Choose the experimental features you want to try

This document is an excerpt from the EUR-Lex website

Document 62017CC0025

Opinion of Advocate General Mengozzi delivered on 1 February 2018.
Proceedings brought by Tietosuojavaltuutettu.
Request for a preliminary ruling from the Korkein hallinto-oikeus.
Reference for a preliminary ruling — Protection of individuals with regard to the processing of personal data — Directive 95/46/EC — Scope of the directive — Article 3 — Data collected and processed by the members of a religious community in the course of their door-to-door preaching — Article 2(c) — Definition of a ‘personal data filing system’ — Article 2(d) — Definition of a ‘controller’ of the processing of personal data — Article 10(1) of the Charter of Fundamental Rights of the European Union.
Case C-25/17.

ECLI identifier: ECLI:EU:C:2018:57

OPINION OF ADVOCATE GENERAL

MENGOZZI

delivered on 1 February 2018 ( 1 )

Case C‑25/17

Tietosuojavaltuutettu

Other party:

Jehovan todistajat — uskonnollinen yhdyskunta

(Request for a preliminary ruling from the Korkein hallinto-oikeus (Supreme Administrative Court, Finland))

(Reference for a preliminary ruling — Protection of individuals with regard to the processing of personal data — Directive 95/46/EC — Scope — Definition of purely personal or household activity — Data collected and processed by the members of a religious community in the context of their door-to-door proselytising — Freedom of religion — Article 10(1) of the Charter of Fundamental Rights of the European Union — Definition of filing system — Definition of controller of the processing of personal data)

1.

Must the Jehovah’s Witnesses community be subject to compliance with the data protection requirements of EU law because its members, when they go preaching on the doorstep, may be prompted to take notes recording the content of their interviews and, in particular, the religious affiliation of the people they have visited? That is, in essence, what is at issue in the present reference for a preliminary ruling.

I. Legal framework

A.   EU law

2.

It is apparent from recital 12 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ( 2 ) that ‘the protection principles must apply to all processing of personal data by any person whose activities are governed by Community law; whereas there should be excluded the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses’.

3.

According to recital 27 of Directive 95/46, ‘the protection of individuals must apply as much to automatic processing of data as to manual processing; … the scope of this protection must not in effect depend on the techniques used, otherwise this would create a serious risk of circumvention; … nonetheless, as regards manual processing, this Directive covers only filing systems, not unstructured files; … in particular, the content of a filing system must be structured according to specific criteria relating to individuals allowing easy access to the personal data; … in line with the definition in Article 2(c), the different criteria for determining the constituents of a structured set of personal data, and the different criteria governing access to such a set, may be laid down by each Member State; … files or sets of files as well as their cover pages, which are not structured according to specific criteria, shall under no circumstances fall within the scope of this Directive’.

4.

Article 2 of Directive 95/46 is worded as follows:

‘For the purposes of this Directive:

(a)

“personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

(b)

“processing of personal data” (“processing”) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

(c)

“personal data filing system” (“filing system”) shall mean any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

(d)

“controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law;

(e)

“processor” shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

...’

5.

Article 3 of Directive 95/46 states:

‘1.   This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.

2.   This Directive shall not apply to the processing of personal data:

in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law,

by a natural person in the course of a purely personal or household activity.’

6.

Article 8(1) of Directive 95/46 provides that ‘Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life’. Paragraph 2(d) of that article further provides that ‘paragraph 1 shall not apply where … processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects ...’.

B.   National law

7.

Directive 95/46 was transposed into Finnish law by henkilötietolaki 523/1999 (Law on personal data No 523/1999).

8.

Paragraph 3(3) of the Law on personal data defines a personal data filing system as a ‘set of personal data, connected by a common use and processed fully or partially by automatic means or organised using data sheets or lists or any other comparable method permitting the retrieval of data relating to persons easily and without excessive cost’.

9.

Paragraph 11 of the Law on personal data prohibits the processing of sensitive data, which include religious beliefs. Paragraph 12 of the Law on personal data provides, however, that such data may be processed if, when it concerns religious beliefs, it is collected as part of the activity of associations or other bodies upholding such beliefs and if it concerns the members of those associations or bodies or persons having regular links with them because of their aims and in so far as the data is not disclosed to a third party without the consent of the data subject.

10.

Paragraph 44 of the Law on personal data states that, at the request of the Data Protection Supervisor, the Data Protection Board may prohibit processing of personal data that is contrary to that law or to the rules and regulations issued on the basis thereof, and prescribe a period within which interested parties are to remedy the illegality or negligence.

II. The main proceedings, the questions referred for a preliminary ruling and the procedure before the Court

11.

On 17 September 2013, the Finnish Data Protection Board (‘the Board’) adopted, at the request of the Tietosuojavaltuutettu (the Data Protection Supervisor, the applicant in the main proceedings), a decision prohibiting the Jehovah’s Witnesses religious community (the defendant in the main proceedings, ‘the religious community’) collecting or processing personal data in connection with its door-to-door preaching if it did not meet the statutory conditions for the processing of personal data laid down in the Law on personal data. The Board thus took the view that the religious community and its members were controllers, within the meaning of Law No 523/1999, of the processing of sensitive personal data. The decision laid down a period of six months within which the religious community had to comply with that decision.

12.

The religious community appealed against that decision before the court of first instance, arguing that the case concerned the processing of personal data for strictly personal purposes within the meaning of the Law on personal data. By judgment of 18 December 2014, that court annulled the Board’s decision, holding that the religious community was not the controller of unlawful processing of personal data.

13.

The Data Protection Supervisor brought an appeal before the referring court, seeking to have the judgment of 18 December 2014 set aside.

14.

