OPINION OF ADVOCATE GENERAL

CRUZ VILLALÓN

delivered on 25 June 2015 (1)

Case C‑230/14

Weltimmo s.r.o.

v

Nemzeti Adatvédelmi és Információszabadság Hatóság

(Request for a preliminary ruling from the Kúria, Hungary)

(Protection of personal data — Directive 95/46/EC — Articles 4(1) and 28(1), (3) and (6) — Data controller established in the territory of another Member State — Determination of the applicable law and the competent supervisory authority — Powers of the supervisory authority — Power to impose penalties — Definition of ‘data processing’)





1.        The questions referred for a preliminary ruling by the Kúria (Supreme Court of Hungary) arise from a dispute between Magyar Adatvédelmi és Információszabadság Hatóság (‘Hungarian data protection authority’) and an undertaking operating a property dealing website, which is registered in Slovakia and advertises properties situated in Hungary.

2.        Explained in those terms, the present case offers the Court another opportunity to give a ruling on the determination of the law applicable to the processing of data in accordance with Article 4(1)(a) of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, (2) previously interpreted in Google Spain and Google. (3) In addition, this case raises unexplored questions concerning the determination of the competent national data protection authority, the law applicable by that authority and its powers of intervention, particularly as far as the power to impose penalties is concerned.

I –  Legislative framework

A –    EU law

3.        Directive 95/46 lays down a number of criteria for determination of the law applicable to the processing of personal data. Recital 18 of the directive states that, ‘… in order to ensure that individuals are not deprived of the protection to which they are entitled under this Directive, any processing of personal data in the Community must be carried out in accordance with the law of one of the Member States; … in this connection, processing carried out under the responsibility of a controller who is established in a Member State should be governed by the law of that State’.

4.        In addition, recital 19 of Directive 95/46 observes that ‘establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements; whereas the legal form of such an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor in this respect …’. That recital also states that ‘when a single controller is established on the territory of several Member States, particularly by means of subsidiaries, he must ensure, in order to avoid any circumvention of national rules, that each of the establishments fulfils the obligations imposed by the national law applicable to its activities’.

5.        Article 4(1) of Directive 95/46, subparagraph (a) of which is relevant for the purposes of the present proceedings, is the provision relating to the law applicable to the processing of data and provides that:

‘1.      Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a)      the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

…’

6.        Article 28, which is the provision relating to supervisory authorities for the protection of data, provides as follows in paragraphs 1, 3, 4 and 6:

‘1.      Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive.

These authorities shall act with complete independence in exercising the functions entrusted to them.

3.      Each authority shall in particular be endowed with:

–        investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties,

–        effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions,

–        the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities.

Decisions by the supervisory authority, which give rise to complaints may be appealed against through the courts.

4.      Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.

Each supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply. The person shall at any rate be informed that a check has taken place.

6.      Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.

The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

…’

B –    Hungarian Law

7.        Law CXII of 2011 on the right to self-determination as regards information and freedom of information (2011. évi CXII. törvény az információs önrendelkezési jogról és az információszabadságról szóló 2011; ‘the Law on information’) is the national provision implementing Directive 95/46.

8.        Paragraph 2 of the Law on information provides as follows:

‘(1)      This Law shall apply to all data processing operations and technical manipulation of data carried out in the territory of Hungary that pertain to the data of natural persons or to public information or information of public interest.

(2)      This Law shall apply to data processing operations and technical manipulation of data whether performed in full or in part by an automated process or manually.

(3)      This Law shall apply if a third-country controller who is involved in the processing of personal data employs a data processor whose registered address or place of business (branch) or habitual residence (place of abode) is situated in the territory of Hungary or if it makes use of equipment situated on the territory of Hungary, unless such equipment is used solely for the purpose of transit through the territory of the European Union. Such data controllers shall appoint a representative in Hungary.’

9.        For its part, Paragraph 3 of the Law on information provides that, for the purposes of the application of that Law:

‘(9)      “controller” (adatkezelő) shall mean the natural or legal person, or unincorporated body who alone or jointly with others determines the purposes of the processing of data, makes decisions regarding data processing (including the means) and implements such decisions itself or engages a data processor (adatfeldolgozó) to execute them;

(10)      “data processing” (adatkezelés) shall mean any operation or set of operations that is performed upon data, whether or not by automatic means, such as in particular collection, recording, organisation, storage, adaptation or alteration, use, retrieval, transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and blocking them from further use, photographing, sound and video recording, and the recording of physical attributes for identification purposes (such as fingerprints and palm prints, DNA samples and retinal images);

(11)      “data transmission” shall mean making data available to a specific third party;

(17)      “technical manipulation of data” (adatfeldolgozás) shall mean the technical operations involved in data processing, irrespective of the method and instruments employed for such operations and the venue where it takes place, provided that such technical operations are carried out on the data;

(18)      “data processor” (adatfeldolgozó) shall mean a natural or legal person or unincorporated organisation who is engaged under contract in the technical manipulation of personal data on behalf of a controller, including when contracting is ordered by virtue of law;

…’

II –  The facts and the main proceedings

10.      The present reference for a preliminary ruling has arisen in an appeal brought before the Kúria against the judgment of the Fővárosi Közigazgatási és Munkaügyi Bíróság (Budapest administrative and labour court) in the administrative proceedings concerning data protection between Weltimmo s.r.o. (‘Weltimmo’) and the Hungarian data protection authority.

11.      Weltimmo is a company which runs a property dealing website and its registered office is in Slovakia. Its activity involves the operation of that website which publishes advertisements for properties situated in Hungary. Those advertisements are free of charge to the advertiser for the first month, after which the service must be paid for. A large number of advertisers sent a request by email for the deletion of their advertisements and their personal data as they did not wish to start paying for the service after the first month. However, Weltimmo did not carry out those requests and consequently issued invoices for its services. Since those invoices were not paid, Weltimmo forwarded the advertisers’ personal data to debt collection agencies.

12.      In response to complaints from the advertisers, the Hungarian data protection authority declared that it was competent and that national law was applicable (under Paragraph 3(10) of the Law on information, the collection of data constitutes data processing), and it imposed a penalty of HUF 10 million. Weltimmo appealed against that decision before the Budapest administrative and labour court which, while it did not call into question the competence of the data protection authority or the applicable law, annulled the administrative decision on the grounds that it lacked sufficient clarification of a number of the facts alleged.

