Articles

ECJ on territorial application of domestic data protection law: a single representative can fulfill “stable establishment” concept under Directive 95/46/CE

ECJ on territorial application of domestic data protection law: a single representative can fulfill “stable establishment” concept under Directive 95/46/CE

ECJ on territorial application of domestic data protection law: a single representative can fulfill “stable establishment” concept under Directive 95/46/CE

07.01.2016

On 1 October 2015 the European Court of Justice (“ECJ”) rendered a judgment in response to the questions raised by the Kúria (Hungarian Supreme Court) on the applicability of Hungarian data protection law and on the powers of the Hungarian Data Protection Authority (“DPA”) in relation to a company that is registered in Slovakia but offers online services in Hungary.

 

This was an important decision as the ECJ ruled that the concept of “establishment” in the meaning of article 4 of the Directive 95/46/CE of the European Parliament and of the Council of 24 October 1995 (the “Directive”) should be flexibly interpreted, and thus it cannot depend on the place where the company is registered.

The claimant, Weltimmo, is a company registered in Slovakia and runs a real estate services website for Hungarian properties. After a one-month grace period during which advertising on the website was free of charge, Weltimmo kept the advertisers’ data, charged them for the services it provided, and if necessary, sent their data to debt collection agencies. The Hungarian DPA fined Weltimmo for violation of the Law of 2011 on the right to self-determination as regards information and freedom of information. Weltimmo then brought an action before the Budapest Administrative and Labour Court and then to the Supreme Court.

In the first part of its decision, the ECJ clarifies that the applicable law to a data controller must be determined in light of Article 4 of the Directive rather than Article 28, which only relates to the role and powers of the supervisory authority. The ECJ further restates the ruling on the Google Spain case (C-131/12) and confirms that the words “in the context of the activities of an establishment” in Article 4 of the Directive cannot be interpreted restrictively. After having clarified that, the ECJ analyzes the several aspects of this requirement.

Firstly, the ECJ refuses to adopt a formalistic approach of the concept of “establishment” whereby companies would be deemed established solely where they are registered. This establishment concept must, however, imply that there is (1) a certain degree of stability of the arrangements; and (2) an effective exercise of activities. These two conditions must be interpreted in the light of the specific nature of the company’s economic activities and the provision of the services concerned. The ECJ further insists that this is even more true for companies such as the one at stake, which offers services only over the Internet.

Even more importantly, the ECJ affirms that the effectiveness of the activity can be very limited, as it was the case here, in which only one representative of Weltimmo was present in Hungary as the point of contact between the company and the data subjects. Indeed, the Court states that “the presence of only one representative can, in some circumstances, suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability through the presence of the necessary equipment for provision of the specific services concerned in the Member State in question.”

Secondly, the ECJ assesses whether the processing of the personal data is carried out in the context of the activities of the establishment. The ECJ refers again to the Google Spain case and clarifies that this does not mean that the activity must be carried out by the establishment itself, but rather in the context of its activities.

The ECJ, while leaving the factual assessment of Weltimmo being established in Hungarian in the case at stake, has nevertheless broadened the territorial scope of domestic data protection law significantly by affirming that the mere presence of an individual in one Member State, who acts for a company registered in another Member State, can be sufficient for the DPA of the former Member State to have power over this company.

The case (C-264/14) can be found on http://www.curia.europa.eu

Click here for a PDF version of the 52nd edition of our ICT Law Newsletter

Related news

16.01.2020 BE law
24 January 2020: Carol Evrard participates in a panel session on Global Compliance at the CPDP conference in Brussels

Speaking slot - Stibbe is a long standing partner of the International Computers, Privacy and Data Protection Conference (CPDP) which takes place in Brussels between 22 and 24 January 2020 This year's theme is “Data protection and Artificial intelligence”. Carol Evrard, associate in our TMT team, participates in a panel organised by TrustArc (a privacy compliance technology company based in San Francisco, California) on "Changing Technology and Laws: Can Accountability be a Key to Global Compliance?"

Read more

15.01.2020 NL law
Consultatiereactie 'Wet plan van aanpak witwassen'

Short Reads - Soeradj Ramsanjhal, Karlijn van den Heuvel, Djoe Kuils, Rogier Raas, Judica Krikke en Muriël Rosing hebben een reactie ingediend op het concept wetsvoorstel ‘Wet plan van aanpak witwassen’. Dit wetsvoorstel is 2 december 2019 in consultatie gegaan en bevat verschillende voorgestelde wijzigingen van de Wet ter voorkoming van witwassen en financieren van terrorisme en de Wet op de economische delicten. 

Read more

Our website uses functional cookies for the functioning of the website and analytic cookies that enable us to generate aggregated visitor data. We also use other cookies, such as third party tracking cookies - please indicate whether you agree to the use of these other cookies:

Privacy – en cookieverklaring