were different, then it would be possible to impose aggregated fines for less serious infringements (that is to say, those committed without any fault), since, although they could still result in the imposition of a fine in application of the first of those provisions (Article 83(2)), they would not be caught by the second (Article 83(3)). The same would not, however, be possible for infringements committed negligently or intentionally, as they would all be subject to the rule against aggregation contained in Article 83(3) of that regulation. Such an outcome would clearly go against the basic principle of the penalty regime put in place by the GDPR, which is that serious infringements should, in principle, be penalised more strictly than less serious ones, and not the other way around.

73.      Third, I note that the fines imposed in application of Article 83 of the GDPR can result in severe punishment. Indeed, the first tier, which is covered by Article 83(4) of that regulation, can lead to the imposition of fines of up to EUR 10 000 000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The second tier provides for fines up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year (again, whichever is higher).

74.      Consequently, it would seem to me that the fines imposed in application of Article 83 of the GDPR pursue a punitive purpose, at least in some situations, (39) and present a high degree of severity such that they are liable to be regarded as being criminal in nature (40) and, thus, as falling within the scope of Article 49 of the Charter of Fundamental Rights of the European Union (‘the Charter’). (41)

75.      In the light of those elements and, in particular, of the criminal character of the fines imposed in application of Article 83 of the GDPR, one may be tempted to argue that it would be incompatible with the requirement of paragraph 1 of that provision that fines be, in all cases, not merely ‘effective’ and ‘dissuasive’, but also ‘proportionate’, to allow such fines to be imposed in the absence of fault. In other words, it would be disproportionate to impose fines in cases where not even negligence is established. In my view, that argument is, however, a difficult one to make, given that the Court has already found that a system of penalties or sanctions based on strict liability, even one which is criminal in nature, is not, in itself, disproportionate to the objectives pursued, if that system is such as to encourage the persons concerned to comply with the provisions of a regulation and where the objective pursued is a matter of public interest which may justify the introduction of such a system. (42) Moreover, the European Court of Human Rights (ECtHR) has held, in relation to Article 7 of the European Convention on Human Rights (ECHR) (which corresponds to Article 49 of the Charter), (43) that, although punishment under that provision generally requires the existence of a mental link through which an element of liability may be detected in the conduct of the person who physically committed the offence, that requirement does not preclude the existence of certain forms of objective liability. (44)

76.      Having said that, I understand from that case-law that a mens rea is, as a general rule, required in order for a criminal penalty to be imposed, and that strict liability thus constitutes a sort of ‘exception’ to that general rule, to the extent that it must be justified in the light of the objectives pursued by the regulation.

77.      Considering the GDPR as a whole, it seems to me that administrative fines were contemplated by the EU legislature as only one of the tools provided in that instrument to ensure effective compliance. Indeed, fines must be imposed ‘in addition to, or instead of,’ the other measures listed in Article 58(2) of that regulation, which confers on supervisory authorities a range of corrective powers (such as the power to issue warnings, reprimands or orders). (45) Furthermore, in situations where no administrative fine is imposed in application of Article 83 of the GDPR, supervisory authorities have the possibility of imposing other penalties pursuant to Article 84 of that regulation. (46)

78.      In my view, those provisions make clear that, when adopting that regulation, the EU legislature did not intend for every breach of the data protection rules to be punishable by an administrative fine. Rather, it meant to provide for a flexible and differentiated system of penalties and sanctions. That is confirmed by recital 148 of the GDPR, which provides that supervisory authorities can abstain from imposing an administrative fine, and instead issue a reprimand, in a case of ‘minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person’. Within that context, limiting the application of Article 83 of the GDPR to situations where negligence is, as a minimum requirement, established is, to my mind, aligned with those objectives and the overarching logic of those different provisions, according to which the imposition of administrative fines should be reserved for certain types of breaches.

79.      It also seems to me that, when the EU legislature has shown its wish to introduce strict or presumed liability in the GDPR, it has done so using specific wording which is absent from Article 83 thereof. For example, for civil liability (that is, responsibility of controllers and processors to data subjects), which is covered by Article 82 of the GDPR, the EU legislature has stated that controllers and processors are under a strict obligation to compensate the damage that they cause to data subjects unless they manage to prove that they are not in any way responsible for the events giving rise to the damage. (47) Article 83 of that regulation, by contrast, does not contain similar wording to Article 84 of the GDPR. That, in my view, confirms that the EU legislature did not intend for that provision to introduce a system of fines based on strict or presumed liability.