13.      In its appeal, Weltimmo seeks, inter alia, a declaration that there is no need for further clarification of the facts, because, in accordance with Article 4(1)(a) of Directive 95/46, the Hungarian data protection authority is not competent to conduct the procedure and to apply Hungarian law in respect of a supplier of services established in another Member State; in that connection, Weltimmo states, in particular, that, under Article 28(6) of Directive 95/46, the Hungarian data protection authority should have asked its Slovak counterpart to take action against the applicant.

14.      In the main proceedings, the Hungarian data protection authority contends, as the basis for its competence and the applicability of Hungarian law, that Weltimmo has a ‘Hungarian contact person’ — one of its owners, who is a Hungarian national — who represented it in the administrative proceedings and the national legal proceedings. The data protection authority also points out that Weltimmo’s owners are resident in Hungary. In any event, the data protection authority submits that Article 28(6) of Directive 95/46 provides that it should have competence, regardless of the applicable law.

III –  The questions referred for a preliminary ruling and the procedure before the Court of Justice

15.      In that context, since the Kúria took the view that the relevant provisions of Directive 95/46 are not sufficiently clear, by an order dated 22 April 2014, which was received at the Court Registry on 12 May 2014, it referred the following questions to the Court of Justice for a preliminary ruling:

‘(1)      Can Article 28(1) of Directive 95/46 … be interpreted as meaning that the provisions of national law of a Member State are applicable in its territory to a situation where a data controller runs a property dealing website established only in another Member State and also advertises properties situated in the territory of that first Member State and the property owners have forwarded their personal data to a facility (server) for data storage and data processing belonging to the operator of the website in that other Member State?

(2)      Can Article 4(1)(a) of the data protection directive, read in conjunction with recitals 18 to 20 of its preamble and Articles 1(2) and 28(1) thereof, be interpreted as meaning that the [Hungarian data protection authority] may not apply the Hungarian law on data protection, as national law, to an operator of a property dealing website established only in another Member State, even if it also advertises Hungarian property whose owners transfer the data relating to such property probably from Hungarian territory to a facility (server) for data storage and data processing belonging to the operator of the website?

(3)      Is it significant for the purposes of interpretation that the service provided by the data controller who operates the website is directed at the territory of another Member State?

(4)      Is it significant for the purposes of interpretation that the data relating to the properties in the other Member State and the personal data of the owners are uploaded in fact from the territory of that other Member State?

(5)      Is it significant for the purposes of interpretation that the personal data relating to those properties are the personal data of citizens of another Member State?

(6)      Is it significant for the purposes of interpretation that the owners of the undertaking established in Slovakia have their habitual residence in Hungary?

(7)      If it appears from the answers to the above questions that the Hungarian data protection authority may act but must apply the law of the Member State of establishment and may not apply national law, must Article 28(6) of the data protection directive be interpreted as meaning that the Hungarian data protection authority may only exercise the powers provided for by Article 28(3) of the data protection directive in accordance with the provisions of the legislation of the Member State of establishment and accordingly may not impose a fine?

(8)      May the term “adatfeldolgozás” (technical manipulation of data) used in both Article 4(1)(a) and in Article 28(6) of the [Hungarian version of the] data protection directive [to translate ‘data processing’] be considered to be equivalent to the usual term for data processing, “adatkezelés”, used in connection with that directive?’

16.      Written observations were submitted by the Hungarian Government, the Slovak Government, the United Kingdom Government, the Hungarian data protection authority and the European Commission. At the hearing, held on 12 March 2015, oral argument was presented by the Hungarian Government, the Slovak Government, the Polish Government, the Hungarian data protection authority and the European Commission.

IV –  Analysis

17.      The questions referred for a preliminary ruling by the Kúria concern two issues which, although presented in an interlinked way, merit separate attention — as the written and oral submissions put forward in the proceedings before the Court also make clear; those issues are the law applicable to the data processing and determination of the competent supervisory authority. Therefore, I shall divide my reasoning, essentially, into two sections. First, I shall deal with the issue of the law applicable to the data processing and, in short, the issue of ‘establishment’, by examining together questions 1 to 6. Second, I shall examine the issue of determination of the competent supervisory authority and its powers — in addition to analysing the issue of the possible dissociation between the competent supervisory authority and the applicable law — (question 7). Finally, I shall deal with the issue of terminology raised by question 8.

A –    The law applicable to the data processing and the concept of establishment (questions 1 to 6)

18.      By its first to sixth questions, which should be examined together, the Kúria asks essentially whether Articles 4(1)(a) and 28(1) of Directive 95/46 can be interpreted as meaning that, in circumstances such as those in the main proceedings, it is possible to apply the Hungarian law on data protection and the Hungarian data protection authority may apply that law to the operator of a website established only in another Member State. In that connection, the Kúria also asks about the effect of a number of specific factors, such as the fact that the services provided by that undertaking are directed at the territory of another Member State, the place from where the data relating to the properties were uploaded, the nationality of the data subjects, and the fact that the owners of the undertaking are resident in Hungary.

19.      In its first two questions, the Kúria refers to Article 28(1) and Article 4(1)(a) of the directive. However, for the purpose of answering its questions, I believe that it is perfectly possible to dispense with an analysis of the scope of the first of those provisions. Article 28(1) merely provides that ‘each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive’. I believe that that provision is not conclusive for the purpose of establishing the applicable law. First, from a systematic point of view, Article 28(1) is included in Chapter VI of the directive, which governs supervisory authorities and the working party on the protection of individuals with regard to the processing of personal data, rather than the issue of the applicable law. Second, the actual wording of Article 28(1) of the directive does not provide any additional criteria for determination of the law applicable to the data processing. In short, this provision does not contain any elements the interpretation of which would lead to a different reply to the question of determination of the applicable law resulting from the criteria laid down by Article 4 of the directive, which specifically governs the matter of the applicable law.

20.      Turning now to Article 4(1)(a) of the directive, it should first be noted that the observations submitted at the hearing and during the written procedure all point out the relevance of that provision for the purpose of answering the questions relating to the applicable law, and also the particular importance of determining Weltimmo’s place of establishment.

