Data Protection in the EU and Jurisdiction: The CJEU clarifies

The European Court of Justice’s interpretation of EU Privacy Directive 95/46.

On the 1st of October 2015, the European Court of Justice (CJEU) gave a broad interpretation of Article 4 of the European Directive, which allows a Member State of the EU to claim jurisdiction over anyone who is “processing personal data where the processing is carried out in the context of the activities of an establishment of the controller on the territory of (that) Member State.”[1]

The ECJ laid out some criteria to evaluate whether a particular data processor is under a Member State’s jurisdiction. In the Court’s words, “both the degree of stability of the arrangements and the effective exercise of activities in that (…) Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.”[2]

Basically, if your business is making an effective and real exercise of its activity in a particular Member State through stable arrangements, then it will be considered established in that state, and thus subject to its jurisdiction.

The Court held that “the presence of one representative could suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability through the necessary equipment for provision of the specific services concerned in the Member State in question.”[3] For example, if the representative of your business has an address in a given Member State, manages a bank account, collects debts, and/or uses a letterbox in that state, then it will most likely be enough to meet the “stable arrangements” requirement.

As for the “real and effective activity” requirement, the Court held that the activity could be a “minimal one.” For example, making deals in the Member State through a website, selling goods or services in that state, and in the language of that state could be enough for this requirement to be met.

In the end, depending on how your activity is structured and carried out in the EU, you may find yourself having to abide by the laws of one or more Member States. With that in mind, it would be wise to make sure you are familiar with the applicable privacy laws of the EU Member State in which you wish to open an office or with which you wish to trade. Some Member States may have privacy laws that are more or less in your favor. Knowing which laws are more favorable to your business will greatly help with mitigating your risk of lawsuits.

For further information please feel free to contact us (see “Contact us” section), and subscribe to our newsletter. You may also look at the original decision of the ECJ: “Weltimmo v. Nemzeti Adatvédelmi és Információszabadság Hatóság”

[1] Set out in Article 4(1)(a) of Directive 95/46
[2] Judgment of the Court (Third Chamber) 1 October 2015, Weltimmo v. Nemzeti Adatvédelmi és Információszabadság Hatóság, §29
[3] Id note 2, §30
