This document is an excerpt from the EUR-Lex website.
Document 62023CJ0638
Judgment of the Court (Eighth Chamber) of 27 February 2025.
Amt der Tiroler Landesregierung v Datenschutzbehörde and Others.
Request for a preliminary ruling from the Verwaltungsgerichtshof.
Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 4(7) – Concept of ‘controller’ – Direct designation of the controller by national law – Auxiliary administrative entity in the service of a regional government – Lack of legal personality – Lack of legal capacity of the entity’s own – Determination of the purposes and means of the processing.
Case C-638/23.
Court reports – general – ‘Information on unpublished decisions’ section
European Case Law Identifier: ECLI:EU:C:2025:127
JUDGMENT OF THE COURT (Eighth Chamber)
27 February 2025 ( *1 )
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 4(7) – Concept of ‘controller’ – Direct designation of the controller by national law – Auxiliary administrative entity in the service of a regional government – Lack of legal personality – Lack of legal capacity of the entity’s own – Determination of the purposes and means of the processing)
In Case C‑638/23,
REQUEST for a preliminary ruling under Article 267 TFEU from the Verwaltungsgerichtshof (Supreme Administrative Court, Austria), made by decision of 23 August 2023, received at the Court on 24 October 2023, in the proceedings
Amt der Tiroler Landesregierung
v
Datenschutzbehörde,
interveners:
Bundesministerin für Justiz,
CW,
THE COURT (Eighth Chamber),
composed of N. Jääskinen, President of the Ninth Chamber, acting as President of the Eighth Chamber, M. Gavalec (Rapporteur) and N. Piçarra, Judges,
Advocate General: M. Campos Sánchez-Bordona,
Registrar: A. Calot Escobar,
having regard to the written procedure,
after considering the observations submitted on behalf of:
– the Datenschutzbehörde, by M. Schmidl and E. Wagner, acting as Agents,
– the Bundesministerin für Justiz, by E. Riedl, acting as Agent,
– the Austrian Government, by A. Posch, J. Schmoll and C. Gabauer, acting as Agents,
– the European Commission, by A. Bouchagiar and M. Heller, acting as Agents,
having decided, after hearing the Advocate General, to proceed to judgment without an Opinion,
gives the following
Judgment
1 This request for a preliminary ruling concerns the interpretation of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).
2 The request has been made in proceedings between the Amt der Tiroler Landesregierung (Office of the Provincial Government of Tyrol, Austria) (‘the Office’) and the Datenschutzbehörde (Data Protection Authority, Austria) concerning allegedly unlawful processing of personal data of a natural person by the Office.
Legal context
European Union law
3 Recitals 1, 7, 10, 45 and 74 of the GDPR are worded as follows:
…
…
…
…
4 Article 1 of that regulation, entitled ‘Subject matter and objectives’, provides, in paragraph 2 thereof: ‘This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.’
5 Article 4 of the regulation, entitled ‘Definitions’, is worded as follows: ‘For the purposes of this Regulation: …
…
…’
6 Under Article 5 of that regulation, headed ‘Principles relating to processing of personal data’: ‘1. Personal data shall be:
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’
7 Article 6 of the GDPR, headed ‘Lawfulness of processing’, provides, in paragraphs 1 and 3 thereof: ‘1. Processing shall be lawful only if and to the extent that at least one of the following applies: …
…
… 3. The basis for the processing referred to in point[s] (c) and (e) of paragraph 1 shall be laid down by:
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. …’
Austrian law
Tyrolean Provincial Code 1989
8 Paragraph 56 of the Landesverfassungsgesetz über die Verfassung des Landes Tirol (Tiroler Landesordnung 1989) (Regional Law on the Constitution of the Province of Tyrol (Tyrolean Provincial Code 1989)) of 21 September 1988, in the version applicable to the dispute in the main proceedings (‘Tyrolean Provincial Code 1989’), entitled ‘Landeshauptmann’ (Governor of the Province, Austria) (‘the Governor’), provides, in paragraph 1 thereof: ‘The [Governor] represents the Province of Tyrol.’
