Under the GDPR, data controllers have several obligations, such as maintaining records of processing activities or, in the case of joint controllers, entering into an arrangement that determines their respective responsibilities for compliance with their data protection obligations. In a recent case, the Court of Justice of the European Union (‘CJEU’) had to decide whether non-compliance with these obligations constitutes unlawful processing that gives rise to a duty to erase the personal data of the data subject.
As to the factual background of the case, the German Federal Office for Migration and Refugees (‘Federal Office’) rejected the applicant’s application for internal protection. The applicant challenged this decision before the administrative court, whereupon the Federal Office sent an electronic file containing the applicant’s personal data to the court via the electronic court and administrative mailbox.
The administrative court had doubts as to whether the maintenance and the transmission of the electronic file complied with the GDPR, for two reasons. First, the Federal Office had not produced a complete record of the processing activities relating to the electronic file in accordance with Article 30 of the GDPR. Second, contrary to Article 26 of the GDPR, no national legislation governs the transmission of the electronic file, and the Federal Office had not provided an arrangement on joint responsibility.
In this context, the German administrative court asked the CJEU whether the controller’s failure to comply with the accountability principle of the GDPR (Article 5), specifically by not concluding an arrangement determining joint responsibility for processing and by not maintaining a record of processing activities, constitutes unlawful processing that confers on the data subject a right to erasure or to restriction of processing.
The decision of the CJEU
The CJEU recalled that the lawfulness of processing is precisely the subject of Article 6 of the GDPR. This means that processing is lawful only if one of the six conditions set out in Article 6 is met, for example if the data subject has given consent to the processing, or if the processing is necessary for the performance of a contract or for the legitimate interests of the controller.
However, neither compliance with the obligation laid down in Article 26 of the GDPR to conclude an arrangement determining joint responsibility for processing, nor compliance with the obligation to maintain a record of processing activities laid down in Article 30, is among the grounds for lawfulness of processing set out in Article 6 of the GDPR.
Thus, an infringement of Articles 26 and 30 of the GDPR does not constitute unlawful processing within the meaning of the right to erasure (Article 17(1)(d)) or of the right to restriction of processing (Article 18(1)(b)), since such a breach does not, in itself, mean that the controller has violated the principle of “accountability” (Article 5).
This means that the ‘sanction’ for violations of Articles 26 and 30 of the GDPR is not the erasure of the personal data or the restriction of the processing, but the other corrective measures provided for by the GDPR, such as the obligation to bring the processing operations into compliance with the GDPR, the lodging of a complaint with the supervisory authority, or compensation for any damage caused by the controller.
The CJEU decision presented above is important because it draws a clear distinction between the legal basis of the processing and the “secondary” data-protection obligations of controllers (and processors) under the GDPR.
The CJEU clarified that the lawfulness of a processing activity depends solely on whether a legal basis (under Article 6) exists for the processing. Where the appropriate legal basis is missing, the data subject may demand the erasure of his or her personal data or the restriction of the processing. By contrast, if the processing has a legal basis in accordance with the GDPR but the controller fails to comply with other obligations provided for by the GDPR, the other corrective measures apply instead.
By Anita Vereb, Attorney-at-law, SmartLegal Schmidt & Partners