The activity of the members of the religious community is described by the referring court as follows. In the course of their proselytising, those members go from door to door, taking notes on meetings with persons who are, as a rule, unknown to those members. The data is collected as a memory aid for retrieving information useful for a subsequent visit. The persons thus visited whose data is recorded in the notes of the members of the religious community are not informed of this collecting or processing of their personal data. Lists or data sheets are the media used for collecting the data. The information in question is the name and address and a summary of the content of the conversation, relating, in particular, to religious beliefs and family circumstances. According to the referring court, preaching activity is arranged by the religious community in that the latter creates maps of districts and allocates areas among members for the purposes of evangelism. Congregations keep records about the preachers, indicating the number of publications they have distributed and the time each member has spent preaching.

15.

The religious community has previously used one of its publications to disseminate instructions on note taking. ( 3 ) The data was originally collected by means of forms, which the religious community ceased to be encouraged to use following a recommendation to that effect by the Data Protection Supervisor. The religious community’s congregations also keep a list, the so-called ‘refusal register’, of persons who have expressed the desire to receive no more visits by members of the religious community. According to the Data Protection Supervisor, that list appears to be compatible with the Law on personal data.

16.

The Data Protection Supervisor argues before the referring court that the data collected by members of the religious community in the course of their preaching activity constitutes a filing system because it has the same intended purpose and is recorded in order to serve as a memory aid for a subsequent visit. The data processing done from the individual notes taken is closely directed and organised by the religious community itself, which has authority de facto over the collection and processing of the data. The religious community and its members, when they take individual notes during their proselytising, ought together to be regarded as a data controller.

17.

The religious community argues, for its part, that preaching activity, during which, if appropriate, a member will take notes, is a personal religious practice. The notes thus taken are purely personal. The taking of notes and any subsequent processing of the data collected are independent of the existence of the religious community, which exercises no control even if it nonetheless acknowledges that it makes recommendations and gives spiritual guidance on the duty of every member to take part in evangelism. The members’ notes are not, however, disclosed to the religious community, which has no access to them. There is no system for collecting and retrieving the data. The religious community does not know who among its members takes notes following visits. The data collection relates only to data available from public sources such as the telephone directory and that data is destroyed as soon as it no longer proves useful. Data collected solely on members’ individual and personal initiative does not constitute a filing system and the religious community cannot be regarded as a controller of the processing of personal data. That is, moreover, the assessment of the Netherlands, Danish and Norwegian authorities, according to which the activity at issue in the main proceedings either falls outside the ambit of the national law governing the collection and processing of personal data or is not contrary to that law.

18.

According to the referring court, it is therefore necessary first to determine the scope of the Law on personal data corresponding to the scope of Directive 95/46. ( 4 ) In the light of the Court’s case-law, the activity of collecting and processing personal data in the context of a religious practice such as preaching appears not to fall within the exclusion provided for in the first indent of Article 3(2) of Directive 95/46, but some uncertainty remains as to whether preaching can be regarded as a purely personal or household activity within the meaning of the second indent of Article 3(2) of Directive 95/46. For the purpose of that assessment, the referring court raises the issue of the effect of the guidance contained in recital 12 of Directive 95/46, whereas the data collected would seem to go further than the data traditionally collected for the purpose of keeping an address book, particularly in that it may be sensitive and be collected in connection with persons unknown to the members, having regard, next, to the clarification provided by recital 18 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 ( 5 ) and, finally, to the role played by the religious community. The referring court presumes that determination of the scope of the second indent of Article 3(2) of Directive 95/46 will require a weighing up of, on the one hand, the fundamental right to respect for private life against, on the other hand, the no less fundamental freedom of religion, of which preaching is one form of expression.

19.

Secondly, the referring court raises the issue of the concept of ‘filing system’ within the meaning of Article 2(c) of Directive 95/46, it being understood that if the activity at issue in the main proceedings is not covered by the exclusion provided for in the second indent of Article 3(2) of that directive, the directive will not be applicable, when there is no automated processing of the data concerned, unless the data is contained in a ‘filing system’. In that context, the referring court emphasises the common purpose of the members’ notes, namely, to serve as an aide-mémoire and to facilitate retrieval of the data relating to a person on the occasion of subsequent visits.

20.

Thirdly, and finally, the referring court raises the question whether the religious community, alone or together with its members, can be regarded as a ‘controller’ within the meaning of Article 2(d) of Directive 95/46 when it appears to exercise effective control over the collecting activity although, at present, it has issued no written instructions or orders. That concept of ‘controller’ would seem to be given a broad definition in the Court’s case-law, ( 6 ) and the national court emphasises in particular, even if the religious community has perhaps no access to the data collected, the role of the religious community in encouraging doorstep proselytising and the fact that it has previously given its members instructions on the collection of data and was able to provide them with forms for that purpose.

21.

It was in those circumstances that the Korkein hallinto-oikeus (Supreme Administrative Court, Finland) decided to stay the proceedings and, by order for reference received at the Registry on 19 January 2017, referred the following questions to the Court for a preliminary ruling:

‘(1)

Must the exceptions to the scope of Directive 95/46 laid down in Article 3(2), first and second subparagraphs, of that directive be interpreted as meaning that the collection and other processing of personal data carried out by the members of a religious community in connection with door-to-door preaching fall outside that scope? When the applicability of the directive is assessed, what significance is to be given, on one hand, to the fact that it is the religious community and its congregations that arrange the preaching activity in connection with which the data is collected and, on the other, to the fact this involves the personal religious practice of the members of a religious community?

(2)

Must the definition of “filing system” in Article 2(c) of … Directive [95/46], examined in the light of recitals 26 and 27 of that directive, be interpreted to the effect that, taken as a whole, the personal data (consisting of names and addresses and other information about and characteristics of a person) collected not by automatic means in connection with the door to door preaching described above

(a)

does not constitute such a filing system, because the data does not include specific lists or data sheets or any other comparable search method as provided for in the definition laid down in the Finnish Law on personal data, or

(b)

does constitute such a filing system, because, taking account of its intended purpose, the information required for later use may in practice be searched easily and without unreasonable expense in accordance with the Finnish Law on personal data?

