Weltimmo v Hungarian DPA: Landmark Verdict on the Meaning of “Established”

Locke Lord LLP
Contact
LinkedIn
Facebook
X
Send
Embed

In the case of Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, the Court of Justice of the European Union (“CJEU”) handed down a landmark judgment in October 2015 on data protection legislation, tackling the issue of jurisdiction when a company is headquartered in one EU country and operates its business in another. The ruling has extended the meaning of “established” as to a company under EU Directive 95/46/EC to include “real and effective activity” through stable arrangements. The decision is likely to have important implications for companies operating across multiple EU countries.

The key facts of the case surround Weltimmo, a company registered in Slovakia, which runs a property advertising website concerning Hungarian properties and processes the personal data of the advertisers. When the fees for this service were not paid by many advertisers, Weltimmo forwarded the personal data of the advertisers to debt collection agencies. After receiving complaints from these advertisers, the Hungarian Data Protection Authority (“NAIH”) fined Weltimmo HUF 10 million (approximately €32,000) for breaching Hungarian law transposing EU Directive 95/46/EC.

Weltimmo appealed the fine before the domestic courts in Hungary, claiming that the NAIH was not competent, under Article 4 of Directive 95/46/EC, to apply the Hungarian Data Protection Law to a company established in Slovakia, a different Member State. The Hungarian Supreme Court referred the case to the CJEU, who ruled in the NAIH’s favour.

This ruling is pivotal as it allows data protection legislation of a Member State to be applied to a foreign company that has representatives in that country and operates a service in the native language of that country, despite being headquartered in a different country.

Going forward this decision will impact multi-jurisdictional countries who have chosen to headquarter their business in a particular European country (such as Facebook has done in Ireland) with the understanding that they would only be subject to the data protection laws of that country. Now these companies will also be answerable to the authorities of other Member States in which they operate a “real and effective activity” and are accordingly deemed to have an “establishment” in that territory.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Locke Lord LLP | Attorney Advertising

Written by:

Locke Lord LLP
Locke Lord LLP
Contact
more
less

Locke Lord LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide