Case C-230/14, Weltimmo – regulatory competence over websites

If a Slovakian company runs a website that advertises Hungarian homes for sale, and Hungarian residents submit their personal data to the company’s website server, then in the event of the Slovakian company breaching data protection laws, does the Hungarian Data Protection Authority retain any regulatory competence to ensure that Hungarian data protection law is complied with? Or should the Hungarian Authority simply have requested its Slovakian counterpart to take action against the Slovakian company?

Facts
Weltimmo runs a website that advertises properties and real estate for sale in Hungary. To attract more Hungarian advertisements, the company offered to place an advert free of charge for the first month that the advert was on the website. After that month, the person who had placed the advert would then be charged a fee for using Weltimmo’s website service.

Many people who had made use of the free offer decided not to opt for Weltimmo’s paid website service. They duly Emailed Weltimmo to indicate that they no longer wished their advert to appear on Weltimmo’s site. They also requested that Weltimmo delete the amassed personal data which had been collected and processed by Weltimmo.

However, Weltimmo failed to remove adverts, and then billed people for the advert’s continued presence on the Weltimmo website. Furthermore, in the event of a bill going unpaid, peoples’ details were then passed on to debt collection agencies that would then ensure the bill was paid. On finding this to be true, the Hungarian Data Protection Authority duly fined Weltimmo for breaches of data protection law.

Weltimmo appealed the Authority’s decision to the local court. Weltimmo pointed out that the facts on which the decision rested had not been sufficiently ascertained, and that therefore the decision suffered from a lack of clarity. Weltimmo’s argument was successful before the court at first instance, and the Hungarian Authority’s decision was annulled.

The dispute was litigated up to Hungarian Kúria court. Before that court, Weltimmo pointed out that the Hungarian Authority simply had no jurisdiction to apply Hungarian law to Weltimmo. The reason was this: Weltimmo had its registered seat was in Slovakia, and in that situation, EU legislation clearly set out the procedure which the Hungarian Authority should have followed.

Namely, the relevant EU legislation was Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ [1995] L281/31).

Article 28(6) deals with ‘supervisory authorities’, and it makes plain:

Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.

The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

Consequently, Weltimmo was of the view that the Hungarian Authority should have put in a request to its Slovakian counterpart that the latter exercise its authority.

The Hungarian Authority disagreed with that interpretation of the law. First, the relevant legislation was that of national Hungarian law. For whereas Article 4(1) of the Directive might talk about the ‘applicable national legislation’, those provisions were not directly effective.

In any event, Article 4(1) of the Directive deals with the applicable national law and it says:

Article 4
National law applicable
1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:
(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable; …

But the Authority wondered how that Article of the Directive should be applied here? It was not clear to the Hungarian Authority where Weltimmo’s servers were actually located (fresh evidence had recently been adduced which suggested that they could be in Germany or Austria). Furthermore, even if Weltimmo was a company that was registered in Slovakia that by itself could not detract from the fact that one of Weltimmo’s owners was a Hungarian living in Hungary, and had legally represented the company both before the Hungarian Authority, and the Hungarian courts.

Even if the authority was wrong on that point, then it believed that it retained competence and jurisdiction under the Directive. In that context, it too sought to rely on the wording of Article 28(6) of the Directive about ‘supervisory authorities’. The authority pointed to the passage that said ‘whatever the national law applicable to the processing in question’ the supervisory authority could ‘exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3.’. Consequently, the authority submitted that irrespective of the applicable law, the Hungarian agency still enjoyed jurisdiction and competence.

The Hungarian Kúria court did not know what the correct interpretation of EU law should be. It therefore decided to make a reference to the CJEU concerning the applicable law provision in Article 4 of the Directive. Of particular concern was how that Article should be read in light of Recitals 18-20 of the Directive, which provide:

(18) Whereas, in order to ensure that individuals are not deprived of the protection to which they are entitled under this Directive, any processing of personal data in the Community must be carried out in accordance with the law of one of the Member States; whereas, in this connection, processing carried out under the responsibility of a controller who is established in a Member State should be governed by the law of that State;

(19) Whereas establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements; whereas the legal form of such an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor in this respect; whereas, when a single controller is established on the territory of several Member States, particularly by means of subsidiaries, he must ensure, in order to avoid any circumvention of national rules, that each of the establishments fulfils the obligations imposed by the national law applicable to its activities;

(20) Whereas the fact that the processing of data is carried out by a person established in a third country must not stand in the way of the protection of individuals provided for in this Directive; whereas in these cases, the processing should be governed by the law of the Member State in which the means used are located, and there should be guarantees to ensure that the rights and obligations provided for in this Directive are respected in practice;

Equally, the Hungarian court could not determine whether Article 4 of the Directive had direct effect so it seemed appropriate to ask about Hungarian law too.