80.      Fourth, and perhaps most importantly, I consider that, in practice, the threshold for a negligent infringement of the GDPR, within the meaning of Article 83(2)(b) of that regulation, is, in any case, so low that it is difficult to envisage situations where it will be impossible to impose a fine for the mere reason that that element is not satisfied. As such, I consider that the mere fact that intention or negligence must be established before a fine can be imposed in application of Article 83 of that regulation does not jeopardize the EU legislature’s objective of guaranteeing the effective enforcement of the data protection rules contained therein, quite the contrary.

81.      Some have argued, in that regard, that the mere failure to take any action in a situation where the controller or processor has mere doubts about the legality of the processing undertaken already constitutes deliberate acceptance of potentially infringing the GDPR and, thus, gross negligence. (48) Furthermore, the Article 29 Working Party has suggested that a negligent infringement, in many ways, equates to an ‘unintentional’ infringement, since, in its view, such an infringement can exist where there was no intention to cause the infringement, and the controller or processor merely breached its duty of care. (49) In particular, it has stated that even plain and simple ‘human error’ (50) may be indicative of negligence.

82.      Two conclusions come to mind. First, the line between an entirely unintentional no-fault infringement and a negligent one is, in fact, very fine. I believe that supervisory authorities will seldom have difficulty in finding sufficient elements to the effect that the alleged infringement occurred at least negligently. In that regard, I note that it has been said, in the literature, that ‘given the now numerous actions for awareness-raising … to ensure compliance with the GDPR …, it is hard to imagine … infringements of the GDPR without at least negligence present’. (51) I fully agree, and recall that the GDPR specifically aims at ensuring that controllers and processors are aware of the data protection rules, which makes it even more difficult, in my view, to consider that an infringement could occur through no fault at all (not even negligence). (52)

83.      Second, that result appears perfectly consistent with the primary objective of the GDPR, which is to ensure a consistent and high level of protection of natural persons within the European Union. (53) Indeed, fines have a deterrent effect. (54) Thanks to the incentive that they create for controllers and processors to comply with the GDPR, they contribute overall to the reinforcement of the protection of data subjects and are, therefore, a key element in ensuring the respect of their rights. (55) In my view, it follows that, while ‘fault’ cannot be dispensed with, the degree of fault required for Article 83 of that regulation to be triggered is sufficiently low, so as to ensure an appropriate level of protection for data subjects.

84.      In addition, I would emphasise that that approach which I propose the Court to adopt would also confirm the alignment of the fining system put in place by that provision with that which is laid out in Article 23(1) of Regulation (EC) No 1/2003, (56) for competition law infringements, which also only applies if intention or negligence are established. The fact that that other fining system inspired the wording of Article 83 of the GDPR is borne out by recital 150 thereof, which states that ‘where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes’, and by other similarities between those two fining systems, such as the fact that the amount of the fines can, for undertakings, be based, in both systems, on their turnover. I also note that several of the factors listed in Article 83(2) of the GDPR mirror those which are relevant in order to determine the amount of a fine for infringements of competition law. (57)

85.      Having outlined the reasons why I believe that fault must be established before a fine can be imposed on a controller or processor in application of Article 83(2) of the GDPR, it remains for me to say a few words about the line of reasoning put forward by the Council and the Lithuanian Government. According to those parties, it is for the Member States to decide whether fault is required or not before an administrative fine can be imposed.

86.      I, for one, simply do not agree with that suggestion.

(b)    Why Member States have no margin of appreciation as to whether fault is required

87.      It is clear to me that one of the core objectives of the GDPR and, in particular, of Article 83 thereof is to achieve a greater level of harmonisation across the European Union with regard, specifically, to the imposition of fines. (58) As such, I am of the view that, contrary to what the Council and the Lithuanian Government have argued, the EU legislature did not intend for Member States to have discretion as to whether fault is required or not.

88.      It is true that additional requirements regarding the procedure to be followed by the supervisory authorities when imposing a fine may be provided for in national legislation (with respect to matters such as the notification of the fine and deadlines for making representations, appeal, enforcement and payment). (59) That is clear from Article 83(8) of the GDPR, which states that the exercise by the supervisory authorities of their fining powers shall be ‘subject to appropriate procedural safeguards’, which are to be provided for by national law, so long as respect of EU law (and particularly with the right to effective judicial remedy and due process) is guaranteed.

