Amt der Tiroler Landesregierung (Protection of natural persons with regard to the processing of personal data - Concept of 'controller' - Judgment) [2025] EUECJ C-638/23 (27 February 2025)
Court of Justice of the European Communities (including Court of First Instance Decisions)
You are here:BAILII >>
Databases >>
Court of Justice of the European Communities (including Court of First Instance Decisions) >>
Amt der Tiroler Landesregierung (Protection of natural persons with regard to the processing of personal data - Concept of 'controller' - Judgment) [2025] EUECJ C-638/23 (27 February 2025)
URL: http://www.bailii.org/eu/cases/EUECJ/2025/C63823.html Cite as:
ECLI:EU:C:2025:127,
EU:C:2025:127,
[2025] EUECJ C-638/23
( Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 4(7) – Concept of ‘controller’ – Direct designation of the controller by national law – Auxiliary administrative entity in the service of a regional government – Lack of legal personality – Lack of legal capacity of the entity’s own – Determination of the purposes and means of the processing )
In Case C‑638/23,
REQUEST for a preliminary ruling under Article 267 TFEU from the Verwaltungsgerichtshof (Supreme Administrative Court, Austria), made by decision of 23 August 2023, received at the Court on 24 October 2023, in the proceedings
Amt der Tiroler Landesregierung
v
Datenschutzbehörde,
interveners:
Bundesministerin für Justiz,
CW,
THE COURT (Eighth Chamber),
composed of N. Jääskinen, President of the Ninth Chamber, acting as President of the Eighth Chamber, M. Gavalec (Rapporteur) and N. Piçarra, Judges,
Advocate General: M. Campos Sánchez-Bordona,
Registrar: A. Calot Escobar,
having regard to the written procedure,
after considering the observations submitted on behalf of:
– the Datenschutzbehörde, by M. Schmidl and E. Wagner, acting as Agents,
– the Bundesministerin für Justiz, by E. Riedl, acting as Agent,
– the Austrian Government, by A. Posch, J. Schmoll and C. Gabauer, acting as Agents,
– the European Commission, by A. Bouchagiar and M. Heller, acting as Agents,
having decided, after hearing the Advocate General, to proceed to judgment without an Opinion,
gives the following
Judgment
1 This request for a preliminary ruling concerns the interpretation of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).
2 The request has been made in proceedings between the Amt der Tiroler Landesregierung (Office of the Provincial Government of Tyrol, Austria) (‘the Office’) and the Datenschutzbehörde (Data Protection Authority, Austria) concerning allegedly unlawful processing of personal data of a natural person by the Office.
Legal context
European Union law
3 Recitals 1, 7, 10, 45 and 74 of the GDPR are worded as follows:
‘(1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union … and Article 16(1) [TFEU] provide that everyone has the right to the protection of personal data concerning him or her.
…
(7) … Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.
…
(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the [European] Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. …
…
(45) Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.
…
(74) The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.’
4 Article 1 of that regulation, entitled ‘Subject matter and objectives’, provides, in paragraph 2 thereof:
‘This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.’
5 Article 4 of the regulation, entitled ‘Definitions’, is worded as follows:
‘For the purposes of this Regulation:
…
(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
…
(7) “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
…’
6 Under Article 5 of that regulation, headed ‘Principles relating to processing of personal data’:
‘1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’
7 Article 6 of the GDPR, headed ‘Lawfulness of processing’, provides, in paragraphs 1 and 3 thereof:
‘1. Processing shall be lawful only if and to the extent that at least one of the following applies:
…
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
…
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
…
3. The basis for the processing referred to in point[s] (c) and (e) of paragraph 1 shall be laid down by:
(a) Union law; or
(b) Member State law to which the controller is subject.
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. …’
Austrian law
Tyrolean Provincial Code 1989
8 Paragraph 56 of the Landesverfassungsgesetz über die Verfassung des Landes Tirol (Tiroler Landesordnung 1989) (Regional Law on the Constitution of the Province of Tyrol (Tyrolean Provincial Code 1989)) of 21 September 1988, in the version applicable to the dispute in the main proceedings (‘Tyrolean Provincial Code 1989’), entitled ‘Landeshauptmann (Governor of the Province, Austria) (‘the Governor’), provides, in paragraph 1 thereof:
‘The [Governor] represents the Province of Tyrol.’