Questions Referred
According to the Curia website, the Kúria in Hungary has asked:

1. Can Article 28(1) of Directive 95/46/EC[…] of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (‘the data protection directive’) be interpreted as meaning that the provisions of national law of a Member State are applicable in its territory to a situation in which a data controller runs a property-dealing website established only in another Member State and also advertises properties situated in the territory of that first Member State and the property owners have forwarded their personal data to a facility (server) for data storage and data processing belonging to the operator of the website in that other Member State?

2. Can Article 4(1)(a) of the data protection directive, read in conjunction with recitals 18 to 20 of its preamble and Articles 1(2) and 28(1) thereof, be interpreted as meaning that the Hungarian Data Protection and Freedom of Information Authority (a Magyar Adatvédelmi és Információszabadság Hatóság, ‘the data protection authority’) may not apply the Hungarian law on data protection, as national law, to an operator of a property dealing website established only in another Member State, even if it also advertises Hungarian property whose owners transfer the data relating to such property probably from Hungarian territory to a facility (server) for data storage and data processing belonging to the operator of the website?

3. Is it significant for the purposes of interpretation that the service provided by the data controller who operates the website is directed at the territory of another Member State?

4. Is it significant for the purposes of interpretation that the data relating to the properties in the other Member State and the personal data of the owners are uploaded in fact from the territory of that other Member State?

5. Is it significant for the purposes of interpretation that the personal data relating to those properties are the personal data of citizens of another Member State?

6. Is it significant for the purposes of interpretation that the owners of the undertaking established in Slovakia have their habitual residence in Hungary?

7. If it appears from the answers to the above questions that the Hungarian data protection authority may act but must apply the law of the Member State of establishment and may not apply national law, must Article 28(6) of the data protection directive be interpreted as meaning that the Hungarian data protection authority may only exercise the powers provided for by Article 28(3) of the data protection directive in accordance with the provisions of the legislation of the Member State of establishment and accordingly may not impose a fine?

8. May the term ‘adatfeldolgozás’ (technical manipulation of data) used in both Article 4(1)(a) and in Article 28(6) of the [Hungarian version of the] data protection directive [to translate ‘data processing’] be considered to be equivalent to the usual term for data processing, ‘adatkezelés’, used in connection with that directive?

Comment
The issue of websites, data collection and processing is also at stake in another reference currently pending before the Court. See further, Case C-362/14, Schrems – does a ‘safe harbour’ shelter states that deprive EU citizens of their EU Charter rights?

Update – 8 February 2015
The Third Chamber is set to hear the Weltimmo dispute on 12 March 2015.

Update – 18 April 2015
The regulatory competence and jurisdiction of the Dutch data protection agency over companies based in the UK and the USA is one aspect to a preliminary reference to the CJEU. The background to the preliminary reference is outlined below until the reference is docketed by the CJEU.

Update – 1 May 2015
The above-mentioned Dutch data protection preliminary reference has now been docketed by the CJEU. Consequently, the EU Law Radar report of 18 April has now been moved. See further, Case C-192/15, Rease – secretly spied on, medical data leaked, and left unprotected by the Dutch regulator.

Update – 4 May 2015
The Opinion of Advocate General Cruz Villalón is due to be given to the Third Chamber on 4 June 2015.

Update – 2 June 2015
The Opinion is now scheduled for 25 June 2015.

Update – 20 June 2015
The interpretation of Article 4(1) of the Directive is also now at stake in an Austrian reference; see further, Case C-191/15, Verein für Konsumenteninformation – Amazon’s unfair online forum shopping.

Update – 18 September 2015
The Third Chamber is due to hand down its judgment on 1 October 2015, at the same time as the single-purpose data-processing judgment in Bara.

Update – 1 October 2015
Judgment

A version of the CJEU’s judgment in Case C-230/14, Weltimmo ECLI:EU:C:2015:639 is reproduced below. The reproduction is not authentic. Only the versions of the document published in the ‘Reports of Cases’ or the ‘Official Journal of the European Union’ are authentic. The source of the reproduction is the Eur-Lex Europa web site. The information on that site is subject to a disclaimer and a copyright notice.