(3)

Must the phrase “alone or jointly with others determines the purposes and means of the processing of personal data” appearing in Article 2(d) of … Directive [95/46] be interpreted as meaning that a religious community that arranges activity in connection with which personal data is collected (in particular, by dividing the areas in which the activity is carried out among the various preachers, supervising the activity of those preachers and keeping a list of individuals who do not wish the preachers to visit them) may be regarded as a controller, in respect of the processing of personal data by its members, even if the religious community claims that only the individual preachers have access to the data they gather?

(4)

Must Article 2(d) [of Directive 95/46] be interpreted to the effect that in order for a religious community to be considered a controller it must have taken other specific measures, such as giving written instructions or orders directing the collection of data, or is it sufficient that that religious community can be regarded as having control de facto of its members’ activities?’

22.

In the present case, written observations have been submitted by the defendant in the main proceedings, the Finnish, Czech and Italian Governments and the European Commission.

23.

At the hearing before the Court on 28 November 2017, the Data Protection Supervisor, the defendant in the main proceedings, the Finnish Government and the Commission presented oral argument.

III. Analysis

A.   The jurisdiction of the Court

24.

This reference for a preliminary ruling is notable in that the defendant in the main proceedings strongly contests the ‘facts’ as established by the Data Protection Supervisor and presented by the referring court. The religious community argues that the Court ought not to agree to answer the questions referred by the Korkein hallinto-oikeus (Supreme Administrative Court), relying upon the judgment in Meilicke. ( 7 )

25.

For the record, in that judgment the Court recalled the rules relating to the preliminary ruling dialogue. Thus, if the Court is, in principle, obliged to answer the questions raised by the national court, which alone has direct knowledge of the facts of the case and is therefore best placed to assess the need of a preliminary ruling in order to give its judgment, the Court may nevertheless determine whether it has jurisdiction in order to ensure that its preliminary ruling will actually assist, not in the delivery of advisory opinions on general or hypothetical questions, but in the administration of justice in the Member States. It therefore falls to the national court to establish the facts of the case, so as to enable the Court to take cognisance of all the matters of fact and of law that may be relevant to the interpretation of EU law which it is called upon to give. ( 8 ) In Meilicke, ( 9 ) the Court in fact considered that it had been called upon to give a ruling on a hypothetical problem, without having before it the matters of fact or law necessary for it to give a useful answer to the questions submitted to it, and concluded that there was no need to adjudicate.

26.

In relying upon that case-law, the defendant in the case in the main proceedings is not unaware that the principle remains that of a strong presumption of relevance of the questions submitted by the referring court and that it is only in exceptional cases that the Court refuses to answer them. ( 10 ) However, the documents before the Court in the present case, and in particular the order for reference, do not contain such shortcomings that the Court would be overstepping the bounds of the function entrusted to it if it decided to answer the questions submitted by the referring court. ( 11 ) At all events, it is for the referring court, if this falls within its powers, ( 12 ) to establish the facts definitively. Those contained in the order for reference are, in any event, quite sufficient for the Court to give a ruling with full knowledge of the facts. ( 13 )

B.   The questions referred

1. The first question

27.

By its first question, the referring court seeks to establish whether the activity of members of the Jehovah’s Witnesses community may escape application of the rules of Directive 95/46 on the basis of, on the one hand, the first indent of Article 3(2) of that directive. In this regard, the defendant in the main proceedings maintains that the activity at issue in those proceedings, which is related to freedom of religion and peaceful and private religious expression, is covered by that exclusion. On the other hand, the national court is uncertain whether that activity may escape the application of the rules of Directive 95/46 on the basis of the second indent of Article 3(2), which excludes from the scope of the directive the processing of personal data ‘by a natural person in the course of a purely personal or household activity’. ( 14 )

(a) Preaching is not excluded from the scope of Directive 95/46 under the first indent of Article 3(2) of that directive

28.

The first indent of Article 3(2) of Directive 95/46 provides that Directive 95/46 is not to apply to the processing of personal data ‘in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law’. The argument of the defendant in the main proceedings is, in essence, that proselytising, in connection with which the data of the persons visited by members of the religious community are collected and processed, is an activity that falls outside the scope of EU law as provided for in that provision. ( 15 ) The Italian Government, for its part, in reaching the same conclusion as the defendant in the main proceedings, invokes Article 17 TFEU, which provides that the Member States have exclusive competence to regulate religious organisations.

29.

First and foremost, it should be borne in mind that it is clear from the settled case-law of the Court that Directive 95/46 defines its scope ‘in very broad terms’, in particular, not making the application of the rules on protection depend upon whether the processing is actually connected to freedom of movement between Member States. ( 16 ) Moreover, the Court has recalled too that the directive lays down no further limitation of its scope beyond those provided for in Article 3 thereof. ( 17 ) Having regard to the objective pursued by Directive 95/46 of ensuring a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy, with respect to the processing of personal data, ( 18 ) it is a requirement of that protection that ‘derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary’. ( 19 ) The first indent of Article 3(2) of Directive 95/46 must, like any derogating provision, be interpreted restrictively.

30.

The Court has, moreover, held that ‘the activities mentioned by way of example in the first indent of Article 3(2) of Directive 95/46 … are, in any event, activities of the State or of State authorities and unrelated to the fields of activity of individuals’. ( 20 ) It then stated that those activities ‘are intended to define the scope of the exception provided for there, with the result that that exception applies only to the activities which are expressly listed there or which can be classified in the same category (ejusdem generis)’. ( 21 )

31.

