Provisional text

JUDGMENT OF THE COURT (Second Chamber)

29 July 2019 (*)

(Reference for a preliminary ruling — Protection of individuals with regard to the processing of personal data — Directive 95/46/EC — Article 2(d) — Notion of ‘controller’ — Operator of a website who has embedded on that website a social plugin that allows the personal data of a visitor to that website to be transferred to the provider of that plugin — Article 7(f) — Lawfulness of data processing — Taking into account of the interest of the operator of the website or of that of the provider of the social plugin — Articles 2(h) and 7(a) — Consent of the data subject — Article 10 — Informing the data subject — National legislation allowing consumer-protection associations to bring or defend legal proceedings)

In Case C‑40/17,

REQUEST for a preliminary ruling under Article 267 TFEU from the Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf, Germany), made by decision of 19 January 2017, received at the Court on 26 January 2017, in the proceedings

Fashion ID GmbH & Co. KG

v

Verbraucherzentrale NRW eV,

interveners:

Facebook Ireland Ltd,

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen,

THE COURT (Second Chamber),

composed of K. Lenaerts, President of the Court, acting as President of the Second Chamber, A. Prechal, C. Toader, A. Rosas (Rapporteur) and M. Ilešič, Judges,

Advocate General: M. Bobek,

Registrar: D. Dittert, Head of Unit,

having regard to the written procedure and further to the hearing on 6 September 2018,

after considering the observations submitted on behalf of:

–        Fashion ID GmbH & Co. KG, by C.-M. Althaus and J. Nebel, Rechtsanwälte,

–        Verbraucherzentrale NRW eV, by K. Kruse, C. Rempe and S. Meyer, Rechtsanwälte,

–        Facebook Ireland Ltd, by H.-G. Kamann, C. Schwedler and M. Braun, Rechtsanwälte, and by I. Perego, avvocatessa,

–        Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, by U. Merger, acting as Agent,

–        the German Government, initially by T. Henze and J. Möller, and subsequently by J. Möller, acting as Agents,

–        the Belgian Government, by P. Cottin and L. Van den Broeck, acting as Agents,

–        the Italian Government, by G. Palmieri, acting as Agent, and P. Gentili, avvocato dello Stato,

–        the Austrian Government, initially by C. Pesendorfer, and subsequently by G. Kunnert, acting as Agents,

–        the Polish Government, by B. Majczyna, acting as Agent,

–        the European Commission, by H. Krämer and H. Kranenborg, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 19 December 2018,

gives the following

Judgment

1        This request for a preliminary ruling concerns the interpretation of Articles 2, 7, 10 and 22 to 24 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).

2        The request has been made in proceedings between Fashion ID GmbH & Co. KG and Verbraucherzentrale NRW eV concerning Fashion ID’s embedding of a social plugin provided by Facebook Ireland Ltd on the website of Fashion ID.

 Legal context

 European Union law

3        With effect from 25 May 2018, Directive 95/46 was repealed and replaced by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ 2016 L 119, p. 1). However, in the light of the date of the facts in the dispute in the main proceedings, it is Directive 95/46 that is applicable to that dispute.

4        Recital 10 of Directive 95/46 states:

‘Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognised both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms[, signed in Rome on 4 November 1950,] and in the general principles of [EU] law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the [European Union]’.

5        Article 1 of Directive 95/46 provides:

‘1.      In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.

2.      Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1.’

6        Article 2 of that directive provides:

‘For the purposes of this Directive:

(a)      “personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

(b)      “processing of personal data” (“processing”) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

(d)      “controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or [EU] laws or regulations, the controller or the specific criteria for his nomination may be designated by national or [EU] law;

(f)      “third party” shall mean any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the data;

(g)      “recipient” shall mean a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients;

(h)      “the data subject’s consent” shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.’

7        Article 7 of that directive states:

‘Member States shall provide that personal data may be processed only if:

(a)      the data subject has unambiguously given his consent; or

(f)      processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection under Article 1(1).’

8        Article 10 of Directive 95/46, headed ‘Information in cases of collection of data from the data subject’, provides:

‘Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:

(a)      the identity of the controller and of his representative, if any;

(b)      the purposes of the processing for which the data are intended;

(c)      any further information such as

–        the recipients or categories of recipients of the data,

–        whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,

–        the existence of the right of access to and the right to rectify the data concerning him

in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.’

9        Article 22 of Directive 95/46 is worded as follows:

‘Without prejudice to any administrative remedy for which provision may be made, inter alia before the supervisory authority referred to in Article 28, prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question.’

10      Article 23 of that directive states:

‘1.      Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.

2.      The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage.’

11      Article 24 of that directive provides:

‘The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.’

12      Article 28 of Directive 95/46 states:

‘1.      Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive.

These authorities shall act with complete independence in exercising the functions entrusted to them.

3.      Each authority shall in particular be endowed with:

–        the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities.

4.      Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.