JUDGMENT OF THE COURT (Third Chamber)

1 October 2015 ( )

(Reference for a preliminary ruling — Protection of individuals with regard to the processing of personal data — Directive 95/46/EC — Articles 4(1) and 28(1), (3) and (6) — Controller who is form ally established in a Member State — Impairment of the right to the protection of personal data concerning natural persons in another Member State — Determination of the applicable law and the competent supervisory authority — Exercise of the powers of the supervisory authority — Power to impose penalties)

In Case C‑230/14,

REQUEST for a preliminary ruling under Article 267 TFEU from the Kúria (Hungary), made by decision of 22 April 2014, received at the Court on 12 May 2014, in the proceedings

Weltimmo s. r. o.

v

Nemzeti Adatvédelmi és Információszabadság Hatóság,

THE COURT (Third Chamber),

composed of M. Ilešič, President of the Chamber, A. Ó Caoimh, C. Toader, E. Jarašiūnas and C.G. Fernlund (Rapporteur), Judges,

Advocate General: P. Cruz Villalón,

Registrar: I. Illéssy, Administrator,

having regard to the written procedure and further to the hearing on 12 March 2015,

after considering the observations submitted on behalf of:

–        the Nemzeti Adatvédelmi és Információszabadság Hatóság, by A. Péterfalvi, acting as Agent, and by G. Dudás, ügyvéd,

–        the Hungarian Government, by M. Z. Fehér, G. Koós and A. Pálfy, acting as Agents,

–        the Polish Government, by B. Majczyna, M. Kamejsza and M. Pawlicka, acting as Agents,

–        the Slovak Government, by B. Ricziová, acting as Agent,

–        the United Kingdom Government, by M. Holt, acting as Agent, and by J. Holmes, Barrister,

–        the European Commission, by A. Tokár, B. Martenczuk and J. Vondung, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 25 June 2015,

gives the following

Judgment

1        This request for a preliminary ruling concerns the interpretation of Articles 4(1)(a) and 28(1), (3) and (6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).

2        The request has been made in proceedings between Weltimmo s. r. o. (‘Weltimmo’), a company which has its registered office in Slovakia, and the Nemzeti Adatvédelmi és Információszabadság Hatóság (the national authority for data protection and freedom of information; ‘the Hungarian data protection authority’) concerning a fine imposed by the latter for infringement of Law CXII of 2011 on the right to self-determination as regards information and freedom of information (az információs önrendelkezési jogról és az információszabadságról szóló 2011. évi CXII. törvény; ‘the Law on information’), which transposed Directive 95/46 into Hungarian law.

 Legal context

 EU law

3        Recitals 3, 18 and 19 in the preamble to Directive 95/46 state:

‘(3)      Whereas the establishment and functioning of an internal market in which, in accordance with Article [26 TFEU], the free movement of goods, persons, services and capital is ensured require not only that personal data should be able to flow freely from one Member State to another, but also that the fundamental rights of individuals should be safeguarded;

(18)      Whereas, in order to ensure that individuals are not deprived of the protection to which they are entitled under this Directive, any processing of personal data in the Community must be carried out in accordance with the law of one of the Member States; whereas, in this connection, processing carried out under the responsibility of a controller who is established in a Member State should be governed by the law of that State;

(19)      Whereas establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements; whereas the legal form of such an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor in this respect; whereas, when a single controller is established on the territory of several Member States, particularly by means of subsidiaries, he must ensure, in order to avoid any circumvention of national rules, that each of the establishments fulfils the obligations imposed by the national law applicable to its activities’.

4        Article 2 of Directive 95/46 provides:

‘For the purposes of this Directive:

(b)      “processing of personal data [‘feldolgozása’]” (“processing [‘feldolgozás’]”) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

…’

5        Article 4(1)(a) of Directive 95/46 provides:

‘1.      Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a)      the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable’.

6        According to Article 28(1), (3) and (6) of Directive 95/46:

‘1.      Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive.

These authorities shall act with complete independence in exercising the functions entrusted to them.

3.      Each authority shall in particular be endowed with:

–        investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties,

–        effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions,

–        the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities.

Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts.

6.      Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.

The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.’