9 Paragraph 58 of the Tyrolean Provincial Code 1989, entitled ‘[Office]’, provides in paragraph 1 thereof: ‘The [Governor], the Provincial Government and its members shall have recourse to the [Office] to deal with their affairs. The [Governor] is the President of the [Office].’
The TDVG
10 Paragraph 2 of the Tiroler Datenverarbeitungsgesetz (Tyrolean Law on Data Processing) (‘the TDVG’) provides: ‘1. The following shall be considered to be a controller within the meaning of Article 4(7) of [the GDPR]:
… 3. Where the data processing is carried out or ordered by the Province of Tyrol, the [Office] shall always be regarded as responsible for such processing in so far as
The dispute in the main proceedings and the question referred for a preliminary ruling
11 In the context of measures aimed at fighting the COVID-19 pandemic, the Office, an auxiliary administrative entity in the service of the Governor and the Provincial Government of Tyrol, sent a ‘vaccination reminder letter’ to all adults residing in the Province of Tyrol who had not yet been vaccinated against that virus. For the purpose of identifying the addressees of those letters, the Office appointed two private companies, which conducted a cross-check of data in the central vaccination register and the patient index, which referred to their residential address.
12 On 21 December 2021, CW, one of those addressees, filed a complaint with the Data Protection Authority against the Office alleging unlawful processing of his personal data. Before that authority, the Office stated that it had the status of ‘controller’ and that it was behind the letter sent to CW.
13 By decision of 22 August 2022, that authority found that the Office had breached CW’s right to the protection of his personal data, in so far as, in order to send him a ‘vaccination reminder letter’, the Office had consulted the data of the person concerned in the vaccination register, even though it did not have a right to access that register or the patient index. The processing of CW’s personal data was therefore unlawful.
14 The Office brought an action against that decision before the Bundesverwaltungsgericht (Federal Administrative Court, Austria). That court held that, on the basis of the applicable national law, the Office had the status of controller, but it did not have a right to consult the vaccination register for the purposes of sending a reminder letter such as that sent to CW. Since that court rejected the Office’s action, the Office brought an appeal on a point of law against that judgment before the Verwaltungsgerichtshof (Supreme Administrative Court, Austria), the referring court.
15 That court finds that, in order to enable it to rule in the case before it, it must be determined whether the Office, in the context of that case, has the status of ‘controller’, within the meaning of Article 4(7) of the GDPR.
16 In that regard, the referring court points out the fact that the Office merely presented the Governor with a proposal to send a ‘vaccination reminder letter’, which the Governor approved in his capacity as President of the Office and representative of the Land of Tyrol, in accordance with Article 58 and Article 56(1) of the Tyrolean Provincial Code 1989 respectively. Therefore, the Office merely informed the Governor, first, what the proposed purpose of the processing of the personal data was, namely an increase in the vaccination rate, and, second, the means that would be implemented on the basis of that processing, namely the sending of such a ‘vaccination reminder letter’ using the data from the central vaccination register and the patient index.
17 According to the referring court, taking that approval from the Governor into account, only the Governor decided on both the purpose and the means of the processing of personal data, with the result that the Office cannot have the status of ‘controller’ within the meaning of the first part of Article 4(7) of the GDPR.
18 Nevertheless, that court is uncertain whether the Office could validly be designated as such by a provision of national law, namely Paragraph 2(1)(a) of the TDVG.
19 The Office is not a natural person or an authority responsible for the processing of personal data which gave rise to the sending of a ‘vaccination reminder letter’ to CW. The Office intervened in that processing only as an auxiliary administrative entity in the service of a public authority. The Office lacks legal personality and legal capacity of its own. Therefore, it must be determined whether the Office may, accordingly, be regarded as an ‘agency or other body’, within the meaning of the first part of Article 4(7) of the GDPR, capable of being designated as controller under national law, in accordance with the second part of Article 4(7) of that regulation.
