… In a world where personal data have become a bargaining chip and constitute a newly found goldmine for businesses, under what conditions can administrative fines be imposed to controllers or processors for breach of the data protection rules set out in
Regulation
(EU)
2016
/
679
? (2) More specifically, is a ‘fault’ element required to be fulfilled before they can be subject to such fines? …
… Whether personal data are collected with a view to testing the IT systems embedded in a mobile application or for another purpose has, for its part, no bearing on the question of whether the operation in question qualifies as ‘processing’.
(4) Article 83 of
Regulation
2016
/
679
must be interpreted as meaning that a fine can only be imposed in order to sanction a breach of the rules of that regulation which has been committed ‘intentionally or negligently’. …
… However, if the processor processes personal data outside of, or contrary to, the lawful instructions of the controller and uses the personal data received for its own purposes, and it is clear that the parties are not ‘joint controllers’, within the meaning of Article 4(7) and Article 21(6) of
Regulation
2016
/
679
, then the controller cannot be fined, in application of Article 83 of that regulation, in relation to the unlawful processing that took place.
1 Original language: English.
2 Regulation …