…’

13      Article 5(3) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2002 L 201, p. 37), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 (OJ 2009 L 337, p. 11), (‘Directive 2002/58’) provides:

‘Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive [95/46], inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’

14      Article 1(1) of Directive 2009/22/EC of the European Parliament and of the Council of 23 April 2009 on injunctions for the protection of consumers’ interests (OJ 2009 L 110, p. 30), as amended by Regulation (EU) No 524/2013 of the European Parliament and of the Council of 21 May 2013 (OJ 2013 L 165, p. 1), (‘Directive 2009/22’) provides:

‘The purpose of this Directive is to approximate the laws, regulations and administrative provisions of the Member States relating to actions for an injunction referred to in Article 2 aimed at the protection of the collective interests of consumers included in the Union acts listed in Annex I, with a view to ensuring the smooth functioning of the internal market.’

15      Article 2 of that directive provides:

‘1.      Member States shall designate the courts or administrative authorities competent to rule on proceedings commenced by qualified entities within the meaning of Article 3 seeking:

(a)      an order with all due expediency, where appropriate by way of summary procedure, requiring the cessation or prohibition of any infringement;

…’

16      Article 7 of that directive states:

‘This Directive shall not prevent Member States from adopting or maintaining in force provisions designed to grant qualified entities and any other person concerned more extensive rights to bring action at national level.’

17      Article 80 of Regulation 2016/679 reads as follows:

‘1.      The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.

2.      Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.’

 German law

18      Paragraph 3(1) of the version of the Gesetz gegen den unlauteren Wettbewerb (Law against unfair competition) applicable to the dispute in the main proceedings (‘the UWG’) provides:

‘Unfair commercial practices shall be prohibited.’

19      Paragraph 3a of the UWG is worded as follows:

‘A person shall be regarded as acting unfairly where he infringes a statutory provision that is also intended to regulate market behaviour in the interests of market participants and the infringement is liable to have a significantly adverse effect on the interests of consumers, other market participants or competitors.’

20      Paragraph 8 of the UWG provides:

‘(1)      Any commercial practice which is unlawful under Paragraph 3 or Paragraph 7 may give rise to an order to cease and desist and, where there is a risk of recurrence, to a prohibition order. An application for a prohibition order may be made as from the time at which there is a risk of such unlawful practice within the meaning of Paragraph 3 or Paragraph 7 occurring.

(3)      Applications for the orders referred to in subparagraph (1) may be lodged by:

3.      qualified entities which prove that they are registered on the list of qualified entities pursuant to Paragraph 4 of the Unterlassungsklagegesetz [(Law on injunctions)] or on the list of the European Commission pursuant to Article 4(3) of Directive [2009/22];

…’

21      Paragraph 2 of the Law on injunctions provides:

‘(1)      Any person who infringes the provisions in place to protect consumers (consumer-protection laws), other than in the application or recommendation of general conditions of sale, may have an order to cease and desist and a prohibition order imposed on him in the interests of consumer protection. …

(2)      For the purposes of this provision, “consumer-protection laws” shall mean, in particular:

11.      the provisions that regulate the lawfulness

(a)      of the collection of a consumer’s personal data by a trader, or

(b)      of the processing or use of personal data collected about a consumer by a trader

if the data are collected, processed or used for the purposes of publicity, market and opinion research, operation of a credit agency, preparation of personality and usage profiles, address trading, other data trading or comparable commercial purposes.’

22      Paragraph 12(1) of the Telemediengesetz (Law on telemedia) (‘the TMG’) is worded as follows:

‘A service provider may collect and use personal data to make telemedia available only in so far as this Law or another legislative provision expressly relating to telemedia so permits or the user has consented to it.’

23      Paragraph 13(1) of the TMG states:

‘At the beginning of the use operation the service provider shall inform the user, in a generally understandable way, regarding the nature, extent and purpose of the collection and use of personal data and the processing of his data in States outside the scope of application of Directive [95/46] unless the user has already been informed thereof. In the case of an automated process allowing subsequent identification of the user and which prepares the collection or use of personal data, the user shall be informed at the beginning of this process. The content of the information conveyed to the user must be retrievable for the user at any time.’

24      Paragraph 15(1) of the TMG provides:

‘A service provider may collect and use the personal data of a user only to the extent necessary in order to facilitate, and charge for, the use of telemedia (data concerning use). Data concerning use include, in particular:

1.      features allowing identification of the user,

2.      information about the beginning, end and extent of the particular use, and

3.      information about the telemedia used by the user.’

 The dispute in the main proceedings and the questions referred for a preliminary ruling

25      Fashion ID, an online clothing retailer, embedded on its website the ‘Like’ social plugin from the social network Facebook (‘the Facebook “Like” button’).

26      It is apparent from the order for reference that one feature of the internet is that, when a website is visited, the browser allows content from different sources to be displayed. Thus, for example, photos, videos, news and the Facebook ‘Like’ button at issue in the present case can be linked to a website and appear there. If a website operator intends to embed such third-party content, he places a link to the external content on that website. When the browser of a visitor to that website encounters such a link, it requests the content from the third-party provider and adds it to the appearance of the website at the desired place. For this to occur, the browser transmits to the server of the third-party provider the IP address of that visitor’s computer, as well as the browser’s technical data, so that the server can establish the format in which the content is to be delivered to that address. In addition, the browser transmits information relating to the desired content. The operator of a website embedding third-party content onto that website cannot control what data the browser transmits or what the third-party provider does with those data, in particular whether it decides to save and use them.