20 In addition, that court notes that, in accordance with the second part of Article 4(7) of the GDPR, a controller may be designated directly only in so far as the purposes and means of the processing of the personal data concerned are determined by national law. While Paragraph 2(1)(a) of the TDVG designates the Office as controller, it does not state in a precise manner, however, the type of processing of personal data which may be carried out by the Office, the purposes that that processing should pursue or the means that the Office could implement to that effect.
21 The referring court adds that it follows from Article 6(1)(c) and (e) of the GDPR that processing of personal data is lawful if it is necessary for compliance with a legal obligation to which the controller is subject or if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. It follows from those conditions of lawfulness and the objective pursued by Article 4(7) of the GDPR of ensuring effective and extensive protection of data subjects that Member States can only designate as controller a person or entity which is in a position to determine the purposes and the means of the processing of personal data or, at the very least, to participate in that determination.
22 In those circumstances, the Verwaltungsgerichtshof (Supreme Administrative Court) decided to stay the proceedings and to refer the following question to the Court of Justice for a preliminary ruling: ‘Is Article 4(7) of [the GDPR] to be interpreted as precluding [the] application of a provision of national law (such as, in the present case, Paragraph 2(1) of the [TDVG]) in which a particular controller is provided for within the meaning of the second part of Article 4(7) of the GDPR but
Consideration of the question referred
23 By its question, the referring court asks, in essence, whether Article 4(7) of the GDPR must be interpreted as meaning that it precludes national legislation which designates, as controller, an auxiliary administrative entity lacking legal personality and legal capacity of its own, without specifying, in a precise manner, the specific processing operations of personal data for which that entity is responsible or the purpose of those operations. That court also seeks to ascertain whether Article 4(7) of the GDPR must be interpreted as meaning that an entity designated as controller by national law, in accordance with that provision, must actually decide on the purposes and means of the processing of personal data to be required to respond, as controller, to requests submitted to it by data subjects on the basis of the rights which they derive from the GDPR.
24 As a preliminary point, it must be recalled that, under Article 4(7) of the GDPR, the concept of ‘controller’ covers natural or legal persons, public authorities, agencies or other bodies which, alone or jointly with others, determine the purposes and means of the processing of personal data. That provision also states that, where the purposes and means of such processing are determined, inter alia, by the law of a Member State, the controller may be nominated or the specific criteria for its nomination may be provided for by that law.
25 It is apparent from the case-law of the Court that that provision is intended to ensure, through a broad definition of the concept of ‘controller’, effective and complete protection of data subjects (see, to that effect, judgments of 5 December 2023, Nacionalinis visuomenės sveikatos centras, C‑683/21, EU:C:2023:949, paragraph 29, and of 5 December 2023, Deutsche Wohnen, C‑807/21, EU:C:2023:950, paragraph 40).
26 The objective pursued by the GDPR, as is set out in Article 1 thereof and in recitals 1 and 10 thereof, consists, inter alia, in ensuring a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data, as enshrined in Article 8(1) of the Charter of Fundamental Rights and Article 16(1) TFEU (judgment of 7 March 2024, IAB Europe, C‑604/22, EU:C:2024:214, paragraph 53 and the case-law cited).
27 Having regard to the wording of Article 4(7) of the GDPR, read in the light of that objective, in order to establish whether a person or entity is to be classified as a ‘controller’ within the meaning of that provision, it must be examined whether that person or entity determines, alone or jointly with others, the purposes and means of the processing or whether those purposes and means are determined by national law. Where such determination is made by national law, it must then be ascertained whether that law nominates the controller or provides for the specific criteria for its nomination (judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraph 29).
28 Having regard to the broad definition of the concept of ‘controller’ within the meaning of Article 4(7) of the GDPR, the determination of the purposes and means of the processing and, where appropriate, the nomination of that controller by national law may not only be explicit but also implicit. In the latter case, that determination must nevertheless be derived with sufficient certainty from the role, task and powers conferred on the person or entity concerned (judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraph 30).