 Hungarian law

7        Paragraph 2(1) of the Law on information provides:

‘This Law shall apply to all data processing operations and technical manipulation of data carried out in the territory of Hungary that pertain to the data of natural persons or to public information or information of public interest.’

8        Paragraph 3(10) and (17) of the Law on information contains the following definitions:

‘(10)          “data processing” shall mean any operation or set of operations that is performed upon data, whether or not by automatic means, such as in particular collection, recording, organisation, storage, adaptation or alteration, use, retrieval, transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and blocking them from further use, photographing, sound and video recording, and the recording of physical attributes for identification purposes (such as fingerprints and palm prints, DNA samples and retinal images);

(17)      “technical manipulation of data” [“adatfeldolgozás”] shall mean the technical operations involved in data processing, irrespective of the method and instruments employed for such operations and the venue where it takes place, provided that such technical operations are carried out on the data. ’

 The dispute in the main proceedings and the questions referred for a preliminary ruling

9        Weltimmo, a company registered in Slovakia, runs a property dealing website concerning Hungarian properties. For that purpose, it processes the personal data of the advertisers. The advertisements are free of charge for one month but thereafter a fee is payable. Many advertisers sent a request by e-mail for the deletion of both their advertisements and their personal data as from that period. However, Weltimmo did not delete those data and charged the interested parties for the price of its services. As the amounts charged were not paid, Weltimmo forwarded the personal data of the advertisers concerned to debt collection agencies.

10      Those advertisers lodged complaints with the Hungarian data protection authority. That authority declared that it was competent under Paragraph 2(1) of the Law on information, taking the view that the collection of the data concerned constituted processing of data or a technical operation for the processing of data concerning natural persons. Considering that Weltimmo had infringed the Law on information, that data protection authority imposed on that company a fine of HUF 10 million (approximately EUR 32 000).

11      Weltimmo then brought an action before the Budapest administrative and labour court (Fővárosi Közigazgatási és Munkaügyi Bíróság), which held that the fact that that company did not have a registered office or branch in Hungary was not a valid argument in defence because the processing of data and the supply of data services relating to the Hungarian property concerned had taken place in Hungary. However, that court set aside the decision of the Hungarian data protection authority on other grounds, connected with the lack of clarity over some of the facts.

12      Weltimmo appealed on a point of law to the referring court, claiming that there was no need for further clarification of the facts, since, pursuant to Article 4(1)(a) of Directive 95/46, the Hungarian data protection authority in this case was not competent and could not apply Hungarian law in respect of a supplier of services established in another Member State. Weltimmo maintained that, under Article 28(6) of Directive 95/46, that authority should have asked the Slovak data protection authority to act in its place.

13      The Hungarian data protection authority submitted that Weltimmo had a Hungarian representative in Hungary, namely one of the owners of that company, who represented it in the administrative and judicial proceedings that took place in that Member State. That authority added that Weltimmo’s Internet servers were probably installed in Germany or in Austria, but that the owners of that company lived in Hungary. Lastly, according to that authority, it follows from Article 28(6) of Directive 95/46 that it was in any event competent to act, regardless of the applicable law.

14      Since it had doubts concerning the determination of the applicable law and the powers of the Hungarian data protection authority under Articles 4(1) and 28 of Directive 95/46, the Kúria (Supreme Court, Hungary) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      Can Article 28(1) of Directive 95/46 be interpreted as meaning that the provisions of national law of a Member State are applicable in its territory to a situation where a data controller runs a property dealing website established only in another Member State and also advertises properties situated in the territory of that first Member State and the property owners have forwarded their personal data to a facility (server) for data storage and data processing belonging to the operator of the website in that other Member State?

(2)      Can Article 4(1)(a) of [Directive 95/46], read in conjunction with recitals 18 to 20 of its preamble and Articles 1(2) and 28(1) thereof, be interpreted as meaning that the Hungarian [data protection authority] may not apply the Hungarian law on data protection, as national law, to an operator of a property dealing website established only in another Member State, even if it also advertises Hungarian property whose owners transfer the data relating to such property probably from Hungarian territory to a facility (server) for data storage and data processing belonging to the operator of the website?

(3)      Is it significant for the purposes of interpretation that the service provided by the data controller who operates the website is directed at the territory of another Member State?

(4)      Is it significant for the purposes of interpretation that the data relating to the properties in the other Member State and the personal data of the owners are uploaded in fact from the territory of that other Member State?

(5)      Is it significant for the purposes of interpretation that the personal data relating to those properties are the personal data of citizens of another Member State?

(6)      Is it significant for the purposes of interpretation that the owners of the undertaking established in Slovakia live in Hungary?

(7)      If it appears from the answers to the above questions that the Hungarian data protection authority may act but must apply the law of the Member State of establishment and may not apply national law, must Article 28(6) of [Directive 95/46] be interpreted as meaning that the Hungarian data protection authority may only exercise the powers provided for by Article 28(3) of [Directive 95/46] in accordance with the provisions of the legislation of the Member State of establishment and accordingly may not impose a fine?

(8)      May the term “adatfeldolgozás” (technical manipulation of data) used in both Article 4(1)(a) and in Article 28(6) of the [Hungarian version of Directive 95/46 to translate ‘data processing’] be considered to be equivalent to the usual term for data processing, “adatkezelés”, used in connection with that directive?’

 Consideration of the questions referred

 Preliminary observations

15      As regards, first of all, the factual context of the main proceedings, certain additional information, which was submitted by the Hungarian data protection authority in its written observations and at the hearing before the Court, should be mentioned.

16      It is apparent from that information, first, that that authority informally learned from its Slovak counterpart that Weltimmo did not carry out any activity at the place where it has its registered office, in Slovakia. Moreover, on several occasions, Weltimmo moved that registered office from one State to another. Secondly, Weltimmo developed two property dealing websites, written exclusively in Hungarian. It opened a bank account in Hungary, which was intended for the recovery of its debts, and had a letter box in that Member State for its everyday business affairs. The post was regularly picked up and sent to Weltimmo by electronic means. Thirdly, the advertisers themselves not only had to enter the data relating to their properties on Weltimmo’s website, but also had to delete those data from that website if they did not want those data to continue to appear on the website after the end of the one-month period mentioned above. Weltimmo raised a computer management issue in order to explain why it had not been possible to carry out that erasure. Fourthly, Weltimmo is a company made up of only one or two persons. Its representative in Hungary tried to negotiate the settlement of the unpaid debts with the advertisers.

17      As regards, next, the wording of the questions referred, although the referring court uses the words ‘established only’ in its first and second questions, it is apparent from the order for reference and the written and oral observations submitted by the Hungarian data protection authority that, whilst Weltimmo is registered in Slovakia and is therefore established in that Member State, within the meaning of company law, there is uncertainty as to whether it is ‘established’ only in that Member State, within the meaning of Article 4(1)(a) of Directive 95/46. By referring a question to the Court regarding the interpretation of that provision, the referring court seeks to ascertain what is covered by the concept of ‘establishment’ used in that provision.

18      Lastly, it must be observed that, in the first and second questions, the referring court mentions that the server used by Weltimmo is installed in Slovakia, whereas, in another passage in the order for reference, it mentions the possibility that that company’s servers may be in Germany or in Austria. In those circumstances, it seems appropriate to consider that the question as to the Member State in which the server or servers used by that company are installed is not settled.

 The first to sixth questions

19      By its first to sixth questions, which should be examined together, the referring court asks, in essence, whether Articles 4(1)(a) and 28(1) of Directive 95/46 must be interpreted as permitting, in circumstances such as those at issue in the main proceedings, the data protection authority of a Member State to apply its national law on data protection with regard to a data controller whose company is registered in another Member State and who runs a property dealing website concerning properties situated in the territory of the first of those two States. In particular, the referring court asks whether it is significant that that Member State is the Member State:

–        at which the activity of the controller of the personal data is directed,

–        where the properties concerned are situated,

–        from which the data of the owners of those properties are forwarded,

–        of which those owners are nationals, and

–        in which the owners of that company live.

20      As regards the applicable law, the referring court refers in particular to Slovak and Hungarian law, Slovak law being the law of the Member State in which the controller of the personal data concerned is registered and Hungarian law being the law of the Member State mentioned by the websites at issue in the main proceedings, in the territory of which the properties forming the subject-matter of the published advertisements are situated.

21      In that regard, it should be noted that Article 4 of Directive 95/46, entitled ‘National law applicable’, which is found in the first Chapter of that directive, entitled ‘General provisions’, specifically governs the question raised.

22      By contrast, Article 28 of Directive 95/46, entitled ‘Supervisory authority’, deals with the role and powers of that authority. Pursuant to Article 28(1) of Directive 95/46, that authority is responsible for monitoring the application, within the territory of its own Member State, of the provisions adopted by the Member States pursuant to that directive. In accordance with Article 28(6) of that directive, the supervisory authority exercises the powers conferred on it, whatever the national law applicable to the processing of personal data.

