CJEU - C-185/25 - Waldfelber
CJEU Advocate General opinion on GDPR controller status for public officials.
Summary
The CJEU Advocate General has provided an opinion in a case concerning whether a public school headteacher can be considered a GDPR controller. The case involves a headteacher who, after receiving negative information about a proposed program coordinator, emailed a university requesting a different coordinator. The Advocate General suggests that individuals acting within public bodies, especially when processing data using prescribed means, may not be considered controllers if they are acting on behalf of the entity. The opinion also touches on the scope of the right of access and potential compensation for GDPR breaches.
Full text
Help CJEU - C-185/25 - Waldfelber: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 13:25, 22 June 2026 view sourceBms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators91 edits Tag: submission [1.0] Latest revision as of 13:46, 22 June 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators91 editsTag: Visual edit Line 48: Line 48: === Facts ====== Facts === The defendant was the headteacher of a primary school in Austria. In this role, he organised mandatory continuing training programmes for teachers at the school.The headteacher of a primary school in Austria was in charge of organising mandatory continuing training programmes for teachers at the school. The training programmes were provided by a University, which supplied schools with organisational staff known as programme coordinators. The data subject was proposed by the University as the coordinator for an upcoming training programme at the school. After being informed of this proposal, the headteacher asked a teacher about the data subject’s reputation in a face-to-face conversation. The teacher expressed a negative opinion about the data subject. The training programmes were provided by a University, which supplied schools with organisational staff known as programme coordinators. The data subject was proposed by the University as the coordinator for an upcoming training programme at the school.The headteacher then sent an email from his professional email address, using a school computer and a designated server, to an employee of the University. In the email, he requested that another programme coordinator be assigned. He referred to the information obtained from the third party, according to which the data subject allegedly opposed the public school system and was in constant dispute with the relevant education authority. After being informed of this proposal, the defendant asked a teacher about the data subject’s reputation in a face-to-face conversation. The teacher expressed a negative opinion about the data subject. The defendant then sent an email from his professional email address, using a school computer and a designated server, to an employee of the University. In the email, he requested that another programme coordinator be assigned. He referred to the information obtained from the third party, according to which the data subject allegedly opposed the public school system and was in constant dispute with the relevant education authority.When the data subject became aware of the email, he requested access under [[Article 15 GDPR]]. In particular, he asked for the identity of the third party who had provided the information, as well as a copy of the personal data concerning him processed in the email. The headteacher refused to provide this information. He argued that he had not possessed or stored personal data concerning the data subject and had merely expressed concerns about the proposed appointment. When the data subject became aware of the email, he requested access under [[Article 15 GDPR|Article 15 GDPR]]. In particular, he asked for the identity of the third party who had provided the information, as well as a copy of the personal data concerning him processed in the email. The defendant refused to provide this information. He argued that he had not possessed or stored personal data concerning the data subject and had merely expressed concerns about the proposed appointment.The data subject brought legal proceedings. The first instance court dismissed the claim, and the appeal court upheld that decision. The courts found that the headteacher had acted as an executive officer of the legal entity governing the school. They also held that the means of processing, including the professional email address, server and computer, had been prescribed to him. Therefore, they considered that he could not be treated as a controller under the GDPR. The appeal court also held that there was no obligation to keep a written record of the third party’s name and therefore no obligation to disclose it. The data subject brought legal proceedings. The first instance court dismissed the claim, and the appeal court upheld that decision. The courts found that the defendant had acted as an executive officer of the legal entity governing the school. They also held that the means of processing, including the professional email address, server and computer, had been prescribed to him. Therefore, they considered that he could not be treated as a controller under the GDPR. The appeal court also held that there was no obligation to keep a written record of the third party’s name and therefore no obligation to disclose it. The data subject appealed before the High Court, which stayed the proceedings and referred questions to the Court of Justice.The data subject appealed before the High Court, which stayed the proceedings and referred questions to the Court of Justice. The main issues discussed in the Advocate General’s Opinion were whether a natural person acting within a public body can personally qualify as a controller under [[Article 4 GDPR#7|Article 4(7) GDPR]], the scope of the right to know the source of personal data under [[Article 15 GDPR#1g|Article 15(1)(g) GDPR]], whether a breach of the right of access can lead to compensation under [[Article 82 GDPR|Article 82 GDPR]], and whether national law may channel liability away from an individual public officer and towards the relevant public body.The main issues discussed in the Advocate General’s Opinion were whether a natural person acting within a public body can personally qualify as a controller under [[Article 4 GDPR#7|Article 4(7) GDPR]], the scope of the right to know the source of personal data under [[Article 15 GDPR#1g|Article 15(1)(g) GDPR]], whether a breach of the right of access can lead to compensation under [[Article 82 GDPR]], and whether national law may channel liability away from an individual public officer and towards the relevant public body. === Holding ====== Holding === The Advocate General first assessed whether the defendant could personally qualify as a controller under [[Article 4 GDPR#7|Article 4(7) GDPR]].The Advocate General first assessed whether the headteacher could personally qualify as a controller under [[Article 4 GDPR#7|Article 4(7) GDPR]]. The Advocate General recalled that the concept of controller is broad, but that it requires a person or entity to determine the purposes and means of the processing. A person who processes personal data on behalf of another person or entity, and not for their own purposes, does not normally qualify as a controller.The Advocate General recalled that the concept of controller is broad, but that it requires a person or entity to determine the purposes and means of the processing. A person who processes personal data on behalf of another person or entity, and not for their own purposes, does not normally qualify as a controller. Line 77: Line 75: Accordingly, the data subject would not automatically have a right to know the identity of the third party who had spoken to the author of the email. The position would be different if the email merely reproduced or cited the third party’s own views. In that case, the third party could be the source of the personal data.Accordingly, the data subject would not automatically have a right to know the identity of the third party who had spoken to the author of the email. The position would be different if the email merely reproduced or cited the third party’s own views. In that case, the third party could be the source of the personal data. The Advocate General also emphasised that the right of access under [[Article 15 GDPR|Article 15 GDPR]] must be balanced against the rights and freedoms of others. This includes the third party’s rights to privacy, confidentiality and freedom of ex