The European Court of Justice (ECJ) in Luxembourg rendered a judgment on July 12 that explains, among other things, what a (joint) data controller is. The judgment is on the “old” EU Data Protection Directive 95/46/EC, but the relevant provisions in the General Data Protection Regulation (GDPR), Art. 4 and 26, are very similar.
1) Background
The case is about Jehovah’s Witnesses Community and whether taking notes in the course of their door-to-door preaching falls under the GDPR. The ECJ states that (a) their activities don’t fall under the exemptions for religious communities, and that (b) the community is a data controller jointly with its members who engage in this preaching activity.
2) Quotes from the Judgment (emphasis added)
65 “As expressly provided in Article 2(d) of Directive 95/46, the concept of ‘controller’ refers to the natural or legal person who ‘alone or jointly with others determines the purposes and means of the processing of personal data’. Therefore, that concept does not necessarily refer to a single natural or legal person and may concern several actors taking part in that processing, with each of them then being subject to the applicable data protection provisions (see, to that effect, judgment of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388, paragraph 29).
66 The objective of that provision being to ensure, through a broad definition of the concept of ‘controller’, effective and complete protection of the persons concerned, the existence of joint responsibility does not necessarily imply equal responsibility of the various operators engaged in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case (see, to that effect, judgment of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388, paragraphs 28, 43 and 44).
67 In that connection, neither the wording of Article 2(d) of Directive 95/46 nor any other provision of that directive supports a finding that the determination of the purpose and means of processing must be carried out by the use of written guidelines or instructions from the controller.
68 However, a natural or legal person who exerts influence over the processing of personal data, for his own purposes, and who participates, as a result, in the determination of the purposes and means of that processing, may be regarded as a controller within the meaning of Article 2(d) of Directive 95/46.
69 Furthermore, the joint responsibility of several actors for the same processing, under that provision, does not require each of them to have access to the personal data concerned (see, to that effect, judgment of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388, paragraph 38).
70 In the present case, as is clear from the order for reference, it is true that members of the Jehovah’s Witnesses Community who engage in preaching determine in which specific circumstances they collect personal data relating to persons visited, which specific data are collected and how those data are subsequently processed. However, as set out in paragraphs 43 and 44 of the present judgment, the collection of personal data is carried out in the course of door-to-door preaching, by which members of the Jehovah’s Witnesses Community who engage in preaching spread the faith of their community. That preaching activity is, as is apparent from the order for reference, organized, coordinated and encouraged by that community. In that context, the data are collected as a memory aid for later use and for a possible subsequent visit. Finally, the congregations of the Jehovah’s Witnesses Community keep lists of persons who no longer wish to receive a visit, from those data which are transmitted to them by members who engage in preaching.
71 Thus, it appears that the collection of personal data relating to persons contacted and their subsequent processing help to achieve the objective of the Jehovah’s Witnesses Community, which is to spread its faith and are, therefore, carried out by members who engage in preaching for the purposes of that community. Furthermore, not only does the Jehovah’s Witnesses Community have knowledge on a general level of the fact that such processing is carried out in order to spread its faith, but that community organises and coordinates the preaching activities of its members, in particular, by allocating areas of activity between the various members who engage in preaching.
3) Practical Consequences
- The status of a (joint) controller does not require that the controller has data access
- Written guidelines or instructions from the controller on the purpose and means of processing are not required
- Manual records/notes are also covered by the GDPR
- The level of control of the controller “in determining the purposes and means of processing of personal data” is the decisive factor
- The judgment will probably lead to a more intense discussion as to who is a (joint) controller
- One decisive factor will be to determine who “organized, coordinated and encouraged” the data processing