CJEU - C-25/17 - Jehovan todistajat: Difference between revisions

From GDPRhub
(Created page with "{{CJEUdecisionBOX |Case_Number_Name=C‑25/17 Tietosuojavaltuutettu |ECLI=ECLI:EU:C:2018:551 |Opinion_Link= |Judgement_Link=http://curia.europa.eu/juris/document/document.js...")
 
No edit summary
 
(15 intermediate revisions by 7 users not shown)
Line 1: Line 1:
{{CJEUdecisionBOX
{{CJEUdecisionBOX


|Case_Number_Name=C‑25/17 Tietosuojavaltuutettu
|Case_Number_Name=C-25/17 Jehovan todistajat / Tietosuojavaltuutettu
|ECLI=ECLI:EU:C:2018:551
|ECLI=ECLI:EU:C:2018:551


|Opinion_Link=
|Opinion_Link=https://curia.europa.eu/juris/document/document.jsf?text=&docid=198949&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=365863
|Judgement_Link=http://curia.europa.eu/juris/document/document.jsf?text=&docid=218462&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=875890/
|Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?text=&docid=203822&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=365863


|Date_Decided=10.07.2018
|Date_Decided=10.07.2018
|Year=2018
|Year=2018


 
|EU_Law_Name_2=Article 2(d) Directive 95/46
|EU_Law_Name_1=Article 1(1) Directive 95/46
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31995L0046
|EU_Law_Name_2=Article 2 Directive 95/46
|EU_Law_Link_2=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31995L0046
|EU_Law_Link_2=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31995L0046
|EU_Law_Name_3=Article 3 Directive 95/46
|EU_Law_Name_3=Article 2(c) Directive 95/46
|EU_Law_Link_3=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31995L0046
|EU_Law_Link_3=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31995L0046
|EU_Law_Name_4=Recital 10, 12, 15, 26, 27 Directive 95/46
|EU_Law_Name_4=Article 3(2) Directive 95/46
|EU_Law_Link_4=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31995L0046
|EU_Law_Link_4=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31995L0046
|EU_Law_Name_5=Article 17 TFEU
|EU_Law_Link_5=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12016ME%2FTXT
|EU_Law_Name_6=Article 10(1) ECFR
|EU_Law_Link_6=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012P%2FTXT


|National_Law_Name_1=Paragraph 2 of The henkilötietolaki 523/1999 (Law on Personal Data No 523/1999, ‘Law No 523/1999’).
|National_Law_Link_1=https://www.finlex.fi/en/laki/kaannokset/1999/en19990523_20000986.pdf
|National_Law_Name_2=Paragraph 3(3) of The henkilötietolaki 523/1999 (Law on Personal Data No 523/1999, ‘Law No 523/1999’).
|National_Law_Link_2=https://www.finlex.fi/en/laki/kaannokset/1999/en19990523_20000986.pdf
|National_Law_Name_3=Paragraph 44 of The henkilötietolaki 523/1999 (Law on Personal Data No 523/1999, ‘Law No 523/1999’).
|National_Law_Link_3=https://www.finlex.fi/en/laki/kaannokset/1999/en19990523_20000986.pdf


|Party_Name_1=
|Party_Name_1=
Line 38: Line 33:
|Party_Link_5=
|Party_Link_5=


|Reference_Body=Supreme Administrative Court, Finland
|Reference_Body=Supreme Administrative Court (Finland)
|Reference_Case_Number_Name=
|Reference_Case_Number_Name=


Line 45: Line 40:
}}
}}


On 10th July 2018, the CJEU made a judgement on the Tietosuojavaltuutettu Case. This case involves the processing of personal data by a religious community.
The CJEU held that a religious community is a controller, jointly with its members who engage in preaching, of the processing of personal data carried out by the latter in the context of door-to-door preaching organised, coordinated and encouraged by that community pursuant to [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31995L0046 Article 2(d) of Data Protection Directive 95/46].