27      With regard, in particular, to the Facebook ‘Like’ button, it seems to be apparent from the order for reference that, when a visitor consults the website of Fashion ID, that visitor’s personal data are transmitted to Facebook Ireland as a result of that website including that button. It seems that that transmission occurs without that visitor being aware of it regardless of whether or not he or she is a member of the social network Facebook or has clicked on the Facebook ‘Like’ button.

28      Verbraucherzentrale NRW, a public-service association tasked with safeguarding the interests of consumers, criticises Fashion ID for transmitting to Facebook Ireland personal data belonging to visitors to its website, first, without their consent and, second, in breach of the duties to inform set out in the provisions relating to the protection of personal data.

29      Verbraucherzentrale NRW brought legal proceedings for an injunction before the Landgericht Düsseldorf (Regional Court, Düsseldorf, Germany) against Fashion ID to force it to stop that practice.

30      By decision of 9 March 2016, the Landgericht Düsseldorf (Regional Court, Düsseldorf) upheld in part the requests made by Verbraucherzentrale NRW, after having found that it has standing to bring proceedings under Paragraph 8(3)(3) of the UWG.

31      Fashion ID brought an appeal against that decision before the referring court, the Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf, Germany). Facebook Ireland intervened in that appeal in support of Fashion ID. Verbraucherzentrale NRW brought a cross-appeal seeking an extension of the ruling made against Fashion ID at first instance.

32      Fashion ID argues before the referring court that the decision of the Landgericht Düsseldorf (Regional Court, Düsseldorf) is incompatible with Directive 95/46.

33      First, Fashion ID claims that Articles 22 to 24 of that directive envisage granting legal remedies only to data subjects whose personal data are processed and the competent supervising authorities. Consequently, it argues, the action brought by Verbraucherzentrale NRW is inadmissible due to the fact that that association does not have standing to bring or defend legal proceedings under Directive 95/46.

34      Second, Fashion ID asserts that the Landgericht Düsseldorf (Regional Court, Düsseldorf) erred in finding that it was a controller, within the meaning of Article 2(d) of Directive 95/46, since it has no influence either over the data transmitted by the visitor’s browser from its website or over whether and, where applicable, how Facebook Ireland uses those data.

35      In the first place, the referring court has doubts whether Directive 95/46 gives public-service associations the right to bring or defend legal proceedings in order to defend the interests of persons who have suffered harm. It takes the view that Article 24 of that directive does not preclude associations from being a party to legal proceedings, since, pursuant to that article, Member States are required to adopt ‘suitable measures’ to ensure the full implementation of that directive. Thus, the referring court concludes that national legislation allowing associations to bring legal proceedings in the interest of consumers may constitute such a ‘suitable measure’.

36      That court notes, in this regard, that Article 80(2) of Regulation 2016/679, which repealed and replaced Directive 95/46, expressly authorises the bringing of legal proceedings by such an association, which would tend to confirm that the latter directive did not preclude such an action.

37      Further, that court is uncertain whether the operator of a website, such as Fashion ID, that embeds on that website a social plugin allowing personal data to be collected can be considered to be a controller within the meaning of Article 2(d) of Directive 95/46 despite the latter having no control over the processing of the data transmitted to the provider of that plugin. In this context, the referring court refers to the case that gave rise to the judgment of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein (C‑210/16, EU:C:2018:388), which dealt with a similar question.

38      In the alternative, in the event that Fashion ID is not to be considered to be a controller, the referring court is uncertain whether that directive exhaustively regulates that notion, such that it precludes national legislation that establishes civil liability for a third party who infringes data protection rights. The referring court asserts that it would be possible to envisage Fashion ID being liable on this basis under national law as a ‘disrupter’ (‘Störer’).

39      If Fashion ID had to be considered to be a controller or was at least liable as a ‘disrupter’ for any data protection infringements by Facebook Ireland, the referring court is uncertain whether the processing of the personal data at issue in the main proceedings is lawful and whether the duty to inform the data subject under Article 10 of Directive 95/46 rests with Fashion ID or with Facebook Ireland.

40      Thus, first, with regard to the conditions for the lawfulness of the processing of data as provided for in Article 7(f) of Directive 95/46, the referring court expresses uncertainty as to whether, in a situation such as that at issue in the main proceedings, it is appropriate to take into account the legitimate interest of the operator of the website or that of the provider of the social plugin.

41      Second, that court is unsure who is required to obtain the consent of and inform the data subjects whose personal data are processed in a situation such as that at issue in the main proceedings. The referring court takes the view that the matter of who is obliged to inform the persons concerned, as provided for in Article 10 of Directive 95/46, is particularly important given that any embedding of third-party content on a website gives rise, in principle, to the processing of personal data, the scope and purpose of which are, however, unknown to the person embedding that content, namely the operator of the website concerned. That operator could not, therefore, provide the information required, to the extent that it is required to, meaning that the imposition of an obligation on the operator to inform the data subjects would, in practice, amount to a prohibition on the embedding of third-party content.