29 It is in the light of those preliminary considerations that the question referred is to be examined. To that effect, it is necessary, first, to determine to what extent the national legislature can validly designate an auxiliary administrative entity in the service of public authorities as controller, within the meaning of the second part of Article 4(7) of the GDPR, where that entity lacks legal personality and legal capacity of its own.
30 In that regard, it should be noted that the Court has already ruled that it is apparent from the clear wording of Article 4(7) of the GDPR that a controller may be not only a natural or legal person, but also a public authority, an agency or a body, and such entities do not necessarily have legal personality under national law (see, to that effect, judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraph 36).
31 Accordingly, it cannot be ruled out that an entity may be classified as a ‘controller’, within the meaning of that provision, even if that entity lacks legal personality.
32 Moreover, as regards the question of whether the classification of an entity as ‘controller’ requires that entity to have legal capacity of its own, or if it is sufficient, for that purpose, that the entity concerned is provided with a certain capacity to decide and to act in the context of the protection of personal data, the Court notes that it is apparent from recital 74 of the GDPR that the EU legislature intended that the responsibility of the controller be identical whether the processing of personal data that it carries out is undertaken by the controller itself or by a third party, but on its behalf. That legislature also intended to ensure that the controller is obliged to implement appropriate and effective measures and is able to demonstrate the compliance of processing activities with that regulation, including the effectiveness of the measures in question, and that those measures should take into account the nature, scope, context and purpose of the processing and the risk to the rights and freedoms of natural persons.
33 It is to that extent that Article 5(2) of the GDPR establishes a principle of accountability, under which the controller is responsible for compliance with the principles relating to the processing of personal data set out in Article 5(1) and provides that that controller must be able to demonstrate compliance with those principles.
34 Taking into account the legal obligations to which the controller referred to in Article 4(7) of the GDPR is subject, the controller must, in accordance with the procedures provided for by the legislation of the Member State to which it belongs, be able to fulfil, in fact and in law, those obligations, without it being relevant, in that regard, whether that entity has legal personality and legal capacity of its own.
35 In the present case, it is for the referring court to determine whether the Office is authorised by Austrian law to assume the responsibilities and obligations that the GDPR imposes on the controller, having regard in particular to the fact, which has not been contested before the national courts hearing the dispute in the main proceedings, that the Office may bring an action against the decision of the Data Protection Authority, in the same way that it may be the subject of a complaint before that authority. The referring court may also take into consideration the fact that the Office appointed two private companies to carry out the processing of personal data in the central vaccination register and in the index of the patients residing in the Province of Tyrol.
36 Second, the referring court is uncertain whether a national legislature may designate an entity as controller, under the second part of Article 4(7) of the GDPR, without specifying, in a precise manner, the processing of personal data that that entity may be required to carry out, its purpose or the precise means that it may implement for the purposes of that processing.
37 As recalled in paragraph 28 above, where national law designates an entity as controller, the determination of the purposes and means of the processing by that law may be implicit, provided that that determination is derived with sufficient certainty from the role, task and powers conferred on that entity. That condition is met if those purposes and means arise, in essence, from the provisions of national law governing the activity of that entity.
38 The direct designation, by the national legislature, of an entity as controller contributes to the objective of legal certainty pursued by the GDPR, as is apparent from recital 7 thereof, by allowing natural persons whose personal data are subject to processing to easily identify the entity responsible for ensuring compliance with the rights conferred on them by that regulation.
39 The validity of such a designation is, however, subject to the condition that national legislation determine the scope of the processing of personal data for which that entity is designated as responsible, without it being necessary for that legislature to have listed, exhaustively, all the processing operations for which that entity is thus designated. As set out in recital 45 of that regulation, ‘a law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient.’
40 It follows that national legislation which designates an entity as controller without expressly listing all the specific processing operations of personal data for which it is responsible or the purpose of those processing operations is compatible with Article 4(7) of the GDPR, in so far as that legislation determines, explicitly or at least implicitly, the scope of the processing of personal data for which that entity is designated as responsible.
