Newsflash: European Court of Justice rules on data controller status

The European Court of Justice has produced a judgment which demonstrates the fluid nature of data controller status and that it is rarely a matter of a simple binary choice. The ruling is on a referral from the German Courts – case C-40/17 Fashion ID v Verbraucherzentrale NRW. While it relates to the pre-GDPR law, the reasoning is equally relevant to the newer law.

The ruling of the ECJ makes it clear that the concept of being a data controller is task specific, rather than being based on organisational relationships or hierarchies. The key question of whether someone is a data controller is whether they are responsible for determining the means and purposes of a particular processing operation, whether they do so alone or jointly with another. This is the case even if the body does not have access to the data processed under that operation – provided it is at least partly responsible for determining the means and purposes of that operation, it will be a data controller in that respect. This has the practical effect that an organisation may be a data controller for some processing operations in relation to the data but not others.

For example, in the Fashion ID case, a website provider that included Facebook plug-ins on its website (which caused data about the website visitors to be passed to Facebook) was a joint data controller with Facebook for the decision to share that data with Facebook, even though the website provider was not a data controller for the activities Facebook subsequently undertook with that data.

None of this is new law – however, the idea that there can only be one data controller in relation to a given data set, irrespective of who is in fact responsible for determining the means and purposes of processing operations in relation to that data, has proved curiously persistent. A number of organisations are now realising that data processing contracts signed in the rush to be ready for the GDPR are impossible to comply with because the other party is also a data controller, and are taking steps to rectify matters.

However, there are still a number of inappropriate data processing contracts in existence. We recommend that all organisations with data processing contracts in place with others who in fact have their own responsibility for determining the means and purposes of the processing involved (for example, any organisation whose staff are responsible for their own independent professional judgment and who owe their own duty of care to the data subjects) review those contracts and replace them with agreements that accurately reflect the nature of the data relationships.