Above all, in a case concerning the activity of a catechist in a parish in Sweden, which consisted in setting up an internet page providing information to parishioners preparing for their confirmation, the Court ruled that ‘charitable or religious activities such as those carried out by [the applicant in the main proceedings in that case] cannot be considered equivalent to the activities listed in the first indent of Article 3(2) of Directive 95/46 and are thus not covered by that exception’. ( 22 ) Although Advocate General Tizzano had, in his Opinion in that case, argued the contrary, that was not because of the religious nature of the context in which the activity of the applicant in the main proceedings took place, but because there was no intention of seeking a profit, no cross-border element and no employment relationship, in other words, no connection at all between that activity and the exercise of the fundamental freedoms protected by the Treaty. ( 23 ) By its judgment in Lindqvist, ( 24 ) the Court not only ruled that, having regard to the essential objective of Directive 95/46, it need not be determined, before applying that directive, whether the activity concerned directly affected freedom of movement between Member States, ( 25 ) but also acknowledged, at least implicitly, that the activity of the applicant in the main proceedings, which formed part of the full exercise of her freedom of religion, was concerned more with the ‘field … of activity of individuals’ than with ‘activities of the State or of State authorities’, ( 26 ) which alone fall within the scope of the exclusion provided for in the first indent of Article 3(2) of Directive 95/46.

32.

Is the insertion of Article 17 TFEU by the Treaty of Lisbon a new element liable to influence the interpretation given by the Court in its judgment in Lindqvist? ( 27 )

33.

I think not.

34.

In that regard, it may usefully be recalled that, when the Court gave its judgment, its attention was necessarily drawn to the fact that the case in the main proceedings involved a religious activity. Nor was it unaware of Declaration No 11 on the status of churches and non-confessional organisations ( 28 ) annexed to the Treaty of Amsterdam, in accordance with which the European Union had already undertaken to respect and not to prejudice the status under national law of churches and religious associations or communities in the Member States. It seems difficult to argue that the legislature intended to exclude from the scope of Directive 95/46, on the basis of the first indent of Article 3(2), the activities of individuals linked to freedom of religion, when it established, a few provisions later, a specific scheme for data processing carried out by religious organisations. ( 29 ) It may, nevertheless, be objected that Directive 95/46 predates Declaration No 11 annexed to the Treaty of Amsterdam. However, despite the inclusion in the Treaty of Article 17 TFEU, as recalled in essence in recital 165 of Regulation 2016/679, it must be recognised that the EU legislature persisted on that course and saw no contradiction between, on the one hand, recognising the status of religious communities as determined by the Member States and, on the other hand, confirming that data processing by those same communities is to be subject to specific rules. ( 30 ) In any case, I find it hard to see how the exclusion of religious activities, at least such as those at issue in the main proceedings, from the scope of the first indent of Article 3(2) of Directive 95/46 could in any way threaten the ‘status’ of religious communities as defined by the Member States. ( 31 )

35.

Consequently, the activity at issue in the main proceedings does not fall within the exclusion provided for in the first indent of Article 3(2) of Directive 95/46.

(b) Preaching is not excluded from the scope of Directive 95/46 under the second indent of Article 3(2) thereof

36.

From a literal point of view, the second indent of Article 3(2) of Directive 95/46 provides that that directive is not to apply to the processing of personal data ‘by a natural person in the course of a purely personal or household activity’. ( 32 )

37.

At the outset, the interpretation proposed at the hearing by the defendant in the main proceedings must be rejected, according to which whether an activity is of a personal or household nature for the purposes of that provision should be assessed from the point of view of the person whose data is collected. The defendant in the main proceedings argues that, because the preaching members of the religious community enter the homes of the ‘visited’ persons, the activity in question is necessarily a household activity. Such an approach has never been followed by the Court when examining whether an activity was in fact a ‘personal or household’ activity within the meaning of the second indent of Article 3(2) of Directive 95/46, the point of view adopted having always been that of the person who collects or, more broadly, processes personal data. ( 33 )

38.

Next, it should be borne in mind that the finding above that it is necessary to adopt a restrictive interpretation of the derogation from the scope of Directive 95/46 contained in the first indent of Article 3(2) of that directive ( 34 ) applies as regards the interpretation of its second indent as well.

39.

It is furthermore apparent from the case-law of the Court that the scope of the second indent of Article 3(2) of Directive 95/46 can be usefully clarified by recital 12 thereof, which cites, as an example of the processing of data carried out by a natural person in the exercise of exclusively personal or domestic activities, correspondence and the holding of records of addresses. ( 35 ) Consequently, ‘that exception must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals’, ( 36 ) that is to say, when the processing ‘is carried out in the purely personal or household setting of the person processing the data’. ( 37 ) The Court considers that this is clearly not the case with the processing of personal data ‘consisting in publication on the internet so that those data are made accessible to an indefinite number of people’ ( 38 ) or ‘the purpose of which is to make the data collected accessible to an unrestricted number of people’. ( 39 ) Thus, anything that is ‘directed outwards from the private setting of the person processing the data’ cannot be regarded as a purely personal or household activity for the purposes of the second indent of Article 3(2) of Directive 95/46. ( 40 )

40.

It is clear from the facts as presented to the Court by the referring court that the proselytising in the course of which the personal data of the persons visited is deemed to be collected goes beyond, at the very least, the household setting of the person processing the data, for proselytising, by its nature, involves entering into a relationship with persons who are, as a matter of principle, unknown and do not share the preacher’s faith. Unlike the holding of a record of addresses, for example, preaching necessarily leads to a ‘confrontation’ with the world beyond home and family unit. The nature of the data collected, including data enjoying enhanced protection under Directive 95/46, ( 41 ) also supports a clear distinction from the example referred to in recital 12 of Directive 95/46.

41.

It is also apparent from those facts that the role assigned, by the wording of the first question referred, to the religious community and its congregations of arranging the preaching activity necessarily leads to the conclusion that that activity goes beyond not only the household setting but also the private setting of the persons doing the proselytising.

42.