89.      That discretion cannot, however, extend to the substantive requirements which apply for the imposition of a fine, such as the degree of fault. In my view, that conclusion directly follows from several recitals of that regulation, (60) which indicate that the system of administrative fines put in place by Article 83 of the GDPR was intended by the EU legislature to produce consistent results across the territory of the European Union.

90.      For the sake of completeness, I add that, given that fines have a strong impact on competition between undertakings and have significant market repercussions, it is essential, in my view, that Article 83 of the GDPR be applied in a consistent manner, or else it could actually contribute to introducing distortions of competition between undertakings. (61)

2.      The second aspect: can a controller be fined for an infringement committed in a context where the unlawful processing was done not by itself but by a processor?

91.      By the second part of the sixth question, the referring court wonders, in essence, whether a controller can be fined in application of Article 83 of the GDPR in a context where the unlawful processing of personal data was not carried out by the controller itself, but by a processor (in casu, by ITSS).

92.      In my view, that question must be answered in the affirmative.

93.      In that regard, I recall that, as I have indicated in point 27 above, a controller does not need to process any of the personal data itself, so long as it determines the ‘why and how’ of the relevant processing operations. I further note that Article 4(8) of the GDPR defines a ‘processor’ as ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’. (62)

94.      Those definitions confirm, in my view, that, within the context of the application of the GDPR, a controller can be held liable and therefore can be fined, in application of Article 83 of that regulation, in a situation where personal data are processed unlawfully, and that unlawful processing was not carried out by the controller itself, but by a processor. That possibility remains in place for so long as such a processor processes personal data on behalf of the controller.

95.      That will be the case for so long as the processor acts within the scope of the mandate conferred upon it by the controller and processes data in compliance with the lawful instructions received from the controller. (63) However, if the processor goes beyond the scope of that mandate and uses data received as a processor for its own purposes, and it is clear that the parties are not ‘joint controllers’ within the meaning of Article 4(7) and Article 21(6) of the GDPR, then the controller cannot, in my view, be fined, in application of Article 83 of that regulation, in relation to the unlawful processing that took place.(64)

96.      It follows that, in a case such as the one in the main proceedings, a fine can be imposed, in application of Article 83 of the GDPR, on the NVSC, even though personal data were unlawfully processed by ITSS only and the NVSC took no part in the processing. That possibility is open for so long as that company can be considered to have processed personal data on the NVSC’s behalf, which will not be the case if ITSS acted outside of, or in contradiction with, the lawful instructions of the NVSC and used personal data for its own purposes, and it is clear that the NVSC and ITSS did not act as joint controllers.

V.      Conclusion

97.      In the light of the foregoing, I propose that the Court answer the questions referred for a preliminary ruling by the Vilniaus apygardos administracinis teismas (Regional Administrative Court, Vilnius, Lithuania) as follows:

(1)      Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that an entity which initiates the development of a mobile application can only be regarded as the ‘controller’, within the meaning of that provision, in a situation where there are enough elements of a factual, rather than formal, nature from which national courts can conclude that such an entity exercised actual influence as regards both the ‘purposes’ and the ‘means’ of that processing and it actually consented to the release to the public of the mobile application and, consequently, to the processing of the personal data.

(2)      That provision, read in conjunction with Article 26(1) of that regulation,

must be interpreted as meaning that, for two or more controllers to be regarded as ‘joint controllers’, two conditions must be satisfied: first, each joint controller must independently fulfil the criteria listed in the definition of ‘controller’ provided in Article 4(7) of that regulation, and, second, the controllers’ influence over the ‘purposes and means’ of the processing must be exercised jointly. Furthermore, the absence of any agreement or even coordination between the controllers cannot, in and of itself, exclude a finding that the controllers are ‘joint controllers’ within the meaning of those provisions.

(3)      Article 4(2) of that regulation

must be interpreted as meaning that the concept of ‘processing’ covers a situation where personal data are used during the test phase of a mobile application, unless such data have been rendered anonymous in such a manner that the data subject is not or no longer identifiable. Whether personal data are collected with a view to testing the IT systems embedded in a mobile application or for another purpose has, for its part, no bearing on the question of whether the operation in question qualifies as ‘processing’.

