Innovation and the adoption of new technologies are catalysts for business development. In economies where small and mid-caps abound, as is the case in Portugal, outsourcing of IT applications development becomes inevitable. If not accompanied by the necessary precautions, using third parties to develop IT applications can lead to significant business risks.

The recent ruling of the EU Court of Justice (ECJ) of 5 December 2023 (case C-683/21) points to the risks (while at the same time allowing to draw up good practices) with regard to the processing of personal data in the context of contracting third parties to develop IT applications.

In the case underlying the request for a preliminary ruling from the ECJ, an organisation “commissioned” a third party to develop a mobile computer application (“app”), in which personal data including, among other, names, geographical coordinates, telephone numbers and addresses were made available by users. The third party developed the app and made it available on the Google Play Store and the Apple App Store, and it was used by 3,802 people over a period of about a month and a half. The organisation that ordered the app ended up not purchasing it from the developer. As part of an investigation led by the supervisory authority, fines were imposed on both the organisation that commissioned the app and the one that developed it (and eventually made it available to the public). The contracting organisation argued that only the company that developed the app processed personal data, and that it was therefore responsible for processing the data.

When called upon to rule, the ECJ decided that under Article 4(7) of the General Data Protection Regulation (GDPR) an entity which has entrusted a company to develop an app and which, in that context, has participated in determining the purposes and means of the processing of personal data carried out through that app, may be regarded as a data controller, even if it has not itself carried out any processing operations on that data, has not explicitly given its agreement to carry out the specific operations of that processing or to make that app available to the public and has not purchased it. However, the ECJ admits that this understanding would not apply if the organisation had expressly objected to the processing of the data.

The ECJ also added that, except in cases where the data has been rendered anonymous, the use of personal data for the purpose of IT testing of an application constitutes data processing for the purposes of Article 4 of the GDPR.

This decision by the Court of Justice reveals the consequences for a company that does not take the necessary precautions when entering into contracts with third parties for the development of IT applications that involve the processing of personal data.

Labour Department

Hugo Martins Braz | Tiago Lopes Fernandez