21.      The issue of the law applicable to cross-border data processing situations has for decades been a controversial one at international level. (4) Article 4 of the directive, which deals with determination of the national law applicable, was the first provision which succeeded in laying down a rule for determining the applicable law in that regard. (5) That provision lays down a number of criteria for determining whether the national law adopted to implement the directive is applicable, thereby establishing, indirectly (by stating when those national provisions are applicable), the territorial scope of the directive.

22.      Of particular significance for situations in which the question of the applicable law arises as between Member States of the European Union is Article 4(1)(a) of Directive 95/46, which provides that ‘each Member State shall apply the national provisions it adopts (6) pursuant to this Directive to the processing of personal data where: (a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State’.

23.      Thus, Article 4(1)(a) performs a dual role. On the one hand, it enables the application of EU law through the law of one of the Member States where data processing is carried out solely ‘in the context’ of the activities of an establishment situated in that Member State, even though, strictly speaking, the processing is carried out in a non-member country (as was the case in Google Spain and Google). (7) On the other hand, that provision operates as a rule for determining the applicable law as between Member States (which is the question at issue in the present case). In the latter situation, Article 4(1)(a) of the directive is the provision which determines the applicable law in so far as it is a rule governing conflict between the laws of the different Member States.

24.      In that connection, it should be noted that the wording of the questions submitted by the national court refers to the operator of a property advertisement website which is established only in another Member State — an assertion which the Hungarian data protection supervisory authority rejects. The United Kingdom submits that it is clear that the law applicable to the present case must be held to be that of the Member State of establishment, in this case Slovakia, and that the Hungarian authority is not entitled to apply the provisions of its own national law. On the same lines, the Commission draws attention to the fact that, irrespective of whether it can be accepted that Hungarian law is applicable if the applicant is found to be established also in Hungarian territory, the Kúria has stated that in this case the undertaking is established only in another Member State.

25.      In that connection, in addition to the factual assessment included in the wording of the questions, relating to the actual place of establishment, the third and sixth questions referred by the Kúria suggest a degree of uncertainty on the part of the referring court regarding the concept of establishment within the meaning of the directive, in so far as it may not be a purely formal concept. Accordingly, I believe that a helpful answer to questions 1 to 6 requires determination of the criteria for establishing whether the data processing was carried out ‘in the context of the activities of an establishment of the controller’ in Hungarian territory, within the meaning of Article 4(1)(a) of the directive.

26.      Therefore, in order to determine, in the present proceedings, whether Hungarian or, on the other hand, Slovak law is applicable, it will be necessary to carry out a two-stage examination, following the method adopted in Google Spain and Google. (8) Thus, it will be necessary, first, to ascertain whether Weltimmo had an establishment in the territory of Hungary and, second, whether the data was processed in the context of the activities of that establishment. However, it should be observed that, in the circumstances of the present case, unlike those underlying Google Spain and Google, it is not disputed that the data processing took place ‘in the context of the activities of an establishment’. The decisive question is, properly speaking, whether or not there is an establishment in Hungary and/or Slovakia. Therefore, my analysis will focus essentially on that first stage of the examination.

27.      With regard to that matter, the Hungarian Government states in its written observations that the different language versions of that provision support an interpretation of the concept of establishment which may not be satisfied by a mere reference to establishment within the meaning of company law. The Slovak Government, which also focuses on a non-formalistic definition of the concept of establishment, states that it is relevant, in this context, to refer to the case-law of the Court on freedom of establishment. Likewise, the Hungarian data protection authority argues for a definition of the concept of establishment in which the legal form is not decisive, and states that Weltimmo’s representative in Hungary, Mr Benkö, could constitute the establishment in this case. The data protection authority points out that Mr Benkö represented Weltimmo in the administrative proceedings and the judicial proceedings at first instance, has been in contact with the data subjects who lodged complaints and is recorded in the Slovak companies register with an address in Hungary. Furthermore, the data protection authority pointed out at the hearing that Weltimmo has a post office box in Hungary for management of its everyday business affairs and that, when it made an informal enquiry to the Slovak data protection authority the latter confirmed that the undertaking did not effectively carry on any activity in Slovakia. Only the Polish Government stressed, in its submissions at the hearing, that the fact that the company is registered in a Member State should alone be taken into account as the sole objective and verifiable piece of evidence.

28.      That said, reference must be made to recital 19 of Directive 95/46, which is an essential interpretative element to be taken into account when defining the term ‘establishment’ within the meaning of the directive. That recital focuses on a flexible definition of the term and departs from a formalistic approach whereby undertakings are established solely in the place where they are registered. Thus, the recital includes, first, a criterion of effectiveness and a factor of permanence, observing that ‘establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements …’. Second, it affords considerable flexibility by indicating that ‘the legal form of such an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor in this respect’.

29.      That definition of the concept of establishment accords with the interpretation of the term in the case-law of the Court relating to other areas of EU law. In particular, according to settled case-law, ‘the concept of establishment within the meaning of the Treaty provisions on freedom of establishment involves the actual pursuit of an economic activity through a fixed establishment in that State for an indefinite period’, (9) which ‘presupposes actual establishment of the company concerned in the host Member State and the pursuit of genuine economic activity there’. (10)

30.      Moreover, Opinion 8/2010 of the Article 29 Data Protection Working Party (‘Article 29 Working Party’) (11) refers to the interpretation of the concept of establishment as a connecting factor for tax purposes in relation to VAT. (12) The case-law of the Court on this subject is particularly interesting, as it uses the concept of establishment as a connecting factor for determining liability under national tax legislation and it develops in more detail the concept of fixed establishment, which ‘must be characterised by a sufficient degree of permanence and a suitable structure in terms of human and technical resources to enable it to receive and use the services supplied to it for its own needs’. (13) In addition, the concept of establishment included in the Rome Convention (14) and the Brussels Convention (15) also supports a non-formalistic definition. (16)

31.      Regardless of the clear difference in terms of contexts and objectives between the spheres covered by the case-law of the Court in the matters referred to and the present case, it is in any event significant that EU law, in a number of spheres, emphasises a definition of the concept of establishment based on the effective exercise of economic activities and a certain degree of stability, thereby satisfying the criteria also set out in recital 19 of Directive 95/46.

