Wirtschaftsakademie Schleswig-Holstein (C-210/16) (‘Facebook Fan Pages’)
Year | 2018 |
Date | 05 June 2018 |
Issuer | Court of Justice of the European Union |
JUDGMENT OF THE COURT (Grand Chamber)
5 June 2018 ( *1 )
(Reference for a preliminary ruling — Directive 95/46/EC — Personal data — Protection of natural persons with respect to the processing of that data — Order to deactivate a Facebook page (fan page) enabling the collection and processing of certain data of visitors to that page — Article 2(d) — Controller responsible for the processing of personal data — Article 4 — Applicable national law — Article 28 — National supervisory authorities — Powers of intervention of those authorities)
In Case C‑210/16,
REQUEST for a preliminary ruling under Article 267 TFEU from the Bundesverwaltungsgericht (Federal Administrative Court, Germany), made by decision of 25 February 2016, received at the Court on 14 April 2016, in the proceedings
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
v
Wirtschaftsakademie Schleswig-Holstein GmbH,
interveners:
Facebook Ireland Ltd,
Vertreter des Bundesinteresses beim Bundesverwaltungsgericht,
THE COURT (Grand Chamber),
composed of K. Lenaerts, President, A. Tizzano (Rapporteur), Vice-President, M. Ilešič, L. Bay Larsen, T. von Danwitz, A. Rosas, J. Malenovský and E. Levits, Presidents of Chambers, E. Juhász, A. Borg Barthet, F. Biltgen, K. Jürimäe, C. Lycourgos, M. Vilaras and E. Regan, Judges,
Advocate General: Y. Bot,
Registrar: C. Strömholm, Administrator,
having regard to the written procedure and further to the hearing on 27 June 2017,
after considering the observations submitted on behalf of:
– |
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, by U. Karpenstein and M. Kottmann, Rechtsanwälte, |
– |
Wirtschaftsakademie Schleswig-Holstein GmbH, by C. Wolff, Rechtsanwalt, |
– |
Facebook Ireland Ltd, by C. Eggers, H.‑G. Kamann and M. Braun, Rechtsanwälte, and I. Perego, avvocato, |
– |
the German Government, by J. Möller, acting as Agent, |
– |
the Belgian Government, by L. Van den Broeck, C. Pochet, P. Cottin and J.‑C. Halleux, acting as Agents, |
– |
the Czech Government, by M. Smolek, J. Vláčil and L. Březinová, acting as Agents, |
– |
Ireland, by M. Browne, L. Williams, E. Creedon, G. Gilmore and A. Joyce, acting as Agents, |
– |
the Italian Government, by G. Palmieri, acting as Agent, and P. Gentili, avvocato dello Stato, |
– |
the Netherlands Government, by C.S. Schillemans and K. Bulterman, acting as Agents, |
– |
the Finnish Government, by J. Heliskoski, acting as Agent, |
– |
the European Commission, by H. Krämer and D. Nardi, acting as Agents, |
after hearing the Opinion of the Advocate General at the sitting on 24 October 2017,
gives the following
Judgment
1 |
This request for a preliminary ruling concerns the interpretation of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31). |
2 |
The request has been made in proceedings between the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (Independent Data Protection Centre for the Land of Schleswig-Holstein, Germany) (‘the ULD’) and Wirtschaftsakademie Schleswig-Holstein GmbH, a private-law company operating in the field of education (‘Wirtschaftsakademie’), concerning the lawfulness of ULD’s order to Wirtschaftsakademie to deactivate its fan page on the Facebook social network site (‘Facebook’). |
Legal context
EU law
3 |
Recitals 10, 18, 19 and 26 of Directive 95/46 state:
...
…
|
4 |
Article 1 of Directive 95/46, ‘Object of the Directive’, provides: ‘1. In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data. 2. Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1.’ |
5 |
Article 2 of Directive 95/46, ‘Definitions’, reads as follows: ‘For the purposes of this Directive: …
...
...’ |
6 |
Article 4 of that directive, ‘National law applicable’, provides in paragraph 1: ‘Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:
|
7 |
Article 17 of the directive, ‘Security of processing’, provides in paragraphs 1 and 2: ‘1. Member States shall provide that the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. 2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures... |
To continue reading
Request your trial