Data protection case law Court of Justice

Joint controllers

2 pending referrals

Referral C-604/22 (IAB Europe, 19 Sep 2022)

Referral C-60/22 (Bundesrepublik Deutschland, 1 Feb 2022)

4 preliminary rulings

of 5 Dec 2023, C-683/21 (Nacionalinis visuomenės sveikatos centras)

Article 4(7) and Article 26(1) of Regulation 2016/679must be interpreted as meaning that the classification of two entities as joint controllers does not require that there be an arrangement between those entities regarding the determination of the purposes and means of the processing of personal data in question; nor does it require that there be an arrangement laying down the terms of the joint control.

Judgment of 29 Jul 2019, C-40/17 (Fashion ID)

The operator of a website, such as Fashion ID GmbH & Co. KG, that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor can be considered to be a controller, within the meaning of Article 2(d) of Directive 95/46. That liability is, however, limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue.

Judgment of 10 Jul 2018, C-25/17 (Jehovan todistajat)

Article 2(d) of Directive 95/46, read in the light of Article 10(1) of the Charter of Fundamental Rights, must be interpreted as meaning that it supports the finding that a religious community is a controller, jointly with its members who engage in preaching, for the processing of personal data carried out by the latter in the context of door-to-door preaching organised, coordinated and encouraged by that community, without it being necessary that the community has access to those data, or to establish that that community has given its members written guidelines or instructions in relation to the data processing.

Judgment of 5 Jun 2018, C-210/16 (Wirtschaftsakademie Schleswig-Holstein)

Article 2(d) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the concept of ‘controller’ within the meaning of that provision encompasses the administrator of a fan page hosted on a social network.