32.      In addition, having regard to the specific object of Directive 95/46, as set out in Article 1(1) thereto, which is to ‘protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data’, I believe that the degree of stability of the arrangements and the effective exercise of activities must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.

33.      As the Hungarian data protection authority and the Slovak Government observe, and also in line with the criteria suggested by the Article 29 Working Party, (17) a single agent may suffice to be considered as a stable arrangement if he acts with a sufficient degree of stability through the presence of the necessary equipment for provision of the specific services concerned in the Member State in question.

34.      As Advocate General Jääskinen stated in his Opinion in Google Spain and Google, the business model of the operator in question must be taken into account in assessing the conditions laid down in Article 4 of Directive 95/46. (18) Therefore, it is necessary to examine the specific nature of undertakings which operate exclusively via the internet, whose business model diminishes the importance of the concept of fixed establishment and also has a bearing on the extent of the human and material resources. In some circumstances, an agent who is permanently present, equipped with little more than a laptop computer, can constitute a sufficient structure for the purposes of engaging in the effective and real exercise of an activity with a sufficient degree of stability. In the light of those considerations, it is necessary, when assessing those human and technical resources, to consider carefully the special features of undertakings offering services over the internet, in the light of the particular circumstances of each specific situation.

35.      The special nature of economic activities provided via the internet was previously taken into account for the purposes of defining the concept of establishment in other instruments of EU law. In particular, recital 19 of the directive on electronic commerce (19) states that ‘… the place of establishment of a company providing services via an Internet website is not the place at which the technology supporting its website is located or the place at which its website is accessible but the place where it pursues its economic activity’. The Article 29 Working Party considered that definition to be relevant for the purpose of interpreting Article 4 of Directive 95/46. (20)

36.      Taking those considerations into account, it is possible to conclude, without disputing the fact that Weltimmo is a company formally registered in Slovakia, that it cannot be ruled out that that company engaged in the effective and real exercise of its activity in the territory of another State, in this case Hungary, through stable arrangements — which may be provided by a single agent. If that is the case, Weltimmo would have an establishment in Hungary, within the meaning of Article 4(1)(a) of Directive 95/46.

37.      The various additional factors pointed out by the Kúria in its questions — the place from where the data was uploaded, the Member State at which the services are directed, the nationality of the data subjects, and the place of residence of the owners of the undertaking — do not, in this respect, have a direct and decisive effect on the determination of the applicable law. (21) Those factors do not appear in the directive as relevant criteria enabling departure from the criterion laid down by Article 4(1)(a). (22)

38.      Nevertheless, a number of those factors could, in certain circumstances, constitute evidence of the real and effective nature of the activity for the purpose of determining the place of establishment and, in particular, when it comes to determining whether the data processing was carried out in the context of the activities of an establishment of the data controller.

39.      Thus, particularly in connection with the second factor — the processing of data must be carried out in the context of the activities of the establishment situated in a Member State — it is necessary to refer to the interpretation laid down in Google Spain and Google. (23) In accordance with that interpretation, Article 4(1)(a) of Directive 95/46 ‘does not require the processing of personal data in question to be carried out “by” the establishment concerned itself, but only that it be carried out “in the context of the activities” of the establishment’. (24) Furthermore — the Court continued — in the light of the objective of the directive, ‘those words cannot be interpreted restrictively’. (25)

40.      The application of the latter criterion will be of particular relevance should the referring court find that Weltimmo is established — in accordance with the above criteria — in both Member States concerned. In that case, as the Slovak Government and the Commission point out in their written observations, it will be necessary to take specific account of the activities in the context of which the processing was carried out and, in particular, their degree of connection with a particular establishment. (26) Furthermore, other decisive factors in this regard were identified by the Article 29 Working Party in relation to search engines, and the following may be useful for deciding whether the operations are carried out in the context of the activities of the establishment: the establishment is responsible for relations with users; the establishment is involved in the selling of targeted advertisements to the inhabitants of that State; or the establishment responds to requests from the competent authorities of a Member State with regard to user data . (27)

41.      In short, in order to determine, in the present case, whether Hungarian law may be applicable to Weltimmo’s activities in Hungary, it is necessary to ascertain whether Weltimmo has an establishment in that Member State and whether it carried out the data processing at issue in the context of the activities of that establishment. To that end, it will be necessary to establish whether the agent referred to in the order for reference has stable arrangements, irrespective of their legal form, through which he engages in the effective and real exercise of an activity in the context of which the data processing at issue was performed.

42.      In conclusion, I believe that questions 1 to 6 referred by the Kúria should be answered jointly to the effect that Article 4(1)(a) of Directive 95/46 precludes the Hungarian data protection authority from applying Hungarian law to a data controller established only in another Member State. For that purpose, the concept of establishment must be interpreted as the existence of stable arrangements, irrespective of their legal form, through which the data controller engages in the effective and real exercise of an activity. A sole agent may be regarded as constituting stable arrangements if it has a sufficient degree of stability though the presence of the human and technical resources necessary for the provision of the specific services concerned.

Other factors, such as the place from where the data was uploaded, the nationality of the data subjects, the place of residence of the owners of the undertaking responsible for the data processing, and the fact that the service provided by that data controller is directed at the territory of another Member State lack direct and decisive relevance for the purpose of establishing the applicable law, although these factors may constitute evidence of the real and effective nature of the activity for the purpose of determining the place of establishment and, in particular, when it comes to determining whether the data processing was carried out in the context of the activities of that establishment.

B –    The competent supervisory authority and the possible dissociation between the applicable law and the competent authority (question 7)

43.      By the seventh question referred for a preliminary ruling, the Kúria asks the Court whether, ‘if it appears from the answers to the above questions that the Hungarian data protection authority may act but must apply the law of the Member State of establishment and may not apply national law, … Article 28(6) of the [directive] [must] be interpreted as meaning that the Hungarian data protection authority may only exercise the powers provided for by Article 28(3) of the [directive] in accordance with the provisions of the legislation of the Member State of establishment and accordingly may not impose a fine’.

44.      As we can see, this question is decisive only in the event that the referring court holds, in accordance with the abovementioned criteria, that Weltimmo does not have an establishment in Hungary but rather is established only in Slovakia. In order to give a useful reply to this question, it is therefore necessary to examine first — since it does not follow explicitly from the answer given to the previous questions — whether a supervisory authority of a Member State may act even if, based on the criteria laid down in Article 4(1)(a) of the directive, the law of another Member State is applicable. A positive answer to that question will lead, second, to the need to establish the scope and the content of the powers of that authority.

