The European court ruled in Case C‑230/14, Weltimmo s. r. o. v Nemzeti Adatvédelmi és Információszabadság Hatóság. The case concerns the following:
Weltimmo, a company registered in Slovakia, runs a property dealing website concerning Hungarian properties. For that purpose, it processes the personal data of the advertisers. The advertisements are free of charge for one month but thereafter a fee is payable. Many advertisers sent a request by e-mail for the deletion of both their advertisements and their personal data as from that period. However, Weltimmo did not delete those data and charged the interested parties for the price of its services. As the amounts charged were not paid, Weltimmo forwarded the personal data of the advertisers concerned to debt collection agencies.
Those advertisers lodged complaints with the Hungarian data protection authority. That authority declared that it was competent under Paragraph 2(1) of the Law on information, taking the view that the collection of the data concerned constituted processing of data or a technical operation for the processing of data concerning natural persons. Considering that Weltimmo had infringed the Law on information, that data protection authority imposed on that company a fine of HUF 10 million (approximately EUR 32 000).
Weltimmo then brought an action before the Budapest administrative and labour court (Fővárosi Közigazgatási és Munkaügyi Bíróság), which held that the fact that that company did not have a registered office or branch in Hungary was not a valid argument in defence because the processing of data and the supply of data services relating to the Hungarian property concerned had taken place in Hungary. However, that court set aside the decision of the Hungarian data protection authority on other grounds, connected with the lack of clarity over some of the facts.
Weltimmo appealed on a point of law to the referring court, claiming that there was no need for further clarification of the facts, since, pursuant to Article 4(1)(a) of Directive 95/46, the Hungarian data protection authority in this case was not competent and could not apply Hungarian law in respect of a supplier of services established in another Member State. Weltimmo maintained that, under Article 28(6) of Directive 95/46, that authority should have asked the Slovak data protection authority to act in its place.
The Hungarian data protection authority submitted that Weltimmo had a Hungarian representative in Hungary, namely one of the owners of that company, who represented it in the administrative and judicial proceedings that took place in that Member State. That authority added that Weltimmo’s Internet servers were probably installed in Germany or in Austria, but that the owners of that company lived in Hungary. Lastly, according to that authority, it follows from Article 28(6) of Directive 95/46 that it was in any event competent to act, regardless of the applicable law.
Since it had doubts concerning the determination of the applicable law and the powers of the Hungarian data protection authority under Articles 4(1) and 28 of Directive 95/46, the Kúria (Supreme Court, Hungary) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
(1) Can Article 28(1) of Directive 95/46 be interpreted as meaning that the provisions of national law of a Member State are applicable in its territory to a situation where a data controller runs a property dealing website established only in another Member State and also advertises properties situated in the territory of that first Member State and the property owners have forwarded their personal data to a facility (server) for data storage and data processing belonging to the operator of the website in that other Member State?
(2) Can Article 4(1)(a) of [Directive 95/46], read in conjunction with recitals 18 to 20 of its preamble and Articles 1(2) and 28(1) thereof, be interpreted as meaning that the Hungarian [data protection authority] may not apply the Hungarian law on data protection, as national law, to an operator of a property dealing website established only in another Member State, even if it also advertises Hungarian property whose owners transfer the data relating to such property probably from Hungarian territory to a facility (server) for data storage and data processing belonging to the operator of the website?
(3) Is it significant for the purposes of interpretation that the service provided by the data controller who operates the website is directed at the territory of another Member State?
(4) Is it significant for the purposes of interpretation that the data relating to the properties in the other Member State and the personal data of the owners are uploaded in fact from the territory of that other Member State?
(5) Is it significant for the purposes of interpretation that the personal data relating to those properties are the personal data of citizens of another Member State?
(6) Is it significant for the purposes of interpretation that the owners of the undertaking established in Slovakia live in Hungary?
(7) If it appears from the answers to the above questions that the Hungarian data protection authority may act but must apply the law of the Member State of establishment and may not apply national law, must Article 28(6) of [Directive 95/46] be interpreted as meaning that the Hungarian data protection authority may only exercise the powers provided for by Article 28(3) of [Directive 95/46] in accordance with the provisions of the legislation of the Member State of establishment and accordingly may not impose a fine?
(8) May the term “adatfeldolgozás” (technical manipulation of data) used in both Article 4(1)(a) and in Article 28(6) of the [Hungarian version of Directive 95/46 to translate ‘data processing’] be considered to be equivalent to the usual term for data processing, “adatkezelés”, used in connection with that directive?’
The Court decision:
1. Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out.
In order to ascertain, in circumstances such as those at issue in the main proceedings, whether that is the case, the referring court may, in particular, take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned.
By contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant.
2. Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.
3. Directive 95/46 must be interpreted as meaning that the term ‘adatfeldolgozás’ (technical manipulation of data), used in the Hungarian version of that directive, in particular in Articles 4(1)(a) and 28(6) thereof, must be understood as having the same meaning as that of the term ‘adatkezelés’ (data processing).