Privacy & Information Security Law Blog

On October 1, 2015, the Court of Justice of the European Union (the “CJEU”) issued its judgment in Weltimmo v Nemzeti (Case C-230/14). Weltimmo, a company registered and headquartered in Slovakia, runs a website that allows property owners in Hungary to advertise their properties. The CJEU stated that, in some cases, Weltimmo had failed to delete the personal data of the advertisers upon request, and also had sent debt collectors to some advertisers despite their earlier attempts to cancel their accounts. The advertisers complained to the Hungarian Data Protection Authority (“DPA”), which investigated the matter and issued a fine of HUF 10 million (approximately 36,500 USD) against Weltimmo.

Weltimmo brought an action in the Hungarian courts, contesting the fine. It argued that Hungarian data protection law did not apply under the EU Data Protection Directive 95/46/EC (the “Directive”), because Weltimmo did not have a branch or office in Hungary, was not established in Hungary and none of the other bases for the application of Hungarian law under the Directive were applicable. The Hungarian courts referred the question to the CJEU.

The CJEU noted that Article 4(1) of the Directive governs the determination regarding which Member State’s law applies. The CJEU applied the classic formulation that the data protection law of an EU Member State applies to data processing activities “where the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State.” Nevertheless, the CJEU also observed that, as set out in its own judgment in Costeja, Article 4(1) should be interpreted broadly, and establishment is a “flexible concept.” It further stated that “the concept of ‘establishment’… extends to any real and effective activity — even a minimal one — exercised through stable arrangements.”

The CJEU took the view that the presence of a single representative in a Member State can be sufficient to create an establishment of the controller in that Member State. It concluded that Weltimmo was established in Hungary, on the basis of several factors:

• Weltimmo’s website concerned properties that were physically located in Hungary, and the website was written in Hungarian.
• Weltimmo had a “representative” in Hungary, on the basis that it had instructed local Hungarian debt collectors to act on its behalf.
• The debt collectors used a postal address in Hungary and a Hungarian bank account to do business on Weltimmo’s behalf.

Consequently, the CJEU held that Hungarian data protection law applied to Weltimmo. The CJEU also clarified that the nationality of the advertisers (who were the data subjects in this case) was irrelevant to the question of applicable law.

The consequences of this judgment are potentially significant for businesses. In practice, if a business has “even a minimal” presence in an EU Member State, it is likely that the data protection laws of that Member State will apply to that business. There is no “bright line” test, and the CJEU appears comfortable relying on a broad range of factors in order to make a finding of establishment.