Vice-President A Tizzano,
Presidents of Chambers R Silva de Lapuerta, T von Danwitz (Rapporteur), JL da Cruz Vilaça, J Malenovský, E Levits, C Vajda,
Judges A Borg Barthet, J-C Bonichot, A Arabadjiev, S Rodin, F Biltgen, K Jürimäe, C Lycourgos
Advocate General P Mengozzi
The Finnish Data Protection Board, at the request of the Data Protection Supervisor, adopted a decision prohibiting a religious community, whose members engaged in door-to-door preaching, from collecting or processing personal data unless they complied with the requirements for processing data in Parliament and Council Directive 95/46/EC. The Data Protection Board considered that the collection of the data constituted processing of personal data and that the religious community and its members were both data controllers. Under article 2(c) of the Directive “personal data filing system” was defined as any structured set of personal data which were accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis. Article 2(d) defined a “controller” as the natural or legal person, public authority, agency or any other body which alone or jointly with others determined the purposes and means of the processing of personal data; where the purposes and means of processing were determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law. Article 3(2) provided that Directive did not apply in the course of an activity which fell outside the scope of Community law or the processing of personal data by a natural person in the course of a purely personal or household activity. The decision of the Data Protection Board was annulled on the application of the religious community, on the ground that the community was not a controller of personal data and its activity did not constitute unlawful processing of such data. The Data Protection Supervisor challenged that judgment before the Supreme Administrative Court, Finland, which stayed the proceedings and referred to the Court of Justice of the European Union for a preliminary ruling questions concerning the interpretation of article 2(c) and (d) and article 3 of Directive 95/46/EC, read in the light of article 10 of the Charter of Fundamental Rights of the European Union which gave everyone the right to freedom of thought, conscience and religion.
On the reference—
Held, (1) that the collection of personal data by members of the community in the course of door-to-door preaching was a religious procedure carried out by individuals. It followed that such activity was not an activity of the state authorities and could not be treated in the same way as the activities in the first indent of article 3(2) of Parliament and Council Directive 95/46/EC. The exception in the second indent of article 3(2) only excluded data processing carried out in relation to an activity that was “purely” personal or household in nature. Thus, article 3(2) of Directive 95/46, read in the light of article 10(1) of the Charter of Fundamental Rights of the European Union, meant that the collection of personal data by members of a religious community in the course of door-to-door preaching and the subsequent processing of that data did not constitute the processing of personal data for the purpose of article 3(2) (judgment, paras 39–40, 51, operative part, para 1).
(2) That although article 2(c) did not set out the criteria according to which a filing system had to be structured, it was clear that those criteria had to relate to individuals. Therefore, the requirement that the set of personal data had to be “structured according to specific criteria” was simply intended to enable personal data to be easily retrieved. Apart from that requirement, article 2(c) of Directive 95/46 did not lay down the practical means by which a filing system was to be structured or the form in which it was to be presented. In particular, it did not follow that the personal data had to be contained in data sheets or specific lists or in another search method, in order to establish the existence of a filing system within the meaning of the Directive. In the present case, it was clear that the data collected in the course of the door-to-door preaching was collected as a memory aid, on the basis of an allocation by geographical sector, in order to facilitate the organisation of subsequent visits to persons who had already been contacted. They included not only information relating to the content of conversations concerning the beliefs of the person contacted, but also his name and address. Furthermore, the data, or at least a part of it, was used to draw up lists kept by the congregations of the community of persons who no longer wished to receive visits. The specific criterion and the specific form in which the set of personal data collected by each of the members who engaged in preaching was actually structured was irrelevant, so long as that set of data made it possible for the data relating to a specific person who had been contacted to be easily retrieved, which was for the referring court to ascertain. Thus, a “filing system” for the purposes of article 2(c) of Directive 95/46 included a set of personal data collected in the course of door-to-door preaching, consisting of the names and addresses and other information concerning the persons contacted, if that data was structured according to specific criteria which, in practice, enabled it to be easily retrieved for subsequent use. In order for such a set of data to fall within that concept, it was not necessary that they included data sheets, specific lists or other search methods (judgment, paras 57–58, 60–62, operative part, para 2).
(3) Neither the wording of article 2(d) of Directive 95/46 nor any other provision of the Directive supported a finding that the determination of the purpose and means of processing had to be carried out by the use of written guidelines or instructions from the controller. However, a natural or legal person who exerted influence over the processing of personal data, for his own purposes, and who participated, as a result, in the determination of the purposes and means of that processing, could be regarded as a controller within the meaning of article 2(d) of Directive 95/46. Furthermore, the joint responsibility of several actors for the same processing, under that provision, did not require each of them to have access to the personal data concerned. Thus, article 2(d) of Directive 95/46, read in the light of article 10(1) of the Charter, supported the finding that a religious community was a controller, jointly with its members who engaged in preaching, for the processing of personal data carried out by the latter in the context of door-to-door preaching organised, coordinated and encouraged by that community, without it being necessary that the community had access to the data, or to establish that that community had given its members written guidelines or instructions in relation to the data processing (judgment, paras 67–69, 75, operative part, para 3).
R Aarnio, agent, for the Data Protection Supervisor.
SH Brady and P Muzny for the religious community.
H Leppo, agent, for the Finnish Government.
M Smolek and J Vláčil, agents, for the Czech Government.
G Palmieri, agent, and P Gentili, for the Italian Government.
P Aalto, H Kranenborg and D Nardi, agents, for the European Commission.