EU Court Clarifies Data Protection Responsibilities for Entities Without Legal Personality

The Court of Justice of the European Union (CJEU) recently clarified that even an instrumental body without legal personality can be considered responsible for the processing of personal data. This decision broadens the definition of "data controller" under the GDPR. The ruling specifies that legal capacity is not a determining criterion for this responsibility. This interpretation could have significant implications for entities that process personal data without having their own legal personality.