45.      Therefore, the preliminary issue raised is whether Article 4, on the applicable law, is, in addition to a clause determining the applicable law, a clause on jurisdiction and, if that is the case, the value of the criteria provided by Article 28 in relation to the powers of public authorities. This must all be done against the background of a wide-ranging reform of EU data protection law. (28)

46.      The observations submitted to the Court advance different interpretations of Article 28(1), (3) and (6) of the directive. The Hungarian data protection authority maintains that it has the power to impose a pecuniary penalty even where the law of another Member State is applicable. The same view is put forward by the Hungarian Government, which submits that it is quite clear that the detailed rules governing the status and the procedure for the exercise of the powers of supervisory authorities, laid down in Article 28(3) of the directive, are governed by the national law of the State in which the authority is established, meaning that penalties must be imposed in accordance with its own national law.

47.      For its part, the Commission submits that the supervisory authorities of a Member State are entitled to exercise the powers set out in Article 28(3) of the directive to the extent that they may exercise those powers on their own territory in accordance with Article 28(1) and (6). On the other hand, where a power may be exercised only on the territory of another Member State, that authority will have no option but to request the administrative cooperation of the supervisory authority of that Member State. Therefore, the supervisory authority of that Member State will not be able to impose a penalty on a data controller established only in another Member State. On the same lines, the Slovak Government submits that, if Slovak law is applicable, the Hungarian data protection authority will have the power, under Article 28(3) and (6), to conduct an investigation and to examine complaints brought before it, acting in accordance with its own rules of procedure, but it must send a request for cooperation to the authority of the Member State whose law is applicable, for it will be that supervisory authority which must decide whether any penalty should be imposed. Poland points out that the directive does not provide for the possibility of application of the substantive law of one Member State by the authorities of another, arguing that had the legislature wished to provide for such an ambitious possibility, the directive would have contained precise provisions defining its field of application. Finally, the United Kingdom submits that, in view of the fact that Slovak law is applicable, the Hungarian data protection authority lacks competence.

48.      In the light of the foregoing, there is a striking difference of opinions in the observations submitted, of which only those of the United Kingdom and Poland appear to accept an absolute need for consistency between the applicable law and the jurisdiction of the supervisory authority — such that the determination of the applicable law under Article 4(1)(b) of the directive also determines the competent supervisory authority. (29)

49.      As I shall argue below, I believe that the complex issue before the Court must be settled by seeking to reconcile the specific objectives of the directive and the principles which govern the intervention of supervisory authorities.

50.      There is a major substantive issue underlying the problem raised by this question, which is whether it should be accepted that the directive moderates or even nullifies the validity of the rule whereby, in principle, the administrative authorities of a State act in accordance with and apply their own national law. In relation to the powers of public authorities, and, therefore, with regard to the exercise of powers governed by public law, inter alia the power to impose penalties, it is essential to take as the starting point the requirements derived from the territorial sovereignty of the State, (30) the principle of legality, and, in short, the concept of the rule of law, (31) pursuant to which the jurisdiction of the supervisory authority must coincide with the applicable law. (32) In that connection, the exercise of the power to impose penalties — which is the power specifically at issue in this case — cannot take place, as a rule of principle, outside the legal limits within which an administrative authority is authorised to act subject to national law. (33) Departure from that rule requires, at least, a specific legal basis which authorises and delimits the application of the public law of another Member State and which also allows those subject to the law to identify precisely and clearly which law governs their conduct, and its effects. (34)

51.      In line with the foregoing, I do not believe that the first sentence of Article 28(6), which reads ‘each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3’, constitutes a provision sufficient to lead to such a significant outcome. (35) That provision does not lay down any specifications regarding the field of application, scope and guarantees which could enable the administrative authorities of one Member State to apply the provisions — in particular, those governing penalties — of another.

52.      Nor, to my mind, does Article 28(1) of the directive constitute a sufficient legal basis for such a claim, founded merely on the fact, alleged by the Hungarian Government and the Hungarian data protection authority, that that provision uses the plural in providing that ‘each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive.’ (36)

53.      Nevertheless, those provisions point towards the possibility that a certain dissociation may arise between the competent authority and the applicable law. In any event, those provisions allow for the possibility that the authority of a Member State may monitor the activities carried out on its territory even where the legislation of another Member State is applicable.

54.      Having reached this stage, I believe that it is possible to reconcile an interpretation of Article 28(1), (3) and (6) with the basic principles governing the exercise of the administrative power to impose penalties. That is assisted by a combined consideration of the first sentence of Article 28(6), the second sentence of Article 28(6) — which provides that an authority which exercises powers on the territory of its own Member State ‘may be requested to exercise its powers by an authority of another Member State’ — and the second subparagraph of Article 28(6) — which provides that ‘the supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties …’

55.      In that connection, the right to act conferred on supervisory authorities by Article 28(6) even where the law of their Member State is not applicable must be interpreted systematically, by taking into account both the existence of a clear requirement for cooperation between administrative authorities and the fact that an authority may be requested to exercise its powers by another. A combined assessment of that provision points toward a division of tasks between the different supervisory authorities, in a framework of cooperation and mutual assistance.

56.      The fact that the applicable law is that of one Member State does not deprive the supervisory authorities of other Member States of their right to act, particularly since, in certain situations, even though the law of another Member State may be applicable in accordance with the criterion in Article 4(1)(a) of the directive, there may be other connecting factors with the territory — such as technical resources and, in particular, data subjects. That all means that, for the purpose of the effective application of the directive, the local supervisory authority may investigate and adopt certain measures, including before it has been possible to determine which is the applicable law.

57.      More specifically, a supervisory authority called upon to act through an individual complaint or request submitted to it must be able to exercise its investigative powers on its own territory. That is indisputable in the light of Article 28(4) of the directive, which provides that supervisory authorities must hear claims lodged by any person concerning the protection of his rights and freedoms in regard to the processing of personal data. In addition, that assertion accords with the provisions of Council of Europe Convention 108 of 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data, (37) Article 14 of which provides that where a person resides in the territory of another contracting party, ‘he shall be given the option of submitting his request through the intermediary of the authority designated by that Party’.

