What does this cover?

On 1 October there was a significant CJEU decision in the case of Weltimmo s. r. o. v Nemzeti Adatvédelmi és Információszabadság Hatóság (Weltimmo). In essence, companies do not require a physical establishment in a member state for the local data protection laws to apply.  A combination of a website targeted at the EU member state's nationals with an individual representative in county will be sufficient for a company to be established there and subject to the local data protection laws. 

Weltimmo concerned whether or not the Hungarian National Authority for Data Protection and Freedom of Information (the Authority) had jurisdiction to fine a Slovakian company, Weltimmo, for breaches of national data protection law, even though it did not have its headquarters in Hungary.

Weltimmo is a Slovakian property sales website that advertises Hungarian property. The Authority received complaints following Weltimmo's failure to action requests by advertisers to remove adverts and delete personal data following the conclusion of a 'free advertising space' offer. Many advertisers sent a request by email for the deletion of both their advertisements and their personal data but Weltimmo did not delete such data and charged the advertisers for the price of its services. As the sums claimed were not paid, Weltimmo forwarded the personal data of the advertisers to debt collection agencies and the individuals were pursued by debt collection agencies to whom their personal data had been transferred.

The Data Protection Directive 95/46/EC provides that if data processing is being carried out by a data controller with an establishment in a member state, then the national data protection laws of that country apply to any processing. If a data controller has establishments in different member states, they have to comply with each of the rules of the different member states.

The CJEU was asked whether Weltimmo was established in Hungary, whether Weltimmo was processing personal data in the context of that establishment and therefore whether the Authority had jurisdiction to fine Weltimmo.  The CJEU ruled that they were established and processing personal data in the context of that establishment: Weltimmo had two Hungarian-language websites, a Hungarian bank account, a letter box for everyday business affairs and one representative working for itin Hungary.

To view the full CJEU judgement, please click here.

What action could be taken to manage risks that may arise from this development?

The judgment could have significant cost implications in terms of compliance, especially in member states with a keen appetite for enforcement.

Companies could find themselves subject to the regulatory requirements of all member states even those where they do not have a branch, if they are targeting services of those jurisdictions.