23      The national law applicable to the controller in respect of that processing must therefore be determined not in the light of Article 28 of Directive 95/46, but in the light of Article 4 of that directive.

24      As set out in Article 4(1)(a) of Directive 95/46, each Member State is to apply the national provisions it adopts pursuant to that directive to the processing of personal data where the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State.

25      In the light of the objective pursued by Directive 95/46, consisting in ensuring effective and complete protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data, the words ‘in the context of the activities of an establishment’ cannot be interpreted restrictively (see, to that effect, judgment in Google Spain and Google, C‑131/12, EU:C:2014:317, paragraph 53).

26      In order to achieve that objective and to ensure that individuals are not deprived of the protection to which they are entitled under that directive, recital 18 in the preamble to that directive states that any processing of personal data in the European Union must be carried out in accordance with the law of one of the Member States and that processing carried out under the responsibility of a controller who is established in a Member State should be governed by the law of that State.

27      The EU legislature thus prescribed a particularly broad territorial scope of Directive 95/46, which it registered in Article 4 thereof (see, to that effect, judgment in Google Spain and Google, C‑131/12, EU:C:2014:317, paragraph 54).

28      With regard, in the first place, to the concept of ‘establishment’, it should be noted that recital 19 in the preamble to Directive 95/46 states that establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements and that the legal form of such an establishment, whether simply a branch or a subsidiary with a legal personality, is not the determining factor (judgment in Google Spain and Google, C‑131/12, EU:C:2014:317, paragraph 48). Moreover, that recital states that, when a single controller is established on the territory of several Member States, he must ensure, in order to avoid any circumvention of national rules, that each of the establishments fulfils the obligations imposed by the national law applicable to its activities.

29      As the Advocate General observed, in essence, in points 28 and 32 to 34 of his Opinion, this results in a flexible definition of the concept of ‘establishment’, which departs from a formalistic approach whereby undertakings are established solely in the place where they are registered. Accordingly, in order to establish whether a company, the data controller, has an establishment, within the meaning of Directive 95/46, in a Member State other than the Member State or third country where it is registered, both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned. This is particularly true for undertakings offering services exclusively over the Internet.

30      In that regard, it must, in particular, be held, in the light of the objective pursued by that directive, consisting in ensuring effective and complete protection of the right to privacy and in avoiding any circumvention of national rules, that the presence of only one representative can, in some circumstances, suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability through the presence of the necessary equipment for provision of the specific services concerned in the Member State in question.

31      In addition, in order to attain that objective, it should be considered that the concept of ‘establishment’, within the meaning of Directive 95/46, extends to any real and effective activity — even a minimal one — exercised through stable arrangements.

32      In the present case, the activity exercised by Weltimmo consists, at the very least, of the running of one or several property dealing websites concerning properties situated in Hungary, which are written in Hungarian and whose advertisements are subject to a fee after a period of one month. It must therefore be held that that company pursues a real and effective activity in Hungary.

33      Furthermore, it is apparent in particular from the information provided by the Hungarian data protection authority that Weltimmo has a representative in Hungary, who is mentioned in the Slovak companies register with an address in Hungary and who has sought to negotiate the settlement of the unpaid debts with the advertisers. That representative served as a point of contact between that company and the data subjects who lodged complaints and represented the company in the administrative and judicial proceedings. In addition, that company has opened a bank account in Hungary, intended for the recovery of its debts, and uses a letter box in that Member State for the management of its everyday business affairs. That information, which it is for the referring court to verify, is capable of establishing, in a situation such as that at issue in the main proceedings, the existence of an ‘establishment’ within the meaning of Article 4(1)(a) of Directive 95/46.

34      In the second place, it is necessary to establish whether the processing of personal data at issue is carried out ‘in the context of the activities’ of that establishment.

35      The Court has already held that Article 4(1)(a) of Directive 95/46 requires the processing of personal data in question to be carried out not ‘by’ the establishment concerned itself, but only ‘in the context of the activities’ of the establishment (judgment in Google Spain and Google, C‑131/12, EU:C:2014:317, paragraph 52).

36      In the present case, the processing at issue in the main proceedings consists, inter alia, of the publication, on Weltimmo’s property dealing websites, of personal data relating to the owners of those properties and, in some circumstances, of the use of those data for the purpose of the invoicing of the advertisements after a period of one month.

37      In this respect, it should be observed that, as regards in particular the Internet, the Court has already had occasion to state that the operation of loading personal data on an Internet page must be considered to be ‘processing’ within the meaning of Article 2(b) of Directive 95/46 (judgments in Lindqvist, C‑101/01, EU:C:2003:596, paragraph 25, and Google Spain and Google, C‑131/12, EU:C:2014:317, paragraph 26).

38      There is no doubt that that processing takes place in the context of the activities, as described in paragraph 32 of this judgment, which Weltimmo pursues in Hungary.

39      Therefore, subject to the checks referred to in paragraph 33 of this judgment, which it is for the referring court to carry out for the purpose of establishing, should that be the case, the existence of an establishment of the controller in Hungary, it must be held that that processing is carried out in the context of the activities of that establishment and that Article 4(1)(a) of Directive 95/46 permits, in a situation such as that at issue in the main proceedings, the application of the Hungarian law on the protection of personal data.

40      By contrast, the fact that the owners of the properties forming the subject-matter of the advertisements have Hungarian nationality is of no relevance whatsoever for the purposes of determining the national law applicable to the processing of the data at issue in the main proceedings.

41      In the light of all the foregoing considerations, the answer to the first to sixth questions is as follows:

–        Article 4(1)(a) of Directive 95/46 must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out;

–        in order to ascertain, in circumstances such as those at issue in the main proceedings, whether that is the case, the referring court may, in particular, take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned;

–        by contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant.

 The seventh question

42      The seventh question is asked only in the event that the Hungarian data protection authority should consider that Weltimmo has, not in Hungary but in another Member State, an establishment, within the meaning of Article 4(1)(a) of Directive 95/46, performing activities in the context of which the processing of the personal data concerned is carried out.

43      By that question, the referring court asks, in essence, whether, should the Hungarian data protection authority reach the conclusion that the law applicable to the processing of the personal data is not Hungarian law, but the law of another Member State, Article 28(1), (3) and (6) of Directive 95/46 should be interpreted as meaning that that authority would be able to exercise only the powers provided for by Article 28(3) of that directive, in accordance with the law of that other Member State, and would not be able to impose penalties.

44      With regard, in the first place, to the competence of a supervisory authority to act in such a case, it must be observed that, under Article 28(4) of Directive 95/46, each supervisory authority is to hear claims lodged by any person concerning the protection of his rights and freedoms in regard to the processing of personal data.

45      Consequently, in a situation such as that at issue in the main proceedings, the Hungarian data protection authority may hear claims lodged by persons, such as the advertisers of properties at issue in the main proceedings, who consider themselves victims of unlawful processing of their personal data in the Member State in which they hold those properties.

46      In the second place, it is necessary to examine what are the powers of that supervisory authority, in the light of Article 28(1), (3) and (6) of Directive 95/46.

47      It follows from Article 28(1) of that directive that each supervisory authority established by a Member State is to ensure compliance, within the territory of that Member State, with the provisions adopted by the Member States pursuant to Directive 95/46.

48      Pursuant to Article 28(3) of Directive 95/46, those supervisory authorities are in particular to be endowed with investigative powers, such as powers to collect all the information necessary for the performance of their supervisory duties, and effective powers of intervention, such as powers of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, or of warning or admonishing the data controller.

49      In view of the non-exhaustive nature of the powers thus listed and the type of powers of intervention mentioned in that provision, as well as the discretion available to the Member States in transposing Directive 95/46, it should be considered that those powers of intervention may include the power to penalise the data controller by imposing on him, where appropriate, a fine.

50      The powers granted to the supervisory authorities must be exercised in accordance with the procedural law of the Member State to which they belong.

51      It is apparent from Article 28(1) and (3) of Directive 95/46 that each supervisory authority is to exercise all of the powers conferred on it on the territory of its own Member State in order to ensure, on that territory, compliance with data protection rules.

52      That territorial application of the powers of each supervisory authority is confirmed in Article 28(6) of the directive, which states that each supervisory authority is competent, whatever the national law applicable, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with Article 28(3) of that directive. Article 28(6) of the directive also states that each authority may be requested to exercise its powers by an authority of another Member State and that the supervisory authorities are to cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

53      That provision is necessary in order to ensure the free flow of personal data in the European Union, whilst ensuring compliance with the rules aimed at protecting the privacy of natural persons laid down in Directive 95/46. In the absence of that provision, where the controller of personal data is subject to the law of a Member State, but infringes the right to the protection of the privacy of natural persons in another Member State, in particular by directing his activity at that other Member State without, however, being established there within the meaning of that directive, it would be difficult, or even impossible, for those persons to enforce their right to that protection.

54      It thus follows from Article 28(6) of Directive 95/46 that the supervisory authority of a Member State, to which a complaint has been submitted, on the basis of Article 28(4) of that directive, by natural persons in relation to the processing of their personal data, may examine that complaint irrespective of the applicable law, and, consequently, even if the law applicable to the processing of the data concerned is that of another Member State.

55      However, in that case, the powers of that authority do not necessarily include all of the powers conferred on it in accordance with the law of its own Member State.

56      As the Advocate General observed in point 50 of his Opinion, it follows from the requirements derived from the territorial sovereignty of the Member State concerned, the principle of legality and the concept of the rule of law that the exercise of the power to impose penalties cannot take place, as a matter of principle, outside the legal limits within which an administrative authority is authorised to act subject to the law of its own Member State.

57      Thus, when a supervisory authority receives a complaint, in accordance with Article 28(4) of Directive 95/46, that authority may exercise its investigative powers irrespective of the applicable law and before even knowing which national law is applicable to the processing in question. However, if it reaches the conclusion that the law of another Member State is applicable, it cannot impose penalties outside the territory of its own Member State. In such a situation, it must, in fulfilment of the duty of cooperation laid down in Article 28(6) of that directive, request the supervisory authority of that other Member State to establish an infringement of that law and to impose penalties if that law permits, based, where necessary, on the information which the authority of the first Member State has transmitted to it.

58      The supervisory authority to which such a complaint has been submitted may, in the context of that cooperation, find it necessary to carry out other investigations, on the instructions of the supervisory authority of the other Member State.

59      It follows that, in a situation such as that at issue in the main proceedings, if the applicable law is that of a Member State other than Hungary, the Hungarian data protection authority will not be able to exercise the powers to impose penalties which Hungarian law has conferred on it.

60      It follows from the foregoing considerations that the answer to the seventh question is that, where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.

 The eighth question

61      By its eighth question, the referring court seeks an interpretation from the Court of the scope of the term ‘adatfeldolgozás’ (technical manipulation of data) used in particular in Article 4(1)(a) of Directive 95/46, relating to the determination of the applicable law, and in Article 28(6) of that directive, relating to the competence of the supervisory authority.

62      It is apparent from Directive 95/46, in the Hungarian version thereof, that that version consistently uses the term ‘adatfeldolgozás’.

63      The referring court states that, in particular in its provisions designed to implement the provisions of Directive 95/46 relating to the competence of the supervisory authorities, the Law on information uses the term ‘adatkezelés’ (data processing). However, as is apparent from Paragraph 3(10) of that law, that term has a broader meaning than that of the term ‘adatfeldolgozás’, defined in Paragraph 3(17) of that law, and encompasses the latter term.

64      Whilst, according to its usual meaning and as is apparent from the Law on information, the term ‘adatfeldolgozás’ has a narrower meaning than the term ‘adatkezelés’, it must however be observed that the Hungarian version of Directive 95/46 defines the term ‘adatfeldolgozás’ in Article 2(b) thereof in a broad manner, corresponding to the term ‘adatkezelés’.

65      It follows that the answer to the eighth question is that Directive 95/46 must be interpreted as meaning that the term ‘adatfeldolgozás’ (technical manipulation of data), used in the Hungarian version of that directive, in particular in Articles 4(1)(a) and 28(6) thereof, must be understood as having the same meaning as that of the term ‘adatkezelés’ (data processing).

 Costs

66      Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (Third Chamber) hereby rules:

1.      Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out.

In order to ascertain, in circumstances such as those at issue in the main proceedings, whether that is the case, the referring court may, in particular, take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned.

By contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant.

2.      Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.

3.      Directive 95/46 must be interpreted as meaning that the term ‘adatfeldolgozás’ (technical manipulation of data), used in the Hungarian version of that directive, in particular in Articles 4(1)(a) and 28(6) thereof, must be understood as having the same meaning as that of the term ‘adatkezelés’ (data processing).

[Signatures]


Language of the case: Hungarian.