58.      That approach may yet be sufficient to deal with the concern raised at the hearing by the Hungarian Government, which stated that, if the Hungarian data protection authority did not have competence the effectiveness of the remedies provided for in the directive would be undermined if the data subjects were obliged to apply to a foreign authority in a language they do not speak.

59.      Irrespective of the substantive law which may be applicable, supervisory authorities have the investigative powers and powers of intervention referred to in Article 28(3) of the directive, but these are governed only by their national law, within their territorial sphere of action, (38) and provided that they respect the principles set out in point 50 of this Opinion.

60.      Thus, it is quite clear that the supervisory authority of a Member State does not have an unlimited capacity to act where the substantive law of another Member State is applicable. On that point, attention should be drawn to the continued validity of the principle according to which, in the exercise of its powers, the supervisory authority will be bound by the limits imposed on it by its status as a body governed by public law and subject to the law of its own Member State, and which may exercise its powers only on its own territory. In particular, any finding of unlawfulness, and likewise any imposition of penalties for infringements derived from unlawful data processing, must of necessity be effected by the authority of the Member State whose substantive law is applicable to the data processing, in accordance with the criterion in Article 4(1)(a) of the directive.

61.      Accordingly, while there is nothing to preclude the power to impose penalties from being considered to be one of the powers referred to in Article 28(3) of the directive (the third indent of which refers to the ‘power [of supervisory authorities] to engage in legal proceedings where the national provisions … have been violated’), regard being had to the duty of cooperation laid down in Article 28(6) of the directive, a request must be made to the authority of the Member State whose law is applicable to the data processing in order to be able to proceed to establish the infringement in accordance with the applicable law and to impose any penalties, on the basis of the information gathered and, where appropriate, transmitted, by the authority of the first Member State.

62.      That interpretation does not conflict with the view expressed in a number of documents by the Article 29 Working Party. First, as Opinion 8/2010 on applicable law observes, Article 28(6) is aimed at ‘bridging the possible gap between applicable law and supervisory jurisdiction, which may arise in the area of data protection within the internal market’. (39) In that connection, while that opinion expressly states that ‘…when a data protection law of another Member State is applicable, the supervisory authority will be in a position to fully exercise on its territory all powers conferred to it by its national legal system’, it also expresses significant doubts in relation to the extent of the powers of supervisory authorities in that context. (40) As a result of subsequent comments by the Article 29 Working Party, at the request of the Commission, the latter set out its position regarding the issue of dissociation between applicable law and jurisdiction in its report on the practical implementation of Article 28(6). (41) The Article 29 Working Party concludes that, in a factual situation of dissociation, the data protection authority will have to apply the procedural and administrative provisions of its own legal system, while the material aspects of data protection will be the responsibility of the Member State whose law is applicable. (42)

63.      The above considerations come within a specific legal context where the instrument for the intervention of EU law is a directive, which has allowed for the laws of the Member States to retain considerable latitude as concerns, in particular, the regulation of and the possibilities for the imposition of penalties by supervisory authorities. (43) Thus, it would be difficult to reconcile with the requirements of the principles of territorial sovereignty and legality, in the absence of a clear legal basis and guarantees ensuring close cooperation in the interpretation of infringements and the equivalence of penalties, (44) that the dissociation between the competent authority and the applicable law should lead either to the imposition of penalties in accordance with the national law of the local supervisory authority — which may not be provided for in the legal system of the State whose law is applicable to the data processing — or to the application by the local supervisory authority of another Member State’s law relating to penalties.

64.      Finally, a different conclusion is not reached though reliance on the application by analogy of the judgment of the Court in UPC DTH, (45) sought by the Hungarian Government and the Hungarian supervisory authority to justify the latter’s competence to impose penalties in the present case. In that judgment, which concerned the interpretation of a number of instruments within the regulatory framework for electronic communications, (46) the Court declared that ‘surveillance proceedings relating to electronic communications services … will be subject to the authorities of the Member State in which the recipients of those services are resident’. (47)

65.      In response to that claim, suffice it to state that, aside from the fact that that interpretation concerns a situation involving the freedom to provide services and is confined to a legal framework whose objectives and structure are markedly different from that at issue in the present proceedings, it is, more importantly, the case that those considerations were put forward in a situation in which there was no dispute concerning the applicable law. (48)

66.      For all those reasons, as EU law currently stands, I believe that question 7 referred for a preliminary ruling by the Kúria must be answered as follows:

If the national court finds that its national law is not applicable, in accordance with the criterion laid down in Article 4(1)(a) of Directive 95/46, Article 28(6) thereof must be interpreted as meaning that the imposition of penalties for infringements related to the processing of data is the responsibility of the supervisory authority of the Member State whose law is applicable, irrespective of whether the local supervisory authority may exercise all the powers referred to in Article 28(3) on its territory and in accordance with the detailed rules set out in its national law.

C –    The concept of data ‘processing’ (question 8)

67.      In its eight question, the referring court asks the Court: ‘May the term “adatfeldolgozás” (technical manipulation of data) used in both Article 4(1)(a) and in Article 28(6) of the [Hungarian version of the] data protection directive [to translate “data processing”] be considered to be equivalent to the usual term for data processing, “adatkezelés”, used in connection with that directive?’

68.      All the observations submitted to the Court argue that the difference in terminology referred to in the order for reference is immaterial.

69.      The provisions of Directive 95/46 systematically use only the term ‘[adat]feldolgozás’ to refer to the concept of data processing, as defined in Article 2(b) of the directive. The dissociation between the concepts of ‘adatkezelés’ and ‘adatfeldolgozás’ (49) is found only in the Law on information, which defines the latter term as ‘the technical operations involved in data processing …’ (50)

70.      The definition of the term ‘[adat]feldolgozás’ in Article 2(b) of the directive, which is used in Article 4(1)(a) and Article 28(6), is very broad and includes any operation performed upon personal data, whether or not by automatic means. Therefore, that broad concept of processing includes the more limited concept of the technical operations involved in data processing.

71.      Accordingly, I propose that the Court should reply as follows to the eighth question referred for a preliminary ruling:

The term ‘adatfeldolgozás’, used in Articles 4(1)(a) and 28(6) of the Hungarian version of Directive 95/46, must be interpreted as including both data processing in the broad sense and the technical operations involved in data processing.

V –  Conclusion

72.      In the light of the arguments set out, I propose that the Court reply as follows to the questions referred for a preliminary ruling by the Kúria:

(1)      Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data precludes the Hungarian data protection authority from applying Hungarian law to a data controller established only in another Member State. For that purpose, the concept of establishment must be interpreted as the existence of stable arrangements, irrespective of their legal form, through which the data controller engages in the effective and real exercise of an activity. A sole agent may be regarded as constituting stable arrangements if it has a sufficient degree of stability though the presence of the human and technical resources necessary for the provision of the specific services concerned.

Other factors, such as the place from where the data was uploaded, the nationality of the data subjects, the place of residence of the owners of the undertaking responsible for the data processing, and the fact that the service provided by that data controller is directed at the territory of another Member State lack direct and decisive relevance for the purpose of establishing the applicable law, although these factors may constitute evidence of the real and effective nature of the activity for the purpose of determining the place of establishment and, in particular, when it comes to determining whether the data processing was carried out in the context of the activities of that establishment.

(2)      If the national court finds that its national law is not applicable, in accordance with the criterion laid down in Article 4(1)(a) of Directive 95/46, Article 28(6) thereof must be interpreted as meaning that the imposition of penalties for infringements related to the processing of data is the responsibility of the supervisory authority of the Member State whose law is applicable, irrespective of whether the local supervisory authority may exercise all the powers referred to in Article 28(3) on its territory and in accordance with the detailed rules set out in its national law.

(3)      The term ‘adatfeldolgozás’, used in Articles 4(1)(a) and 28(6) of the Hungarian version of Directive 95/46, must be interpreted as including both data processing in the broad sense and the technical operations involved in data processing.


1 — Original language: Spanish.


2 – Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (OJ 1995 L 281, p. 31).


3 – C‑131/12, EU:C:2014:317.


4 – See, for example, Rigaux, F., ‘La loi applicable à la protection des individus à l’égard du traitement automatisé des données à caractère personnel’, Revue critique de droit international privé, 1980, pp. 443 to 478.


5–      Bygrave, L., ‘Determining applicable law pursuant to European Data Protection Legislation’, Computer Law and Security Report, No 16, 2000, p. 252.


6 – Footnote not relevant to English translation.


7 – C‑131/12, EU:C:2014:317.


8 – C‑131/12, EU:C:2014:317, paragraphs 48 to 50.


9 – See judgments in Factortame and Others, C‑221/89, EU:C:1991:320, paragraph 20, and Commission v United Kingdom, C‑246/89, EU:C:1991:375, paragraph 21.


10 – Judgment in Cadbury Schweppes and Cadbury Schweppes Overseas, C‑196/04, EU:C:2006:544, paragraph 54.


11 – Opinion 8/2010 on applicable law, adopted on 16 December 2010, 0836-02/10/ES, WP 179.


12 – That opinion refers to the judgments in Berkholz, 168/84, EU:C:1985:299, paragraph 18, and Lease Plan, C‑390/96, EU:C:1998:206, which concerned the interpretation of Article 9(1) of Sixth Council Directive 77/388/EEC of 17 May 1977 on the harmonisation of the laws of the Member States relating to turnover taxes — Common system of value added tax: uniform basis of assessment (OJ 1977 L 145, p. 1).


13 – Judgment in Welmory, C‑605/12, EU:C:2014:2298, paragraph 58, concerning the interpretation of Article 44 of Council Directive 2006/112/EC of 28 November 2006 on the common system of value added tax (OJ 2006 L 347, p. 1), as amended by Council Directive 2008/8/EC of 12 February 2008 (OJ 2008 L 44, p. 11). See also judgment in Planzer Luxembourg, C‑73/06, EU:C:2007:397, paragraph 54 and the case-law cited.


14 – Convention on the law applicable to contractual obligations, opened for signature in Rome on 19 June 1980 (OJ 1980 L 266, p. 1).


15 – Brussels Convention of 27 September 1968 on Jurisdiction and the Enforcement of Judgments in Civil and Commercial Matters (OJ 1972, L 299, p. 32; consolidated text in OJ 1998, C 27, p. 1).


16 – Stating that ‘the concept of branch, agency or other establishment implies a place of business which has the appearance of permanency, such as the extension of a parent body, has a management and is materially equipped to negotiate business with third parties’ (judgments in Somafer, 33/78, EU:C:1978:205, paragraph 12, and Blanckaert & Willems, 139/80, EU:C:1981:70, paragraph 11), and emphasising that ‘…the term “place of business” cover[s] every stable structure of an undertaking. Consequently, not only the subsidiaries and branches but also other units, such as the offices of an undertaking, could constitute places of business within the meaning of Article 6(2)(b) of the Rome Convention, even though they do not have legal personality’ (Voogsgeerd, C‑384/10, EU:C:2011:842, paragraph 54).


17 – Opinion 8/2010, p. 14.


18 – C‑131/12, EU:C:2013:424, point 65.


19 – Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (OJ 2000 L 178, p. 1).


20 – See Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites, WP 56, 5035/01/ES/Final, 30 May 2002, p. 8.


21 – The observations submitted to the Court differ in terms of their consideration of these factors. Whereas the Hungarian data protection authority submits that those factors are relevant, the United Kingdom submits that none of the factors referred to is relevant, as Article 4(1) of the directive does not refer to any of them. The European Commission takes a similar view. The Hungarian Government submits that only the fact that the services are directed at the territory of a Member State and the place where the data was uploaded to the computer network are relevant. The Slovak Government submits that the place from which the data are communicated, the nationality of the data subjects and the place of residence of the owners of the undertaking are not relevant for the purpose of determining the national law applicable.


22 – The Article 29 Working Party put forward a similar view, stating that ‘neither the nationality or place of habitual residence of data subjects, nor the physical location of the personal data, are decisive [for the purpose of determining the applicable law].’ Opinion 8/2010, p. 10. See also points 55 to 58 of the Opinion of Advocate General Jääskinen in Google Spain and Google, C‑131/12, EU:C:2013:424.


23 – C‑131/12, EU:C:2014:317, paragraphs 48 to 50.