(4)      Article 83 of Regulation 2016/679

must be interpreted as meaning that a fine can only be imposed in order to sanction a breach of the rules of that regulation which has been committed ‘intentionally or negligently’. Furthermore, a controller may be fined in application of that provision even though the unlawful processing is carried out by a processor. That possibility is open for so long as it is established that the processor acts on the controller’s behalf. However, if the processor processes personal data outside of, or contrary to, the lawful instructions of the controller and uses the personal data received for its own purposes, and it is clear that the parties are not ‘joint controllers’, within the meaning of Article 4(7) and Article 21(6) of Regulation 2016/679, then the controller cannot be fined, in application of Article 83 of that regulation, in relation to the unlawful processing that took place.


1      Original language: English.


2      Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).


3      The personal data collected by KARANTINAS from its users included the following: identity number, latitude and longitude coordinates, country, city, municipality, residential address, forename, surname, personal identification number, telephone number, whether the person was required to self-isolate, whether he/she had registered, and so forth. Those data were collected not only in Lithuania but also abroad.


4      Article 5 of the GDPR contains a list of the general principles the compliance with which controllers must ensure when personal data are processed. Article 13 of that regulation lists the information that controllers must provide to data subjects when personal data are collected from them. Article 24 of that regulation provides that controllers must, inter alia, implement appropriate technical and organisational measures to ensure (and be able to demonstrate) that processing is performed in accordance with the applicable data protection rules. Article 32 of the GDPR relates to the security of processing and creates obligations for both controllers and processors in that regard, whilst Article 35 thereof concerns the obligation of controllers to carry out data protection impact assessments before undertaking certain types of processing.


5      Pursuant to Article 29 of the GDPR, ‘the processor, and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law’.


6      I note that personal data concerning health constitute a ‘special category of personal data’, the processing of which is prohibited by Article 9 of the GDPR, unless one of the grounds listed in paragraph 2 of that provision applies (for example the fact that the processing is necessary for reasons of public interest in the area of public health (point (i)) or for the purposes of preventive or occupational medicine (point (h))). Having said that, I note that the questions referred to the Court in the present case do not concern the lawfulness of such processing, but rather the conditions under which an entity such as the NVSC can be made liable for the processing undertaken by the developer of such a mobile application (in casu, ITSS).


7      Based on the information provided in the case file and at the hearing, it is unclear whether the city of Vilnius participated in the development of KARANTINAS.


8      As I will explain in point 46 below, I gather from the request for a preliminary ruling that KARANTINAS was put through a test phase before it was made available for download by the public. From my understanding, the fourth question thus concerns the use of personal data that occurred during that test phase, as opposed to that used at a later stage when KARANTINAS was available for download by the public.


9      See Rücker, D. and Kugler, T., New European General Data Protection Regulation: A Practitioner’s Guide, C.H. Beck, Hart and Nomos, Oxford, 2018, p. 27. According to the authors, the most important characteristic of a controller is that it determines results which are supposed to be achieved, rather than the means or the ‘how’ of processing, which can, at least in their non-essential aspects, be delegated to a processor without losing the capacity of controller.


10      See judgment of 10 July 2018, Jehovan todistajat (C‑25/17, EU:C:2018:551, paragraph 68). That judgment concerned the interpretation of the concept of ‘controller’ as it was defined under Article 2(d) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31). Although that directive is no longer in force and has been replaced by the GDPR, the interpretation given by the Court with regard to that provision remains relevant within the context of the application of the GDPR, given that the definition of that concept remains identical in both instruments, save for minor formal modifications. Thus, I will refer to judgments relating to one or the other instrument without making a distinction.


11      See judgment of 10 July 2018, Jehovan todistajat (C‑25/17, EU:C:2018:551, paragraph 67).


12      See ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’ of the EDPB, version 2.1, adopted on 7 July 2021 (‘the Guidelines 07/2020’, available in English at the following address: https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf), p. 3 and points 21 and 25 to 27.


13      Judgment of 29 July 2019 (C‑40/17, EU:C:2019:629, paragraph 85).


14      See, also, the Guidelines 07/2020, point 42.


15      See Article 26(3) of the GDPR, pursuant to which ‘the data subject may exercise his or her rights under [the GDPR] in respect of and against each of the controllers’. See, also, Article 82(4) and (5) of that regulation.


