Data protection legislation of a Member State may be applied to a foreign company which exercises in that State, through stable arrangements, a real and effective activity
Judgment in Case C-230/14 Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság
The Data Protection Directive1 provides that each Member State is to designate one or more public authorities responsible for monitoring the application within its territory of the national provisions adopted by the Member States on the basis of the directive. Each authority is competent to exercise, within its territory, in particular investigative powers and powers of intervention, whatever the national law applicable to the processing in question. In addition, each authority may be requested to exercise its powers by an authority of another Member State.
Weltimmo, a company registered in Slovakia, runs a property dealing website concerning Hungarian properties. Within that context, it processes the personal data of the advertisers. The advertisements are free of charge for one month but thereafter a fee is payable. Many advertisers sent a request by e-mail for the deletion of both their advertisements and their personal data at the end of the first month. However, Weltimmo did not delete those data and charged the interested parties for the price of its services. As the amounts charged were not paid, Weltimmo forwarded the personal data of the advertisers to debt collection agencies.
The advertisers lodged complaints with the Hungarian authority responsible for data protection. That authority imposed a fine of HUF 10 million (approximately €32 000) on Weltimmo for having infringed the Hungarian law transposing the directive.
Weltimmo then contested the decision of the supervisory authority before the Hungarian courts. Called upon to hear the dispute on appeal, the Kúria (Supreme Court, Hungary) asks the Court of Justice whether, in the present case, the directive enabled the Hungarian supervisory authority to apply the Hungarian law adopted on the basis of the directive and to impose the fine provided for by that law.
By today’s judgment, the Court recalls that, according to the directive, each Member State must apply the provisions it adopted pursuant to the directive where the data processing is carried out in the context of the activities conducted on its territory by an establishment of the controller. In that regard, the Court notes that the presence of only one representative can, in some circumstances, suffice to constitute an establishment if that representative acts with a sufficient degree of stability for the provision of the services concerned in the Member State in question. In addition, the Court states that the concept of ‘establishment’ extends to any real and effective activity — even a minimal one — exercised through stable arrangements.
Read more from the Court of Justice of the European Union.
Sorry, the comment form is closed at this time.