The Court of Justice of the EU (CJEU) has given its ruling in the Weltimmo case which was referred to it by the Hungarian Supreme Court.  The CJEU was asked for guidance in determining whether Hungary’s data protection authority had the jurisdiction to impose a fine on a Slovakian-registered company (whose website targeted the Hungarian market) for alleged breaches of Hungarian data protection laws.  

The CJEU determined that an entity established in an EU country is subject to the national data protection authority (DPA) where data processing is carried out by the establishment in pursuit of its business in that DPA’s country. The concept of “establishment” encompasses any real and effective activity, even if minimal, which is exercised through stable arrangements. This applies even if the businesses are not based in the country.  The presence of only one representative can constitute a stable arrangement.

The CJEU provided useful guidance on what can constitute an “establishment”. It was found that Weltimmo “pursues a real and effective activity in Hungary” and that, even though the company is registered in Slovakia, it does not carry out any activity there and had moved its registered office to various other countries on several occasions. Two websites had been developed in the Hungarian language. A Hungarian bank account and letter box for everyday business affairs had been established and Weltimmo had a representative working for the company in Hungary. Given the nature of Weltimmo’s operations, the CJEU held that if these facts are proven then the Hungarian court may find that Weltimmo is established in Hungary and therefore subject to Hungary’s data protection laws.

In addition, the CJEU clarified that the nationality of data subjects is irrelevant in determining whether a company is subject to a national DPA. National DPAs are entitled to conduct their own investigations into alleged data protection breaches by companies based in other countries. However, where national data protection authorities find that companies are governed by another EU country’s data protection laws, they cannot impose penalties against those companies. In those circumstances, the national DPAs can liaise with each other.

The impact of this decision is that companies, particularly consumer-facing businesses, will now need to examine the extent of their data protection compliance in each Member State in which they have an “establishment”, which imposes additional legal and administrative burdens on such businesses. This case is a timely reminder that the ‘one stop shop’ regulation position proposed under a new EU-wide Data Protection Regulation is not yet in force. This decision gives a clear indication to companies established in Ireland but operating in many EU Member States that they may need to work with many regulators across the EU. This case comes at a time when many changes are afoot in the area of data protection law. We await further developments with the outcome of the trilogue discussions on the Data Protection Regulation.