16      See, in that regard, judgment of 29 July 2019, Fashion ID (C‑40/17, EU:C:2019:629, paragraph 67 and the case-law cited).


17      See, to that effect, judgment of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein (C‑210/16, EU:C:2018:388, paragraph 43).


18      See judgment of 10 July 2018, Jehovan todistajat (C‑25/17, EU:C:2018:551, paragraph 69 and the case-law cited).


19      See the Guidelines 07/2020, p. 3 and points 54 and 55.


20      Indeed, it would be slightly contradictory if it were possible to do away with formal requirements in order for a person or entity to be qualified as a ‘controller’, but not for the same entity and another entity to be regarded as ‘joint controllers’.


21      See the Guidelines 07/2020, point 52.


22      See, in that regard, the Guidelines 07/2020, point 69.


23      I note that, in the fourth question, the referring court mentions the use of ‘copies of personal data’ rather than personal data. I must admit that it is not clear to me what that court means by the term ‘copies of personal data’, given that personal data can exist in an intangible form, and that, as Article 4(1) of the GDPR makes clear, the term ‘personal data’ is defined, in that provision, as ‘any information relating to an identified or identifiable natural person’ (my emphasis), without any requirement that the personal data be ‘copied’ or transcribed onto a particular device or medium. In my view, the physical object (for example, hard copies) or, for that matter, the electronic files on which the personal data are available are not relevant to the question of whether a particular set of operations involving personal data qualifies as ‘processing’ within the meaning of Article 4(2) of that regulation. In my answer to the fourth question, I will therefore refer to ‘personal data’ rather than to ‘copies of personal data’.


24      My emphasis.


25      Pursuant to Article 4(2) of the GDPR, ‘processing’ includes operations such as ‘collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.


26      See the previous footnote.


27      Indeed, ‘personal data’, within the meaning of Article 4(1) of the GDPR, read in the light of recital 26 thereof, include personal data which have undergone pseudonymisation, but which could be attributed to a natural person by the use of additional personal information.


28      In the request for a preliminary ruling, the referring court mentions that some, but not all, of the personal data used for the purposes of the test phase may have consisted of ‘fake’ data. However, it does not elaborate further on what it means by that term. In that regard, I only wish to indicate that, in my view, information may qualify as ‘personal data’, within the meaning of Article 4(1) of the GDPR, regardless of whether it contains true or false information. What matters, as I have stated, is only that the information relates to an identified or identifiable natural person. If the data are entirely made up so that they cannot be said to relate to an identified or identifiable person, then, in my view, they are not ‘personal data’ and the GDPR does not apply to the processing of those data. However, that regulation still applies with regard to the other ‘non-fake’ data collected during the test phase.


29      I would like to recall that the use of personal data for the purposes of testing the IT systems embedded in a mobile application constitutes a different ‘processing’ from that which takes place when the same mobile application is made available for download by the public. A separate assessment as to what is a ‘controller’, a ‘processor’ or a ‘joint controller’ is thus required.


30      See Article 24 of Directive 95/46.


31      See ‘Guidelines on the application and setting of administrative fines for the purposes of the [GDPR]’ of the Article 29 Data Protection Working Party, adopted on 3 October 2017, p. 4. That working party was then replaced by the EDPB. However, its ‘Guidelines on the application and setting of administrative fines’ remains valid.


32      See, for example, the multimillion-euro fine that was imposed by the French Data Protection Authority against Google in January 2019 (https://edpb.europa.eu/news/national-news/2019/cnils-restricted-committee-imposes-financial-penalty-50-million-euros_en).


33      Specifically, in Article 83(2)(b) of that regulation. The other elements listed in Article 83(2)(a) to (k) are connected either to the infringement itself (for example its nature, gravity and duration (a) or the categories of personal data targeted (g)) or to the controller or processor to whom or to which the fine would be addressed (namely, their degree of responsibility (d), their ex ante conduct, such as relevant previous infringements (e) and previous measures ordered against them (i), and their ex post behaviour, including whether they notified the infringement (h), the action which they took to mitigate the damage (c) and the degree to which they cooperated with the supervisory authority with a view to remedying the infringement and mitigating its possible adverse effects (f)). Furthermore, due regard must be had to ‘any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement’ (k).