In view of the religious-community dimension of the preaching ( 42 ) and the fact that this necessarily means that the person processing the data in that context leaves his or her private and family setting in order to meet, in their homes, people who are not in their inner circle, the collecting and processing of personal data by members of a religious community in the context of door-to-door proselytising cannot be excluded from the scope of Directive 95/46 under the second indent of Article 3(2) thereof.

43.

Such an interpretation fully satisfies the requirements of strict interpretation of derogations from the scope of Directive 95/46 and their limitation to what is strictly necessary, and is perfectly in keeping with the objective pursued by that directive of ensuring a high level of protection of the fundamental rights and freedoms of natural persons, in particular, their right to privacy, with respect to the processing of personal data. ( 43 )

44.

It remains, nevertheless, to be examined whether such an interpretation does not run counter to the other fundamental rights with which the protection of privacy and personal data must be reconciled ( 44 ) and whether it achieves a balanced weighting of that protection, on the one hand, against freedom of religion, of which the freedom to proselytise is a corollary, on the other. If the Court has hitherto held that the provisions of Directive 95/46 must necessarily be interpreted in the light of the fundamental rights set out in the Charter of Fundamental Rights of the European Union ( 45 ) (‘the Charter’) referring exclusively to Articles 7 and 8 thereof, ( 46 ) it is nevertheless equally clear that the other provisions of the Charter must be observed as well.

45.

Thus, Article 10(1) of the Charter provides that ‘everyone has the right to freedom of … religion. This right includes freedom to change religion or belief and freedom, either alone or in community with others and in public or in private, to manifest religion or belief, in worship, teaching, practice and observance’. The explanation on Article 10 of the Charter ( 47 ) states that that right corresponds to the right guaranteed in Article 9 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, signed at Rome on 4 November 1950 (‘the ECHR’), and, in accordance with Article 52(3) of the Charter, has the same meaning and scope. Consequently, freedom of religion may be limited only in the circumstances provided for in Article 9(2) of the ECHR, that is to say, any limitation must be prescribed by law and be necessary in a democratic society in the interests of public safety, for the protection of public order, health or morals, or for the protection of the rights and freedoms of others.

46.

The first lesson that can be drawn from Article 9(2) of the ECHR is that, contrary to the conclusion drawn by the defendant in the main proceedings at the end of its arguments, freedom of religion and its corollary the freedom to proselytise, however fundamental they may be, nevertheless do not constitute a kind of ‘fundamental meta-right’ occupying a position hierarchically superior to all others and subject to no limitations whatsoever. Therefore, the freedom to proselytise not only may but also must be reconciled with the protection of privacy in order to preserve ‘the protection of the rights and freedoms of others’, as required by that provision.

47.

The European Court of Human Rights (‘the ECtHR’) has held that, if religious freedom ‘is primarily a matter of individual conscience, it also implies freedom to manifest one’s religion alone and in private or in community with others, in public and within the circle of those whose faith one shares. Furthermore, the [ECtHR] has had occasion to point out that Article 9 [of the ECHR] enshrines negative rights, for example freedom not to hold religious beliefs and not to practise a religion’. ( 48 )

48.

However, door-to-door preaching does not seem to me to threaten, strictly speaking, the negative aspect of freedom of religion as defined by the ECtHR. I would add that, in my view, there can be no negative aspect to the freedom to proselytise, the latter necessarily implying an attempt to convince a person who does not share that faith or who has none at all. If I may so express it, the freedom to preach necessarily implies the existence of a ‘target’ public which cannot be granted the negative right not to be preached at, or not to be the object of an attempt at proselytism, without rendering meaningless the freedom in question and its potential outcome, which is also protected by both Article 9 of the ECHR and Article 10(1) of the Charter, that is to say, the freedom to change one’s religion. ( 49 )

49.

Nor does the door-to-door proselytising described by the referring court seem to me to go beyond the limits set by the ECtHR, which prohibits only improper proselytising. ( 50 ) ( 51 )

50.

In order for the interpretation of the second indent of Article 3(2) of Directive 95/46 proposed in point 42 of this Opinion to be altered by taking into account Article 9 of the ECHR and, consequently, Article 10(1) of the Charter, it would be necessary to find that making the activity at issue in the main proceedings subject to compliance with the rules of that directive constitutes an intolerable or disproportionate interference with the freedom to preach. However, in the case currently before the Court I find it hard to identify any such interference, the taking of notes and their transmission within the religious community being in no way of the same nature as preaching. Even if, however, such interference should be found to exist, it would still have to be ascertained whether it is provided for by law and whether it is necessary in a democratic society in order to attain the legitimate aim of protecting the rights and freedoms of others. However, the interference supposedly caused by the necessity of complying with the requirements of Directive 95/46 is indeed prescribed by law, in that it is specifically provided for by Directive 95/46 and, for the reasons set out above, is necessary in a democratic society for the protection of the rights of others, in particular the rights of the persons visited to privacy and to personal data protection, rights to which equal attention must be paid.

51.

Therefore, the protection afforded by Article 10(1) of the Charter cannot call into question the finding that the doorstep proselytising of members of the religious community is not a purely personal or household activity for the purposes of the second indent of Article 3(2) of Directive 95/46.

52.

In the light of those considerations, the answer to the first question raised by the referring court must be that door-to-door proselytising activity such as that at issue in the case in the main proceedings does not constitute a purely personal or household activity within the meaning of the second indent of Article 3(2) of Directive 95/46.

2. The second question

53.

The second question raised by the referring court asks the Court to examine again the scope of Directive 95/46, envisaged this time from the standpoint of Article 3(1), which provides that the directive ‘shall apply to the processing … of personal data which form part of a filing system or are intended to form part of a filing system’. Since it appears to be common ground that the processing of the data collected by members of the community is, at least in part, not automated, Directive 95/46 will apply only if there is a filing system defined by Article 2(c) of Directive 95/46 as ‘any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis’. The referring court argues that, for the purposes of the Law on personal data, the fact that there are no specific lists or data sheets or other comparable search method makes it impossible to classify as a ‘filing system’ the data processed by the members of the religious community. However, the same court raises the issue of the effect on that classification of the fact that the data can be easily searched for later use and without excessive cost, which are the two criteria set out in the Law on personal data.