==English Summary==
==English Summary==


=== Facts ===
===Facts===
On 17 September 2013, the Finish Data Protection Board, at the request of the Finish Data Protection Supervisor, adopted a decision prohibiting the Jehovah’s Witness Community from collecting or processing personal data in the course of their door- to-door preaching carried out by its members unless the legal requirements for processing under paragraphs 8 and 12 of Law No. 523/1999 were satisfied. In addition, the Data Protection Board banned the collection of personal data for 6 months until such requirements were fulfilled. The Jehovah’s Witness Community brought an action before the Administrative Court at Helsinki against that decision on grounds that they were not controllers and its activities did not consist of unlawful processing. The court annulled the decision of the board. The board proceeded to challenge that decision before the Supreme Administrative Court, Finland. The court noted the following key matters to be of importance in reaching its decision: a) that members of Jehovah’s Witness Community take notes during their door-to-door activities, notes that may include names and addresses of persons unknown to them without their knowledge or consent b) That the Jehovah’s Witness Community gave its members guidelines on the taking of such notes in at least one of its magazines that is dedicated to preaching. c) that the community and its congregants organize and coordinate the door-to-door preaching by their members by creating maps from which members are allocated areas to engage in preaching, keeping records about preachers and community publications distributed by them. In addition, the congregation of the Jehovah’s witness Community maintains a register, a refusal register, of persons who have requested not to receive visits from preachers. This activity of data collection, according to the information from Jehovah’s Witness Community, is not required and in cases where such data is collected, it has no knowledge of the nature of the data or identity of the preacher. The referring court stayed its proceedings and referred the following issues to the CJEU.
Following a request from the Finnish DPA, the Finnish Data Protection Board adopted a decision prohibiting a religious community (the Jehovah’s Witnesses Community) from collecting or processing personal data in the course of door-to-door preaching carried out by its members unless the legal requirements for processing were satisfied. The Data Protection Board imposed a ban on the collection of personal data by the Jehovah’s Witnesses Community for a period of six months unless those conditions were observed.  
 
The Jehovah’s Witnesses Community appealed the decision before the Administrative Court in Helsinki, Finland (Helsingin hallinto-oikeus), which annulled the decision on the grounds, inter alia, that the Jehovah’s Witnesses Community was not a controller and that its activity did not constitute unlawful processing.  
 
The DPA challenged that judgment before the Supreme Administrative Court in Finland (Korkein hallinto-oikeus). The Supreme Administrative Court referred questions to the CJEU for a preliminary ruling on the following matters
 
(1) Whether the collection and other processing of personal data carried out by the members of a religious community in connection with door-to-door preaching fall outside the scope of the Data Protection Directive 95/46 under the exceptions stipulated in [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31995L0046 Article 3(2) of the Data Protection Directive 95/46]?
 
(2) Whether personal data collected otherwise than by automatic means in connection with the door-to-door preaching constitute a 'filing system' in light of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31995L0046 Article 2(c) of the Data Protection Directive 95/46]?
 
(3) Whether the phrase “''alone or jointly with others determines the purposes and means of the processing of personal data''” in light of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31995L0046 Article 2(d) of the Data Protection Directive 95/46] means that a religious community organising an activity in the course of which personal data is collected may be regarded as a controller, in respect of the processing activities carried out by its members, even if the religious community claims that only the individual members have access to the data?
 
(4) Whether in order for a religious community to be considered as a controller in the light of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31995L0046 Article 2(d) of the Data Protection Directive 95/46], does it have to take specific measures, such as give written instructions or orders directing the collection of data, or is it sufficient that that religious community can be regarded as having ''de facto'' control of its members’ activities?
 
===Holding===
<u>Regarding the first question,</u>
 
The CJEU stated that the collection of personal data by members of the Jehovah’s Witnesses Community in the course of door-to-door preaching is a religious procedure carried out by ''individuals''. Therefore, such activity is not an activity of the 'State authorities', and so, does not fall under the exception under [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31995L0046 Article 3(2), first indent, of the Data Protection Directive 95/46].
 
The so-called ‘household exemption’ under Article 3(2), second indent, of the [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31995L0046 Data Protection Directive 95/46] must be interpreted as covering only activities that are carried out in the context of the private or family life of individuals. The CJEU viewed that an activity cannot be regarded as purely personal or domestic where a) its purpose is to make the data collected accessible to an unrestricted number of people or b) where that activity extends, even partially, to a public space and is accordingly directed outwards from the private setting of the person who is processing the data.
 
In this particular case, the CJEU noted that the door-to-door preaching is directed outwards from the private setting of the preaching members of the Jehovah’s Witnesses Community. In addition, the CJEU took in consideration that the preaching members make at least some of the data collected accessible to a potentially unlimited number of persons.
 
The CJEU held that the collection of personal data by members of a religious community in the course of door-to-door preaching does not fall under the exemption under [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31995L0046 Article 3(2) of the Data Protection Directive 95/46.] Therefore the processing of personal data in question fell within the scope of the Data Protection Directive 95/46.
 
<u>Regarding the second question,</u>
 
The CJEU viewed that the concept of a ‘filing system’ stipulated in [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31995L0046 Article 2(c) of the Data Protection Directive 95/46] must be interpreted broadly.
 
In this particular case, the CJEU highlighted that the data collected in the course of door-to-door preaching are collected as memory aid for later use and for a possible subsequent visit and to keep lists of persons who no longer wish to be contacted. The CJEU considered irrelevant the specific criterion and the specific form in which the set of personal data collected by each preaching member is actually structured, as long as that set of data makes it possible for the data relating to a specific person who has been contacted to be easily retrieved.
 
The CJEU held that the concept of a ‘filing system’, referred to by [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31995L0046 Article 2(c) of the Data Protection Directive 95/46], covers a set of personal data collected in the course of door-to-door preaching, if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use. In order for such a set of data to fall within that concept, it is not necessary that they include data sheets, specific lists or other search methods.
 
<u>Regarding the third and fourth questions,</u>


=== Dispute ===
The CJEU observed the concept of a ‘controller’ provided in [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31995L0046 Article 2(d) of the Data Protection Directive 95/46] and noted that ‘a controller’ does not necessarily refer to a single natural or legal person and may concern several actors taking part in the processing. Additionally, the CJEU stated that the concept of ‘controller’ should also be interpreted broadly.
a) Whether the processing of personal data by members of a religious community in connection with door-to-door preaching falls outside the scope of Directive 95/46 under the exception under Article 3(2) Directive 95/46.
b) Whether the data collected and its maintenance fall within the definition of a filing system following Article 2(c) Directive 95/46 as read with Recitals 26 and 27 of that Directive.
c) Whether the religious community that organizes an activity in the course of which personal data is collected may be regarded as a controller concerning the processing carried out by its members who are the only ones with access to the personal data within the definition under Article 2(d) Directive 95/46.
d) Whether a religious community may be considered to be a controller for activities carried out by its members or it must have de facto control over the members' activities.


With regard to joint responsibility, the CJEU viewed that the existence of joint responsibility does not necessarily imply equal responsibility. Therefore, the different actors may be involved at different stages of the processing of personal data and to different degrees. Firstly, the CJEU concluded that the determination of the purposes and means of processing does not require the use of written guidelines or instructions from the controller, and secondly, that the joint responsibility of several actors for the same processing does not require each of them to have access to the personal data.


=== Holding ===
In this particular case, the CJEU noted that the collection of personal data help to achieve the objective of the Jehovah’s Witnesses Community. Furthermore, the CJEU emphasized that that community organises and coordinates the preaching activities of its members. The CJEU took the view that the Jehovah’s Witnesses Community jointly with its members determine the purposes and means of processing of personal data of the persons contacted, but left it for the referring court to verify. Furthermore, the CJEU found that this finding cannot be questioned by the principle of organisational autonomy of religious communities which derives from [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12016ME%2FTXT Article 17 TFEU].
On the first question, the court observed that Article 1(1) and Recital 10 is clear that the directive seeks to ensure a high level of protection of fundamental rights and freedoms of natural persons, in particular, their right to privacy concerning the protection of personal data as was held in Google Spain and Google, C‑131/12 at paragraph 66, and Wirtshaftsakademie Schleswig-Holstein, C‑210/16, at paragraph 26. Also, Article 3 (1) provides the scope of the directive which applies to the processing of personal data wholly or partly by automatic means which form or is intended to form part of a filing system. However, Article 3(2) lays down exceptions to the application of the directive in processing personal data which must be interpreted strictly as was held in Ryneš, C‑212/13 at paragraph 29, and Puškár, C‑73/1, at paragraph 38. The court noted that in the present case, the activities carried out by the Jehovah’s Witness Community do not fall under the two exceptions of activities carried out by state authority and simply personal or household activities. Pure household activity was defined in the case of Ryneš, C‑212/13 at paragraphs 31 and 33 as the activity of the person processing the personal data and not to the person whose data is processed. The court emphasized that for this exception to apply it must be an activity carried out in the context of the private or family life of individuals. This was not the case in this present matter and hence doesn’t fall under the exception.
On the second question, the court observed that the concept of a filing system as defined under Article2 (c) Directive 95/46 is any structured set of personal data which are accessible according to specific criteria whether centralized, decentralized or dispersed on a functional or geographical basis. Besides, according to recital 15 and 27 of Directive 95/46, the content of a filing system must be structured to allow easy access to personal data. In light of this, the court observed that the personal data collected during door-to-door preaching collected as a memory aid, allocated by geographical sector to organize subsequent visits fall within the scope of Article 2(c) and the question on the specific criterion or form that it is structured is irrelevant.
On the third and fourth question, the court looked at the definition of a controller under Article 2(d) Directive 95/46. A controller is defined as a natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data. The court observed that the scope of this definition is wide to ensure effective and complete protection of the persons concerned. Besides, the level of responsibility of joint controllers must be assessed concerning all relevant circumstances of the particular case as was held in Wirtschaftsakademie Schleswig-Holstein, C‑210/16 at paragraphs 28, 43 and 44. Furthermore, it was held, in that same case, that the joint responsibility of several actors for the same processing doesn’t require that each of them has access to the personal data concerned. In the present case, it was clear that Jehovah’s Witness Community who engage in preaching determine the specific data collected and how that data is subsequently processed. The collection of personal data helped in achieving the objective of the Jehovah’s Witness Community which was/is to spread its faith. The court concluded that, in light of the activities of the Jehovah’s witness community, the community encourages its members who engage in preaching to carry out data processing activities in the context of their preaching activity. As such, the court further held that, by organizing, coordinating and encouraging preaching activities of its members intended to spread its faith, the Jehovah’s Witness Community participated jointly with its members in determining the purposes and means of processing personal data.
The court noted that this finding can be called into question by the principle of organizational autonomy of religious communities under Article 17 TFEU but stated that every person has an obligation to comply with the rules of the EU on the protection of personal data. This position was reiterated in Egenberger, C‑414/16 at paragraph 58.


