On October 1, 2015, the Court of Justice of the European Union (CJEU), which is the EU’s highest court, delivered its judgment in Case C-230/14—Weltimmo.1 The CJEU ruling is a landmark decision in determining the territorial scope of application of national data protection laws and the competence of national Data Protection Authorities (DPAs) in the EU.
All 28 countries of the EU have their own national data protection laws. The territorial scope of application of these laws often raises questions for companies doing business in multiple EU countries. The main rule states that the national data protection law of a certain EU country applies if data processing is “carried out in the context of the activities of an establishment” of the data controller in that EU country. If the data controller is not established in the EU, but makes use of “equipment” in a certain EU country to process personal data, the national data protection law of that EU country will apply. The Weltimmo case provides some clarity on how to determine the application of EU data protection law when the data controller is established in the EU.
This article informs you about the facts, key findings, and implications of Weltimmo.
Weltimmo, a Slovakian company, operated a real estate website that allowed subscribers to list and advertise real estate for sale in Hungary. Weltimmo offered a free trial period to Hungarian advertisers, but did not deregister the advertisers that opted out at the end of the trial period. Instead, Weltimmo sent the advertisers invoices and forwarded their personal data to debt collectors.
When the Hungarian advertisers complained about these practices to the Hungarian DPA, the DPA fined Weltimmo 10 million HUF (approximately $34,500) for breach of Hungarian data protection law. Weltimmo appealed and obtained the annulment of the DPA’s decision. The case was then brought before the highest court in Hungary, which asked the CJEU to clarify whether or not Hungarian data protection law applied to the matter. Weltimmo argued that Hungarian data protection law did not apply, since Weltimmo did not have a registered office or branch in Hungary, and was therefore not established in Hungary.
The CJEU decided that Weltimmo was established in Hungary and that Hungarian data protection law applied to the matter. Below are the key findings of the case.
- Definition of Establishment. The court clarified the concept of “establishment.” It is sufficient to have some stable arrangements to provide services in an EU country in order to be considered to have an establishment there. Having a representative in the country (in this case, local debt collectors acting on behalf of Weltimmo) may be enough. Having a postal address and a bank account in the country are additional factors to consider. The court also took into consideration the fact that Weltimmo’s service, in the context of which personal data was processed, was targeted to Hungary (i.e., the website featured properties in Hungary and was written in Hungarian). Finally, the court specified that the nationality of the individuals concerned by the data processing is irrelevant for the determination of the applicable national data protection law.
- National DPA Jurisdiction Hinges on Establishment. The court stated that a national DPA is competent for the companies that are established in its jurisdiction. It cannot impose penalties on companies established outside its own country. Therefore, if a company does not have an establishment in the EU country where the infringing act occurred, the DPA of that country may not impose penalties. Instead, it should request the DPA of the EU country where the company is established to investigate the matter and to potentially sanction the company in accordance with its own applicable data protection law.
Since the court’s threshold for having an “establishment” is relatively low, businesses that carry out data processing activities in multiple EU countries should be aware that they can be considered to be established in several EU countries, even if they don’t have legal entities there. It may be sufficient to target individuals in a certain EU country and to work with people on the ground (e.g., debt collectors) to be considered to have an establishment in that EU country. In the EU, the same data processing activity may thus be subject to different national data protection laws that are enforced by different DPAs, if the activity involves multiple EU markets. In light of this judgment, companies should reassess their strategy for compliance with multiple local data protection laws.