On 5 December 2023, the Court of Justice of the EU handed down a Grand Chamber judgment on GDPR enforcement in a Lithuanian case concerning the processing of personal data by a mobile app used to track the spread of COVID-19.

In this Lithuanian case, the National Public Health Centre, operating under the Ministry of Health, challenged a €12,000 fine imposed on it. The fine related to the development of a mobile application, carried out with a private company, designed to register and monitor data on individuals exposed to COVID-19.

Sitting as the Grand Chamber, the Court held that administrative fines for infringements of the General Data Protection Regulation (GDPR) can only be imposed when the infringement was committed wrongfully, that is, intentionally or negligently. An infringement is negligent where the controller could not have been unaware of the infringing nature of its conduct, whether or not it knew that it was breaching the GDPR. Legal persons, including organisations, can be fined for GDPR infringements committed by any natural person acting on their behalf, not only by their management body, and without the need to identify a specific natural person responsible for the infringement.

The judgment also confirmed that a controller can be fined for processing carried out by a processor on its behalf, unless the processor processed the data for its own purposes or in a manner incompatible with the controller's instructions. On joint controllership, the Court clarified that no formal arrangement is required: entities become joint controllers as soon as they jointly determine the purposes and means of processing. The obligation to put an arrangement in place allocating their respective responsibilities (Article 26 GDPR) is a consequence of that joint controllership, not a precondition for it.

For entities forming part of a group, the supervisory authority must calculate the fine using the concept of an "undertaking" from EU competition law (Articles 101 and 102 TFEU). The maximum fine is therefore a percentage of the total worldwide annual turnover of the undertaking as a whole in the preceding business year, which ensures a uniform approach to fine calculation.

Reference: case C-683/21 (ECLI:EU:C:2023:949).

Full text of the decision available at en