42      In those circumstances, the Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      Do the rules in Articles 22, 23 and 24 of Directive [95/46] preclude national legislation which, in addition to the powers of intervention conferred on the data-protection authorities and the remedies available to the data subject, grants public-service associations the power to take action against the infringer in the event of an infringement in order to safeguard the interests of consumers?

If Question 1 is answered in the negative:

(2)      In a case such as the present one, in which someone has embedded a programming code in his website which causes the user’s browser to request content from a third party and, to this end, transmits personal data to the third party, is the person embedding the content the “controller” within the meaning of Article 2(d) of Directive [95/46] if that person is himself unable to influence this data-processing operation?

(3)      If Question 2 is answered in the negative: Is Article 2(d) of Directive [95/46] to be interpreted as meaning that it definitively regulates liability and responsibility in such a way that it precludes civil claims against a third party who, although not a “controller”, nonetheless creates the cause for the processing operation, without influencing it?

(4)      Whose “legitimate interests”, in a situation such as the present one, are the decisive ones in the balancing of interests to be undertaken pursuant to Article 7(f) of Directive [95/46]? Is it the interests in embedding third-party content or the interests of the third party?

(5)      To whom must the consent to be declared under Articles 7(a) and 2(h) of Directive [95/46] be given in a situation such as that in the present case?

(6)      Does the duty to inform under Article 10 of Directive [95/46] also apply in a situation such as that in the present case to the operator of the website who has embedded the content of a third party and thus creates the cause for the processing of personal data by the third party?’

 Consideration of the questions referred

 The first question

43      By its first question the referring court asks, in essence, whether Articles 22 to 24 of Directive 95/46 must be interpreted as precluding national legislation which allows consumer-protection associations to bring or defend legal proceedings against a person allegedly responsible for an infringement of the laws protecting personal data.

44      As a preliminary point, it should be noted that, under Article 22 of Directive 95/46, Member States are required to provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question.

45      The third indent of Article 28(3) of Directive 95/46 states that a supervisory authority that is responsible under Article 28(1) of that directive for monitoring the application within the territory of a Member State of the provisions adopted by that Member State pursuant to that directive is endowed with, inter alia, the power to engage in legal proceedings where the national provisions adopted pursuant to that directive have been violated or to bring those violations to the attention of the judicial authorities.

46      Article 28(4) of Directive 95/46 provides that a supervisory authority is to hear claims lodged by an association representing a data subject, within the meaning of Article 2(a) of that directive, concerning the protection of his rights and freedoms in regard to the processing of personal data.

47      However, no provision of that directive obliges Member States to provide, or expressly empowers them to provide, in their national law that an association can represent a data subject in legal proceedings or commence legal proceedings on its own initiative against the person allegedly responsible for an infringement of the laws protecting personal data.

48      Nevertheless, it does not follow from the above that Directive 95/46 precludes national legislation allowing consumer-protection associations to bring or defend legal proceedings against the person allegedly responsible for such an infringement.

49      Under the third paragraph of Article 288 TFEU, the Member States are required, when transposing a directive, to ensure that it is fully effective, but they retain a broad discretion as to the choice of ways and means of ensuring that it is implemented. That freedom of choice does not affect the obligation imposed on all Member States to which the directive is addressed to adopt all the measures necessary to ensure that the directive concerned is fully effective in accordance with the objective which it seeks to attain (judgments of 6 October 2010, Base and Others, C‑389/08, EU:C:2010:584, paragraphs 24 and 25, and of 22 February 2018, Porras Guisado, C‑103/16, EU:C:2018:99, paragraph 57).

50      In this regard, it must be noted that one of the underlying objectives of Directive 95/46 is to ensure effective and complete protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data (see, to that effect, judgments of 13 May 2014, Google Spain and Google, C‑131/12, EU:C:2014:317, paragraph 53, and of 27 September 2017, Puškár, C‑73/16, EU:C:2017:725, paragraph 38). Recital 10 of Directive 95/46 adds that the approximation of the national laws applicable in this area must not result in any lessening of the protection which they afford but must, on the contrary, seek to ensure a high level of protection in the European Union (judgments of 6 November 2003, Lindqvist, C‑101/01, EU:C:2003:596, paragraph 95, of 16 December 2008, Huber, C‑524/06, EU:C:2008:724, paragraph 50, and of 24 November 2011, Asociación Nacional de Establecimientos Financieros de Crédito, C‑468/10 and C‑469/10, EU:C:2011:777, paragraph 28).

51      The fact that a Member State provides in its national legislation that it is possible for a consumer-protection association to commence legal proceedings against a person who is allegedly responsible for an infringement of the laws protecting personal data in no way undermines the objectives of that protection and, in fact, contributes to the realisation of those objectives.

52      Nevertheless, Fashion ID and Facebook Ireland submit that, since Directive 95/46 fully harmonised national provisions on data protection, any legal proceedings not expressly provided for by that directive are precluded. They argue that Articles 22, 23 and 28 of Directive 95/46 provide for legal proceedings brought only by data subjects and data protection supervisory authorities.

