Articles

ECJ on territorial application of domestic data protection law: a single representative can fulfill “stable establishment” concept under Directive 95/46/CE

ECJ on territorial application of domestic data protection law: a single representative can fulfill “stable establishment” concept under Directive 95/46/CE

ECJ on territorial application of domestic data protection law: a single representative can fulfill “stable establishment” concept under Directive 95/46/CE

07.01.2016

On 1 October 2015 the European Court of Justice (“ECJ”) rendered a judgment in response to the questions raised by the Kúria (Hungarian Supreme Court) on the applicability of Hungarian data protection law and on the powers of the Hungarian Data Protection Authority (“DPA”) in relation to a company that is registered in Slovakia but offers online services in Hungary.

 

This was an important decision as the ECJ ruled that the concept of “establishment” in the meaning of article 4 of the Directive 95/46/CE of the European Parliament and of the Council of 24 October 1995 (the “Directive”) should be flexibly interpreted, and thus it cannot depend on the place where the company is registered.

The claimant, Weltimmo, is a company registered in Slovakia and runs a real estate services website for Hungarian properties. After a one-month grace period during which advertising on the website was free of charge, Weltimmo kept the advertisers’ data, charged them for the services it provided, and if necessary, sent their data to debt collection agencies. The Hungarian DPA fined Weltimmo for violation of the Law of 2011 on the right to self-determination as regards information and freedom of information. Weltimmo then brought an action before the Budapest Administrative and Labour Court and then to the Supreme Court.

In the first part of its decision, the ECJ clarifies that the applicable law to a data controller must be determined in light of Article 4 of the Directive rather than Article 28, which only relates to the role and powers of the supervisory authority. The ECJ further restates the ruling on the Google Spain case (C-131/12) and confirms that the words “in the context of the activities of an establishment” in Article 4 of the Directive cannot be interpreted restrictively. After having clarified that, the ECJ analyzes the several aspects of this requirement.

Firstly, the ECJ refuses to adopt a formalistic approach of the concept of “establishment” whereby companies would be deemed established solely where they are registered. This establishment concept must, however, imply that there is (1) a certain degree of stability of the arrangements; and (2) an effective exercise of activities. These two conditions must be interpreted in the light of the specific nature of the company’s economic activities and the provision of the services concerned. The ECJ further insists that this is even more true for companies such as the one at stake, which offers services only over the Internet.

Even more importantly, the ECJ affirms that the effectiveness of the activity can be very limited, as it was the case here, in which only one representative of Weltimmo was present in Hungary as the point of contact between the company and the data subjects. Indeed, the Court states that “the presence of only one representative can, in some circumstances, suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability through the presence of the necessary equipment for provision of the specific services concerned in the Member State in question.”

Secondly, the ECJ assesses whether the processing of the personal data is carried out in the context of the activities of the establishment. The ECJ refers again to the Google Spain case and clarifies that this does not mean that the activity must be carried out by the establishment itself, but rather in the context of its activities.

The ECJ, while leaving the factual assessment of Weltimmo being established in Hungarian in the case at stake, has nevertheless broadened the territorial scope of domestic data protection law significantly by affirming that the mere presence of an individual in one Member State, who acts for a company registered in another Member State, can be sufficient for the DPA of the former Member State to have power over this company.

The case (C-264/14) can be found on http://www.curia.europa.eu

Click here for a PDF version of the 52nd edition of our ICT Law Newsletter

Related news

02.07.2019 NL law
Debate night: HR Analytics: opportunity or threat?

Seminar - On 2 July 2019, Stibbe's Digital Economy Group will host a debate night in Amsterdam on the hot topic of HR analytics. During Stibbe's debate night, speakers from the world of business, politics, science and law will exchange views on HR analytics, how they can be used in practice, and their development in the context of employment and privacy law.

Read more

27.06.2019 NL law
Stibbe launches website about Digital Economy

Inside Stibbe - Stibbe's Digital Economy group published a new website this week: Stibbedigital.com With this new website we aim to view technological developments including artificial intelligence (AI), blockchain, the Internet of Things, smart mobility and the rise of digital platforms from a legal perspective.

Read more

07.06.2019 BE law
Part three - GDPR and public law: To retroact or not?

Articles - Since the General Data Protection Regulation (“GDPR”) became applicable almost one year ago, multiple questions have arisen about its interaction with other fields of law. In this three-part blog series of “GDPR and public law”, we discuss three capita selecta of the interaction of GDPR with public law and government. In this blog we discuss the retroactive application of GDPR.

Read more

21.06.2019 NL law
Nieuw boetebeleid van de Autoriteit Persoonsgegevens

Short Reads - Op 14 maart 2019 zijn de nieuwe Boetebeleidsregels Autoriteit Persoonsgegevens 2019 ("Boetebeleidsregels") van de Autoriteit Persoonsgegevens ("AP") gepubliceerd. Dit boetebeleid heeft de AP opgesteld vanwege de inwerkingtreding van de Algemene verordening gegevensverwerking ("AVG") en omdat er op Europees niveau nog geen boeterichtsnoeren zijn opgesteld.

Read more

06.06.2019 BE law
TMT Roundtable: Getting a handle on software quality

Roundtable - Erik Valgaeren, TMT Partner at Stibbe Brussels, and his team organize a roundtable on software quality in our Brussels office on June 6th, 2019. Software quality is a recurring theme in many matters handled by our TMT team. Whether our assistance relates to preparing tender documents, contracting effectively, assessing proper performance or allocating ownership and accountability in challenging IT projects, questions concerning software quality always arise.

Read more

Our website uses functional cookies for the functioning of the website and analytic cookies that enable us to generate aggregated visitor data. We also use other cookies, such as third party tracking cookies - please indicate whether you agree to the use of these other cookies:

Privacy – en cookieverklaring