41 In the present case, it is for the referring court to determine whether the processing of personal data which the Office carried out for the purposes of preparing and sending the ‘vaccination reminder letters’ at issue in the main proceedings is compatible with the purposes which must be fulfilled by the processing operations of personal data for which the Office has been designated as responsible, as those purposes follow, at least implicitly, from all the provisions of national law governing its activity and, moreover, the means that it may implement to that effect. The sole fact that those national provisions do not specify, where appropriate, in a precise manner, the processing operations that the Office is authorised to carry out cannot preclude the classification of an entity such as the Office as controller within the meaning of Article 4(7) of the GDPR.
42 Third, the referring court asks whether an entity designated by national legislation as controller, within the meaning of the second part of Article 4(7) of the GDPR, must also decide itself, or with other competent authorities, the purposes and means of the processing of personal data for which it is designated as responsible, in order for it to be required to respond, in that capacity, to requests submitted to it by data subjects on the basis of the rights which they derive from the GDPR.
43 In that regard, it is sufficient to observe that it is in order to establish an entity’s status as a controller, within the meaning of the first part of Article 4(7) of the GDPR, that it is necessary to examine whether that entity actually exerted influence, for its own purposes, over the determination of the purposes and means of the processing in question (see, to that effect, judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras, C‑683/21, EU:C:2023:949, paragraphs 30 and 31).
44 By contrast, in order to establish an entity’s status as a controller, within the meaning of the second part of Article 4(7) of the GDPR, as is apparent from the clear wording of that provision, it is not necessary that that entity exercises influence over the determination of the purposes and means of the processing in question.
45 Such an entity, designated by national law as controller, does not therefore have to decide itself the purposes and means of the processing of personal data in order to be required to respond, as controller, to requests submitted to it by data subjects on the basis of the rights which they derive from the GDPR.
46 In that regard, the Court has already ruled that the validity of a direct designation was not affected by the fact that, under national law, the entity designated as controller does not exercise any control over the personal data that it is required to process (see, to that effect, judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraphs 37 and 38).
47 Such an interpretation is in accordance with the objective of legal certainty pursued by the GDPR. As the European Commission pointed out in its written observations, that objective would be compromised if, in order to be able to consider that that designation was validly made by the national legislature, data subjects had to verify that the entity designated as controller of their personal data has the power to determine itself the purposes and means of such processing.
48 It is also important to add that the fact that it is not necessary for an entity designated by national law as controller to be empowered also to decide itself the purposes and means of the processing of personal data in order to be required to respond, as controller, to requests submitted to it by data subjects on the basis of the rights which they derive from the GDPR does not however deprive those data subjects of the possibility of sending those requests to another entity which they consider to be responsible or jointly responsible for the processing of their personal data due to the influence that that other entity exercised over the determination of the purposes and means of the processing in question.
49 In the light of the foregoing, the answer to the question referred is that Article 4(7) of the GDPR must be interpreted as not precluding national legislation which designates, as controller, an auxiliary administrative entity lacking legal personality and legal capacity of its own, without specifying, in a precise manner, the specific processing operations of personal data for which that entity is responsible or the purpose of those operations in so far as, first, such an entity is able to fulfil, in accordance with that national legislation, the obligations on a controller towards data subjects with respect to the protection of personal data and, second, that national legislation determines, explicitly or at least implicitly, the scope of the processing of personal data for which that entity is responsible.
Costs
50 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (Eighth Chamber) hereby rules:
Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
must be interpreted as not precluding national legislation which designates, as controller, an auxiliary administrative entity lacking legal personality and legal capacity of its own, without specifying, in a precise manner, the specific processing operations of personal data for which that entity is responsible or the purpose of those operations in so far as, first, such an entity is able to fulfil, in accordance with that national legislation, the obligations on a controller towards data subjects with respect to the protection of personal data and, second, that national legislation determines, explicitly or at least implicitly, the scope of the processing of personal data for which that entity is responsible.
[Signatures]
( *1 ) Language of the case: German.