9 Paragraph 58 of the Tyrolean Provincial Code 1989, entitled ‘[Office]’, provides in paragraph 1 thereof:
‘The [Governor], the Provincial Government and its members shall have recourse to the [Office] to deal with their affairs. The [Governor] is the President of the [Office].’
The TDVG
10 Paragraph 2 of the Tiroler Datenverarbeitungsgesetz (Tyrolean Law on Data Processing ‘the TDVG’), provides:
‘1. The following shall be considered to be a controller within the meaning of Article 4(7) of [the GDPR]:
(a) the [Office];
…
3. Where the data processing is carried out or ordered by the Province of Tyrol, the [Office] shall always be regarded as responsible for such processing in so far as
(a) there is no joint responsibility within the meaning of subparagraph 1(b) or (c), and
(b) there is no entrusted processing within the meaning of Paragraph 5.’
The dispute in the main proceedings and the question referred for a preliminary ruling
11 In the context of measures aimed at fighting the COVID-19 pandemic, the Office, an auxiliary administrative entity in the service of the Governor and the Provincial Government of Tyrol, sent a ‘vaccination reminder letter’ to all adults residing in the Province of Tyrol who had not yet been vaccinated against that virus. For the purpose of identifying the addressees of those letters, the Office appointed two private companies, which conducted a cross-check of data in the central vaccination register and the patient index, which referred to their residential address.
12 On 21 December 2021, CW, one of those addressees, filed a complaint with the Data Protection Authority against the Office alleging unlawful processing of his personal data. Before that authority, the Office stated that it had the status of ‘controller’ and that it was behind the letter sent to CW.
13 By decision of 22 August 2022, that authority found that the Office had breached CW’s right to the protection of his personal data, in so far as, in order to send him a ‘vaccination reminder letter’, the Office had consulted the data of the person concerned in the vaccination register, even though it did not have a right to access that register or the patient index. The processing of CW’s personal data was therefore unlawful.
14 The Office brought an action against that decision before the Bundesverwaltungsgericht (Federal Administrative Court, Austria). That court held that, on the basis of the applicable national law, the Office had the status of controller, but it did not have a right to consult the vaccination register for the purposes of sending a reminder letter such as that sent to CW. Since that court rejected the Office’s action, the Office brought an appeal on a point of law against that judgment before the Verwaltungsgerichtshof (Supreme Administrative Court, Austria), the referring court.
15 That court finds that, in order to enable it to rule in the case before it, it must be determined whether the Office, in the context of that case, has the status of ‘controller’, within the meaning of Article 4(7) of the GDPR.
16 In that regard, the referring court points out the fact that the Office merely presented the Governor with a proposal to send a ‘vaccination reminder letter’, which the Governor approved in his capacity as President of the Office and representative of the Land of Tyrol, in accordance with Article 58 and Article 56(1) of the Tyrolean Provincial Code 1989 respectively. Therefore, the Office merely informed the Governor, first, what the proposed purpose of the processing of the personal data was, namely an increase in the vaccination rate, and, second, the means that would be implemented on the basis of that processing, namely the sending of such a ‘vaccination reminder letter’ using the data from the central vaccination register and the patient index.
17 According to the referring court, taking that approval from the Governor into account, only the Governor decided on both the purpose and the means of the processing of personal data, with the result that the Office cannot have the status of ‘controller’ within the meaning of the first part of Article 4(7) of the GDPR.
18 Nevertheless, that court is uncertain whether the Office could validly be designated as such by a provision of national law, namely Paragraph 2(1)(a) of the TDVG.
19 The Office is not a natural person or an authority responsible for the processing of personal data which gave rise to the sending of a ‘vaccination reminder letter’ to CW. The Office intervened in that processing only as an auxiliary administrative entity in the service of a public authority. The Office lacks legal personality and legal capacity of its own. Therefore, it must be determined whether the Office may, accordingly, be regarded as an ‘agency or other body’, within the meaning of the first part of Article 4(7) of the GDPR, capable of being designated as controller under national law, in accordance with the second part of Article 4(7) of that regulation.
