Plans for a single market have been delivered yet another blow, this time as a result of an ECJ preliminary ruling against a relatively unknown Slovakian company. The court ruled in Weltimmo SRO v. Nemzeti Adatvedelmi es Informacioszabadsag Hatosag, that national data protection authorities (DPAs) may take action against businesses that target residents in their Member State, even if the businesses are not registered in that state.

The ruling is significant for the ‘one stop-shop’ provisions currently being negotiated as part of the General Data Protection Regulation (‘GDPR’). In an earlier blog, we explained that the European Council endorsed the ‘one-stop-shop’ approach, so that in the future, organisations will only need to deal with the DPA having jurisdiction over the location of its EU headquarters, or EU location with delegated data protection responsibility.  The decision in Weltimmo says otherwise: an organisation will be subject to the authority of the DPA if it has an ‘establishment’ within the jurisdiction of the DPA. With the GDPR expected to be finalised later this year, it will be interesting to see how this ruling will be reconciled with the GDPR.
Continue Reading Another day…another set-back for Europe’s plans for a single market