In October 2015, the Court of Justice of the European Union pronounced three landmark decisions in the field of personal data protection:
1. Decision of 1st October 2015 in the case Smaranda Bara and other vs. the President of the National House of Health Insurance, the National House of Health Insurance and the National Agency for Fiscal Administration (NAFA) - (C-201/14).
In this decision the Court states that articles 10, 11 and 13 of Directive 95/46/EC must be interpreted in the sense that they are against certain national measures such as those brought before the court in the main litigation, which allow a public administration body of a member state to transfer personal data to another public administration body and later process those data further, without any information being provided to the data subjects with regard to such a transfer and further processing of the data.
This decision consolidates the importance of ensuring the data subject’s right of information in the context of processing the personal data referring to him/her.
The Supervisory Authority constantly underlined the fact that this first right granted by article 12 of Law no. 677/2001 must be observed by data controllers, irrespective of the conditions of the legitimacy of processing the data, namely the data subjects’ consent or based on certain exemptions.
The Supervisory Authority draws attention to the fact the information of the data subjects is extremely important, both as regards the information which must be offered to the data subjects, as well as the later exercise of the other rights by the data subjects, such as the right of access to data, right of intervention upon the data, right of opposition, in order to provide the data subjects with the possibility to act accordingly.
The decision is also extremely important as the European Union’s court of law has ascertained the fact that the information sent, as well as the way in which they were transferred were both established not by a legislative measure, but through a Protocol signed in 2007 between NAFA an NHHI, a document which was never published.
The full text of this judgement may be accessed at the link below: http://curia.europa.eu/juris/document/document.jsf?text=&docid=168943&pageIndex=0&doclang=RO&mode=req&dir=&occ=first&part=1&cid=121396
2. Judgement of 6th October 2015 in the case Maximilian Schrems vs. Data Protection Commissioner of Ireland (C-362/14), in which the Court invalidated European Commission’s Decision 2000/520/EC (known as the “Safe Harbour Decision”)
The Court established the fact that article 25 paragraph (6) of Directive 95/46/EC, as modified by Regulation (EC) no. 1882/2003 of the European Parliament and Council of 29th September 2003, interpreted in the light of articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted in the sense that a decision adopted on the basis of this provision, such as Commission’s Decision 2000/520/EC of 26th July 2000 on the basis of Directive 95/46/EC on the adequate level of protection offered by the principles of “safe harbour” on the protection of private life and the subsequent questions, published by the US Department of Commerce, in which the European Commission ascertains that a third country ensures an adequate level of protection, does not prohibit a supervisory authority from a member state, in the sense of article 28 of that Directive, with the subsequent modifications, to examine at the request of a data subject the level of protection of his/her rights and liberties as regards the processing of personal data which were transferred by a member state to that third country, in the situations in which that person invokes the fact that the law and practices enforced in that country don’t ensure an adequate level of protection.
The judgement’s full text may be accessed at the link below:
3. Judgement of 1st October 2015 in the case Weltimmo s.r.o. vs. Nemzeti Adatvédelmi és Információszabadság Hatóság from Hungary (C-230/2014), in which the Court establishes the following>:
1. Article 4 paragraph (1) letter (a) of Directive 95/46/EC must be interpreted in the sense that it allows the enforcement of the legal framework on personal data protection of another member state than the one in which the data controller is registered, in as much as the data controller exercises, in a form of installation on the territory of another member state, an effective and real activity, even though minimal, in the course of which the data processing in question is carried out.
In order to determine, in circumstances such as the ones brought in question within the main litigation, if these conditions are fulfilled, the national court which submitted the cause may pay particular attention to the fact that the data controller’s activity, within which the processing of personal data takes place, consists of exploiting certain real estate web sites referring to real estates located on the territory of the member state mentioned and offered in the language of that state and, therefore, is mainly or even completely geared towards that member state and, on the other hand, this data controller has a representative in the member state mentioned which is tasked with collecting debts which result from this activity, as well as to represent the data controller in administrative and judicial proceedings related to the processing of personal data.
However, what doesn’t matter at all in these circumstances is the data subjects’ citizenship.
2. In the event in which the supervisory authority of one member state receives complaints in accordance with the provisions of article 28 paragraph (4) of Directive 95/46/EC, it might come to the conclusion that the law applicable to the data processing in question isn’t the law of that member state, but that of another member state, article 28 paragraphs (1), (3) and (6) of this Directive mustn’t be interpreted in the sense that this supervisory authority might not exercise the effective powers of intervention conferred to it in accordance with article 28 paragraph (3) of the above mentioned Directive only on the territory of its member state.
Therefore, it may not apply sanctions to the data controller based on the law of that state, but, on the basis of article 28 paragraph (6) of the Directive, would have to request the authority from the member state whose law is applicable to intervene.
The judgements full text may be accessed at the link below: