CJEU - C-25/17 - Jehovan todistajat

From GDPRhub
CJEU - C-25/17 Jehovan todistajat
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law:
Article 2(d) Directive 95/46
Article 2(c) Directive 95/46
Article 3(2) Directive 95/46
Article 17 TFEU
Article 10(1) ECFR
Decided: 10.07.2018
Parties:
Case Number/Name: C-25/17 Jehovan todistajat
European Case Law Identifier: ECLI:EU:C:2018:551
Reference from: Supreme Administrative Court (Finland)
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: Elaine Thuo


The CJEU held that a religious community is a controller, jointly with its members who engage in preaching, of the processing of personal data carried out by the latter in the context of door-to-door preaching organised, coordinated and encouraged by that community pursuant to Article 2(d) of Data Protection Directive 95/46.

English Summary

Facts

Following a request from the Finnish DPA, the Finnish Data Protection Board adopted a decision prohibiting a religious community (the Jehovah’s Witnesses Community) from collecting or processing personal data in the course of door-to-door preaching carried out by its members unless the legal requirements for processing were satisfied. The Data Protection Board imposed a ban on the collection of personal data by the Jehovah’s Witnesses Community for a period of six months unless those conditions were observed.

The Jehovah’s Witnesses Community appealed the decision before the Administrative Court in Helsinki, Finland (Helsingin hallinto-oikeus), which annulled the decision on the grounds, inter alia, that the Jehovah’s Witnesses Community was not a controller and that its activity did not constitute unlawful processing.

The DPA challenged that judgment before the Supreme Administrative Court in Finland (Korkein hallinto-oikeus). The Supreme Administrative Court referred questions to the CJEU for a preliminary ruling on the following matters:

(1) Whether the collection and other processing of personal data carried out by the members of a religious community in connection with door-to-door preaching fall outside the scope of the Data Protection Directive 95/46 under the exceptions stipulated in Article 3(2) of the Data Protection Directive 95/46?

(2) Whether personal data collected otherwise than by automatic means in connection with the door-to-door preaching constitute a 'filing system' in light of Article 2(c) of the Data Protection Directive 95/46?

(3) Whether the phrase “alone or jointly with others determines the purposes and means of the processing of personal data” in light of Article 2(d) of the Data Protection Directive 95/46 means that a religious community organising an activity in the course of which personal data is collected may be regarded as a controller, in respect of the processing activities carried out by its members, even if the religious community claims that only the individual members have access to the data?

(4) Whether in order for a religious community to be considered as a controller in the light of Article 2(d) of the Data Protection Directive 95/46, does it have to take specific measures, such as give written instructions or orders directing the collection of data, or is it sufficient that that religious community can be regarded as having de facto control of its members’ activities?

Holding

Regarding the first question,

The CJEU stated that the collection of personal data by members of the Jehovah’s Witnesses Community in the course of door-to-door preaching is a religious procedure carried out by individuals. Therefore, such activity is not an activity of the 'State authorities', and so, does not fall under the exception under Article 3(2), first indent, of the Data Protection Directive 95/46.

The so-called ‘household exemption’ under Article 3(2), second indent, of the Data Protection Directive 95/46 must be interpreted as covering only activities that are carried out in the context of the private or family life of individuals. The CJEU viewed that an activity cannot be regarded as purely personal or domestic where a) its purpose is to make the data collected accessible to an unrestricted number of people or b) where that activity extends, even partially, to a public space and is accordingly directed outwards from the private setting of the person who is processing the data.

In this particular case, the CJEU noted that the door-to-door preaching is directed outwards from the private setting of the preaching members of the Jehovah’s Witnesses Community. In addition, the CJEU took in consideration that the preaching members make at least some of the data collected accessible to a potentially unlimited number of persons.

The CJEU held that the collection of personal data by members of a religious community in the course of door-to-door preaching does not fall under the exemption under Article 3(2) of the Data Protection Directive 95/46. Therefore the processing of personal data in question fell within the scope of the Data Protection Directive 95/46.

Regarding the second question,

The CJEU viewed that the concept of a ‘filing system’ stipulated in Article 2(c) of the Data Protection Directive 95/46 must be interpreted broadly.

In this particular case, the CJEU highlighted that the data collected in the course of door-to-door preaching are collected as memory aid for later use and for a possible subsequent visit and to keep lists of persons who no longer wish to be contacted. The CJEU considered irrelevant the specific criterion and the specific form in which the set of personal data collected by each preaching member is actually structured, as long as that set of data makes it possible for the data relating to a specific person who has been contacted to be easily retrieved.

The CJEU held that the concept of a ‘filing system’, referred to by Article 2(c) of the Data Protection Directive 95/46, covers a set of personal data collected in the course of door-to-door preaching, if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use. In order for such a set of data to fall within that concept, it is not necessary that they include data sheets, specific lists or other search methods.

Regarding the third and fourth questions,

The CJEU observed the concept of a ‘controller’ provided in Article 2(d) of the Data Protection Directive 95/46 and noted that ‘a controller’ does not necessarily refer to a single natural or legal person and may concern several actors taking part in the processing. Additionally, the CJEU stated that the concept of ‘controller’ should also be interpreted broadly.

With regard to joint responsibility, the CJEU viewed that the existence of joint responsibility does not necessarily imply equal responsibility. Therefore, the different actors may be involved at different stages of the processing of personal data and to different degrees. Firstly, the CJEU concluded that the determination of the purposes and means of processing does not require the use of written guidelines or instructions from the controller, and secondly, that the joint responsibility of several actors for the same processing does not require each of them to have access to the personal data.

In this particular case, the CJEU noted that the collection of personal data help to achieve the objective of the Jehovah’s Witnesses Community. Furthermore, the CJEU emphasized that that community organises and coordinates the preaching activities of its members. The CJEU took the view that the Jehovah’s Witnesses Community jointly with its members determine the purposes and means of processing of personal data of the persons contacted, but left it for the referring court to verify. Furthermore, the CJEU found that this finding cannot be questioned by the principle of organisational autonomy of religious communities which derives from Article 17 TFEU.

Eventually, the CJEU held that the religious community is a controller, jointly with its members who engage in preaching, of the processing of personal data carried out by the latter in the context of door-to-door preaching organised, coordinated and encouraged by that community pursuant to Article 2(d) of Data Protection Directive 95/46, read in the light of Article 10(1) of the Charter.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!