On October 1, 2015, the Court of Justice of the European Union (CJEU), which is the EU’s highest court, delivered its judgment in Case C-230/14—Weltimmo.¹ The CJEU ruling is a landmark decision in determining the territorial scope of application of national data protection laws and the competence of national Data Protection Authorities (DPAs) in the EU.

All 28 countries of the EU have their own national data protection laws. The territorial scope of application of these laws often raises questions for companies doing business in multiple EU countries. The main rule states that the national data protection law of a certain EU country applies if data processing is “carried out in the context of the activities of an establishment” of the data controller in that EU country. If the data controller is not established in the EU, but makes use of “equipment” in a certain EU country to process personal data, the national data protection law of that EU country will apply. The Weltimmo case provides some clarity on how to determine the application of EU data protection law when the data controller is established in the EU.
Continue Reading Landmark Decision Clarifies Territorial Scope of Application of National Data Protection Laws in the EU