Case C‑230/14
Weltimmo s.r.o.
v
Nemzeti Adatvédelmi és Információszabadság Hatóság
(Request for a preliminary ruling
from the Kúria)
(Reference for a preliminary ruling — Protection of individuals with regard to the processing of personal data — Directive 95/46/EC — Articles 4(1) and 28(1), (3) and (6) — Controller who is formally established in a Member State — Impairment of the right to the protection of personal data concerning natural persons in another Member State — Determination of the applicable law and the competent supervisory authority — Exercise of the powers of the supervisory authority — Power to impose penalties)
Summary — Judgment of the Court (Third Chamber), 1 October 2015
1. Approximation of laws — Protection of individuals with regard to the processing of personal data — Directive 95/46 — Establishment of a company responsible for the processing of data — Concept — Flexible interpretation
(European Parliament and Council Directive 95/46, Recital 19)
2. Approximation of laws — Protection of individuals with regard to the processing of personal data — Directive 95/46 — Company responsible for the processing of data in a Member State other than that where it is registered — Application of the law of that other Member State — Condition — Exercise of a real and effective activity through stable arrangements — Criteria for assessment
(European Parliament and Council Directive 95/46, Art. 4(1)(a))
3. Approximation of laws — Protection of individuals with regard to the processing of personal data — Directive 95/46 — Complaint lodged with the supervisory authority of a Member State — Supervisory authority concluding that the law of another Member State is applicable to the processing of data — Powers of intervention of that authority — Limits
(European Parliament and Council Directive 95/46, Art. 28(1), (3), (4) and (6))
4. Approximation of laws — Protection of individuals with regard to the processing of personal data — Directive 95/46 — Term ‘adatfeldolgozás’ (technical manipulation of data) found in the Hungarian version — Scope
(European Parliament and Council Directive 95/46, Arts 4(1)(a) and 28(6))
1. Recital 19 of Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data results in a flexible definition of the concept of ‘establishment’, which departs from a formalistic approach whereby undertakings are established solely in the place where they are registered. Accordingly, in order to establish whether a company, the data controller, has an establishment, within the meaning of Directive 95/46, in a Member State other than the Member State or third country where it is registered, both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned. This is particularly true for undertakings offering services exclusively over the Internet.
(see para. 29)
2. Article 4(1)(a) of Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out.
In order to ascertain whether that is the case, the referring court may, in particular, take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned.
By contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant.
(see para. 41, operative part 1)
3. Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.
It follows from the requirements derived from the territorial sovereignty of the Member State concerned, the principle of legality and the concept of the rule of law that the exercise of the power to impose penalties cannot take place, as a matter of principle, outside the legal limits within which an administrative authority is authorised to act subject to the law of its own Member State.
(see paras 56, 60, operative part 2)
4. Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the term ‘adatfeldolgozás’ (technical manipulation of data), used in the Hungarian version of that directive, in particular in Articles 4(1)(a) and 28(6) thereof, must be understood as having the same meaning as that of the term ‘adatkezelés’ (data processing).
(see para. 65, operative part 3)