The privacy and personal data protection legal landscape witnessed a landmark period as the Court of Justice of the European Union (CJEU) rendered several pivotal judgments in GDPR-related cases.

1. The CJEU's Verdicts: A Breakdown

(a) Case C‑634/21 SCHUFA Holding AG: Automated Decision-Making under Article 22(1) of GDPR

The CJEU's judgment addressed the complex realm of automated decision-making by credit information agencies. Central to this examination was the automated creation of a probability value derived from personal data, for the purpose of evaluating an individual's future payment capabilities. The main question raised was whether this automated process fell within the scope of 'automated individual decision-making' and its further impact on contractual relationships.

The CJEU outlined the three fundamental conditions stipulated in Article 22(1) of the GDPR:

  1. Existence of a Decision: The CJEU embarked on a nuanced exploration to define what constituted a 'decision' within the GDPR framework. It encompassed acts or calculations that significantly influenced an individual's legal status, such as determining their creditworthiness.
  2. Solely Automated Processing: Scrutiny was directed towards discerning whether the decision-making process relied exclusively on automated procedures or profiling. This involved an assessment of the methodology behind generating the probability value and its alignment with the GDPR's definition of profiling.
  3. Legal Effects or Significant Impact: An in-depth analysis was conducted to ascertain the consequential influence of the probability value on third-party decisions and the potential substantial impact on individuals, including implications like loan refusals.

The CJEU, therefore, categorised the automated creation of the probability value as falling within the scope of 'automated individual decision-making.' Consequently, stringent restrictions and specific measures outlined in the GDPR to ensure fairness, transparency, and the protection of individual rights were unequivocally mandated.

(b) Case C‑807/21 Deutsche Wohnen SE: Imposition of Administrative Fines on Data Controllers

This ruling clarified the imposition of fines on data controllers breaching GDPR obligations. Key points discussed by the CJEU included:

  • Accountability of Controllers: The judgment emphasized that both natural and legal persons can be held accountable for violations of the GDPR.
  • Identification of Misconduct: It clarified that fines do not necessarily require the linking of an infringement to a specific natural person, but need proof of intentional or negligent misconduct by the controller.

As a result, the decision clarified the broader accountability framework for violations under GDPR, focusing on establishing misconduct by the controller, rather than pinpointing individuals linked to the infringement as the accountable party.

(c) Case C‑683/21 Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos: Defining Controllership in Mobile App Development

Delving into the nuances of Article 4(7) of the GDPR, this CJEU's judgment delineated whether entities outsourcing mobile app development could be deemed data controllers without their direct involvement in the data processing.

The interpretation of the CJEU highlighted the expansive scope of controllership within the GDPR framework. The CJEU emphasised that an entity may be categorised as a controller if it significantly influenced processing purposes and means, irrespective of their direct involvement in processing activities.

As a result, this case clarifies that an entity outsourcing IT application development can be seen as a data controller if it influences data processing decisions. The CJEU, thus, makes it clear that joint controllership does not need a formal arrangement but involves converging decisions impacting data processing. The CJEU also clarified that using personal data for IT testing is considered processing unless the data are made anonymous or fictitious. Administrative fines require proof of intentional or negligent infringement by the controller and can be imposed for a processor's actions unless the processor operates independently or against the controller's consent. These interpretations provide important guidance on GDPR responsibilities, controllership, joint control, and fine imposition.

(d) Case C340/21 Natsionalna agentsia za prihodite: Security Measures, Liability, and Data Breaches

The judgment of the CJEU in this case delved into evaluating the adequacy of security measures taken by the controller and their liability in cases of unauthorised data access by the third parties. The analysis included the burden of proof, adequacy assessments, and exemptions from compensating for damages due to breaches.

Emphasising that unauthorised access does not automatically render controllers liable, the CJEU placed the onus on controllers to substantiate the adequacy of implemented security measures. National courts are urged to consider various forms of evidence, beyond expert reports, to comprehensively assess security measures. Furthermore, controllers might be exempt from liability if they can incontrovertibly demonstrate a lack of causal connection between their actions and resulting damages. Especially in instances where breaches occurred solely due to third-party actions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.