Articles

ECJ on territorial application of domestic data protection law: a single representative can fulfill “stable establishment” concept under Directive 95/46/CE

ECJ on territorial application of domestic data protection law: a single representative can fulfill “stable establishment” concept under Directive 95/46/CE

ECJ on territorial application of domestic data protection law: a single representative can fulfill “stable establishment” concept under Directive 95/46/CE

07.01.2016 EU law

On 1 October 2015 the European Court of Justice (“ECJ”) rendered a judgment in response to the questions raised by the Kúria (Hungarian Supreme Court) on the applicability of Hungarian data protection law and on the powers of the Hungarian Data Protection Authority (“DPA”) in relation to a company that is registered in Slovakia but offers online services in Hungary.

 

This was an important decision as the ECJ ruled that the concept of “establishment” in the meaning of article 4 of the Directive 95/46/CE of the European Parliament and of the Council of 24 October 1995 (the “Directive”) should be flexibly interpreted, and thus it cannot depend on the place where the company is registered.

The claimant, Weltimmo, is a company registered in Slovakia and runs a real estate services website for Hungarian properties. After a one-month grace period during which advertising on the website was free of charge, Weltimmo kept the advertisers’ data, charged them for the services it provided, and if necessary, sent their data to debt collection agencies. The Hungarian DPA fined Weltimmo for violation of the Law of 2011 on the right to self-determination as regards information and freedom of information. Weltimmo then brought an action before the Budapest Administrative and Labour Court and then to the Supreme Court.

In the first part of its decision, the ECJ clarifies that the applicable law to a data controller must be determined in light of Article 4 of the Directive rather than Article 28, which only relates to the role and powers of the supervisory authority. The ECJ further restates the ruling on the Google Spain case (C-131/12) and confirms that the words “in the context of the activities of an establishment” in Article 4 of the Directive cannot be interpreted restrictively. After having clarified that, the ECJ analyzes the several aspects of this requirement.

Firstly, the ECJ refuses to adopt a formalistic approach of the concept of “establishment” whereby companies would be deemed established solely where they are registered. This establishment concept must, however, imply that there is (1) a certain degree of stability of the arrangements; and (2) an effective exercise of activities. These two conditions must be interpreted in the light of the specific nature of the company’s economic activities and the provision of the services concerned. The ECJ further insists that this is even more true for companies such as the one at stake, which offers services only over the Internet.

Even more importantly, the ECJ affirms that the effectiveness of the activity can be very limited, as it was the case here, in which only one representative of Weltimmo was present in Hungary as the point of contact between the company and the data subjects. Indeed, the Court states that “the presence of only one representative can, in some circumstances, suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability through the presence of the necessary equipment for provision of the specific services concerned in the Member State in question.”

Secondly, the ECJ assesses whether the processing of the personal data is carried out in the context of the activities of the establishment. The ECJ refers again to the Google Spain case and clarifies that this does not mean that the activity must be carried out by the establishment itself, but rather in the context of its activities.

The ECJ, while leaving the factual assessment of Weltimmo being established in Hungarian in the case at stake, has nevertheless broadened the territorial scope of domestic data protection law significantly by affirming that the mere presence of an individual in one Member State, who acts for a company registered in another Member State, can be sufficient for the DPA of the former Member State to have power over this company.

The case (C-264/14) can be found on http://www.curia.europa.eu

Click here for a PDF version of the 52nd edition of our ICT Law Newsletter

Related news

07.08.2018 NL law
General Data Protection Regulation comes into effect

Short Reads - On 25 May 2018, the European Union's General Data Protection Regulation (GDPR) came into effect. The GDPR replaces the EU's prior directive governing the processing and transfer of personal data, which was in place since 1995. As a regulation, the GDPR is directly applicable in all 28 EU member states and thus removes the need for national implementing legislation. However, the GDPR allows member states discretion in certain areas, as a result of which national legislation may still be implemented. In the Netherlands, the GDPR Implementation Act came into effect on 25 May 2018.

Read more

12.07.2018 NL law
Algemene verordening gegevensbescherming van toepassing

Short Reads - Vanaf 25 mei 2018 zijn de Algemene verordening gegevensbescherming (Verordening (EU) 2016/679) (AVG) en de Uitvoeringswet Algemene verordening gegevensbescherming (Uitvoeringswet) van toepassing in Nederland. De AVG en de Uitvoeringswet vervangen de richtlijn betreffende de bescherming van natuurlijke personen in verband met de verwerking van persoonsgegevens (Richtlijn 95/46/EG) en de Wet bescherming persoonsgegevens (Wbp).

Read more

Our website uses cookies: third party analytics cookies to best adapt our website to your needs & cookies to enable social media functionalities. For more information on the use of cookies, please check our Privacy and Cookie Policy. Please note that you can change your cookie opt-ins at any time via your browser settings.

Privacy – en cookieverklaring