
Advocate General Opinion on the aspects of joint controllership liability of the controller

Case background and key facts:

The dispute arose between the National Public Health Centre under the Ministry of Health, Lithuania (‘the NVSC’) and the State Data Protection Inspectorate, Lithuania (‘the Inspectorate’). The case concerns the role played by the NVSC in the development and making publicly available of a mobile application that collected, in April and May 2020, the personal data of people who had been in contact with COVID-19-infected patients.

In order to respond to the situation resulting from the spread of COVID-19, the Minister for Health of the Republic of Lithuania instructed, by decision of 24 March 2020, the Director of the NVSC to organize the development and acquisition of a mobile application, namely KARANTINAS. That mobile application was designed to collect and monitor the personal data of individuals who had been in contact with COVID-19-infected patients. On 27 March 2020, a person claiming to be an agent representing the NVSC informed the company ‘IT sprendimai sėkmei’ UAB (‘ITSS’) that it had been selected to be the developer of KARANTINAS. The mobile application that was eventually developed was made available for download by the public from Google Play Store on 4 April 2020, and from Apple App Store on 6 April 2020. Both ITSS and the NVSC were again mentioned as controllers in the version of KARANTINAS that was made available for download by the public. At that time, that mobile application had not yet been purchased by the NVSC. By decision of 10 April 2020, the Minister for Health instructed the Director of the NVSC to proceed with the acquisition of KARANTINAS. The procedure was initiated but then terminated due to the absence of funding. No public contract for purchase was thus concluded. KARANTINAS, however, continued to be available for download by the public.

On 15 May 2020, the NVSC requested ITSS not to use any details of the NVSC or to draw links with the NVSC in the mobile application.

On 18 May 2020, the Inspectorate began an investigation concerning both ITSS and the NVSC for breach of the rules laid down in the GDPR. The operations of KARANTINAS were suspended at the request of the Inspectorate on 26 May 2020. According to ITSS, 3 802 users had provided their personal data via the application between 4 April and 26 May 2020. By decision of 24 February 2021, the Inspectorate imposed administrative fines on the NVSC and on ITSS, in their capacity as joint controllers, for infringement of Articles 5, 13, 24, 32 and 35 of the GDPR.

The NVSC challenged the decision before the Regional Administrative Court, Vilnius.

The questions before the court:

  1. Can the NVSC be considered a controller, that is, was the NVSC “determining the purposes and means” of processing, given that (a) this body was not the developer of the mobile application; (b) it was a body intending to acquire such a mobile application by way of a tendering procedure; (c) the tendering procedure was ultimately abandoned, and KARANTINAS was never acquired by the NVSC; and (d) the NVSC did not officially consent to or authorise the making available of that mobile application to the public?

  2. What is the relationship between the NVSC and ITSS? Can they be regarded as ‘joint controllers’, or is their relationship that of ‘controller’ and ‘processor’?

  3. Finally, could the actions of ITSS have led to liability for the NVSC? Can Article 83 of that regulation be applied to impose an administrative fine on a controller that has not intentionally or negligently committed any breach of the rules contained in the GDPR? This question requires the Court to clarify whether that provision allows fines to be imposed in the absence of any fault, on the basis of strict liability.

Analyzing the correlation between the questions in dispute and the provisions of the GDPR, Advocate General Emiliou clarifies that, as the Guidelines 07/2020 state, joint participation can exist in different forms. It can result from a common decision taken by two or more entities, or it can merely result from converging decisions of those entities; the key, however, is “jointly having decision-making power upon purposes and means of processing”.

Under Article 26(1) of the GDPR, joint controllers must, in a transparent manner, determine their respective responsibilities for compliance with the obligations of that regulation, by means of an arrangement between them. Recital 79 likewise requires a ‘clear allocation of the responsibilities’.

A substantive and functional approach is required in order to establish whether a person or entity must be regarded as a ‘controller’. In the opinion of Emiliou in this case, “first, that the absence of any agreement or arrangement or even common decision between two or more controllers such as the NVSC and ITSS cannot, in and of itself, exclude a finding that they are ‘joint controllers’ within the meaning of Article 4(7) of the GDPR, read in conjunction with Article 26(1) thereof”. Secondly, Emiliou argues that “simply because the NVSC and ITSS do not appear, beyond the fact that they have not reached an agreement, arrangement or common decision, to have coordinated their actions or otherwise cooperated with one another does not mean that they cannot be regarded as ‘joint controllers’. Even if such coordination or cooperation exists, it is immaterial to the question of whether the relationship between those two entities is one of joint control or not. Indeed, one may easily imagine that cooperation or coordination could exist between two or more entities, without them being joint controllers at all.”

On joint controllership, the Advocate General therefore comes to the following conclusion: the provisions in question “must be interpreted as meaning that, for two or more controllers to be regarded as ‘joint controllers’, two conditions must be satisfied: first, each joint controller must independently fulfil the criteria listed in the definition of ‘controller’ provided in Article 4(7) of that regulation, and, second, the controllers’ influence over the ‘purposes and means’ of the processing must be exercised jointly. Furthermore, the absence of any agreement or even coordination between the controllers cannot, in and of itself, exclude a finding that the controllers are ‘joint controllers’ within the meaning of those provisions”.

The most intriguing question is whether an administrative fine can be imposed on a controller that has not intentionally or negligently committed any breach of the rules contained in the GDPR. The Advocate General comes to the following conclusion: a fine can only be imposed in order to sanction a breach of the rules of that regulation which has been committed ‘intentionally or negligently’. Furthermore, a controller may be fined in application of that provision even though the unlawful processing is carried out by a processor. That possibility is open for so long as it is established that the processor acts on the controller’s behalf. However, if the processor processes personal data outside of, or contrary to, the lawful instructions of the controller and uses the personal data received for its own purposes, and it is clear that the parties are not ‘joint controllers’, within the meaning of Article 4(7) and Article 21(6) of Regulation 2016/679, then the controller cannot be fined, in application of Article 83 of that regulation, in relation to the unlawful processing that took place.
