In February 2021, the State Data Protection Inspectorate (SDPI) established that the National Center for Public Health (Nacionaliniam visuomenės sveikatos centrui) and the company responsible for developing the App, UAB IT Solutions Success (UAB “IT sprendimai sėkmei”), were joint data controllers, and fined them both for breaches of the GDPR.
I don’t know the details of why the SDPI found the developers to be Data Controllers, which are the ones that determine the purpose (why) and means (how) of the processing of personal data. Developing projects for others usually falls into the Data Processor category: the one that processes personal data on behalf of the Data Controller and under its authority, and is not its employee.
But either way, whether Data Controller or Data Processor, responsible for the entire processing or not, the data subject (data owner) can hold both accountable for the whole damage. Therefore, it is essential to understand the legal principles that need to be respected when carrying out personal data processing activities.
What have I been reading?
- CNIL GDPR Developer’s guide