Articles

ECJ on territorial application of domestic data protection law: a single representative can fulfill “stable establishment” concept under Directive 95/46/CE

ECJ on territorial application of domestic data protection law: a single representative can fulfill “stable establishment” concept under Directive 95/46/CE

ECJ on territorial application of domestic data protection law: a single representative can fulfill “stable establishment” concept under Directive 95/46/CE

07.01.2016

On 1 October 2015 the European Court of Justice (“ECJ”) rendered a judgment in response to the questions raised by the Kúria (Hungarian Supreme Court) on the applicability of Hungarian data protection law and on the powers of the Hungarian Data Protection Authority (“DPA”) in relation to a company that is registered in Slovakia but offers online services in Hungary.

 

This was an important decision as the ECJ ruled that the concept of “establishment” in the meaning of article 4 of the Directive 95/46/CE of the European Parliament and of the Council of 24 October 1995 (the “Directive”) should be flexibly interpreted, and thus it cannot depend on the place where the company is registered.

The claimant, Weltimmo, is a company registered in Slovakia and runs a real estate services website for Hungarian properties. After a one-month grace period during which advertising on the website was free of charge, Weltimmo kept the advertisers’ data, charged them for the services it provided, and if necessary, sent their data to debt collection agencies. The Hungarian DPA fined Weltimmo for violation of the Law of 2011 on the right to self-determination as regards information and freedom of information. Weltimmo then brought an action before the Budapest Administrative and Labour Court and then to the Supreme Court.

In the first part of its decision, the ECJ clarifies that the applicable law to a data controller must be determined in light of Article 4 of the Directive rather than Article 28, which only relates to the role and powers of the supervisory authority. The ECJ further restates the ruling on the Google Spain case (C-131/12) and confirms that the words “in the context of the activities of an establishment” in Article 4 of the Directive cannot be interpreted restrictively. After having clarified that, the ECJ analyzes the several aspects of this requirement.

Firstly, the ECJ refuses to adopt a formalistic approach of the concept of “establishment” whereby companies would be deemed established solely where they are registered. This establishment concept must, however, imply that there is (1) a certain degree of stability of the arrangements; and (2) an effective exercise of activities. These two conditions must be interpreted in the light of the specific nature of the company’s economic activities and the provision of the services concerned. The ECJ further insists that this is even more true for companies such as the one at stake, which offers services only over the Internet.

Even more importantly, the ECJ affirms that the effectiveness of the activity can be very limited, as it was the case here, in which only one representative of Weltimmo was present in Hungary as the point of contact between the company and the data subjects. Indeed, the Court states that “the presence of only one representative can, in some circumstances, suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability through the presence of the necessary equipment for provision of the specific services concerned in the Member State in question.”

Secondly, the ECJ assesses whether the processing of the personal data is carried out in the context of the activities of the establishment. The ECJ refers again to the Google Spain case and clarifies that this does not mean that the activity must be carried out by the establishment itself, but rather in the context of its activities.

The ECJ, while leaving the factual assessment of Weltimmo being established in Hungarian in the case at stake, has nevertheless broadened the territorial scope of domestic data protection law significantly by affirming that the mere presence of an individual in one Member State, who acts for a company registered in another Member State, can be sufficient for the DPA of the former Member State to have power over this company.

The case (C-264/14) can be found on http://www.curia.europa.eu

Click here for a PDF version of the 52nd edition of our ICT Law Newsletter

Related news

19.08.2019 EU law
Enable “likes” and bear joint-controllership

Articles - The Court of Justice of the European Union recently ruled, in Case C-40/14 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV,  that a website operator that features “Like” social-media plugin from Facebook likely qualifies as joint-controller with Facebook for its website visitors’ personal data collection and transmission to Facebook.

Read more

23.07.2019 LU law
The Revised CSSF Cloud Circular

Articles - On 27 March 2019, the Luxembourg supervisory authority for the financial sector (the Commission de surveillance du secteur financier or CSSF) published the long-awaited CSSF Circular 19/714 amending the CSSF Circular 17/654 on IT outsourcing relying on a cloud computing infrastructure (the Revised Cloud Circular).

Read more

22.07.2019 NL law
HagaZiekenhuis beboet voor datalek

Short Reads - Enkele maanden geleden vierden we de eerste verjaardag van de Algemene Verordening Gegevensbescherming (AVG) met een uitgebreide beschouwing  over de belangrijkste  ontwikkelingen uit  het eerste jaar van de verordening. We concludeerden daarin onder meer dat de door sommigen voorspelde hoge bestuurlijke boetes voor overtredingen van de AVG tot dan toe  - zowel in Nederland als in de andere EU-lidstaten - grotendeels waren uitgebleven.

Read more

08.08.2019 BE law
Regulating online platforms: piece of the puzzle

Articles - The new Regulation no. 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services, applicable as of 12 July 2020, is another piece of the puzzle regulating online platforms, this time focussing on the supply side of the platforms.

Read more

15.07.2019 EU law
ICO to impose record-breaking fines for inadequate security measures and data breaches

Short Reads - Though the European data protection authorities have taken their time in enforcing the GDPR, two announcements by the ICO in the UK regarding proposed fines for British Airways and Marriott demonstrate that large fines are about to start landing regularly. Both of the substantial fines are to be handed out as a result of shortcomings in handling data breaches caused by cyber-attacks.

Read more

Our website uses functional cookies for the functioning of the website and analytic cookies that enable us to generate aggregated visitor data. We also use other cookies, such as third party tracking cookies - please indicate whether you agree to the use of these other cookies:

Privacy – en cookieverklaring