In its judgment in Case
C-25/17 Tietosuojavaltuutettu v Jehovan todistajat — uskonnollinen yhdyskunta,
the CJEU has held that the processing of personal data carried out in the
context of door-to-door preaching must respect the rules of EU law on the protection
of personal data. The case is mainly of interest because of the Court’s
comments about what constitutes a filing system and concerning joint
controllers. Arguably, the Court supports the so-called ‘Oprah effect’ where
all who so much as touch data become controllers, though the Court’s comments
are somewhat more nuanced than that.
On 17 September 2013, the Tietosuojavaltuutettu (Finnish
Data Protection Supervisor) prohibited the Jehovan todistajat — uskonnollinen
yhdyskunta (Jehovah’s Witnesses religious community, Finland) from collecting
or processing personal data in the course of door-to-door preaching by its
members unless the requirements of Finnish legislation relating to the
processing of personal data are observed. The members of the Jehovah’s
Witnesses Community take notes in the course of their door-to-door preaching
about visits to persons who are unknown to themselves or that Community. The
data collected may consist of the names and addresses of persons contacted,
together with information on their religious beliefs and their family
circumstances. Those data are collected, without the knowledge or consent of
the persons concerned, as a memory aid and in order to be retrieved for any
subsequent visit.
The Jehovah’s Witnesses Community and its congregations
organise and coordinate the door-to-door preaching by their members, in
particular by creating maps from which areas are allocated between the members
who engage in preaching and by keeping records about preachers and the number
of the Community’s publications distributed by them. Furthermore, the congregations
of the Jehovah’s Witnesses Community maintain a list of persons who have
requested not to receive visits from preachers and the personal data on that
list are used by members of that community.
The reference for preliminary ruling from the Korkein
hallinto-oikeus (Supreme Administrative Court, Finland) asked essentially
whether that community is required to observe the rules of EU law on the
protection of personal data on account of the fact that its members, when they
carry out door-to-door preaching, may take notes re-transcribing the content of
their discussions and, in particular, the religious views of the persons whom
they have visited.
In its judgment, the Court of Justice considers, first of
all, that door-to-door preaching by members of the Jehovah’s Witnesses
Community is not covered by the exceptions laid down by EU law on the
protection of personal data. In particular, that activity is not a purely
personal or household activity to which that law does not apply. The fact that
door-to-door preaching is protected by the fundamental right of freedom of
conscience and religion enshrined in Article 10(1) of the Charter of
Fundamental Rights of the European Union does not confer an exclusively
personal or household character on that activity because it extends beyond the
private sphere of a member of a religious community who is a preacher.
The Court states, however, that the rules of EU law on the
protection of personal data apply to the manual processing of personal data
only where the data processed form part of a filing system or are intended to
form part of a filing system. In the present case, since the processing of
personal data is carried out otherwise than by automatic means, the question
arises as to whether the data processed form part of, or are intended to form
part of, such a filing system. In that regard, the Court finds that the concept
of a ‘filing system’ covers a set of personal data collected in the course of
door-to-door preaching, consisting of the names and addresses and other
information concerning the persons contacted, if those data are structured
according to specific criteria which, in practice, enable them to be easily retrieved
for subsequent use. In order for such a set of data to fall within that
concept, it is not necessary that they include data sheets, specific lists or
other search methods.
The processing of personal data carried out in connection
with door-to-door preaching must therefore comply with the rules of EU law on
the protection of personal data.
As regards the question as to who may be regarded as a
controller of the processing of personal data, the Court states that the
concept of ‘controller of the processing of personal data’ may concern several
actors taking part in that processing, with each of them then being subject to
the rules of EU law on the protection of personal data. Those actors may be
involved at different stages of that processing of personal data and to
different degrees, so that the level of responsibility of each of them must be
assessed with regard to all the relevant circumstances of the particular case.
The Court also states that no provision of EU law supports a finding that the
determination of the purpose and means of processing must be carried out by the
use of written guidelines or instructions from the controller. However, a
natural or legal person who exerts influence over the processing of personal
data, for his own purposes, and who participates, as a result, in the
determination of the purposes and means of that processing, may be regarded as
a controller of the processing of personal data. Furthermore, the joint
responsibility of several actors for the same processing, under that provision,
does not require each of them to have access to the personal data concerned.
In the present case, it appears that the Jehovah’s Witnesses
Community, by organising, coordinating and encouraging the preaching activities
of its members, participates, jointly with its members who engage in preaching,
in determining the purposes and means of processing of personal data of the
persons contacted, which is, however, for the Finnish court to verify with
regard to all of the circumstances of the case. That finding cannot be called
into question by the principle of organisational autonomy of religious
communities guaranteed by Article 17 TFEU. The Court concludes that EU law on
the protection of personal data supports a finding that a religious community is
a controller, jointly with its members who engage in preaching, of the
processing of personal data carried out by the latter in the context of
door-to-door preaching organised, coordinated and encouraged by that community,
without it being necessary that the community has access to those data, or to
establish that that community has given its members written guidelines or
instructions in relation to the data processing.