The processing of personal data carried out by Jehovah’s Witnesses during their door-to-door preaching must respect EU law on the protection of personal data, the EU’s top court ruled on Tuesday.
The case started in 2013 when Finland’s Data Protection Supervisor prohibited the Jehovah’s Witnesses religious community from collecting or processing personal data in the course of door-to-door preaching by its members unless Finnish data protection legislation was observed.
Jehovah’s Witnesses take notes in the course of their preaching about visits to people unknown to themselves or to that Community. This can include named and addresses, also information on their religious beliefs and their family circumstances. These are used as memory aids, and also to be retrieved for any subsequent visit without the knowledge or consent of the persons concerned.
Jehovah’s Witnesses organise and coordinate the door-to-door preaching by their members, in particular by creating maps from which areas are allocated between the members who engage in preaching and by keeping records about preachers and the number of the Community’s publications distributed by them.
Their community maintain a list of persons who have requested not to receive visits from preachers and the personal data on that list are used by members of that community.
The supreme Finnish Court was asked essentially whether the Jehovah’s Witnesses needed to observe the rules of EU Law on the protection of personal data.
In its judgment, the European Court of Justice considered, first of all, that the Jehovah’s Witnesses’ door-to-door preaching is not covered by the exceptions laid down by EU Law on the protection of personal data. In particular, that activity is not a ‘purely personal or household activity to which that law does not apply’. The fact that door-to-door preaching is protected by the fundamental right of freedom of conscience and religion enshrined in Article 10(1) of the Charter of Fundamental Rights of the European Union, does not confer an exclusively personal or household character on that activity because it extends beyond the private sphere of a member of a religious community who is a preacher.
Next, the Court stated, however, that the rules of EU Law on the protection of personal data apply to the manual processing of personal data only where the data processed form part of a filing system or are intended to form part of a filing system. In the present case, since the processing of personal data is carried out otherwise than by automatic means, the question arises as to whether the data processed form part of, or are intended to form part of, such a filing system. In that regard, the Court finds that the concept of a ‘filing system’ covers a set of personal data collected in the course of door-to-door preaching, consisting of the names and addresses and other information concerning the persons contacted, if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use. In order for such a set of data to fall within that concept, it is not necessary that they include data sheets, specific lists or other search methods.
The processing of personal data carried out in connection with door-to-door preaching must therefore comply with the rules of EU law on the protection of personal data.
As regards the question as to who may be regarded as a controller of the processing of personal data, the Court states that the concept of ‘controller of the processing of personal data’ may concern several actors taking part in that processing, with each of them then being subject to the rules of EU law on the protection of personal data. Those actors may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case. The Court also states that no provision of EU Law supports a finding that the determination of the purpose and means of processing must be carried out by the use of written guidelines or instructions from the controller. However, a natural or legal person who exerts influence over the processing of personal data, for his own purposes, and who participates, as a result, in the determination of the purposes and means of that processing, may be regarded as a controller of the processing of personal data.
Furthermore, the joint responsibility of several actors for the same processing, under that provision, does not require each of them to have access to the personal data concerned.
In the present case, it appears that the Jehovah’s Witnesses Community, by organising, coordinating and encouraging the preaching activities of its members participates, jointly with its members who engage in preaching, in determining the purposes and means of processing of personal data of the persons contacted, which is, however, for the Finnish court to verify with regard to all of the circumstances of the case. That finding cannot be called into question by the principle of organisational autonomy of religious communities guaranteed by Article 17 TFEU.
The Court concluded that EU law on the protection of personal data supports a finding that a religious community is a controller, jointly with its members who engage in preaching, of the processing of personal data carried out by the latter in the context of door-to-door preaching organised, coordinated and encouraged by that community, without it being necessary that the community has access to those data, or to establish that that community has given its members written guidelines or instructions in relation to the data processing.