To discuss the matter of data protection, it is essential to recall Regulation n. 679/2016 as the most recent and concrete legislative means of addressing the question.
First, the provision of crucial importance is Art. 4 comma 7 of the GDPR, which qualifies the controller as “a natural or legal person, a public authority, agency, competent to determine the purposes and means of processing personal data”.
A practical application of this provision is the possibility for an employer to control his own employees' personal data, given that employers have the power to determine the purposes and means of the information processing procedure.
Second, a question arises: how are purposes and means to be defined and determined? Doctrine generally considers purposes as “an anticipated outcome that is intended” and means as “how a result is obtained or an end is achieved”.
A recently debated aspect, closely connected to the previous question, is whether a single verification carried out by a controller is a condicio sine qua non for implementing the content of EU Regulation n. 679/2016: according to the jurisprudence formulated in recent years by the CJEU, the control exercised by an employer shall be understood as “in its own extent to the entirety of processing”.
A further area of interest concerns the case in which control is exercised jointly by two subjects in determining the purposes and means of a processing operation: the compulsory criterion under the Guidelines Regulations for establishing this form of control is that “two different actions complementary to each other for an unique purpose have a tangible impact on the determination of purposes”.
Furthermore, the Guidelines principles clarify that the above-mentioned criterion shall not be considered satisfied if a process carried out by two different subjects could have been performed by one party alone, without intervention from the other.
The processor: definition and tasks
Under art. 4 comma 8, EU Regulation 679/2016 attributes to the processor the same definition as for the controller, but at the same time the following is precisely asserted under the Guidelines:
- the processor must be a legal entity separate from the controller;
- the processor must act on the controller’s behalf.
A more in-depth reasoning is found under art. 28 comma 1, which specifies the controller’s duty “to use processors at the same time able to provide sufficient guarantees from an organizational point of view and to make sure that personal data will be efficiently protected”.
An open question for the immediate future of jurisprudence is the following: quid iuris in case a violation of personal data should occur?
In the near future, a potential overlap of competence between the CJEU and the ECHR might emerge in case an individual faces discrimination from the point of view of freedom of religion rather than sexual orientation consequently to: in fact, the European Court of Human Rights might claim competence ratione personae where discrimination, whether direct or indirect, is perpetrated by a controller or a processor against an individual who has seen his or her own data used for a discriminatory and therefore illegitimate purpose, while the Court of Luxembourg might condemn the State on the ratione materiae principle, on the assumption that the CJEU is the competent judicial organ to establish whether a breach of a legally binding EU provision occurred or not.