54.

The defendant in the main proceedings again emphasises the highly theoretical nature of this second question, in view of the fact that it has not been established that notes are actually taken by its members in the course of their door-to-door proselytising, as is apparent from the reasoning of the request for a preliminary ruling. With regard to that repeated criticism, I would refer to point 25 et seq. of this Opinion. In keeping with the referring court’s analysis, the following arguments are based on the premiss that members of the religious community are likely to take notes in the course of that activity.

55.

It is important to refocus the debate on Directive 95/46 and its definition of the concept of filing system. Article 2(c) of Directive 95/46, the wording of which is rather cryptic, ( 52 ) must be read in conjunction with recital 27 of that directive, which states, on the one hand, that the scope of data protection may not depend on the techniques used, lest that create a serious risk of circumvention and that, on the other hand, as regards manual processing, the directive covers only filing systems, which must be structured according to specific criteria relating to individuals allowing easy access to the personal data. Moreover, the various criteria for determining the constituents of a structured set of personal data, and the various criteria governing access to such a set, may be laid down by each Member State.

56.

According to the Court’s case-law, Article 3(1) of Directive 95/46 defines very broadly the scope of that directive. ( 53 ) That provision is, therefore, not to be interpreted in such a way as to threaten the high level of protection conferred by Directive 95/46.

57.

It seems to me that, in spite of apparent decentralisation, ( 54 ) the notes taken, where appropriate, by members of the religious community may constitute a ‘filing system’ within the meaning of Directive 95/46. One of the very first criteria lending structure to that data set is the geographical criterion. To a certain extent, the member himself becomes a criterion structuring the data set in so far as the religious community allocates areas geographically. The community knows, therefore, that data relating to a particular person living in a specific neighbourhood may have been collected by a particular member. Even if the religious community does not indicate to its members the nature of the data collected, the latter can be inferred de facto from the objective pursued, that is to say, preparation for subsequent visits. The referring court has informed the Court that the data in question was the name and address and a summary of the contents of the conversation, relating in particular to religious beliefs and family circumstances. Such a structure, even if not particularly sophisticated, allows easy access to the data collected. It also perpetuates the memory of the religious community’s preaching work and it is easy to imagine that, if a member moves away, he will be in a position to transmit the information collected to a new member taking over in the geographical area in question. The criterion of the accessibility of the data appears, therefore, to be fulfilled. ( 55 )

58.

In those circumstances, it seems that the Finnish law requires a degree of sophistication greater than that required by Directive 95/46 in that it confines itself to classifying as a ‘filing system’ lists, data sheets or any other comparable search system. It therefore cannot be excluded out that the Law on personal data contains a restriction additional to what is provided for by Directive 95/46. However, the court making the reference did not put such a question to the Court, and it will have to draw all the appropriate inferences, including as regards its national law, from the answer which the Court will give to this second question.

59.

Therefore, Article 3(1) of Directive 95/46, read in conjunction with Article 2(c) of that directive, must be interpreted as meaning that the set of personal data collected, otherwise than by automatic means, by members of a religious community, in the context of an activity such as that at issue in the main proceedings, on the basis of specific geographical allocation and for the purposes of preparation for subsequent visits to people with whom a spiritual dialogue has been begun, is capable of constituting a filing system.

3. The third and fourth questions considered together

60.

By its third and fourth questions, which should be considered together, the referring court essentially asks the Court to determine whether Article 2(d) of Directive 95/46 must be interpreted as meaning that a religious community arranging preaching activity in the context of which personal data, accessible to the preachers alone, is collected may be regarded as a ‘controller’ within the meaning of that directive. For the purposes of that classification, the referring court also asks whether the religious community must adopt specific measures, such as written instructions addressed to its members, or whether it can be sufficient that that religious community should actually be in a position to direct its members’ activity.

61.

Before beginning the analysis, I wish to make a preliminary observation. The defendant in the main proceedings has denied, both in its written observations and in its oral argument before the Court, that it is the ‘controller’ of the data collected by its members, for the purposes of Directive 95/46, and has expressed some irritation at the statement that its members act on its instructions and not in response to divine command. However, I would reiterate that neither a finding that Directive 95/46 is applicable to the present case, nor a possible classification of the religious community as a ‘controller’ within the meaning of that directive, is to be given any implication above and beyond what they in fact are, which is an act of legal classification. It is clear from the Court’s case-law that the controller within the meaning of Directive 95/46 ‘must ensure, within the framework of its responsibilities, powers and capabilities, that the [data processing] activity meets the requirements of Directive 95/46 in order that the guarantees laid down by the directive may have full effect and that effective and complete protection of data subjects, in particular of their right to privacy, may actually be achieved’. ( 56 ) The issue is, therefore, that of a legal classification and by no means a questioning of the role of the religious community or the original foundation of the preaching activity.

62.

That having been made clear, I shall now turn to the analysis.

63.

In accordance with Article 2(d) of Directive 95/46, the controller is ‘the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data ...’. It is clear from the Court’s case-law that that concept must be defined broadly in order to meet the objective of effective and complete protection pursued by Directive 95/46 ( 57 ) and in the light of the decisive role of the controller within the system established by Directive 95/46. ( 58 )

64.

The ‘Article 29’ Data Protection Working Party (‘the “Article 29” Working Party’) ( 59 ) takes the view that determination of the controller within the meaning of Article 2(d) of Directive 95/46 is ‘based on a factual rather than a formal analysis’ ( 60 ) and ‘amounts to determining respectively the “why” and the “how” of certain processing activities.’ ( 61 )

65.