34      ‘Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)’, COM(2012) 11 final (‘the Commission’s initial proposal for the adoption of a regulation’).


35      See Article 79(4), (5) and (6) of the Commission’s initial proposal for the adoption of a regulation. I note that the ‘intentional or negligent nature of the infringement was also included in the list of factors contained in Article 79(2) of that proposal, which had to be taken into consideration in order to fix the amount of the fine; my emphasis.


36      That wording was then modified and the terms ‘intentionally or negligently’ are no longer included in the provisions defining the two tiers of the fining system put in place by the GDPR.


37      My emphasis.


38      The same observation can also be made if one looks at the other language versions of Article 83(2) of the GDPR, in particular the Czech, Greek, Spanish, French and Italian language versions. I note however that, in the Italian version, the word ‘the’ (‘le’), rather than ‘any’ (‘eventuali’) is used with regard to Article 83(2)(c) of that regulation, which concerns the action taken by the controller or processor to mitigate the damage.


39      According to the Article 29 Working Party, administrative fines are ‘corrective measures’ whose objective may be ‘either to re-establish compliance with the rules, or to punish unlawful behaviour (or both)’ (my emphasis) (see ‘Guidelines on the application and setting of administrative fines for the purposes of the [GDPR]’ of the Article 29 Data Protection Working Party, adopted on 3 October 2017, p. 6).


40      See, by analogy, judgment of 2 February 2021, Consob (C‑481/19, EU:C:2021:84, paragraph 43). I recall that three criteria are relevant to assess whether penalties are criminal in nature: the first criterion is the legal classification of the offence under national law, the second is the intrinsic nature of the offence, and the third is the degree of severity of the penalty that the person concerned is liable to incur (see paragraph 42 of that judgment as well as judgment of 5 June 2012, Bonda, C‑489/10, EU:C:2012:319, paragraph 37; see, also, ECtHR, 8 June 1976, Engel and others v. The Netherlands, CE:ECHR:1976:0608JUD000510071, § 82). Not all criteria must be fulfilled in order for a fine to be considered as being criminal (see, in that regard, Opinion of Advocate General Bot in ThyssenKrupp Nirosta v Commission (C‑352/09 P, EU:C:2010:635, point 50 and the case-law cited).


41      Article 49 of the Charter, which is entitled ‘Principles of legality and proportionality of criminal offences and penalties’, states, in paragraph 3, that ‘the severity of penalties must not be disproportionate to the criminal offence’.


42      See judgments of 9 February 2012, Urbán (C‑210/10, EU:C:2012:64, paragraph 48); of 13 November 2014, Reindl (C‑443/13, EU:C:2014:2370, paragraph 42); of 20 December 2017, Global Starnet (C‑322/16, EU:C:2017:985, paragraph 63); and of 22 March 2017, Euro-Team and Spirál-Gép (C‑497/15 and C‑498/15, EU:C:2017:229, paragraphs 53 and 54). Those judgments illustrate the fact that this case-law has been applied to a variety of areas of EU law.


43      See ‘Explanations relating to the Charter of Fundamental Rights’ (OJ 2007 C 303, p. 17). Pursuant to Article 52(3) of the Charter, the level of protection granted by Article 49 thereof cannot be inferior to that which is afforded by Article 7 ECHR.


44      See ECtHR (Grand Chamber), 28 June 2018, GIEM s.r.l. and others v. Italy (CE:ECHR:2018:0628JUD000182806, §§ 242 and 243).


45      See Article 58(2)(i) and Article 83(2) of the GDPR.


46      Pursuant to Article 84(1) of the GDPR, ‘Member States shall lay down the rules on other penalties applicable to infringements … in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented’. Recital 152 of that regulation explains that Article 84 applies where the GDPR ‘does not harmonise administrative penalties or where necessary in other cases, for example in cases of serious infringements’.


47      See, in that regard, Chamberlain, J. and Reichel, J., ‘The Relationship Between Damages and Administrative Fines in the EU General Data Protection Regulation’, Vol. 89, No 4, Mississippi Law Journal, 2020, pp. 677 to 679.


48      See Nemitz, P., ‘Fines under the GDPR’, in Leenes, R., van Brakel, R., Gutwirth, S. and De Hert, P., Data Protection and Privacy: The Internet of Bodies, Hart Publishing, Oxford, 2019, p. 241.


