Data protection laws may apply to foreign companies rules ECJ
Data protection legislation of a member state may be applied to a foreign company which exercises in that state, through stable arrangements, a real and effective activity the European Court of Justice has ruled.
The Data Protection Directive provides that each member state is to designate one or more public authorities responsible for monitoring the application within its territory of the national provisions adopted by the member states on the basis of the directive. Each authority is competent to exercise, within its territory, in particular investigative powers and powers of intervention, whatever the national law applicable to the processing in question. In addition, each authority may be requested to exercise its powers by an authority of another member state.
Weltimmo, a company registered in Slovakia, ran a property dealing website concerning Hungarian properties. Within that context, it processes the personal data of the advertisers. The advertisements are free of charge for one month but thereafter a fee is payable.
Many advertisers sent a request by email for the deletion of both their advertisements and their personal data at the end of the first month. However, Weltimmo did not delete those data and charged the interested parties for the price of its services. As the amounts charged were not paid, Weltimmo forwarded the personal data of the advertisers to debt collection agencies.
The advertisers lodged complaints with the Hungarian authority responsible for data protection. That authority imposed a fine of HUF 10 million (approximately €32,000) on Weltimmo for having infringed the Hungarian law transposing the directive.
Weltimmo then contested the decision of the supervisory authority before the Hungarian courts. Called upon to hear the dispute on appeal, the Kúria (Supreme Court, Hungary) asked the Court of Justice whether, in the present case, the directive enabled the Hungarian supervisory authority to apply the Hungarian law adopted on the basis of the directive and to impose the fine provided for by that law.
In its judgment, the court recalled that, according to the directive, each member state must apply the provisions it adopted pursuant to the directive where the data processing is carried out in the context of the activities conducted on its territory by an establishment of the controller. In that regard, the court noted that the presence of only one representative can, in some circumstances, suffice to constitute an establishment if that representative acts with a sufficient degree of stability for the provision of the services concerned in the member state in question. In addition, the court stated that the concept of “establishment” extends to any real and effective activity — even a minimal one — exercised through stable arrangements.
In the present case, the court observed that Weltimmo unquestionably pursued a real and effective activity in Hungary.
Furthermore, it is apparent from the information provided by the Hungarian supervisory authority that Weltimmo has a representative in Hungary, who is mentioned in the Slovak companies register with an address in Hungary and who has sought to negotiate the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data settlement of the unpaid debts with the advertisers.
That representative served as a point of contact between Weltimmo and the advertisers and represented the company in the administrative and judicial proceedings. In addition, Weltimmo opened a bank account in Hungary, intended for the recovery of its debts, and uses a letter box in Hungary for the management of its everyday business affairs.
That information, which it is for the referring court to verify, is capable of establishing the existence of an “establishment”, within the meaning of the directive, in Hungary. If this is the case, Weltimmo’s activity is subject to the Hungarian legislation on data protection.
The court stated that each supervisory authority established by a member state must ensure compliance, within the territory of that state, with the provisions adopted by all member states pursuant to the directive. Consequently, each supervisory authority is to hear claims lodged by any person concerning the protection of his rights and freedoms in regard to the processing of personal data, even if the law applicable to that processing is the law of another member state.
However, in the event of the application of the law of another member state, the powers of intervention of the supervisory authority must be exercised in compliance, inter alia, with the territorial sovereignty of the other member states, with the result that a national authority cannot impose penalties outside the territory of its own state.
Consequently, in the event that the referring court should find that Weltimmo does not have an “establishment”, within the meaning of the directive, in Hungary and that the law applicable to the processing in question is therefore that of another member state, the Hungarian supervisory authority will not be able to exercise the powers to impose penalties which Hungarian law has conferred on it.
Pursuant to the duty of cooperation laid down in the directive, it is nevertheless for that authority to request the supervisory authority of the other member state concerned to establish an infringement of the law of that state and to impose the penalties which may be provided for by that law.