Three CJEU pronouncements have clarified some important aspects of the general concepts of “processing” and “personal data.”
Some of the Court’s considerations are of general relevance; others must be contextualized to the case before the Luxembourg judges.
The rulings were all delivered on March 7, 2024; two are in response to references for preliminary rulings, specifically:
- c-740/22 on the Shine Finland Oy case on the notion of “processing of personal data“
- c-604/22 IAB Europe on the notion of “personal data,” “controller,” and “joint controllers“
The third – a decision on the appeal regarding a judgment of the European General Court – is c-479/22 P, on the OC case on the notion of “personal data” and “identifiable natural person,” referring to Regulation (EU) 2018/1725 but whose analysis is also applicable to the GDPR.
Conclusions
The following general conclusions can be drawn from the cross-analysis of the aforementioned three CJEU decisions:
- the legal concepts of “processing,” “personal data,” and “data controller” should be interpreted broadly and inclusively
- this key to interpretation derives both from the letter of the provisions, all of which use the term “any” in the defining text along with additional broad expressions, and from the aim pursued by the legislator of the GDPR, which intends to offer a high level of protection to the rights and freedoms of data subjects, as made explicit in the text of the regulation
- From these premises, we come to the conclusion that:
- “Processing” includes any operation on personal data even if it consists of a communication in oral form between two parties
- “Personal data” also includes that information which is non-identifying but which could identify the individual, even indirectly, through the association of other related information, even if in the possession of parties other than the data controller
- A “data controller” is a person who determines or helps to determine the purposes and means of the processing of personal data, even if he or she does not have material access to the data in question; in the case of more than one person in such a position, each will be a “joint controller” and will be fully accountable for the part referable to his or her own determinations.