CJEU - C‑25/17 - Tietosuojavaltuutettu

From GDPRhub
CJEU - C‑25/17 Tietosuojavaltuutettu
Cjeulogo.png
Court: CJEU [[Category:CJEU|]]
Jurisdiction: European Union
Relevant Law:
Article 1(1) Directive 95/46
Article 2 Directive 95/46
Article 3 Directive 95/46
Recital 10, 12, 15, 26, 27 Directive 95/46
Paragraph 2 of The henkilötietolaki 523/1999 (Law on Personal Data No 523/1999, ‘Law No 523/1999’).
Paragraph 3(3) of The henkilötietolaki 523/1999 (Law on Personal Data No 523/1999, ‘Law No 523/1999’).
Paragraph 44 of The henkilötietolaki 523/1999 (Law on Personal Data No 523/1999, ‘Law No 523/1999’).
Decided: 10.07.2018
Parties:
Case Number/Name: C‑25/17 Tietosuojavaltuutettu
European Case Law Identifier: ECLI:EU:C:2018:551
Reference from: Supreme Administrative Court, Finland
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: Elaine Thuo

The CJEU published the Tietosuojavaltuutettu Case which involves the processing of personal data by a religious community. The Court notably defined the term "processing" in the context of filing systems. This was decided in the context of the Data Protection Directive 95/46.

English Summary[edit | edit source]

Facts[edit | edit source]

On 17 September 2013, the Finish Data Protection Board, at the request of the Finish Data Protection Supervisor, adopted a decision prohibiting the Jehovah’s Witness Community from collecting or processing personal data in the course of their door- to-door preaching carried out by its members unless the legal requirements for processing under paragraphs 8 and 12 of Law No. 523/1999 were satisfied.

In addition, the Data Protection Board banned the collection of personal data for 6 months until such requirements were fulfilled. The Jehovah’s Witness Community brought an action before the Administrative Court at Helsinki against that decision on grounds that they were not controllers and its activities did not consist of unlawful processing. The court annulled the decision of the board. The board proceeded to challenge that decision before the Supreme Administrative Court, Finland. The court noted the following key matters to be of importance in reaching its decision:

a) that members of Jehovah’s Witness Community take notes during their door-to-door activities, notes that may include names and addresses of persons unknown to them without their knowledge or consent.

b) That the Jehovah’s Witness Community gave its members guidelines on the taking of such notes in at least one of its magazines that is dedicated to preaching.

c) that the community and its congregants organize and coordinate the door-to-door preaching by their members by creating maps from which members are allocated areas to engage in preaching, keeping records about preachers and community publications distributed by them.

In addition, the congregation of the Jehovah’s witness Community maintains a register, a refusal register, of persons who have requested not to receive visits from preachers. This activity of data collection, according to the information from Jehovah’s Witness Community, is not required and in cases where such data is collected, it has no knowledge of the nature of the data or identity of the preacher. The referring court stayed its proceedings and referred the following issues to the CJEU.

Dispute[edit | edit source]

The following questions were answered by the CJEU:

a) Whether the processing of personal data by members of a religious community in connection with door-to-door preaching falls outside the scope of Directive 95/46 under the exception under Article 3(2) Directive 95/46.

b) Whether the data collected and its maintenance fall within the definition of a filing system following Article 2(c) Directive 95/46 as read with Recitals 26 and 27 of that Directive.

c) Whether the religious community that organizes an activity in the course of which personal data is collected may be regarded as a controller concerning the processing carried out by its members who are the only ones with access to the personal data within the definition under Article 2(d) Directive 95/46.

d) Whether a religious community may be considered to be a controller for activities carried out by its members or it must have de facto control over the members' activities.

Holding[edit | edit source]

On the first question, the court observed that Article 1(1) and Recital 10 is clear that the Directive seeks to ensure a high level of protection of fundamental rights and freedoms of natural persons, in particular, their right to privacy concerning the protection of personal data as was held in Google Spain and Google, C‑131/12 at paragraph 66, and Wirtshaftsakademie Schleswig-Holstein, C‑210/16, at paragraph 26. Also, Article 3(1) provides the scope of the Directive which applies to the processing of personal data wholly or partly by automatic means which form or is intended to form part of a filing system. However, Article 3(2) lays down exceptions to the application of the Directive in processing personal data which must be interpreted strictly as was held in Ryneš, C‑212/13 at paragraph 29, and Puškár, C‑73/1, at paragraph 38. The court noted that in the present case, the activities carried out by the Jehovah’s Witness Community do not fall under the two exceptions of activities carried out by state authority and simply personal or household activities. Pure household activity was defined in the case of Ryneš, C‑212/13 at paragraphs 31 and 33 as the activity of the person processing the personal data and not to the person whose data is processed. The court emphasized that for this exception to apply it must be an activity carried out in the context of the private or family life of individuals. This was not the case in this present matter and hence doesn’t fall under the exception.

On the second question, the court observed that the concept of a filing system as defined under Article 2(1)(c) Directive 95/46 is any structured set of personal data which are accessible according to specific criteria whether centralized, decentralized or dispersed on a functional or geographical basis. Besides, according to Recital 15 and 27 of Directive 95/46, the content of a filing system must be structured to allow easy access to personal data. In light of this, the court observed that the personal data collected during door-to-door preaching collected as a memory aid, allocated by geographical sector to organize subsequent visits fall within the scope of Article 2(1)(c) and the question on the specific criterion or form that it is structured is irrelevant.

On the third and fourth question, the court looked at the definition of a controller under Article 2(1)(d) Directive 95/46. A controller is defined as a natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data. The court observed that the scope of this definition is wide to ensure effective and complete protection of the persons concerned. Besides, the level of responsibility of joint controllers must be assessed concerning all relevant circumstances of the particular case as was held in Wirtschaftsakademie Schleswig-Holstein, C‑210/16 at paragraphs 28, 43 and 44. Furthermore, it was held, in that same case, that the joint responsibility of several actors for the same processing doesn’t require that each of them has access to the personal data concerned. In the present case, it was clear that Jehovah’s Witness Community who engage in preaching determine the specific data collected and how that data is subsequently processed. The collection of personal data helped in achieving the objective of the Jehovah’s Witness Community which was/is to spread its faith.

The court concluded that, in light of the activities of the Jehovah’s witness community, the community encourages its members who engage in preaching to carry out data processing activities in the context of their preaching activity. As such, the court further held that, by organizing, coordinating and encouraging preaching activities of its members intended to spread its faith, the Jehovah’s Witness Community participated jointly with its members in determining the purposes and means of processing personal data.

The court noted that this finding can be called into question by the principle of organizational autonomy of religious communities under Article 17 TFEU but stated that every person has an obligation to comply with the rules of the EU on the protection of personal data. This position was reiterated in Egenberger, C‑414/16 at paragraph 58.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!