Eventually, the CJEU held that the religious community is a controller, jointly with its members who engage in preaching, of the processing of personal data carried out by the latter in the context of door-to-door preaching organised, coordinated and encouraged by that community pursuant to [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31995L0046 Article 2(d) of Data Protection Directive 95/46], read in the light of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012P%2FTXT Article 10(1) of the Charter].


== Comment ==
==Comment==
''Share your comments here!''
''Share your comments here!''


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''

Latest revision as of 14:38, 7 June 2023

CJEU - C-25/17 Jehovan todistajat / Tietosuojavaltuutettu
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law:
Article 2(d) Directive 95/46
Article 2(c) Directive 95/46
Article 3(2) Directive 95/46
Article 17 TFEU
Article 10(1) ECFR
Decided: 10.07.2018
Parties:
Case Number/Name: C-25/17 Jehovan todistajat / Tietosuojavaltuutettu
European Case Law Identifier: ECLI:EU:C:2018:551
Reference from: Supreme Administrative Court (Finland)
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: Elaine Thuo

The CJEU held that a religious community is a controller, jointly with its members who engage in preaching, of the processing of personal data carried out by the latter in the context of door-to-door preaching organised, coordinated and encouraged by that community pursuant to Article 2(d) of Data Protection Directive 95/46.

English Summary

Facts

Following a request from the Finnish DPA, the Finnish Data Protection Board adopted a decision prohibiting a religious community (the Jehovah’s Witnesses Community) from collecting or processing personal data in the course of door-to-door preaching carried out by its members unless the legal requirements for processing were satisfied. The Data Protection Board imposed a ban on the collection of personal data by the Jehovah’s Witnesses Community for a period of six months unless those conditions were observed.

The Jehovah’s Witnesses Community appealed the decision before the Administrative Court in Helsinki, Finland (Helsingin hallinto-oikeus), which annulled the decision on the grounds, inter alia, that the Jehovah’s Witnesses Community was not a controller and that its activity did not constitute unlawful processing.

The DPA challenged that judgment before the Supreme Administrative Court in Finland (Korkein hallinto-oikeus). The Supreme Administrative Court referred questions to the CJEU for a preliminary ruling on the following matters:

(1) Whether the collection and other processing of personal data carried out by the members of a religious community in connection with door-to-door preaching fall outside the scope of the Data Protection Directive 95/46 under the exceptions stipulated in Article 3(2) of the Data Protection Directive 95/46?

(2) Whether personal data collected otherwise than by automatic means in connection with the door-to-door preaching constitute a 'filing system' in light of Article 2(c) of the Data Protection Directive 95/46?

(3) Whether the phrase “alone or jointly with others determines the purposes and means of the processing of personal data” in light of Article 2(d) of the Data Protection Directive 95/46 means that a religious community organising an activity in the course of which personal data is collected may be regarded as a controller, in respect of the processing activities carried out by its members, even if the religious community claims that only the individual members have access to the data?

(4) Whether in order for a religious community to be considered as a controller in the light of Article 2(d) of the Data Protection Directive 95/46, does it have to take specific measures, such as give written instructions or orders directing the collection of data, or is it sufficient that that religious community can be regarded as having de facto control of its members’ activities?

Holding

Regarding the first question,

The CJEU stated that the collection of personal data by members of the Jehovah’s Witnesses Community in the course of door-to-door preaching is a religious procedure carried out by individuals. Therefore, such activity is not an activity of the 'State authorities', and so, does not fall under the exception under Article 3(2), first indent, of the Data Protection Directive 95/46.

The so-called ‘household exemption’ under Article 3(2), second indent, of the Data Protection Directive 95/46 must be interpreted as covering only activities that are carried out in the context of the private or family life of individuals. The CJEU viewed that an activity cannot be regarded as purely personal or domestic where a) its purpose is to make the data collected accessible to an unrestricted number of people or b) where that activity extends, even partially, to a public space and is accordingly directed outwards from the private setting of the person who is processing the data.

In this particular case, the CJEU noted that the door-to-door preaching is directed outwards from the private setting of the preaching members of the Jehovah’s Witnesses Community. In addition, the CJEU took in consideration that the preaching members make at least some of the data collected accessible to a potentially unlimited number of persons.

The CJEU held that the collection of personal data by members of a religious community in the course of door-to-door preaching does not fall under the exemption under Article 3(2) of the Data Protection Directive 95/46. Therefore the processing of personal data in question fell within the scope of the Data Protection Directive 95/46.

Regarding the second question,

The CJEU viewed that the concept of a ‘filing system’ stipulated in Article 2(c) of the Data Protection Directive 95/46 must be interpreted broadly.

In this particular case, the CJEU highlighted that the data collected in the course of door-to-door preaching are collected as memory aid for later use and for a possible subsequent visit and to keep lists of persons who no longer wish to be contacted. The CJEU considered irrelevant the specific criterion and the specific form in which the set of personal data collected by each preaching member is actually structured, as long as that set of data makes it possible for the data relating to a specific person who has been contacted to be easily retrieved.

The CJEU held that the concept of a ‘filing system’, referred to by Article 2(c) of the Data Protection Directive 95/46, covers a set of personal data collected in the course of door-to-door preaching, if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use. In order for such a set of data to fall within that concept, it is not necessary that they include data sheets, specific lists or other search methods.

Regarding the third and fourth questions,

The CJEU observed the concept of a ‘controller’ provided in Article 2(d) of the Data Protection Directive 95/46 and noted that ‘a controller’ does not necessarily refer to a single natural or legal person and may concern several actors taking part in the processing. Additionally, the CJEU stated that the concept of ‘controller’ should also be interpreted broadly.

With regard to joint responsibility, the CJEU viewed that the existence of joint responsibility does not necessarily imply equal responsibility. Therefore, the different actors may be involved at different stages of the processing of personal data and to different degrees. Firstly, the CJEU concluded that the determination of the purposes and means of processing does not require the use of written guidelines or instructions from the controller, and secondly, that the joint responsibility of several actors for the same processing does not require each of them to have access to the personal data.

In this particular case, the CJEU noted that the collection of personal data help to achieve the objective of the Jehovah’s Witnesses Community. Furthermore, the CJEU emphasized that that community organises and coordinates the preaching activities of its members. The CJEU took the view that the Jehovah’s Witnesses Community jointly with its members determine the purposes and means of processing of personal data of the persons contacted, but left it for the referring court to verify. Furthermore, the CJEU found that this finding cannot be questioned by the principle of organisational autonomy of religious communities which derives from Article 17 TFEU.

Eventually, the CJEU held that the religious community is a controller, jointly with its members who engage in preaching, of the processing of personal data carried out by the latter in the context of door-to-door preaching organised, coordinated and encouraged by that community pursuant to Article 2(d) of Data Protection Directive 95/46, read in the light of Article 10(1) of the Charter.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

Retrieved from "https://gdprhub.eu/index.php?title=CJEU_-_C-25/17_-_Jehovan_todistajat&oldid=33328"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki