Controllers are liable for their processors regardless of fault pursuant to Art. 83 (1) GDPR – Opinion of the Advocate General

The submissions of Advocate General Nicolas Emiliou are based on a reference for a preliminary ruling by the Regional Administrative Court in Vilinius (Lithuania), which provides an opportunity to clarify the range of liability for administrative fines under data protection law. The national court asked the ECJ, whether the provision of Art. 83 (1) GDPR should be interpreted as meaning that the controller (Art. 4 No. 7 GDPR) is liable for illegal data processing by the processor (Art. 4 No. 8 GDPR, Art. 28 GDPR) without any fault. In his conclusion, the Advocate General explained comprehensively with regard to Art. 83 GDPR that strict liability of the controller comes into consideration if the processor violates data protection provisions; in individual cases, an administrative fine can then be imposed pursuant to Art. 83 (1) GDPR.

 

In this regard, the Advocate General cited the following guiding principles:

 

According to the Advocate General, a culpable breach of applicable data protection provisions is at first a mandatory requirement. In this regard, the Advocate General states that Art. 83(2)(b) of the GDPR specifies the intentionality or negligence of the infringement expressis verbis and that this must be a minimum requirement - also according to the intention of the EU legislator. In addition, the Advocate General interprets the provision in such a way that the liability to pay an administrative fine has the character of a criminal sanction and therefore a mens rea (a subjective element) is also required.

  

With regard to the second mandatory requirement, the Advocate General suggested that there is a constellation in which the controller is liable without fault. This refers to the case where the unlawful processing is carried out by a processor on behalf of the controller. Only in this case is there a risk of liability for the controller and thus also strict liability. At the same time, the Advocate General limits the risk of liability for the controller by refusing to impose a fine on the controller in the case of unauthorized illegal data processing by the processor for its own purposes - without being a "joint controller" according to Article 26 GDPR. In this way, the scope of strict liability of the controller is to be understood restrictively.

 

If the ECJ follows the Advocate General's mandatory requirement, the implied strict liability - despite its restrictive range - would lead to considerable consequences in practice. In order to avoid the risk of liability, the Data Processing Agreements (DPA) between the controller and the processor should be carefully formulated, in particular with regard to the form of the controller's instructions. Care should be taken to ensure that the processor does not have any discretion with regard to data processing. 

  

In addition, precise instructions in the DPA pursuant to Art. 28 (3) sentence 2 a) GDPR can provide evidence that the processor did not act within the range of its instructions in the individual case or acted on its own authority. In addition, the level of responsibility according to Art. 83 (2) sentence 2 d) GDPR may also have an impact on the assessment of the administrative fine, which is why a precisely formulated DPA in practice - against the background of the threat of strict liability – will become more important.

  

It therefore remains interesting to be seen whether the ECJ will actually follow the Advocate General's opinion and thereby ensure greater legal clarity in data protection administrative fine proceedings.