Tietosuojavaltuutettu v Jehovan tod istajat (C‑25/17) (‘Jehovah’s Witnesses Case’)

Date10 July 2018
IssuerCourt of Justice of the European Union

JUDGMENT OF THE COURT (Grand Chamber)

10 July 2018 ( *1 )

(Reference for a preliminary ruling — Protection of individuals with regard to the processing of personal data — Directive 95/46/EC — Scope of the directive — Article 3 — Data collected and processed by the members of a religious community in the course of their door-to-door preaching — Article 2(c) — Definition of a ‘personal data filing system’ — Article 2(d) — Definition of a ‘controller’ of the processing of personal data — Article 10(1) of the Charter of Fundamental Rights of the European Union)

In Case C‑25/17,

REQUEST for a preliminary ruling under Article 267 TFEU from the Korkein hallinto-oikeus (Supreme Administrative Court, Finland), made by decision of 22 December 2016, received at the Court on 19 January 2017, in the proceedings

Tietosuojavaltuutettu

intervening parties:

Jehovan todistajat — uskonnollinen yhdyskunta,

THE COURT (Grand Chamber),

composed of K. Lenaerts, President, A. Tizzano, Vice-President, R. Silva de Lapuerta, T. von Danwitz (Rapporteur), J.L. da Cruz Vilaça, J. Malenovský, E. Levits and C. Vajda, Presidents of Chambers, A. Borg Barthet, J.-C. Bonichot, A. Arabadjiev, S. Rodin, F. Biltgen, K. Jürimäe and C. Lycourgos, Judges,

Advocate General: P. Mengozzi,

Registrar: C. Strömholm, Administrator,

having regard to the written procedure and further to the hearing on 28 November 2017,

after considering the observations submitted on behalf of:

the tietosuojavaltuutettu, by R. Aarnio, acting as Agent,

Jehovan todistajat — uskonnollinen yhdyskunta, by S.H. Brady, asianajaja, and by P. Muzny,

the Finnish Government, by H. Leppo, acting as Agent,

the Czech Government, by M. Smolek and J. Vláčil, acting as Agents,

the Italian Government, by G. Palmieri, acting as Agent, and by P. Gentili, avvocato dello Stato,

the European Commission, by P. Aalto, H. Kranenborg and D. Nardi, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 1 February 2018,

gives the following

Judgment

1

This request for a preliminary ruling concerns the interpretation of Article 2(c) and (d) and Article 3 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31) read in the light of Article 10 of the Charter of Fundamental Rights of the European Union (‘the Charter’).

2

The request has been made in proceedings brought by the tietosuojavaltuutettu (Data Protection Supervisor, Finland) concerning the legality of a decision of the tietosuojalautakunta (Data Protection Board, Finland) prohibiting the Jehovan todistajat — uskonnollinen yhdyskunta (Jehovah’s Witnesses religious community, ‘the Jehovah’s Witnesses Community’) from collecting or processing personal data in the course of their door-to-door preaching unless the requirements of Finnish legislation relating to the processing of personal data are observed.

Legal context

European Union law

3

Recitals 10, 12, 15, 26 and 27 of Directive 95/46 state:

‘(10)

Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognised both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms[, signed in Rome on 4 November 1950,] and in the general principles of Community law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community;

(12)

Whereas the protection principles must apply to all processing of personal data by any person whose activities are governed by Community law; whereas there should be excluded the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses;

(15)

Whereas the processing of such data is covered by this Directive only if it is automated or if the data processed are contained or are intended to be contained in a filing system structured according to specific criteria relating to individuals, so as to permit easy access to the personal data in question;

(26)

Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; …

(27)

Whereas the protection of individuals must apply as much to automatic processing of data as to manual processing; whereas the scope of this protection must not in effect depend on the techniques used, otherwise this would create a serious risk of circumvention; whereas, nonetheless, as regards manual processing, this Directive covers only filing systems, not unstructured files; whereas, in particular, the content of a filing system must be structured according to specific criteria relating to individuals allowing easy access to the personal data; whereas, in line with the definition in Article 2(c), the different criteria for determining the constituents of a structured set of personal data, and the different criteria governing access to such a set, may be laid down by each Member State; whereas files or sets of files as well as their cover pages, which are not structured according to specific criteria, shall under no circumstances fall within the scope of this Directive’.

4

Article 1(1) of Directive 95/46 provides:

‘In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.’

5

Article 2 of that directive provides:

‘For the purpose of this Directive:

(a)

“personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

(b)

“processing of personal data” (“processing”) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

(c)

“personal data filing system” (“filing system”) shall mean any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

(d)

“controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law;

…’

6

Article 3 of the directive states:

‘1. This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.

2. This Directive shall not apply to the processing of personal data:

in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law,

by a natural person in the course of a purely personal or household activity.’

Finnish law

7

Directive 95/46 was transposed into Finnish law by the henkilötietolaki 523/1999 (Law on personal data No 523/1999, ‘Law No 523/1999’).

8

Paragraph 2, first and second paragraphs, of that law, entitled ‘Soveltamisala’ (Scope), provides;

‘This Law applies to the automated processing of personal data. It also applies to other means of personal data processing where the personal data form part of a personal data filing system or a part of such a system or are intended to form part of a personal data filing system or a part of such a system.

This Law does not apply to the processing of personal data by a natural person for purely personal purposes or for comparable ordinary and private purposes.’

9

Paragraph 3(3) of Law No 523/1999 defines a ‘personal data filing system’ as a ‘set of personal data, connected by a common use and processed fully or partially by automated means or organised using data sheets or lists or any other comparable means permitting the retrieval of data relating to persons easily...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT