In the case of Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, the Court of Justice of the European Union (“CJEU”) handed down a landmark judgment in October 2015 on data protection legislation, tackling the issue of jurisdiction when a company is headquartered in one EU country and operates its business in another. The ruling has extended the meaning of “established” as to a company under EU Directive 95/46/EC to include “real and effective activity” through stable arrangements. The decision is likely to have important implications for companies operating across multiple EU countries.

The key facts of the case surround Weltimmo, a company registered in Slovakia, which runs a property advertising website concerning Hungarian properties and processes the personal data of the advertisers. When the fees for this service were not paid by many advertisers, Weltimmo forwarded the personal data of the advertisers to debt collection agencies. After receiving complaints from these advertisers, the Hungarian Data Protection Authority (“NAIH”) fined Weltimmo HUF 10 million (approximately €32,000) for breaching Hungarian law transposing EU Directive 95/46/EC.

Weltimmo appealed the fine before the domestic courts in Hungary, claiming that the NAIH was not competent, under Article 4 of Directive 95/46/EC, to apply the Hungarian Data Protection Law to a company established in Slovakia, a different Member State. The Hungarian Supreme Court referred the case to the CJEU, who ruled in the NAIH’s favour.

This ruling is pivotal as it allows data protection legislation of a Member State to be applied to a foreign company that has representatives in that country and operates a service in the native language of that country, despite being headquartered in a different country.

Going forward this decision will impact multi-jurisdictional countries who have chosen to headquarter their business in a particular European country (such as Facebook has done in Ireland) with the understanding that they would only be subject to the data protection laws of that country. Now these companies will also be answerable to the authorities of other Member States in which they operate a “real and effective activity” and are accordingly deemed to have an “establishment” in that territory.