(7) Controller

Home > Personal Data Protection > General Data Protection Regulation (GDPR) > Article 4 - Definitions > (7) Controller

2 pending referrals

Referral C-205/25 (Bayerisches Landesamt für Datenschutzaufsicht, 17 Mar 2025)

Referral C-185/25 (Waldfelber, 7 Mar 2025)

12 preliminary rulings

Judgment of 2 Dec 2025, C-492/23 (Russmedia Digital and Inform Media Press)

Article 5(2) and Articles 24 to 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)must be interpreted as meaning that the operator of an online marketplace, as controller, within the meaning of Article 4(7) of that regulation, of the personal data contained in advertisements published on its online marketplace, is required, before the publication of the advertisements and by means of appropriate technical and organisational measures,– to identify the advertisements that contain sensitive data in terms of Article 9(1) of that regulation,– to verify whether the user advertiser preparing to place such an advertisement is the person whose sensitive data appear in that advertisement and, if this is not the case,– to refuse publication of that advertisement, unless that user advertiser can demonstrate that the data subject has given his or her explicit consent to the data in question being published on that online marketplace, within the meaning of Article 9(2)(a), or that one of the other exceptions provided for in Article 9(2)(b) to (j) is satisfied.

Judgment of 30 Apr 2025, C-313/23 (Inspektorat kam Visshia sadeben savet)

Article 4(7) of Regulation 2016/679 must be interpreted as meaning that a court having jurisdiction to authorise, at the request of another judicial body, disclosure by a bank to that body of data relating to the bank accounts of judges, public prosecutors and investigating magistrates as well as of their family members, cannot be classified as a controller within the meaning of that provision.

Judgment of 27 Feb 2025, C-638/23 (Amt der Tiroler Landesregierung)

Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as not precluding national legislation which designates, as controller, an auxiliary administrative entity lacking legal personality and legal capacity of its own, without specifying, in a precise manner, the specific processing operations of personal data for which that entity is responsible or the purpose of those operations in so far as, first, such an entity is able to fulfil, in accordance with that national legislation, the obligations on a controller towards data subjects with respect to the protection of personal data and, second, that national legislation determines, explicitly or at least implicitly, the scope of the processing of personal data for which that entity is responsible.

Judgment of 4 Oct 2024, C-200/23 (Agentsia po vpisvaniyata)

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), in particular Article 4(7) and (9) thereof must be interpreted as meaning that the authority responsible for maintaining the commercial register of a Member State which publishes, in that register, the personal data contained in a company’s constitutive instrument, which is subject to compulsory disclosure under Directive 2017/1132 and was transmitted to it in an application for registration of the company concerned in that register, is both a ‘recipient’ of those data and, particularly in so far as it makes them available to the public, a ‘controller’ of those data, within the meaning of that provision, even where that instrument contains personal data not required by that directive or by the law of that Member State.

Judgment of 11 Jul 2024, C-461/22 (MK)

Judgment of 7 Mar 2024, C-604/22 (IAB Europe)

Article4(7) and Article26(1) of Regulation 2016/679must be interpreted as meaning that:–first, a sectoral organisation, in so far as it proposes to its members a framework of rules that it has established relating to consent to the processing of personal data, which contains not only binding technical rules but also rules setting out in detail the arrangements for storing and disseminating personal data relating to such consent, must be classified as a ‘joint controller’ for the purpose of those provisions where, in the light of the particular circumstances of the individual case, it exerts influence over the personal data processing at issue, for its own purposes, and determines, as a result, jointly with its members, the purposes and means of such processing. The fact that such a sectoral organisation does not itself have direct access to the personal data processed by its members under those rules does not preclude it from holding the status of joint controller for the purpose of those provisions;–second, the joint controllership of that sectoral organisation does not extend automatically to the subsequent processing of personal data carried out by third parties, such as website or application providers, with regard to users’ preferences for the purposes of targeted online advertising.

Judgment of 11 Jan 2024, C-231/22 (Belgian State)

Point 7 of Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that the agency or body responsible for the official journal of a Member State, which is inter alia required, under the law of that State, to publish as they stand official acts and documents that have been prepared by third parties under their own responsibility in compliance with the applicable rules, then lodged with a judicial authority that sends them to it for publication, may, notwithstanding its lack of legal personality, be classified as a ‘controller’ of the personal data contained in those acts and documents, where the national law concerned determines the purposes and means of the processing of personal data performed by that official journal.

Article 5(2) of Regulation 2016/679, read in conjunction with point 7 of Article 4 and Article 26(1) thereof, must be interpreted as meaning that the agency or body responsible for the official journal of a Member State, classified as a ‘controller’ within the meaning of point 7 of Article 4 of that regulation, is solely responsible for compliance with the principles set out in Article 5(1) thereof as regards the personal data processing operations that it is required to perform under national law, unless joint responsibility with other entities in respect of those operations arises under that law.

Judgment of 5 Dec 2023, C-683/21 (Nacionalinis visuomenės sveikatos centras)

Article4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),must be interpreted as meaning that an entity which has entrusted an undertaking with the development of a mobile IT application and which has, in that context, participated in the determination of the purposes and means of the processing of personal data carried out through that application may be regarded as a controller, within the meaning of that provision, even if that entity has not itself performed any processing operations in respect of such data, has not expressly agreed to the performance of specific operations for such processing or to that mobile application being made available to the public, and has not acquired the abovementioned mobile application, unless, prior to that application being made available to the public, that entity expressly objected to such making available and to the resulting processing of personal data.

Article 4(7) and Article 26(1) of Regulation 2016/679 must be interpreted as meaning that the classification of two entities as joint controllers does not require that there be an arrangement between those entities regarding the determination of the purposes and means of the processing of personal data in question; nor does it require that there be an arrangement laying down the terms of the joint control.

Judgment of 9 Jul 2020, C-272/19 (Land Hessen)

Judgment of 29 Jul 2019, C-40/17 (Fashion ID)

The operator of a website, such as FashionID GmbH & Co. KG, that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor can be considered to be a controller, within the meaning of Article 2(d) of Directive 95/46. That liability is, however, limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue.

Judgment of 10 Jul 2018, C-25/17 (Jehovan todistajat)

Article 2(d) of Directive 95/46, read in the light of Article 10(1) of the Charter of Fundamental Rights, must be interpreted as meaning that it supports the finding that a religious community is a controller, jointly with its members who engage in preaching, for the processing of personal data carried out by the latter in the context of door-to-door preaching organised, coordinated and encouraged by that community, without it being necessary that the community has access to those data, or to establish that that community has given its members written guidelines or instructions in relation to the data processing.

Judgment of 13 May 2014, C-131/12 (Google Spain and Google)

Article2(b) and (d) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data are to be interpreted as meaning that, first, the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as ‘processing of personal data’ within the meaning of Article 2(b) when that information contains personal data and, second, the operator of the search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 2 (d).

Disclaimer