24 – Ibidem, paragraph 52.


25 – Ibidem, paragraph 53.


26 – On that point, see also Opinion 8/2010 of the Article 29 Working Party.


27 – Opinion 1/2008 on data protection issues related to search engines, adopted on 4 April 2008, WP 148, 00737/ES.


28 – Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regards to the processing of personal data and on the free movement of such data, COM(2012) 11 final.


29 – Moreover, the legal literature is divided on the subject. A number of authors regard Article 4 of the directive as the provision which also determines jurisdiction (for example, Bing, J., ‘Data Protection, Jurisdiction and the Choice of Law’, Privacy Law & Policy Reporter, 1999), whereas others take the opposite view. See, for example, Swire, P. P., ‘Of Elephants, Mice and Privacy: International Choice of Law and the Internet’, The International Lawyer, 1998, p. 991. See also on that debate, Kuner, C., ‘Data Protection Law and International Jurisdiction on the Internet (Part 1)’, International Journal of Law and Information Technology, No 18, 2010, p. 176.


30 – Recital 21 of the directive states expressly that the directive ‘is without prejudice to the rules of territoriality applicable in criminal matters’. I believe that the same assertion may be applied to administrative penalties.


31 – The essential core of which may be defined as meaning that all public authorities, at all levels, ‘must exercise the powers conferred on them reasonably, in good faith, for the purpose for which the powers were conferred and without exceeding the limits of such powers’, Lord Bingham, ‘The Rule of Law’, The Cambridge Law Journal, No 66, 2007, p. 78.


32 – Legal literature has stated that, ‘as a consequence of the essentially administrative or public-law nature of the supervisory system, there is a close correlation between the applicable law and the authority with competence to impose penalties for any infringements’, de Miguel Asensio, P. A., Derecho Privado de Internet, 4th ed., Madrid, 2011, p. 333. Legal writers have taken a similar view regarding the powers of supervisory authorities in relation to competence, stating that, in the sphere of public intervention, the applicability of the rule determines the competence of the authority required to apply it. See, for example, Basedow, J. ‘Antitrust or Competition Law, International’, in Wolfrum, R. (ed.), Max Planck Encyclopedia of Public International Law, 2009.


33 – In that connection, see Rigaux: ‘On ne conçoit guère que les autorités administratives, les commissions de contrôle … les organes de surveillance soumettent les fichiers du secteur privé à d’autres normes de conduite et qu’ils obéissent eux-mêmes à d’autres règles de fonctionnement qu’à celles qui sont contenues dans la lex fori’, op. cit. p. 469.


34 – C. Ohler, Die Kollisionsordnung des allgemeinen Verwaltungsrechts, Mohr Siebeck, 2005, pp. 109 and 314.


35 – Emphasis added.


36 – Emphasis added. On that discussion, see Damman U. and Simitis S., EG-Datenschutzrichtlinie, Nomos Verlagsgesellschaft, Baden-Baden, 1997, p. 306.


37 – (ETS 108), to which all the Member States are party. According to recital 11 in the preamble to the directive, the latter gives substance to and amplifies the protection afforded by the Convention.


38 – On that point, see Damman U. and Simitis S., cited above, p. 313.


39 – Opinion 8/2010 on applicable law, p. 29


40 – Thus, on the one hand, Opinion 8/2010 of the Article 29 Working Party observes that the content of the cooperation between supervisory authorities, as it rightly states, does not encompass only the exchange of information but also the ‘handling cross-border complaints, collecting evidence for other DPAs, or imposing sanctions’ (p. 31). However, the opinion expresses doubts about the scope of competences to be exercised by each data protection authority: ‘In particular, how far will the DPA of the location exercise its powers with regard to the application of the material principles and the sanctions? Should it limit the use of its powers to the verification of facts, can it take provisional measures of enforcement or even definitive measures? Can it give its own interpretation of the provisions of the law applicable, or is it the prerogative of the DPA of the Member State whose law is applicable? …’ (p. 30).


41 – Advice paper on the practical implementation of Article 28(6) of Directive 95/46/EC, Ref. Ares (2011) 444105, of 20 April 2011.


42 – Example No 10 in the Opinion is highly instructive for those purposes: in relation to a hypothetical case in which German law is applicable to a data processing activity carried out in the United Kingdom, it states that ‘the UK DPA needs to have the power to inspect the premises in the UK, and establish findings, to be transmitted to the German DPA; the German DPA should be able to impose a sanction on the controller established in Germany on the basis of the findings of the UK DPA’.


43 – That is clear from recital 9 of the directive. In that connection, see the document drawn up by the European Union Agency for Fundamental Rights, Data Protection in the European Union: the role of National Data Protection Authorities, 2010, which highlights the different powers of supervisory authorities in the Member States.


44 – In that connection, there is no doubting the importance and innovative nature of EU law on data protection within the European Administrative Space. If the proposal for a future general regulation on data protection goes ahead, it will involve a major transformation in the field, particularly with regard to the implementation of a complex and elaborate system of cooperation, cohesion and division of responsibilities between the different supervisory authorities.


45 – Judgment in UPC DTH, C‑475/12, EU:C:2014:285.


46 – In particular, Directive 2002/20/EC of the European Parliament and of the Council of 7 March 2002 on the authorisation of electronic communications networks and services (OJ 2002 L 108 p. 21), as amended by Directive 2009/140 (‘the Authorisation Directive’) and Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (OJ 2002 L 108, p. 33), as amended by Directive 2009/140.


47 – Judgment in UPC DTH, C‑475/12, EU:C:2014:285, paragraph 88.


48 – The penalty imposed in that case was due to the refusal of the company in question to provide information to the national communications authority. The Court observed that ‘under Article 11(1)(b) of the Authorisation Directive … national authorities may request from undertakings information that is proportionate and objectively justified for verification of compliance with conditions relating to consumer protection where a complaint has been received or in the case of an investigation by the national authority on its own initiative’ (paragraph 85).


49 – The directive uses only a word derived from the term ‘adatkezelés’ when referring to the data controller.


50 – Paragraph 3(17) of the Law on information. Paragraph 3(10) of the Law on information defines the concept of ‘adatkezelés’ broadly, in a way which corresponds in substance to the concept of data processing as defined in Article 2(b) of the directive.