In the latest decision from the CJEU, nearly 4,000 users' personal data had been collected by a Covid-19 mobile app released to the public without the Lithuanian Ministry's express approval, and yet the Lithuanian Ministry was still held liable for the processing.
In this episode of Fieldfisher's Bytesize Legal Updates podcast, featuring technology and data specialists James Russell and Richard Lawne, we delve into the court's decision and what this means for controllers and processors.
The case has led to debate over who should be held accountable as a data controller. The podcast provides an in-depth analysis of the case, highlighting the broad interpretation of controllership under GDPR. The case's outcome indicates that entities can be considered data controllers if they influence processing and set parameters, even without expressly authorising processing. The podcast emphasises the need for clear contractual agreements between controllers and processors, both to avoid ambiguities and liabilities and to capture clear processing instructions.