On 10 July 2018, the Court of Justice of the European Union ruled that a religious community, such as the Jehovah’s Witnesses, is a controller, jointly with its members who engage in preaching, for the processing of personal data carried out by the latter in the context of door-to-door preaching. Consequently, the processing of personal data carried out in the context of such activity must respect the rules of EU law on the protection of personal data.
Tietosuojavaltuutettu v Jehovan todistajat — uskonnollinen yhdyskunta, Case C-25/17, [Full Judgment [EN], Press Release]
On 17 September 2013, the Tietosuojavaltuutettu (Finnish Data Protection Supervisor) prohibited the Jehovan todistajat — uskonnollinen yhdyskunta (Jehovah’s Witnesses religious community, Finland) from collecting or processing personal data in the course of door-to-door preaching by its members unless the requirements of Finnish legislation relating to the processing of personal data are observed.
Background
Members of the Jehovah’s Witnesses Community (“the Community”) take notes during their door-to-door preaching about visits to persons who are unknown to themselves or that Community. The data collected may consist of the name and addresses of persons contacted, together with information on their religious beliefs and their family circumstances. Those data are collected as a memory aid and in order to be retrieved for any subsequent visit without the knowledge or consent of the persons concerned.
The Community and its congregations organise and coordinate the door-to-door preaching by their members, in particular by creating maps from which areas are allocated between the members who engage in preaching and by keeping records about preachers and the number of the Community’s publications distributed by them. Furthermore, the congregations of the Community maintain a list of persons who have requested not to receive visits from preachers and the personal data on that list are used by members of that community.
The reference for preliminary ruling from the Korkein hallinto-oikeus (Supreme Administrative Court, Finland) asks essentially whether that community is required to observe the rules of EU law on the protection of personal data on account of the fact that its members, when they carry out door-to-door preaching, may take notes re-transcribing the content of their discussions and, in particular, the religious views of the persons whom they have visited.
The Court of Justice considered that door-to-door preaching by members of the Community is not covered by the exceptions laid down by EU law on the protection of personal data. In particular, that activity is not a purely personal or household activity to which that law does not apply. The fact that door-to-door preaching is protected by the fundamental right of freedom of conscience and religion enshrined in Article 10(1) of the Charter of Fundamental Rights of the European Union, does not confer an exclusively personal or household character on that activity because it extends beyond the private sphere of a member of a religious community who is a preacher.
The Court noted that the rules of EU law on the protection of personal data apply to the manual processing of personal data only where the data processed form part of a filing system or are intended to form part of a filing system. In the present case, since the processing of personal data is carried out otherwise than by automatic means, the question arises as to whether the data processed form part of, or are intended to form part of, such a filing system.
The Court determined that the concept of a ‘filing system’ covers a set of personal data collected in the course of door-to-door preaching, consisting of the names and addresses and other information concerning the persons contacted, if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use. In order for such a set of data to fall within that concept, it is not necessary that they include data sheets, specific lists or other search methods.
The processing of personal data carried out in connection with door-to-door preaching must therefore comply with the rules of EU law on the protection of personal data.
With regard to who may be regarded as a controller of the processing of personal data, the Court stated that this concept may concern several actors taking part in that processing, with each of them then being subject to the rules of EU law on the protection of personal data. Those actors may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.
The Court also stated that no provision of EU Law supports a finding that the determination of the purpose and means of processing must be carried out by the use of written guidelines or instructions from the controller. However, a natural or legal person who exerts influence over the processing of personal data, for his own purposes, and who participates, as a result, in the determination of the purposes and means of that processing, may be regarded as a controller of the processing of personal data.
The joint responsibility of several actors for the same processing, under that provision, does not require each of them to have access to the personal data concerned. In the present case, it appears that by organising, coordinating and encouraging the preaching activities of its members the Community participates, jointly with its members who engage in preaching, in determining the purposes and means of processing of personal data of the persons contacted; this is, however, for the Finnish court to verify with regard to all of the circumstances of the case. That finding cannot be called into question by the principle of organisational autonomy of religious communities guaranteed by Article 17 TFEU.
The Court concluded that EU law on the protection of personal data supports a finding that a religious community is a controller, jointly with its members who engage in preaching, of the processing of personal data carried out by the latter in the context of door-to-door preaching organised, coordinated and encouraged by that community, without it being necessary that the community has access to those data, or to establish that that community has given its members written guidelines or instructions in relation to the data processing.