20 In addition, that court notes that, in accordance with the second part of Article 4(7) of the GDPR, a controller may be designated directly only in so far as the purposes and means of the processing of the personal data concerned are determined by national law. While Paragraph 2(1)(a) of the TDVG designates the Office as controller, it does not state in a precise manner, however, the type of processing of personal data which may be carried out by the Office, the purposes that that processing should pursue or the means that the Office could implement to that effect.
21 The referring court adds that it follows from Article 6(1)(c) and (e) of the GDPR that processing of personal data is lawful if it is necessary for compliance with a legal obligation to which the controller is subject or if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. It follows from those conditions of lawfulness and the objective pursued by Article 4(7) of the GDPR of ensuring effective and extensive protection of data subjects that Member States can only designate as controller a person or entity which is in a position to determine the purposes and the means of the processing of personal data or, at the very least, to participate in that determination.
22 In those circumstances, the Verwaltungsgerichtshof (Supreme Administrative Court) decided to stay the proceedings and to refer the following question to the Court of Justice for a preliminary ruling:
‘Is Article 4(7) of [the GDPR] to be interpreted as precluding [the] application of a provision of national law (such as, in the present case, Paragraph 2(1) of the [TDVG]) in which a particular controller is provided for within the meaning of the second part of Article 4(7) of the GDPR but
– this is merely a service (such as, in the present case, the [Office]) which, although established by law, is not a natural or legal person nor, in the present case, an authority, but functions merely as an auxiliary apparatus for such an authority and has no full or partial legal capacity of its own;
– is nominated without reference to specific processing of personal data, with the result that the purposes and means of specific processing of personal data are not determined by Member State law either;
– neither alone nor jointly with others determined the purposes and means of the processing of personal data at issue in the present case?’
Consideration of the question referred
23 By its question, the referring court asks, in essence, whether Article 4(7) of the GDPR must be interpreted as meaning that it precludes national legislation which designates, as controller, an auxiliary administrative entity lacking legal personality and legal capacity of its own, without specifying, in a precise manner, the specific processing operations of personal data for which that entity is responsible or the purpose of those operations. That court also seeks to ascertain whether Article 4(7) of the GDPR must be interpreted as meaning that an entity designated as controller by national law, in accordance with that provision, must actually decide on the purposes and means of the processing of personal data to be required to respond, as controller, to requests submitted to it by data subjects on the basis of the rights which they derive from the GDPR.
24 As a preliminary point, it must be recalled that, under Article 4(7) of the GDPR, the concept of ‘controller’ covers natural or legal persons, public authorities, agencies or other bodies which, alone or jointly with others, determine the purposes and means of the processing of personal data. That provision also states that, where the purposes and means of such processing are determined, inter alia, by the law of a Member State, the controller may be nominated or the specific criteria for its nomination may be provided for by that law.
25 It is apparent from the case-law of the Court that that provision is intended to ensure, through a broad definition of the concept of ‘controller’, effective and complete protection of data subjects (see, to that effect, judgments of 5 December 2023, Nacionalinis visuomenės sveikatos centras, C‑683/21, EU:C:2023:949, paragraph 29, and of 5 December 2023, Deutsche Wohnen, C‑807/21, EU:C:2023:950, paragraph 40).
26 The objective pursued by the GDPR, as is set out in Article 1 thereof and in recitals 1 and 10 thereof, consists, inter alia, in ensuring a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data, as enshrined in Article 8(1) of the Charter of Fundamental Rights and Article 16(1) TFEU (judgment of 7 March 2024, IAB Europe, C‑604/22, EU:C:2024:214, paragraph 53 and the case-law cited).
27 Having regard to the wording of Article 4(7) of the GDPR, read in the light of that objective, in order to establish whether a person or entity is to be classified as a ‘controller’ within the meaning of that provision, it must be examined whether that person or entity determines, alone or jointly with others, the purposes and means of the processing or whether those purposes and means are determined by national law. Where such determination is made by national law, it must then be ascertained whether that law nominates the controller or provides for the specific criteria for its nomination (judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraph 29).
