DATA PROTECTION
EU Court of Justice: even an entity without legal personality can be a Data Controller pursuant to Article 4, no. 7 of the GDPR.
The Court of Justice of the European Union (CJEU) ruled, in its judgment of 27 February 2025 in Case C-638/23, that even a service without legal personality can be considered a data controller. The decision clarified an interpretative aspect relating to Article 4, point 7, of the General Data Protection Regulation (GDPR).
The CJEU's pronouncement arose from a case that took place in Austria, in which an administrative unit supporting a regional government sent reminder letters for anti-Covid vaccination to all adults who had not yet been vaccinated residing in a given Land. However, to carry out this activity, a database was accessed without authorization, thus violating the GDPR.
One of the recipients reported the incident to the Austrian Data Protection Authority, which opened an investigation and declared the conduct of the office responsible for communication unlawful. The latter appealed against the decision, arguing that it could not be considered a controller since the Governor of the Land had approved the sending of the letters.
The main crux of the matter concerned the identification of the data controller. The office involved in sending the communication operated under the control of the regional governor, who had approved the initiative. However, the national legislation explicitly recognised that entity as a controller, although it did not define in detail the operating methods and purposes of the processing itself.
Faced with this scenario, the Austrian court asked the CJEU to provide an interpretation of Article 4(7) of the GDPR, which also includes "services or other bodies" among the possible controllers. The request aimed to clarify whether administrative units without legal personality and decision-making autonomy could also be included.
The Court confirmed that an auxiliary administrative entity, although lacking personality and independent legal capacity, can be classified as a controller. This condition is valid even if the reference legislation does not specify in detail the treatment operations and their objectives, provided that two fundamental requirements are met:
the entity must be structured in such a way as to be able to fulfil its obligations under the GDPR.
The law designating it must involve, at least indirectly, the scope of the data processing for which it is responsible.
In addition, the CJEU has pointed out that when legislation assigns the role of controller to a given entity, this qualification cannot be questioned, even if the entity does not exercise direct control over the data processed or the purposes of the processing.
This ruling is particularly relevant since the established principle could be used by national legislators to take advantage of the possibility, provided for in Article 4(7), second sentence, of the GDPR, to divide and distribute data protection obligations and responsibilities among different organisational units of the same body or between structures specifically created for the management of processing.
The CJEU's pronouncement arose from a case that took place in Austria, in which an administrative unit supporting a regional government sent reminder letters for anti-Covid vaccination to all adults who had not yet been vaccinated residing in a given Land. However, to carry out this activity, a database was accessed without authorization, thus violating the GDPR.
One of the recipients reported the incident to the Austrian Data Protection Authority, which opened an investigation and declared the conduct of the office responsible for communication unlawful. The latter appealed against the decision, arguing that it could not be considered a controller since the Governor of the Land had approved the sending of the letters.
The main crux of the matter concerned the identification of the data controller. The office involved in sending the communication operated under the control of the regional governor, who had approved the initiative. However, the national legislation explicitly recognised that entity as a controller, although it did not define in detail the operating methods and purposes of the processing itself.
Faced with this scenario, the Austrian court asked the CJEU to provide an interpretation of Article 4(7) of the GDPR, which also includes "services or other bodies" among the possible controllers. The request aimed to clarify whether administrative units without legal personality and decision-making autonomy could also be included.
The Court confirmed that an auxiliary administrative entity, although lacking personality and independent legal capacity, can be classified as a controller. This condition is valid even if the reference legislation does not specify in detail the treatment operations and their objectives, provided that two fundamental requirements are met:
the entity must be structured in such a way as to be able to fulfil its obligations under the GDPR.
The law designating it must involve, at least indirectly, the scope of the data processing for which it is responsible.
In addition, the CJEU has pointed out that when legislation assigns the role of controller to a given entity, this qualification cannot be questioned, even if the entity does not exercise direct control over the data processed or the purposes of the processing.
This ruling is particularly relevant since the established principle could be used by national legislators to take advantage of the possibility, provided for in Article 4(7), second sentence, of the GDPR, to divide and distribute data protection obligations and responsibilities among different organisational units of the same body or between structures specifically created for the management of processing.
