In June, the Attorney General ("AG") of the Court of
Justice of the European Union ("CJEU") issued his opinion(English translation pending) in
the case of Verein für Konsumenteninformation v Amazon EU
Sàrl (Case C-191/15). The opinion makes potentially
important observations about which law should apply to the
processing of personal data under the Data Protection Directive
Where an organisation conducts data processing operations in
several Member States, the AG's opinion is that Article 4(1)(a)
of the Directive should be interpreted so that the law of one
single Member State applies. To determine which Member State's
law should apply, the "establishment" of the controller
should be analysed. The controller's establishment should be
where there is "real and effective activity" exercised
"through stable arrangements" (the interpretation of
'establishment' provided by the CJEU in Weltimmo s.r.o. v
Nemzeti Adatvédelmi és
Információszabadság Hatóság (C-230/14)).
The opinion is not binding on the CJEU; however, if the court
were to follow it, then organisations that have structured their
operations so that the law of only one Member State applies to
processing activities will breathe a sigh of relief. The case law
of the CJEU has recently been developing in such a way that
organisations' processing activities are potentially subject to
the data protection laws of several different Member States,
causing an increased compliance burden. The CJEU is now in a
position to offer such organisations some administrative
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The fourth and final part of our mini-series on the draft ICO guidance on Consent, published on 2 March 2017, focuses on the practical impact the GDPR (General Data Protection Regulation) will have on how your organisation records and manages consent.
In light of the much anticipated ICO draft GDPR (the General Data Protection Regulation) Consent Guidance being published yesterday, 2 March 2017, we will be running a mini-series on the guidelines under consultation and the impact the GDPR will have on the much vexed position of consent and the impact on your business.
The first of our four discussions on the ICO guidelines for Consent will focus on the meaning of consent under the GDPR (General Data Protection Regulation) and how this change enhances the previous law on consent to data processing.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).