The issue is therefore to ascertain whether the religious community determines the purposes and means of processing the data collected by its members. To that end, it should be recalled that it is clear from the wording of the third question referred that the religious community ‘arranges’ the activity in the context of which personal data are collected by its members, inasmuch as it allocates areas of activity among the various preachers, ( 62 ) monitors their activity and keeps a record of people who do not wish to be visited. Those elements are so many signs of centralisation of proselytising activity by the religious community. It is hard, in those circumstances, to continue to maintain that that activity and the collection of personal data which accompanies it, where appropriate, remain exclusively individual and entirely beyond the control of the religious community. ( 63 )

66.

There is, in my view, a sufficient body of evidence, having regard to the necessity of interpreting broadly the concept of ‘controller’ within the meaning of Directive 95/46 and to the pursuit of a high level of protection, for it to be considered that the religious community determines the purpose of the processing of the personal data collected by members, which is constantly to seek increasing numbers of the faithful through greater efficiency in evangelical activity by optimal preparation for visits.

67.

With regard to the determination of means by the religious community, this seems to me difficult to dispute for the period during which that community provided its members with forms and in articles published in its magazine gave very specific instructions for taking notes. If use of the forms seems to have ceased, I would note that the publications are, for their part, still available online and that guidance on note taking has again been issued, after the date of the decision contested in the dispute in the main proceedings. ( 64 )

68.

In any case, the question referred for a preliminary ruling starts from the premiss that there are no written instructions. For the purposes of determining the ‘controller’ within the meaning of Directive 95/46, I am inclined to consider, like the Finnish, Czech and Italian Governments, that excessive formalism would make it easy to circumvent the provisions of Directive 95/46 and that, consequently, it is necessary to rely upon a more factual than formal analysis in order to assess whether the religious community plays an effective role in determining the objectives and practical means of processing.

69.

Such an interpretation is further supported by the wording of Article 2(d) of Directive 95/46, which contains no express reference to a requirement of written instructions. It seems that this is also the meaning given to that provision by the ‘Article 29’ Working Party, according to which influence de facto may be sufficient for the purpose of determining the controller in respect of the processing of personal data. ( 65 )

70.

It is clear that a finding of influence de facto is beyond the jurisdiction of the Court and falls to the referring court. However, it would be helpful for the latter to bear in mind that the concept of ‘controller’ within the meaning of Directive 95/46 must be defined broadly. Although I have just concluded that the existence of written instructions is not to be required, so that that concept is not hemmed in by excessively strict formalism, whether there exists influence de facto should be assessed by the yardstick of reasonably verifiable standards. In that regard, I admit that I am not convinced by the Commission’s position that it is for the referring court to establish that any instructions given by the religious community are perceived by its members as ‘morally sufficiently binding’.

71.

As to the question whether the data controller must necessarily have access to that data, I note once more that such a requirement is not included in the definition given by Directive 95/46. That is also the view of the ‘Article 29’ Working Party, according to which inability to fulfil directly all the obligations of a controller, such as right of access, does not exclude the possibility of being a controller. ( 66 ) It is even precisely for that type of situation that Directive 95/46 expressly provides that control may be exercised jointly. ( 67 ) I therefore fully concur here with the view expressed by Advocate General Bot that ‘any interpretation which focuses on the existence of complete control over all aspects of data processing is likely to result in serious lacunae in the protection of personal data’. ( 68 )

72.

I shall therefore conclude the analysis by stating that, in the context of the case in the main proceedings, any finding of control by the religious community in no way excludes a parallel finding of shared control by the members of that community, since ‘the assessment of this joint control should mirror the assessment of “single” control, by taking a substantive and functional approach and focusing on whether the purposes and the essential elements of the means are determined by more than one party. The participation of parties in the determination of purposes and means of processing in the context of joint control may take different forms and does not need to be equally shared.’ ( 69 ) However, it seems apparent from the facts as presented to the Court by the referring court that members of the religious community can have a practical effect on the means of processing (in targeting the persons who will be visited, deciding whether to take notes, choosing the medium for those notes, determining the extent of the data collected, etc.).

73.

In the light of the foregoing, I suggest that the Court reply that Article 2(d) of Directive 95/46 must be interpreted as meaning that a religious community arranging proselytising activity in the context of which personal data is collected may be regarded as a controller even though it does not itself have access to the personal data collected by its members. For the purposes of determining the ‘controller’ within the meaning of Directive 95/46, there need be no written instructions, but it must be established, if appropriate by means of a body of evidence, that the controller is in a position to exert influence de facto over the activity of collecting and processing the personal data, which it is for the referring court to verify.

IV. Conclusion

74.

Having regard to all the foregoing considerations, I propose that the Court answer the questions referred for a preliminary ruling by the Korkein hallinto-oikeus (Supreme Administrative Court, Finland) as follows:

(1)

Door-to-door proselytising such as that at issue in the main proceedings does not fall within the exemption provided for in the first and second indents of Article 3(2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

(2)

Article 3(1) of Directive 95/46, read in conjunction with Article 2(c) of that directive, must be interpreted as meaning that the set of personal data collected, otherwise than by automatic means, by members of a religious community, in the context of an activity such as that at issue in the main proceedings, on the basis of a specific geographical allocation and for the purposes of preparation for subsequent visits to people with whom a spiritual dialogue has been begun, is capable of constituting a filing system.

(3)

Article 2(d) of Directive 95/46 must be interpreted as meaning that a religious community arranging proselytising activity in connection with which personal data is collected may be regarded as a controller even though it does not itself have access to the personal data collected by its members. For the purposes of determining the ‘controller’ within the meaning of Directive 95/46, there need be no written instructions, but it must be established, if appropriate by means of a body of evidence, that the controller is in a position to exert influence de facto over the activity of collecting and processing the personal data, which it is for the referring court to ascertain.


