Case summary

Deciding Body
Hungary, Supreme Court
Kúri
Hungary
National case details
Date of decision: 22.04.14
Instance: Cassation (review)
Area of law
Data protection

Other
Relevant principles applied
Effectiveness
Preliminary ruling
Judgement of the CJEU 1 October 2015, Case C-C‑230/14 Weltimmo s. r. o. v Nemzeti Adatvédelmi és Információszabadság Hatóság

Life-cycle diagram

  1. 1 January 2012

    Entry into force of the Hungaria

  2. 22 April 2014

    Request for a preliminary ruling by the Hungarian Supreme Court

  3. 1 October 2015

    Judgment by the CJEU

Identification of the case

National law sources
  • Law CXII of 2011 on the right to self-determination as regards information and freedom of information (az információs önrendelkezési jogról és az információszabadságról szóló 2011. évi CXII. törvény)
EU law sources
  • Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive)

Summary of the case

Facts of the case

Weltimmo, a company registered in Slovakia, ran property dealing websites concerning Hungarian properties. Advertisers on its websites complained with the Hungarian data protection authority that, notwithstanding their requests to delete their advertisements and personal data upon expiration of the free-of-charge period, Weltimmo did not delete those data, charged the advertisers for the price of its services and shared their personal data with debt collection agencies. The Hungarian data protection authority imposed a fine on Weltimmo of approximately EUR 32 000 for violating the Law on information, which transposed Directive 95/46 into Hungarian law. Weltimmo challenged the fine before the Budapest administrative and labour court, which set aside the decision of the data protection authority for lack of clarity of some facts, but at the same rejected the company’s claim that the authority was not competent to impose the fine because Weltimmo did not have a registered office or branch in Hungary. Weltimmo appealed the judgment before the Hungarian Supreme Court, reiterating its claim that, on the basis of Directive 95/46, Hungarian law was not applicable in the case at hand and the Hungarian data protection authority was not competent, but should have asked the Slovak data protection authority to act in its place.

Type of enforcement
  • Civil judicial enforcement
Measures, actions, remedies claimed/applied

Annulment of the decision by the Budapest administrative and labour court which held that the Hungarian data protection authority was in abstracto competent to impose a fine.

Preliminary questions

The Hungarian Supreme Court asked, essentially, “whether Articles 4(1)(a) and 28(1) of Directive 95/46 must be interpreted as permitting, in circumstances such as those at issue in the main proceedings, the data protection authority of a Member State to apply its national law on data protection with regard to a data controller whose company is registered in another Member State and who runs a property dealing website concerning properties situated in the territory of the first of those two States”. Specifically, the referring court inquired about the relevance of the following criteria to establish the competent authority and applicable law: the State at which the activity of the controller of the personal data is directed, where the properties are situated, from which the data are forwarded, of which the owners of the properties are nationals, and in which the owners of the company live. The referring court further asked “whether, should the Hungarian data protection authority reach the conclusion that the law applicable to the processing of the personal data is not Hungarian law, but the law of another Member State, Article 28(1), (3) and (6) of Directive 95/46 should be interpreted as meaning that that authority would be able to exercise only the powers provided for by Article 28(3) of that directive, in accordance with the law of that other Member State, and would not be able to impose penalties”. The powers that shall be entrusted to national supervisory authorities under Article 28(3) include investigative powers, powers of intervention (e.g. issuing opinions, ordering the blocking/erasure/destruction of data, suspending the processing of data, admonishing the data controller), power of instituting legal proceedings.

Reasoning (legal principles applied)

The CJEU first addressed the issue of the national law applicable by referring to Article 4 of Directive 95/46, which establishes that “each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where: (a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State”. The question arises as to under what circumstances a data controller can be considered to be “established” on a Member State’s territory. The CJEU maintained that, the objective of Directive 95/46 being the effective protection of the right to privacy, a broad interpretation of the concept of “establishment” was warranted: it thus held that formal registration is not the decisive criterion, whereas the effective exercise of activities and the existence of stable arrangements are relevant. The Court further specified that even a minimal activity would be sufficient and that, under certain circumstances, the presence of merely one representative could constitute a “stable arrangement”. The CJEU then noted that, in the case under consideration, the websites run by Weltimmo concerned properties located in Hungary and were written in Hungarian; moreover, one of the company’s representatives lived in Hungary and represented the company in the administrative and judicial proceedings initiated there. Finally, the company had both a bank account and a letter box in Hungary. All of these elements, according to the Court, allow to conclude that an “establishment” in Hungary exists.

The Court then examined under what conditions the processing of personal data can be considered to be carried out “in the context of the activities” of an establishment. Having clarified that the data processing needs not be carried out “by” the establishment, but “in the context of [its] activities”, the Court confirmed that the loading of personal data on a webpage shall be considered “processing” of those data and that the processing took place in the “context of the activities” carried out by Weltimmo in Hungary. The Court therefore concluded that, subject to verification by the referring court of the information above, Hungarian law was applicable. It also added that, on the other hand, the fact that the owners of the properties were Hungarian was irrelevant to establish the applicability of Hungarian law.

Should however the data protection authority determine that Weltimmo is not established in Hungary, and Hungarian law is therefore not applicable, the CJEU clarified that in such an instance, according to the Directive, the supervisory authority “may exercise its investigative powers irrespective of the applicable law […]. However, if it reaches the conclusion that the law of another Member State is applicable, it cannot impose penalties outside the territory of its own Member State. In such a situation, it must, in fulfilment of the duty of cooperation laid down in Article 28(6) of that directive, request the supervisory authority of that other Member State to establish an infringement of that law and to impose penalties if that law permits”.

Role of the Charter and role of the general principles on enforcement

Relation to scope of the Charter

The Charter is not referred to

Relevant principles applied
  • Effectiveness
Principle of effectiveness

The CJEU had recourse to the principle of effectiveness to adopt a broad interpretation of the concepts of “establishment” and “context of the activities of an establishment” for the purposes of Directive 95/46. As stated by the Court: “In the light of the objective pursued by Directive 95/46, consisting in ensuring effective and complete protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data, the words ‘in the context of the activities of an establishment’ cannot be interpreted restrictively”. The principle of effectiveness and its interpretive consequences were thereafter reaffirmed when the Court held that “the presence of only one representative can, in some circumstances, suffice to constitute a stable arrangement”, and thus lead to conclude that an establishment exists.

Elements of judicial dialogue

Vertical dialogue type
  • Direct dialogue between CJEU and National court (preliminary reference)
Dialogue techniques

Preliminary reference

Purposes of using judicial dialogue

To clarify the scope of Directive 95/46 and of the national legislation implementing it, particularly as regards the law applicable and the powers of national data protection authorities.

Expected effects of judicial dialogue

The judgment sheds light on the interpretation of Directive 95/46, particularly as to the criteria to identify the Member State(s) where a controller of personal data is established for the purposes of the Directive. In doing so, the judgment gives important indications to both domestic data protection authorities and domestic courts regarding the national law applicable and the powers which might be exercised by supervisory authorities.

Additional notes on the decision

External links

Case author

PhD Student Chiara Tea Antoniazzi, University of Trento

Published by Lavinia Vizzoni on 27 November 2017