Request for a preliminary ruling from the Bundesverwaltungsgericht (Germany) lodged on 14 April 2016 — Wirtschaftsakademie Schleswig-Holstein GmbH v Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein

(Case C-210/16)

Language of the case: German

Referring court

Bundesverwaltungsgericht

Parties to the main proceedings

Defendant and appellant: Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein

Applicant and respondent: Wirtschaftsakademie Schleswig-Holstein GmbH

Joined party: Facebook Ireland Limited

Intervener: Vertreter des Bundesinteresses beim Bundesverwaltungsgericht

Questions referred

Is Article 2(d) of Directive 95/46/EC [1] to be interpreted as definitively and exhaustively defining the liability and responsibility for data protection violations, or does scope remain, under the ‘suitable measures’ pursuant to Article 24 of Directive 95/46/EC and the ‘effective powers of intervention’ pursuant to the second indent of Article 28(3) of Directive 95/46/EC, in multi-tiered information provider relationships for responsibility of a body that does not control the data processing within the meaning of Article 2(d) of Directive 95/46/EC when it chooses the operator of its information offering?

Does it follow a contrario from the obligation of Member States under Article 17(2) of Directive 95/46/EC to stipulate, in cases where data processing is carried out on the controller’s behalf, that the controller ‘must ... choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out’, that, where there are other user relationships not linked to data processing on the controller’s behalf within the meaning of Article 2(e) of Directive 95/46/EC, there is no obligation to make a careful choice and no such obligation can be derived from national law?

In cases in which a parent company based outside the European Union has legally independent establishments (subsidiaries) in various Member States, is the supervisory authority of a Member State (in this case, Germany) entitled under Article 4 and Article 28(6) of Directive 95/46/EC to exercise the powers conferred under Article 28(3) of Directive 95/46/EC against the establishment located in its territory even when this establishment is solely responsible for promoting the sale of advertising and other marketing measures aimed at the inhabitants of this Member State, whereas the independent establishment (subsidiary) located in another Member State (in this case, Ireland) is exclusively responsible within the group’s internal division of tasks for collecting and processing personal data throughout the entire territory of the European Union and hence in the other Member State as well (in this case, Germany), if decisions about data processing are in fact taken by the parent company?

Are Article 4(1)(a) and Article 28(3) of Directive 95/46/EC to be interpreted as meaning that, in cases in which the controller has an establishment in the territory of one Member State (in this case, Ireland) and there is another, legally independent establishment in the territory of another Member State (in this case, Germany), whose responsibilities include the sale of advertising space and whose activity is aimed at the inhabitants of that State, the competent supervisory authority in this other Member State (in this case, Germany) may direct measures and orders implementing data protection legislation also against the other establishment (in this case, in Germany) not responsible for data processing under the group’s internal division of tasks and responsibilities, or are measures and orders only possible by the supervisory body of the Member State (in this case, Ireland) in whose territory the entity with internal responsibility within the group has its registered office?

Are Article 4(1)(a) and Article 28(3) and (6) of Directive 95/46/EC to be interpreted as meaning that, in cases in which the supervisory authority in one Member State (in this case, Germany) takes action against a person or entity in its territory pursuant to Article 28(3) of Directive 95/46/EC on the grounds of failing to exercise due care in choosing a third party involved in the data processing process (in this case, Facebook), because this third party is in violation of data protection legislation, the active supervisory authority (in this case, Germany) is bound by the appraisal of data protection legislation by the supervisory authority of the Member State in which the third party responsible for the data processing has its establishment (in this case, Ireland) meaning that it may not arrive at a different legal appraisal, or may the active supervisory authority (in this case, Germany) conduct its own examination of the lawfulness of the data processing by the third party established in another Member State (in this case, Ireland) as a preliminary question prior to its own action?

Where the possibility of conducting an independent examination is available to the active supervisory authority (in this case, Germany), is the second sentence of Article 28(6) of Directive 95/46/EC to be interpreted as meaning that this supervisory authority may exercise the effective powers of intervention conferred on it under Article 28(3) of Directive 95/46/EC against a person or entity established in its territory on the grounds of their joint responsibility for data protection violations by a third party established in another Member State only and not until it has first requested the supervisory authority in this other Member State (in this case, Ireland) to exercise its powers?

____________

[1] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).