On 10 July 2018, the CJEU ruled in Case C-25/17, in which it stated that the religious community (Jehovah's Witnesses), together with its members, is the controller of personal data with regard to the processing of personal data by the members as part of an organized, coordinated and encouraged by that community work carried out by paying door-to-door visits.
The verdict was issued in response to the questions referred for a preliminary ruling by the Supreme Administrative Court of Finland on the interpretation of the provisions of Directive 95/46/EC of the EP and the Council on the protection of individuals with regard to the processing of personal data and the free movement of such data - an EU legal act preceding the GDPR.
In the course of the proceedings, the Finnish court found that members of the religious community of Jehovah's Witnesses in Finland as part of their preaching work, which included door-to-door visits, were taking notes about the people they visited. These people were not known to them before, and their data concerned, among others, names, addresses, religious beliefs and family situation. The purpose of the collected data was to document the activities of individual members of the community and for a possible return visit. Visitors were not asked to give their consent or even informed about it.
That is why the Finnish court has asked the CJEU four questions for a preliminary ruling. The first one concerned the very necessity of applying the provisions of the Directive to the religious community and its members if they were considered to be processing personal data only during activities of a purely personal or household nature.
The second question concerned the concept of "filing system" - the court asked whether data collected in a non-automated way and constituting loose notes could nevertheless constitute such a filing system taking into account that in fact the information needed for further use of such data can be obtained easily an without excessive costs.
Next, the court asked two questions about the scope of the term 'data controller' and whether it encompassed the religious community, as the collection of personal data was performed by individual members of that community and not by the community itself. What is more the community did not even have access to the information collected. Furthermore, in the case at hand, the religious community did not apply other specific measures, such as written instructions or orders, with the help of which it would direct the collection of data by its preachers.
As to the first question, the CJEU considered that the activities of the Jehovah community are not covered by the exceptions set out in the Directive and that as a result of its activity personal data is processed. Answering the court's second question, CJEU stated that the concept of a filing system covers a set of personal data collected in the course of door-to-door preaching, consisting of the names and addresses and other information concerning the persons contacted, if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use. In order for such a set of data to fall within that concept, it is not necessary that they include data sheets, specific lists or other search methods.
Also in the case of the last two questions, as mentioned above, the CJEU recognized that the provisions of the Directive allow the religious community to be recognized together with its members as the controller in relation to the processing of personal data carried out by these members in the context of door-to-door preaching in an organized, coordinated and encouraged by that community. According to the CJEU, it is not necessary for the said community to have access to the data nor does it have to be determined that it provided its members with written guidelines or instructions regarding such processing.
The full text of the CJEU judgment in English version at the following link:
On 5 June 2018, the Court of Justice of the European Union gave judgment in Case C-210/16, in which it replied to the question referred for a preliminary ruling concerning Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data.
The case concerned a German company conducting business in the field of education through its fan page on the social networking site Facebook. At the same time, the company used statistical data collected by using the so-called “cookies” files, made available to them free of charge via Facebook. These files are installed on the fan page users' devices when they visit the website and allow Facebook to collect and process personal data.
Based on the above the German supervisory authority ordered the company to deactivate the fan page due to the failure to inform its users about the collection of their data via Facebook. As a result of the company's complaint, the German Federal Administrative Court has asked the CJEU questions relating to the interpretation of the provisions of above-mentioned Directive.
In its ruling, the Court pointed out that it is true that by the mere fact of using the social networking site such as Facebook, its user (in this case the German company) does not become jointly responsible for the processing of personal data carried out through this portal. However, the administrator of the fan page on Facebook by creating such a site gave Facebook an opportunity to store cookies on the fan page visitors’ devices (eg.: PC) regardless of whether the person has an account on Facebook or not.
Therefore, according to the Court, the administrator of the fan page indirectly participates in defining the purposes and methods of processing personal data by setting parameters dependant among others on the target users of his fan page and objectives of managing and promoting its activities. In this case, according to the Court, it should be recognized that the administrator of the fan page is responsible at the Union level together with Facebook for the processing of data within the meaning of Directive 95/46.
The Tribunal also stressed that the fan page administrator's responsibility is even more justified when it comes to processing personal data of persons that don’t have an account on Facebook, because the mere entry on a fan page by these people results in the automatic processing of their personal data.
At the same time, the Court found that the supervisory authority of the Member States has powers of intervention in relation to an entity established in its territory, even if it is a subsidiary or branch (in this case it was a branch Facebook Germany) and even because of infringements of the rules on personal data protection by a third party established in another Member State (Facebook Ireland in the case at hand).
The full text of the CJEU judgment is available at the following link:
Ministry of Health published a statement in the matter of accepting drug donations by hospitals. Minister of Health pointed out that provisions of the Act on reimbursement of medicines, foodstuffs intended for particular nutritional uses and medical devices (the “Reimbursement Act”) regard only reimbursed medicinal products and do not forbid donations to hospitals.
According to the statement, hospitals may autonomously decide whether to accept and use donated medicines. The Reimbursement Act and regulations regarding emergency access to treatment do not forbid accepting drug donations and using such medicines.
Full text of the statement is available under the following link:
On 4th January 2018 the draft amendment to the Suppression of Unfair Competition Act was published on the Government’s Legislation Centre’s (Rządowe Centrum Legislacji) website.
The main purpose of the amendment is to implement the directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure.
The draft explicitly states that an act of unfair competition shall be, among others, mere acquisition of other parties’ information constituting business secrets. Moreover, the project changes the statutory features of an act of unfair competition, e.g. by eliminating a “transfer” of other parties’ business secrets. However, the drafters claim that this is only a minor editorial change - unlawful transfer of other parties’ business secret will still be unlawful (as “publication”).
The draft law is available under the following link:
The Article 29 Working Party adopted guidelines on consent for personal data processing and guidelines on transparency of personal data processing.
The guidelines were adopted in order to achieve a consistent approach of the supervisory authorities of the EU member states in regard to assessment of validity of the consents. In the guidelines on consent the Article 29 Working Party laid down inter alia requirements on validity of consents obtained before the date from which the regulation 679/2016 (General Data Protection Regulation – GDPR) shall apply, that is before 25 May 2018, after this date (i.e. whether it will be permissible to continue processing of personal data on the basis of the “old” consents).
In line with the guidelines of the Article 29 Working Party the consents which have been obtained to date (“old” consents) continue to be valid in so far as it is in line with the conditions laid down in the GDPR. This does not mean however that all such consents will continue to be valid – for example, all presumed consents of which not references are kept will “automatically be below the consent standard of the GDPR” due to the fact that the controller will not be able to demonstrate their validity in line with article 7 paragraph 1 of the GDPR. In such case the consents will need to be “renewed”, i.e. obtained again in compliance with the GDPR.
The adopted guidelines are available at the following address: