News

legislacja
dane_osobowe
2018-07-25

Judgment of the Court of Justice of the European Union stating that the religious community is the controller of personal data

On 10 July 2018, the CJEU ruled in Case C-25/17, in which it stated that the religious community (Jehovah's Witnesses), together with its members, is the controller of personal data with regard to the processing of personal data by the members as part of an organized, coordinated and encouraged by that community work carried out by paying door-to-door visits.

The verdict was issued in response to the questions referred for a preliminary ruling by the Supreme Administrative Court of Finland on the interpretation of the provisions of Directive 95/46/EC of the EP and the Council on the protection of individuals with regard to the processing of personal data and the free movement of such data - an EU legal act preceding the GDPR. In the course of the proceedings, the Finnish court found that members of the religious community of Jehovah's Witnesses in Finland as part of their preaching work, which included door-to-door visits, were taking notes about the people they visited.

These people were not known to them before, and their data concerned, among others, names, addresses, religious beliefs and family situation. The purpose of the collected data was to document the activities of individual members of the community and for a possible return visit. Visitors were not asked to give their consent or even informed about it.

That is why the Finnish court has asked the CJEU four questions for a preliminary ruling. The first one concerned the very necessity of applying the provisions of the Directive to the religious community and its members if they were considered to be processing personal data only during activities of a purely personal or household nature. The second question concerned the concept of "filing system" - the court asked whether data collected in a non-automated way and constituting loose notes could nevertheless constitute such a filing system taking into account that in fact the information needed for further use of such data can be obtained easily an without excessive costs.

Next, the court asked two questions about the scope of the term 'data controller' and whether it encompassed the religious community, as the collection of personal data was performed by individual members of that community and not by the community itself. What is more the community did not even have access to the information collected. Furthermore, in the case at hand, the religious community did not apply other specific measures, such as written instructions or orders, with the help of which it would direct the collection of data by its preachers.

As to the first question, the CJEU considered that the activities of the Jehovah community are not covered by the exceptions set out in the Directive and that as a result of its activity personal data is processed. Answering the court's second question, CJEU stated that the concept of a filing system covers a set of personal data collected in the course of door-to-door preaching, consisting of the names and addresses and other information concerning the persons contacted, if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use.

Also in the case of the last two questions, as mentioned above, the CJEU recognized that the provisions of the Directive allow the religious community to be recognized together with its members as the controller in relation to the processing of personal data carried out by these members in the context of door-to-door preaching in an organized, coordinated and encouraged by that community. According to the CJEU, it is not necessary for the said community to have access to the data nor does it have to be determined that it provided its members with written guidelines or instructions regarding such processing.

The full text of the CJEU judgment in English version at the following link:

https://bit.ly/2LNSF3k

back