53      That argument, however, cannot be accepted.

54      Directive 95/46 does indeed amount to a harmonisation of national legislation on the protection of personal data that is generally complete (see, to that effect, judgments of 24 November 2011, Asociación Nacional de Establecimientos Financieros de Crédito, C‑468/10 and C‑469/10, EU:C:2011:777, paragraph 29, and of 7 November 2013, IPI, C‑473/12, EU:C:2013:715, paragraph 31).

55      The Court has thus held that Article 7 of that directive sets out an exhaustive and restrictive list of cases in which the processing of personal data can be regarded as being lawful and that Member States cannot add new principles relating to the lawfulness of the processing of personal data to that article or impose additional requirements that have the effect of amending the scope of one of the six principles provided for in that article (judgments of 24 November 2011, Asociación Nacional de Establecimientos Financieros de Crédito, C‑468/10 and C‑469/10, EU:C:2011:777, paragraphs 30 and 32, and of 19 October 2016, Breyer, C‑582/14, EU:C:2016:779, paragraph 57).

56      The Court has, however, also held that Directive 95/46 lays down rules that are relatively general since it has to be applied to a large number of very different situations. Those rules have a degree of flexibility and, in many instances, leave to the Member States the task of deciding the details or choosing between options, meaning that, in many respects, Member States have a margin of discretion in implementing that directive (see, to that effect, judgments of 6 November 2003, Lindqvist, C‑101/01, EU:C:2003:596, paragraphs 83, 84 and 97, and of 24 November 2011, Asociación Nacional de Establecimientos Financieros de Crédito, C‑468/10 and C‑469/10, EU:C:2011:777, paragraph 35).

57      This is also the case for Articles 22 to 24 of Directive 95/46, which, as the Advocate General noted in point 42 of his Opinion, are worded in general terms and do not amount to an exhaustive harmonisation of the national provisions stipulating the judicial remedies that can be brought against a person allegedly responsible for an infringement of the laws protecting personal data (see, by analogy, judgment of 26 October 2017, I, C‑195/16, EU:C:2017:815, paragraphs 57 and 58).

58      In particular, although Article 22 of that directive requires Member States to provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the personal data processing in question, that directive does not, however, contain any provisions specifically governing the conditions under which that remedy may be exercised (see, to that effect, judgment of 27 September 2017, Puškár, C‑73/16, EU:C:2017:725, paragraphs 54 and 55).

59      In addition, Article 24 of Directive 95/46 provides that Member States are to adopt ‘suitable measures’ to ensure the full implementation of the provisions of that directive, without defining such measures. It seems that a provision making it possible for a consumer-protection association to commence legal proceedings against a person who is allegedly responsible for an infringement of the laws protecting personal data may constitute a suitable measure, within the meaning of that provision, that contributes, as observed in paragraph 51 above, to the realisation of the objectives of that directive, in accordance with the Court’s case-law (see, to that effect, judgment of 6 November 2003, Lindqvist, C‑101/01, EU:C:2003:596, paragraph 97).

60      Moreover, contrary to what is claimed by Fashion ID, the fact that a Member State can provide for such a possibility in its national legislation does not appear to be such as to undermine the independence with which the supervisory authorities must perform the functions entrusted to them under Article 28 of Directive 95/46, since that possibility affects neither those authorities’ freedom to take decisions nor their freedom to act.

61      In addition, although it is true that Directive 95/46 does not appear among the measures listed in Annex I to Directive 2009/22, the fact nonetheless remains that, under Article 7 of the latter directive, that directive did not provide for an exhaustive harmonisation in that respect.

62      Last, the fact that Regulation 2016/679, which repealed and replaced Directive 95/46 and has been applicable since 25 May 2018, expressly authorises, in Article 80(2) thereof, Member States to allow consumer-protection associations to bring or defend legal proceedings against a person who is allegedly responsible for an infringement of the laws protecting personal data does not mean that Member States could not grant them that right under Directive 95/46, but confirms, rather, that the interpretation of that directive in the present judgment reflects the will of the EU legislature.

63      In the light of all the findings above, the answer to the first question is that Articles 22 to 24 of Directive 95/46 must be interpreted as not precluding national legislation which allows consumer-protection associations to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data.

 The second question

64      By its second question, the referring court asks, in essence, whether the operator of a website, such as Fashion ID, that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider the personal data of the visitor can be considered to be a controller, within the meaning of Article 2(d) of Directive 95/46, despite that operator being unable to influence the processing of the data transmitted to that provider as a result.

65      In this regard, it should be noted that, in accordance with the aim pursued by Directive 95/46, namely to ensure a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy, with respect to the processing of personal data, Article 2(d) of that directive defines the concept of ‘controller’ broadly as the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data (see, to that effect, judgment of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388, paragraphs 26 and 27).

66      As the Court has held previously, the objective of that provision is to ensure, through a broad definition of the concept of ‘controller’, effective and complete protection of data subjects (judgments of 13 May 2014, Google Spain and Google, C‑131/12, EU:C:2014:317, paragraph 34, and of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388, paragraph 28).

67      Furthermore, since, as Article 2(d) of Directive 95/46 expressly provides, the concept of ‘controller’ relates to the entity which ‘alone or jointly with others’ determines the purposes and means of the processing of personal data, that concept does not necessarily refer to a single entity and may concern several actors taking part in that processing, with each of them then being subject to the applicable data-protection provisions (see, to that effect, judgments of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388, paragraph 29, and of 10 July 2018, Jehovan todistajat, C‑25/17, EU:C:2018:551, paragraph 65).

68      The Court has also held that a natural or legal person who exerts influence over the processing of personal data, for his own purposes, and who participates, as a result, in the determination of the purposes and means of that processing, may be regarded as a controller within the meaning of Article 2(d) of Directive 95/46 (judgment of 10 July 2018, Jehovan todistajat, C‑25/17, EU:C:2018:551, paragraph 68).

69      Furthermore, the joint responsibility of several actors for the same processing, under that provision, does not require each of them to have access to the personal data concerned (see, to that effect, judgments of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388, paragraph 38, and of 10 July 2018, Jehovan todistajat, C‑25/17, EU:C:2018:551, paragraph 69).

70      That said, since the objective of Article 2(d) of Directive 95/46 is to ensure, through a broad definition of the concept of ‘controller’, the effective and comprehensive protection of the persons concerned, the existence of joint liability does not necessarily imply equal responsibility of the various operators engaged in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, with the result that the level of liability of each of them must be assessed with regard to all the relevant circumstances of the particular case (see, to that effect, judgment of 10 July 2018, Jehovan todistajat, C‑25/17, EU:C:2018:551, paragraph 66).

71      In this regard, it should be pointed out, first, that Article 2(b) of Directive 95/46 defines ‘processing of personal data’ as ‘any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction’.

72      It is apparent from that definition that the processing of personal data may consist in one or a number of operations, each of which relates to one of the different stages that the processing of personal data may involve.

73      Second, it follows from the definition of the concept of ‘controller’ in Article 2(d) of Directive 95/46 that, as is noted in paragraph 65 above, where several operators determine jointly the purposes and means of the processing of personal data, they participate in that processing as controllers.

74      Accordingly, as the Advocate General noted, in essence, in point 101 of his Opinion, it appears that a natural or legal person may be a controller, within the meaning of Article 2(d) of Directive 95/46, jointly with others only in respect of operations involving the processing of personal data for which it determines jointly the purposes and means. By contrast, and without prejudice to any civil liability provided for in national law in this respect, that natural or legal person cannot be considered to be a controller, within the meaning of that provision, in the context of operations that precede or are subsequent in the overall chain of processing for which that person does not determine either the purposes or the means.

75      In this case, subject to the investigations that it is for the referring court to carry out, it is apparent from the documents before the Court that, by embedding on its website the Facebook ‘Like’ button, Fashion ID appears to have made it possible for Facebook Ireland to obtain personal data of visitors to its website and that such a possibility is triggered as soon as the visitor consults that website, regardless of whether or not the visitor is a member of the social network Facebook, has clicked on the Facebook ‘Like’ button or is aware of such an operation.

76      In view of that information, it should be pointed out that the operations involving the processing of personal data in respect of which Fashion ID is capable of determining, jointly with Facebook Ireland, the purposes and means are, for the purposes of the definition of the concept of ‘processing of personal data’ in Article 2(b) of Directive 95/46, the collection and disclosure by transmission of the personal data of visitors to its website. By contrast, in the light of that information, it seems, at the outset, impossible that Fashion ID determines the purposes and means of subsequent operations involving the processing of personal data carried out by Facebook Ireland after their transmission to the latter, meaning that Fashion ID cannot be considered to be a controller in respect of those operations within the meaning of Article 2(d).

77      With regard to the means used for the purposes of the collection and disclosure by transmission of certain personal data of visitors to its website, it is apparent from paragraph 75 above that Fashion ID appears to have embedded on its website the Facebook ‘Like’ button made available to website operators by Facebook Ireland while fully aware of the fact that it serves as a tool for the collection and disclosure by transmission of the personal data of visitors to that website, regardless of whether or not the visitors are members of the social network Facebook.

78      Moreover, by embedding that social plugin on its website, Fashion ID exerts a decisive influence over the collection and transmission of the personal data of visitors to that website to the provider of that plugin, Facebook Ireland, which would not have occurred without that plugin.

79      In these circumstances, and subject to the investigations that it is for the referring court to carry out in this respect, it must be concluded that Facebook Ireland and Fashion ID determine jointly the means at the origin of the operations involving the collection and disclosure by transmission of the personal data of visitors to Fashion ID’s website.

80      As to the purposes of those operations involving the processing of personal data, it appears that Fashion ID’s embedding of the Facebook ‘Like’ button on its website allows it to optimise the publicity of its goods by making them more visible on the social network Facebook when a visitor to its website clicks on that button. The reason why Fashion ID seems to have consented, at least implicitly, to the collection and disclosure by transmission of the personal data of visitors to its website by embedding such a plugin on that website is in order to benefit from the commercial advantage consisting in increased publicity for its goods; those processing operations are performed in the economic interests of both Fashion ID and Facebook Ireland, for whom the fact that it can use those data for its own commercial purposes is the consideration for the benefit to Fashion ID.

81      In such circumstances, it can be concluded, subject to the investigations that it is for the referring court to perform, that Fashion ID and Facebook Ireland determine jointly the purposes of the operations involving the collection and disclosure by transmission of the personal data at issue in the main proceedings.

82      Further, as is apparent from the case-law referred to in paragraph 69 above, the fact that the operator of a website, such as Fashion ID, does not itself have access to the personal data collected and transmitted to the provider of the social plugin with which it determines jointly the means and purposes of the processing of personal data does not preclude it from being a controller within the meaning of Article 2(d) of Directive 95/46.

83      Moreover, it must be emphasised that a website, such as that of Fashion ID, is visited both by those who are members of the social network Facebook, and who therefore have an account on that social network, and by those who do not have one. In that latter case, the responsibility of the operator of a website, such as Fashion ID, for the processing of the personal data of those persons appears to be even greater, as the mere consultation of such a website featuring the Facebook ‘Like’ button appears to trigger the processing of their personal data by Facebook Ireland (see, to that effect. judgment of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388, paragraph 41).

84      Accordingly, it seems that Fashion ID can be considered to be a controller within the meaning of Article 2(d) of Directive 95/46, jointly with Facebook Ireland, in respect of the operations involving the collection and disclosure by transmission of the personal data of visitors to its website.

85      In the light of the findings above, the answer to the second question is that the operator of a website, such as Fashion ID, that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider the personal data of the visitor can be considered to be a controller, within the meaning of Article 2(d) of Directive 95/46. That liability is, however, limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue.

 The third question

86      In view of the answer given to the second question, there is no need to answer the third question.

 The fourth question

87      By its fourth question, the referring court asks, in essence, whether, in a situation such as that at issue in the main proceedings, in which the operator of a website embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor, it is appropriate, for the purposes of the application of Article 7(f) of Directive 95/46, to take into consideration a legitimate interest pursued by that operator or a legitimate interest pursued by that provider.

88      As a preliminary point, it should be noted that, according to the Commission, this question is irrelevant for the resolution of the dispute in the main proceedings, since consent was not obtained from the data subjects as is required by Article 5(3) of Directive 2002/58.

89      In that regard, it should be pointed out that Article 5(3) of Directive 2002/58 provides that Member States are to ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is allowed only on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46, inter alia, about the purposes of the processing.

90      It is for the referring court to investigate whether, in a situation such as that at issue in the main proceedings, the provider of a social plugin, such as Facebook Ireland, gains access, as is maintained by the Commission, from the operator of the website to information stored in the terminal equipment, within the meaning of Article 5(3) of Directive 2002/58, of a visitor to that website.

91      In such circumstances, and since the referring court seems to have concluded that, in the present case, the data transmitted to Facebook Ireland are personal data, within the meaning of Directive 95/46, which, moreover, are not necessarily limited to information stored in the terminal equipment, which it is for that court to confirm, the Commission’s views are insufficient to call into question the relevance of the fourth question referred for the resolution of the dispute in the main proceedings, which concerns the potentially lawful processing of the data at issue in the main proceedings, as was pointed out by the Advocate General in point 115 of his Opinion.

92      Consequently, it is necessary to examine what legitimate interest must be taken into account for the purposes of the application of Article 7(f) of that directive to the processing of those data.

93      In this regard, it should be noted at the outset that, according to the provisions of Chapter II of Directive 95/46, headed ‘General rules on the lawfulness of the processing of personal data’, subject to the derogations permitted under Article 13 of that directive, all processing of personal data must comply, inter alia, with one of the criteria for making data processing legitimate listed in Article 7 of that directive (see, to that effect, judgments of 13 May 2014, Google Spain and Google, C‑131/12, EU:C:2014:317, paragraph 71, and of 1 October 2015, Bara and Others, C‑201/14, EU:C:2015:638, paragraph 30).

94      Under Article 7(f) of Directive 95/46, the interpretation of which is sought by the referring court, personal data may be processed if processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection under Article 1(1) of Directive 95/46.

95      Article 7(f) of that directive thus lays down three cumulative conditions for the processing of personal data to be lawful, namely, first, the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed; second, the need to process personal data for the purposes of the legitimate interests pursued; and third, the condition that the fundamental rights and freedoms of the data subject whose data require protection do not take precedence (judgment of 4 May 2017, Rīgas satiksme, C‑13/16, EU:C:2017:336, paragraph 28).

96      Given that, in the light of the answer to the second question, it seems that, in a situation such as that at issue in the main proceedings, the operator of a website that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider the personal data of the visitor can be considered to be a controller responsible, jointly with that provider, for operations involving the processing of the personal data of visitors to its website in the form of collection and disclosure by transmission, it is necessary that each of those controllers should pursue a legitimate interest, within the meaning of Article 7(f) of Directive 95/46, through those processing operations in order for those operations to be justified in respect of each of them.

97      In the light of the findings above, the answer to the fourth question is that, in a situation such as that at issue in the main proceedings, in which the operator of a website embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor, it is necessary that that operator and that provider each pursue a legitimate interest, within the meaning of Article 7(f) of Directive 95/46, through those processing operations in order for those operations to be justified in respect of each of them.

 The fifth and sixth questions

98      By its fifth and sixth questions, which it is appropriate to examine together, the referring court wishes to know, in essence, first, whether Articles 2(h) and 7(a) of Directive 95/46 must be interpreted as meaning that, in a situation such as that at issue in the main proceedings, in which the operator of a website embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor, the consent referred to in those provisions must be obtained by that operator or by that provider and, second, whether Article 10 of that directive must be interpreted as meaning that, in such a situation, the duty to inform provided for in that provision is incumbent on that operator.

99      As is apparent from the answer to the second question, the operator of a website that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor can be considered to be a controller, within the meaning of Article 2(d) of Directive 95/46, despite that liability being limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means.

100    It thus appears that the duties that may be incumbent on that controller under Directive 95/46, such as the duty to obtain the consent of the data subject under Articles 2(h) and 7(a) of that directive and the duty to inform under Article 10 thereof, must relate to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means.

101    In the present case, while the operator of a website that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider the personal data of the visitor can be considered to be a controller, jointly with that provider, in respect of operations involving the collection and disclosure by transmission of the personal data of that visitor, its duty to obtain the consent from the data subject under Articles 2(h) and 7(a) of Directive 95/46 and its duty to inform under Article 10 of that directive relate only to those operations. By contrast, those duties do not cover operations involving the processing of personal data at other stages occurring before or after those operations which involve, as the case may be, the processing of personal data at issue.

102    With regard to the consent referred to in Articles 2(h) and 7(a) of Directive 95/46, it appears that such consent must be given prior to the collection and disclosure by transmission of the data subject’s data. In such circumstances, it is for the operator of the website, rather than for the provider of the social plugin, to obtain that consent, since it is the fact that the visitor consults that website that triggers the processing of the personal data. As the Advocate General noted in point 132 of his Opinion, it would not be in line with efficient and timely protection of the data subject’s rights if the consent were given only to the joint controller that is involved later, namely the provider of that plugin. However, the consent that must be given to the operator relates only to the operation or set of operations involving the processing of personal data in respect of which the operator actually determines the purposes and means.

103    The same applies in regard to the duty to inform under Article 10 of Directive 95/46.

104    In that regard, it follows from the wording of that provision that the controller or his representative must provide, as a minimum, the information referred to in that provision to the subject whose data are being collected. It thus appears that that information must be given by the controller immediately, that is to say, when the data are collected (see, to that effect, judgments of 7 May 2009, Rijkeboer, C‑553/07, EU:C:2009:293, paragraph 68, and of 7 November 2013, IPI, C‑473/12, EU:C:2013:715, paragraph 23).

105    It follows that, in a situation such as that at issue in the main proceedings, the duty to inform under Article 10 of Directive 95/46 is incumbent also on the operator of the website, but the information that the latter must provide to the data subject need relate only to the operation or set of operations involving the processing of personal data in respect of which that operator actually determines the purposes and means.

106    In the light of the findings above, the answer to the fifth and sixth questions is that Articles 2(h) and 7(a) of Directive 95/46 must be interpreted as meaning that, in a situation such as that at issue in the main proceedings, in which the operator of a website embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor, the consent referred to in those provisions must be obtained by that operator only with regard to the operation or set of operations involving the processing of personal data in respect of which that operator determines the purposes and means. In addition, Article 10 of that directive must be interpreted as meaning that, in such a situation, the duty to inform laid down in that provision is incumbent also on that operator, but the information that the latter must provide to the data subject need relate only to the operation or set of operations involving the processing of personal data in respect of which that operator actually determines the purposes and means.

 Costs

107    Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (Second Chamber) hereby rules:

1.      Articles 22 to 24 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as not precluding national legislation which allows consumer-protection associations to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data.

2.      The operator of a website, such as Fashion ID GmbH & Co. KG, that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor can be considered to be a controller, within the meaning of Article 2(d) of Directive 95/46. That liability is, however, limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue.

3.      In a situation such as that at issue in the main proceedings, in which the operator of a website embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor, it is necessary that that operator and that provider each pursue a legitimate interest, within the meaning of Article 7(f) of Directive 95/46, through those processing operations in order for those operations to be justified in respect of each of them.

4.      Articles 2(h) and 7(a) of Directive 95/46 must be interpreted as meaning that, in a situation such as that at issue in the main proceedings, in which the operator of a website embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor, the consent referred to in those provisions must be obtained by that operator only with regard to the operation or set of operations involving the processing of personal data in respect of which that operator determines the purposes and means. In addition, Article 10 of that directive must be interpreted as meaning that, in such a situation, the duty to inform laid down in that provision is incumbent also on that operator, but the information that the latter must provide to the data subject need relate only to the operation or set of operations involving the processing of personal data in respect of which that operator actually determines the purposes and means.

[Signatures]


*      Language of the case: German.