28 Having regard to the broad definition of the concept of ‘controller’ within the meaning of Article 4(7) of the GDPR, the determination of the purposes and means of the processing and, where appropriate, the nomination of that controller by national law may not only be explicit but also implicit. In the latter case, that determination must nevertheless be derived with sufficient certainty from the role, task and powers conferred on the person or entity concerned (judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraph 30).
29 It is in the light of those preliminary considerations that the question referred is to be examined. To that effect, it is necessary, first, to determine to what extent the national legislature can validly designate an auxiliary administrative entity in the service of public authorities as controller, within the meaning of the second part of Article 4(7) of the GDPR, where that entity lacks legal personality and legal capacity of its own.
30 In that regard, it should be noted that the Court has already ruled that it is apparent from the clear wording of Article 4(7) of the GDPR that a controller may be not only a natural or legal person, but also a public authority, an agency or a body, and such entities do not necessarily have legal personality under national law (see, to that effect, judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraph 36).
31 Accordingly, it cannot be ruled out that an entity may be classified as a ‘controller’, within the meaning of that provision, even if that entity lacks legal personality.
32 Moreover, as regards the question of whether the classification of an entity as ‘controller’ requires that entity to have legal capacity of its own, or if it is sufficient, for that purpose, that the entity concerned is provided with a certain capacity to decide and to act in the context of the protection of personal data, the Court notes that it is apparent from recital 74 of the GDPR that the EU legislature intended that the responsibility of the controller be identical whether the processing of personal data that it carries out is undertaken by the controller itself or by a third party, but on its behalf. That legislature also intended to ensure that the controller is obliged to implement appropriate and effective measures and is able to demonstrate the compliance of processing activities with that regulation, including the effectiveness of the measures in question, and that those measures should take into account the nature, scope, context and purpose of the processing and the risk to the rights and freedoms of natural persons.
33 It is to that extent that Article 5(2) of the GDPR establishes a principle of accountability, under which the controller is responsible for compliance with the principles relating to the processing of personal data set out in Article 5(1) and provides that that controller must be able to demonstrate compliance with those principles.
34 Taking into account the legal obligations to which the controller referred to in Article 4(7) of the GDPR is subject, the controller must, in accordance with the procedures provided for by the legislation of the Member State to which it belongs, be able to fulfil, in fact and in law, those obligations, without it being relevant, in that regard, whether that entity has legal personality and legal capacity of its own.
35 In the present case, it is for the referring court to determine whether the Office is authorised by Austrian law to assume the responsibilities and obligations that the GDPR imposes on the controller, having regard in particular to the fact, which has not been contested before the national courts hearing the dispute in the main proceedings, that the Office may bring an action against the decision of the Data Protection Authority, in the same way that it may be the subject of a complaint before that authority. The referring court may also take into consideration the fact that the Office appointed two private companies to carry out the processing of personal data in the central vaccination register and in the index of the patients residing in the Province of Tyrol.
36 Second, the referring court is uncertain whether a national legislature may designate an entity as controller, under the second part of Article 4(7) of the GDPR, without specifying, in a precise manner, the processing of personal data that that entity may be required to carry out, its purpose or the precise means that it may implement for the purposes of that processing.
37 As recalled in paragraph 28 above, where national law designates an entity as controller, the determination of the purposes and means of the processing by that law may be implicit, provided that that determination is derived with sufficient certainty from the role, task and powers conferred on that entity. That condition is met if those purposes and means arise, in essence, from the provisions of national law governing the activity of that entity.
38 The direct designation, by the national legislature, of an entity as controller contributes to the objective of legal certainty pursued by the GDPR, as is apparent from recital 7 thereof, by allowing natural persons whose personal data are subject to processing to easily identify the entity responsible for ensuring compliance with the rights conferred on them by that regulation.
39 The validity of such a designation is, however, subject to the condition that national legislation determine the scope of the processing of personal data for which that entity is designated as responsible, without it being necessary for that legislature to have listed, exhaustively, all the processing operations for which that entity is thus designated. As set out in recital 45 of that regulation, ‘a law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient.’
40 It follows that national legislation which designates an entity as controller without expressly listing all the specific processing operations of personal data for which it is responsible or the purpose of those processing operations is compatible with Article 4(7) of the GDPR, in so far as that legislation determines, explicitly or at least implicitly, the scope of the processing of personal data for which that entity is designated as responsible.
41 In the present case, it is for the referring court to determine whether the processing of personal data which the Office carried out for the purposes of preparing and sending the ‘vaccination reminder letters’ at issue in the main proceedings is compatible with the purposes which must be fulfilled by the processing operations of personal data for which the Office has been designated as responsible, as those purposes follow, at least implicitly, from all the provisions of national law governing its activity and, moreover, the means that it may implement to that effect. The sole fact that those national provisions do not specify, where appropriate, in a precise manner, the processing operations that the Office is authorised to carry out cannot preclude the classification of an entity such as the Office as controller within the meaning of Article 4(7) of the GDPR.
42 Third, the referring court asks whether an entity designated by national legislation as controller, within the meaning of the second part of Article 4(7) of the GDPR, must also decide itself, or with other competent authorities, the purposes and means of the processing of personal data for which it is designated as responsible, in order for it to be required to respond, in that capacity, to requests submitted to it by data subjects on the basis of the rights which they derive from the GDPR.
43 In that regard, it is sufficient to observe that it is in order to establish an entity’s status as a controller, within the meaning of the first part of Article 4(7) of the GDPR, that it is necessary to examine whether that entity actually exerted influence, for its own purposes, over the determination of the purposes and means of the processing in question (see, to that effect, judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras, C‑683/21, EU:C:2023:949, paragraphs 30 and 31).
44 By contrast, in order to establish an entity’s status as a controller, within the meaning of the second part of Article 4(7) of the GDPR, as is apparent from the clear wording of that provision, it is not necessary that that entity exercises influence over the determination of the purposes and means of the processing in question.
45 Such an entity, designated by national law as controller, does not therefore have to decide itself the purposes and means of the processing of personal data in order to be required to respond, as controller, to requests submitted to it by data subjects on the basis of the rights which they derive from the GDPR.
46 In that regard, the Court has already ruled that the validity of a direct designation was not affected by the fact that, under national law, the entity designated as controller does not exercise any control over the personal data that it is required to process (see, to that effect, judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraphs 37 and 38).
47 Such an interpretation is in accordance with the objective of legal certainty pursued by the GDPR. As the European Commission pointed out in its written observations, that objective would be compromised if, in order to be able to consider that that designation was validly made by the national legislature, data subjects had to verify that the entity designated as controller of their personal data has the power to determine itself the purposes and means of such processing.
48 It is also important to add that the fact that it is not necessary for an entity designated by national law as controller to be empowered also to decide itself the purposes and means of the processing of personal data in order to be required to respond, as controller, to requests submitted to it by data subjects on the basis of the rights which they derive from the GDPR does not however deprive those data subjects of the possibility of sending those requests to another entity which they consider to be responsible or jointly responsible for the processing of their personal data due to the influence that that other entity exercised over the determination of the purposes and means of the processing in question.
49 In the light of the foregoing, the answer to the question referred is that Article 4(7) of the GDPR must be interpreted as not precluding national legislation which designates, as controller, an auxiliary administrative entity lacking legal personality and legal capacity of its own, without specifying, in a precise manner, the specific processing operations of personal data for which that entity is responsible or the purpose of those operations in so far as, first, such an entity is able to fulfil, in accordance with that national legislation, the obligations on a controller towards data subjects with respect to the protection of personal data and, second, that national legislation determines, explicitly or at least implicitly, the scope of the processing of personal data for which that entity is responsible.
Costs
50 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (Eighth Chamber) hereby rules:
Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
must be interpreted as not precluding national legislation which designates, as controller, an auxiliary administrative entity lacking legal personality and legal capacity of its own, without specifying, in a precise manner, the specific processing operations of personal data for which that entity is responsible or the purpose of those operations in so far as, first, such an entity is able to fulfil, in accordance with that national legislation, the obligations on a controller towards data subjects with respect to the protection of personal data and, second, that national legislation determines, explicitly or at least implicitly, the scope of the processing of personal data for which that entity is responsible.
