In answering the second preliminary question, the Court starts by outlining the legal framework, providing a convenient and concise overview of relevant Court judgments.

High level of protection and broad interpretation of concept of ‘controller’

First, the Court recalls that the purpose of the GDPR is, in particular, to ensure a high level of protection of the fundamental freedoms and rights of natural persons (data subjects).[1] In view of that objective, a broad definition of the term “controller” follows from Article 4(7) GDPR and the case law relating to that article.[2] The broad definition of controller is thus intended to ensure effective and complete protection of data subjects.

Joint controllers

Next, the Court considers joint control. After all, it follows from Article 4(7) GDPR that the purpose and means of data processing may be determined alone or jointly with others. Thus, the concept of controller may cover several participants in a processing operation, each of which must then separately comply with the provisions of the GDPR.[3] If a natural person or legal entity exercises influence over the processing of personal data for its own purposes and is therefore involved in determining the purposes and means of data processing, it must be considered a controller. If two or more controllers jointly determine the purposes and means of processing, they are joint controllers within the meaning of Article 26 GDPR.[4]

Involvement in determining the purposes and means of processing may take different forms. It may involve a joint decision between two or more parties or convergent decisions by those parties. In the case of convergent decisions, the separate decisions of the parties must complement each other in a way that each has a concrete effect on the determination of the purposes and means of processing. However, it is not necessary for the emergence of joint controllership for there to be a formal agreement between the parties as to the purposes and means of processing. What is decisive for qualification is the factual situation (and not the legal reality).[5]

Each of the joint controllers must therefore individually qualify as a controller within the meaning of Article 4(7) GDPR. However, the existence of joint controllership does not necessarily lead to equal responsibility of the different participants in the same data processing operation. On the contrary, the participants may be involved in the processing at different stages and to different degrees. The level of involvement must therefore be assessed in light of all relevant circumstances of the case. This is further compounded by the fact that joint controllership does not presuppose that each individual participant has access to the personal data in question. [6]


[1] The Court refers to Article 1 AVG, recitals 1 and 10 to the AVG and to the judgment of May 4, 2023, Bundesrepublik Deutschland (Judicial Electronic Mailbox),C-60/22, EU:C:2023:373, para. 64.

[2] The Court refers to the judgment of June 5, 2018, Wirtschaftsakademie Schleswig-Holstein, C-210/16, EU:C:2018:388, para. 28)

[3] The Court refers to see Judgments of June 5, 2018, Wirtschaftsakademie Schleswig-Holstein, C-210/16, EU:C:2018:388, para. 29, and July 10, 2018, Jehovan todistajat, C-25/17, EU:C:2018:551, para. 65.

[4] The Court refers to the judgment of July 10, 2018, Jehovan todistajat, C-25/17, EU:C:2018:551, paragraph 68 and the judgment of December 5, 2023, Nacionalinis visuomenės sveikatos centras, C-683/21, EU:C:2023:949, paragraph 40.

[5] The Court refers to the judgment of December 5, 2023, Nacionalinis visuomenės sveikatos centras, C-683/21, EU:C:2023:949, paragraphs 43 and 44.

[6] The Court refers to judgment of July 10, 2018, Jehovan todistajat, C-25/17, EU:C:2018:551, paragraphs 66 and 69 and case law cited there.

Ask your questions to our specialists