Opinion of Advocate General Emiliou delivered on 4 May 2023.

Jurisdiction: European Union
ECLI: ECLI:EU:C:2023:376
Date: 04 May 2023
Celex Number: 62021CC0683
Court: Court of Justice (European Union)

Provisional text

OPINION OF ADVOCATE GENERAL

EMILIOU

delivered on 4 May 2023(1)

Case C-683/21

Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos

v

Valstybinė duomenų apsaugos inspekcija,

joined parties:

‘IT sprendimai sėkmei’ UAB,

Lietuvos Respublikos sveikatos apsaugos ministerija

(Request for a preliminary ruling from the Vilniaus apygardos administracinis teismas (Regional Administrative Court, Vilnius, Lithuania))

(Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Article 4(7) – Concept of ‘controller’ – Development of a mobile application in the context of the COVID-19 pandemic – Responsibility of the public authority in charge of organising the tendering procedure for the acquisition of the mobile application – Article 4(2) – Concept of ‘processing’ – Use of personal data during the test phase of a mobile application – Article 26(1) – Joint control – Article 83 – Imposition of administrative fines – Conditions – Need for the infringement to be deliberate or negligent – Responsibility of the controller for the processing of personal data undertaken by a processor)






I. Introduction

1. In a world where personal data have become a bargaining chip and constitute a newly found goldmine for businesses, under what conditions can administrative fines be imposed on controllers or processors for breach of the data protection rules set out in Regulation (EU) 2016/679? (2) More specifically, is a ‘fault’ element required to be fulfilled before they can be subject to such fines? That is the core issue raised by the Vilniaus apygardos administracinis teismas (Regional Administrative Court, Vilnius, Lithuania) in the present case.

2. The dispute before that court, which arises between the Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos (National Public Health Centre under the Ministry of Health, Lithuania; ‘the NVSC’) and the Valstybinė duomenų apsaugos inspekcija (State Data Protection Inspectorate, Lithuania; ‘the Inspectorate’), concerns, in essence, the role played by the NVSC in the development and making publicly available of a mobile application which collected, in April and May 2020, the personal data of people who had been in contact with COVID-19-infected patients.

3. Within that context, the present case gives the Court an opportunity to provide additional clarity on the concepts of ‘controller’, ‘joint controllers’ and ‘processing’, defined respectively in Article 4(7), Article 26(1) and Article 4(2) of the GDPR, and to consider, for the first time, whether it is possible, in application of Article 83 of that regulation, to impose an administrative fine on a controller that has not intentionally or negligently committed any breach of the rules contained in the GDPR. That question requires the Court to clarify whether that provision allows fines to be imposed in the absence of any fault, on the basis of strict liability.

II. Legal framework

A. European Union law

4. Recital 148 of the GDPR states:

‘In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation … In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.’

5. Pursuant to recital 150 of that regulation:

‘In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. … Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.’

6. Article 4(7) of the GDPR defines the concept of ‘controller’ as ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data …’.

7. Article 26 of that regulation, entitled ‘Joint controllers’, states in the relevant part:

‘1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. …

…’

8. Article 83 of that regulation, entitled ‘General conditions for imposing administrative fines’, provides:

‘1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

(a) the nature, gravity and duration of the infringement taking into account the nature[,] scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b) the intentional or negligent character of the infringement;

(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

…’

B. Lithuanian law

9. Article 72(2) of the Viešųjų pirkimų įstatymas (Law on Public Procurement) states:

‘The contracting authority shall carry out a negotiated procedure without publication of a contract notice in the following stages:

(1) written invitation to the selected economic operators to submit tenders;

(2) verification as to whether there are any grounds for the exclusion of economic operators as laid down in the procurement documents, and verification as to whether the economic operators fulfil the qualification requirements imposed and, where applicable, meet the required quality assurance standards and/or environmental management standards;

(3) conduct of negotiations with the tenderers in accordance with the procedure established in Article 66 of this law and the request for them to submit final tenders. The contracting authority shall not be required to request the submission of a final tender in the case of one economic operator participating in the negotiated procedure without publication of a prior notice;

(4) evaluation of the final tenders and determination of the successful candidate.’

III. Facts, national proceedings and the questions referred

10. In order to respond to the situation resulting from the spread of COVID-19, the Minister for Health of the Republic of Lithuania (‘the Minister for Health’) instructed, by decision of 24 March 2020, the Director of the NVSC to organise the development and acquisition of a mobile application, namely KARANTINAS. That mobile application was designed to collect and monitor the personal data of individuals who had been in contact with COVID-19-infected patients. (3)

11. On 27 March 2020, a person claiming to be an agent representing the NVSC informed the company ‘IT sprendimai sėkmei’ UAB (‘ITSS’) that it had been selected to be the developer of KARANTINAS. Emails were exchanged between ITSS and that person as well as between ITSS and a number of employees and the Director of the NVSC in relation to the development of that mobile application. A confidentiality agreement was also drawn up at that stage, mentioning both ITSS and the NVSC as controllers.

12. The mobile application that was eventually developed was made available for download by the public from Google Play Store on 4 April 2020, and from Apple App Store on 6 April 2020. Both ITSS and the NVSC were again mentioned as controllers in the version of KARANTINAS that was made available for download by the public. At that time, that mobile application had not yet been purchased by the NVSC.

13. By decision of 10 April 2020, the Minister for Health instructed the Director of the NVSC to proceed with the acquisition of KARANTINAS by negotiated procedure without publication of a contract notice, in application of Article 72(2) of the Law on Public Procurement.

14. That procedure was initiated but, having failed to receive...
