Blog » EU COURT RULED – EVEN JEHOVAH’S WITNESSES CANNOT ESCAPE GDPR
EU COURT RULED – EVEN JEHOVAH’S WITNESSES CANNOT ESCAPE GDPR
25 July 2018
Are you under the scope of GDPR if you collect personal data only in paper format? Are you data controller if it is not you who determine for your business partner what kind of personal data should be collected, and you do not even have access to data? You can get the answers from our article which summarizes the EU Court’s judgement in the case of the Jehovah’s Witnesses Community.
The background of the case
The members Jehovah’s Witnesses Community go from door to door to carry out preaching activity. The members of the Finnish Jehovah’s Witnesses Community (“Community”) make notes during the activity about people they have visited. These notes contain among others the visited person’s name, address and information about his religious beliefs and family situation.
The Community organizes the preaching activity of his members, for example provides them with maps and general guidelines regarding the notes. Further, the Community draws up a so called refusal register about persons who no longer wish to receive visits by members.
In 2013, the Finnish Data Protection Board prohibited the Community to collect personal data about the visited persons. The reason for that was that in the Board’s opinion the processing of personal data was not compliant with the data protection laws as the visited persons neither have given consent to the data collection, not have they been informed about the data processing.
The Community appealed the Data Protection Board’s decision before the Finnish administrative court and the case was brought before the Court of Justice of the European Union (“Curia”). The Finnish Supreme Court expected from the Curia to answer his questions in relation with the case by interpreting the Data Protection Directive (the predecessor of the GDPR).
The case in Luxembourg
The Finnish Supreme Court asked two questions from the Curia.
The first question was, whether the data collection on paper shall be regarded as data processing in the sense of the Data Protection Directive. The question arose because according to the Data Protection Directive (similarly to the GDPR) the processing of personal data by not automated means (meaning on paper) falls only under the scope of the Directive is the data form part of a filing system or are intended to form part on such.
Not surprisingly the Community claimed that the personal data collected by its member do not form part of a filing system, thus the Data Protection Directive is not applicable to the activity.
The Curia emphasized that the collected personal data form part of a filing system if they are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use. However, the Community and its members organized the collected data according to specific criteria, for example they made a list about persons who no longer wanted to be visited by the members of the Community.
The second question was whether the Community shall be regarded as a joint controller together with is member. The Community claimed that he is not a controller as he has not given specific written guidelines to its members in relation with the data collection since the member could decide alone which data they collect and record. In the Community’s opinion, its capacity of being a controller is excluded as he does not have access to the collected data.
The Curia pointed out that for being regarded as a controller it is not necessary for the Community to give specific written guidelines to its members.
In fact, the Community did not only know that their members process personal data in relation with the door-to-door preaching activity, but he encouraged and organized this activity, among others by providing maps to the members and dividing their area of activity. By doing so, the Community practically takes part in the determination of the purposes and means of data processing.
Further, the Curia recalled his point of view expressed already in more of his judgements, that it is not necessary to have access to the processed data for being regarded as a controller.
The most important lesson of the case that for being a (joint) controller it is not strictly necessary that you give detailed and specific instructions to the other person taking part in the data processing or that you have access to the collected data.
In fact, you can be regarded as a controller if you have influence on the data processing, for example you know about it and encourage the other person participating in the data processing, eg. headhunter or other contractual partner.
Further, you have to comply with the data protection rules even if you process the given personal data solely on paper if you organize those data according to specific criteria (eg. year, topic) which enables the data to be easily retrieved.
WHEN LESS IS MORE - HOLIDAY SALES FROM LEGAL ASPECT
The Christmas shopping fever began with Black Friday in late November, and not only the buyers are trying to exploit this period of discounts, but also the sellers. During this season the Competition Authority is also curious about the incredible sales and should they find any breach, their “surprise” to the seller will be a fine of ten millions of HUF. During the inspections of recent years, big companies have been caught in the authority's net such as Extreme Digital, Media Markt, Alzo or Lidl. If you are a seller or operate an e-shop, it is as easy to slip into a legal pitfall as slipping on ice. That's why we've collected the most important rules for discounts attracting customers and how to operate a compliant e-shop. Thus, you can avoid paying your end-of-year earnings to the Competition Authority.Read more »
THE 5 BIGGEST GDPR FAILS OF THE YEAR
Have you ever experienced that if you deal with a topic excessively you start to see it everywhere? For me, it was clearly the GDPR that filtered into my private life. This gave me the idea to collect the GDPR “fails” of the year that me or my colleagues experienced. Of course, “our GDPR infringers” have not played as big as Facebook and his “little” buddies, but maybe our stories will show you how easy it is to slip on a banana peel when it comes to GDPR compliance.Read more »
CHALLENGING ARBITRATORS IN HUNGARY
On what grounds can arbitrators be challenged and removed in Hungary? What are the main features of the challenge procedure? What is the difference in case of institutional arbitration? What happens if an arbitrator becomes incapable of performing his duties? We address these question in our article.Read more »