by Dr. Gerald Trieb and Viktoria Kovacs//
The European Court of Justice (CJEU) recently ruled on a case relating to Austria: The CJEU had to decide on the question referred by the Austrian Supreme Administrative Court (“VwGH”) as to whether or not a Tyrolian State Law designating the Office of the Provincial Government of Tyrol (“Amt der Tiroler Landesregierung”, in the following “Office”) as a “controller” is in line with the GDPR.
Background
As part of measures to combat the COVID-19 pandemic, the Office had sent a “vaccination reminder letter” to all adults living in the Province of Tyrol who had not yet been vaccinated. One addressee of this letter then filed a complaint with the Austrian Data Protection Authority (“DSB”) due to unlawful processing of his personal data. Before the DSB, the Office named itself as the controller and stated that it had sent the letter. The DSB ruled in the complainant’s favor and held that the Office was neither authorized to access the Austrian “vaccination register” nor the country’s “patient index” to identify the inhabitants which not had been vaccinated yet. After the Austrian Federal Administrative Court (“BVwG”) had upheld the DSB’s decision, the Office appealed to the VwGH.
The preliminary question
For the following reasons, the VwGH had doubts as to whether the Office had the status of a controller within the meaning of Art 4(7) of the GDPR: Firstly, the Office had merely submitted a proposal to the Governor to send a “vaccination reminder letter”, which the Governor had approved, thus leaving the decision on the purposes and means of processing to the Governor; secondly, the Office is neither a legal person or an authority entrusted with the processing of the personal data relating to the vaccination reminder letters; nor does it have legal capacity of its own. Although Sec. 2 of the Tyrolean Law on Data Processing (“TDVG”) designates the Office as the controller, it is not clear from this provision what types of processing of personal data the Office can carry out, what purposes this processing should pursue and what means the Office can use for this purpose. The VwGH therefore decided to stay the proceedings and to refer the following questions to the CJEU for a preliminary ruling:
Is Article 4(7) of the GDPR to be interpreted as precluding the application of a provision of national law (such as, in the present case, Paragraph 2(1) of the TDVG) in which a particular controller is provided for within the meaning of the second part of Article 4(7) of the GDPR but
-
this is merely a service (such as, in the present case, the Office) which, although established by law, is not a natural or legal person nor, in the present case, an authority, but functions merely as an auxiliary apparatus for such an authority and has no full or partial legal capacity of its own; whose designation is made without reference to a specific processing of personal data and therefore no purposes and means of a specific processing of personal data are specified by the law of the Member State;
-
is nominated without reference to specific processing of personal data, with the result that the purposes and means of specific processing of personal data are not determined by Member State law either;
-
neither alone nor jointly with others determined the purposes and means of the processing of personal data at issue in the present case?
Consideration of the question referred
The CJEU held that a controller does not necessarily have legal personality or legal capacity of its own. However, he must comply with the principle of accountability and therefore be able to demonstrate compliance with the principles pursuant to Art 5(1) GDPR. The referring court must therefore examine whether the Office can assume the responsibility and liability as well as the obligations of a controller within the meaning of the GDPR under Austrian law. In particular, it must be taken into account that, from the perspective of the national courts, the Office can both bring a complaint against decisions of the DSB and itself be the subject of a complaint.
The CJEU also ruled that the determination of the purposes and means of the processing and the designation of the controller can also be implied by national law. However, the role, task and powers of the controller must be defined with sufficient certainty (see also judgment of 11 January 2024, État belge (Data processed by an official journal), C 231/22).
Furthermore, it must be examined whether the processing of personal data in the context of sending the “vaccination reminder letters” is compatible with the statutory purposes for which the Office has been designated as responsible. In addition, the means that the Office can use for this purpose must be assessed. Furthermore, the CJEU stated that in order to determine whether a body has the status of a controller within the meaning of Art 4(7) first half-sentence of the GDPR, it must be examined whether the body actually exerted influence on the purposes and means of the processing.
Conclusion
According to the CJEU, Art 4(7) of the GDPR must be interpreted as permitting national legislation that designates an auxiliary administrative body that has no legal personality and no legal capacity of its own as controller, as long as this body can fulfill the obligations of a controller towards data subjects with respect to the protection of personal data and the national legislation clearly defines the scope of data processing – either explicitly or implicitly. Following the previously cited CJEU decision on “État belge”, the decision of the CJEU in this sense was expected; it also serves the required legal certainty for data subjects, as it would be questionable if they also had to check a national legal provision for conformity with Union law, which determines which body in the public sector, i.e. the administration, is responsible for the processing of their data.
Dr. Gerald Trieb is Partner at Knyrim Trieb Rechtsanwälte, Vienna (Austria)
Viktoria Kovacs is a Legal Intern at Knyrim Trieb Rechtsanwälte, Vienna (Austria)