49      By contrast, it has defined the concept of ‘intent’ as including both knowledge and wilfulness in relation to the characteristics of an offence (see ‘Guidelines on the application and setting of administrative fines for the purposes of the [GDPR]’ of the Article 29 Data Protection Working Party, adopted on 3 October 2017, p. 11).


50      Ibid., p. 12. Other circumstances mentioned include the mere failure to read and abide by existing policies, to check for personal data in information published, to apply technical updates in a timely manner or to adopt policies.


51      See Nemitz, P., ‘Fines under the GDPR’, in Leenes, R., van Brakel, R., Gutwirth, S. and De Hert, P., Data Protection and Privacy: The Internet of Bodies, Hart Publishing, Oxford, 2019, p. 240.


52      See recitals 122 and 132 of the GDPR.


53      See, in particular, recital 1 of the GDPR, which recalls, with reference to Article 8(1) of the Charter and Article 16(1) TFEU, that protection of personal data is a fundamental right. See, also, recitals 10, 11 and 13 of the GDPR, and judgment of 24 September 2019, Google (Territorial scope of de-referencing) (C‑507/17, EU:C:2019:772, paragraph 54).


54      See recital 148 of the GDPR.


55      See Chamberlain, J. and Reichel, J., ‘The Relationship Between Damages and Administrative Fines in the EU General Data Protection Regulation’, Vol. 89, No 4, Mississippi Law Journal, 2020, p. 685.


56      Council Regulation of 16 December 2002 on the implementation of the rules on competition laid down in Article [101 and 102] TFEU (OJ 2003 L 1, p. 1).


57      See judgment of 8 December 2011, Chalkor v Commission (C‑386/10 P, EU:C:2011:815, paragraphs 56 and 57 and the case-law cited). In that regard, I note that although intention or negligence must be established before a fine is imposed for breach of the competition law rules, that requirement is also very low in practice. Indeed, the Court has held that that condition is satisfied where the undertaking concerned cannot be unaware of the anticompetitive nature of its conduct, whether or not it is aware that it is infringing the competition rules (see judgment of 10 July 2014, Telefónica and Telefónica de España v Commission (C‑295/12 P, EU:C:2014:2062, paragraph 156 and the case-law cited).


58      See, for example, recital 9 of the GDPR, which indicates that differences in the level of protection of rights and freedoms of natural persons between Member States ‘prevent the free flow of personal data’ and ‘constitute an obstacle to the pursuit of economic activities at the level of the Union’.


59      See recital 129 (‘this should not preclude additional requirements pursuant to Member State procedural law’ (my emphasis)) and recital 150 of the GDPR. See also, in that regard, ‘Guidelines on the application and setting of administrative fines for the purposes of the [GDPR]’ of the Article 29 Data Protection Working Party, adopted on 3 October 2017, p. 6.


60      In that regard, I note that recital 10 of the GDPR states that ‘the level of protection … should be equivalent in all Member States’, whilst recitals 11, 13 and 129 of that regulation call for equivalent powers for monitoring and ensuring compliance and equivalent sanctions for infringements in the Member States. Recital 152 of that regulation, for its part, indicates that it is only to the extent that that regulation does not harmonise administrative penalties (or where it is otherwise necessary) that Member States should implement a system which provides for such penalties (see, also, recital 150 of the GDPR).


61      See, in that regard, Voss, W.G. and Bouthinon-Dumas, H., ‘EU General Data Protection Regulation Sanctions in Theory and in Practice’, Vol. 37, Santa Clara High Tech, 2020, p. 44.


62      My emphasis.


63      Pursuant to Article 29 of the GDPR, ‘the processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law’.


64      Pursuant to Article 28(10) of the GDPR, the processor will be regarded as a controller with regard to the processing of such data. See, also, in that regard, Rücker, D. and Kugler, T., New European General Data Protection Regulation: A Practitioner’s Guide, C.H. Beck, Hart and Nomos, Oxford, 2018, p. 30.

© European Union
The source of this judgment is the Europa web site. The information on this site is subject to a information found here: Important legal notice. This electronic version is not authentic and is subject to amendment.


BAILII: Copyright Policy | Disclaimers | Privacy Policy | Feedback | Donate to BAILII
URL: http://www.bailii.org/eu/cases/EUECJ/2023/C68321_O.html