The Court held that the data protection legislation of a Member State may be applied to a foreign company which exercises in that State, through stable arrangements, a real and effective activity.
The facts: Weltimmo s.r.o. is a Slovakian company hosting a real estate website. The website advertises Hungarian real estates. The advertising is free only for the first month. After that, Weltimmo charges a fee. Since several of the advertisers were not interested in using Weltimmo’s services after the first month, they asked the company to have their advertisement taken down. However, Weltimmo did not comply with the requests and charged them. The Nemzeti Adatvédelmi és Információszabadság hatóság, the Hungarian data protection authority (“DPA”) deemed to be competent and fined Weltimmo 10 million Hungarian Forints (around $35.000). The Fővárosi Közigazgatási és Munkaügyi Bíróság, the administrative court located in Budapest, annulled the decision for lack of facts.
On appeal, before the Kúria (the Hungarian Supreme Court) Weltimmo claimed that the Hungarian DPA was not competent to issue a sanction and that Hungarian data protection law does not apply to service provider based in a different Member State. At the most, it should have been the Slovakian DPA to intervene.
The Hungarian DPA deemed to be competent according to section 28.6, Directive 9/46/EC because one of Weltimmo’s representative is Hungarian and who is also one of the company’s owners. In addition, both of Weltimmo’s owners have their residency in Hungary.
The Kúria referred to the ECJ several preliminary questions asking, among other things, whether Article 28.1, Directive 95/46/EC (concerning the role of the local Data Protection Authority), can be interpreted as meaning that the data protection law of a Member State is applicable in its territory “to a situation in which a data controller runs a property-dealing website established only in another Member State and also advertises properties situated in the territory of that first Member State and the property owners have forwarded their personal data to a facility (server) for data storage and data processing belonging to the operator of the website in that other Member State.”
As we said, the Court held that the presence of one single representative may be sufficient to trigger the application of a Member State’s data protection law.
Here more on the case (including Advocate General’s Opinion).
Here for the press release of the decision.
For more information, Francesca Giannoni-Crystal