( 1 ) Original language: French.

( 2 ) OJ 1995 L 281, p. 31.

( 3 ) The referring court refers here to two articles published in Our Kingdom Ministry magazine in November 2011 and June 2012.

( 4 ) The referring court cites, in that regard, the judgments of 6 November 2003, Lindqvist (C‑101/01, EU:C:2003:596), and of 20 May 2003, Österreichischer Rundfunk and Others (C‑465/00, C‑138/01 and C‑139/01, EU:C:2003:294).

( 5 ) OJ 2016 L 119, p. 1. According to that recital, the regulation is not to apply to the processing of personal data by a natural person ‘in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity’. I would point out from the outset that Regulation 2016/679 will be applicable, as provided for in Article 99 thereof, only from 25 May 2018, which is why my analysis will focus on Directive 95/46, as expressly referred to in the questions put to the Court.

( 6 ) The referring court refers here to the judgment of 13 May 2014, Google Spain and Google (C‑131/12, EU:C:2014:317).

( 7 ) Judgment of 16 July 1992 (C‑83/91, EU:C:1992:332).

( 8 ) See judgment of 16 July 1992, Meilicke (C‑83/91, EU:C:1992:332, paragraph 26).

( 9 ) Judgment of 16 July 1992 (C‑83/91, EU:C:1992:332).

( 10 ) See judgments of 18 June 1998, Corsica Ferries France (C‑266/96, EU:C:1998:306, paragraph 27); of 28 September 2006, Gasparini and Others (C‑467/04, EU:C:2006:610, paragraph 44); and of 20 October 2011, Interedil (C‑396/09, EU:C:2011:671, paragraph 23).

( 11 ) See, by contrary inference, judgment of 16 July 1992, Meilicke (C‑83/91, EU:C:1992:332, paragraph 33).

( 12 ) The referring court is, in fact, a supreme court whose powers to review the facts as established by the court of first instance could be limited.

( 13 ) In that regard, contrary to what is argued by the defendant in the main proceedings, the present case cannot be compared to that giving rise to the judgment in Benedetti (judgment of 3 February 1977 (52/76, EU:C:1977:16)), which was characterised by a serious want of precision and of detailed findings in relation to the facts (see judgment of 3 February 1977, Benedetti (52/76, EU:C:1977:16, paragraphs 10, 14, 16, 19 and 22)) that then prevented the Court from properly and effectively exercising its duties. Moreover, there is no doubt that the defendant in the main proceedings actually has the status of party in the case in the main proceedings and that it has been in a position to express itself, since it actually brought the matter before the court of first instance, which, as I have pointed out, upheld its action (by contrary inference, see judgment of 3 February 1977, Benedetti (52/76, EU:C:1977:16, paragraph 12)).

( 14 ) Emphasis added.

( 15 ) To support the argument that the first indent of Article 3(2) of Directive 95/46 excludes not only the activities referred to in Titles V and VI TEU but, more broadly, any activity which does not fall within the scope of EU law, the defendant in the main proceedings relies upon the wording of Article 2(2) of Regulation 2016/679. Nevertheless, it seems to me that the clarification contained in Article 2(2)(a) of Regulation 2016/679 is rather superfluous, since, in any event, no rule of EU law can apply outside the scope of EU law.

( 16 ) Judgment of 20 May 2003, Österreichischer Rundfunk and Others (C‑465/00, C‑138/01 and C‑139/01, EU:C:2003:294, paragraph 43).

( 17 ) Judgment of 16 December 2008, Satakunnan Markkinapörssi and Satamedia (C‑73/07, EU:C:2008:727, paragraph 46).

( 18 ) See judgments of 13 May 2014, Google Spain and Google (C‑131/12, EU:C:2014:317, paragraph 66 and case-law cited); of 11 December 2014, Ryneš (C‑212/13, EU:C:2014:2428, paragraph 27); and of 9 March 2017, Manni (C‑398/15, EU:C:2017:197, paragraph 37).

( 19 ) Judgment of 11 December 2014, Ryneš (C‑212/13, EU:C:2014:2428, paragraph 28). See also judgment of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650, paragraph 92).

( 20 ) Judgment of 6 November 2003, Lindqvist (C‑101/01, EU:C:2003:596, paragraph 43).

( 21 ) Judgment of 6 November 2003, Lindqvist (C‑101/01, EU:C:2003:596, paragraph 44).

( 22 ) Judgment of 6 November 2003, Lindqvist (C‑101/01, EU:C:2003:596, paragraph 45).

( 23 ) See Opinion of Advocate General Tizzano in Lindqvist (C‑101/01, EU:C:2002:513, points 36 et seq., and 44).

( 24 ) Judgment of 6 November 2003 (C‑101/01, EU:C:2003:596).

( 25 ) Judgment of 6 November 2003, Lindqvist (C‑101/01, EU:C:2003:596, paragraph 42).

( 26 ) According to the wording used by the Court in paragraph 43 of the judgment of 6 November 2003, Lindqvist (C‑101/01, EU:C:2003:596).

( 27 ) Judgment of 6 November 2003 (C‑101/01, EU:C:2003:596).

( 28 ) OJ 1997 C 340, p. 133.

( 29 ) See Article 8(2)(d) of Directive 95/46.

( 30 ) See Article 9(2)(d) of Regulation 2016/679 and Article 91 of that regulation, which expressly provides that religious associations are to be subject to the supervision of an independent authority with regard to compliance with data protection requirements.

( 31 ) I should like to point out here that religion does not, as a matter of principle and as such, fall outwith the scope of EU law, and that EU law acts, to cite only the following examples, both to protect the freedom of belief and religious expression of individuals at their place of work (see recent judgments of 14 March 2017, Bougnaoui and ADDH (C‑188/15, EU:C:2017:204), and of 14 March 2017, G4S Secure Solutions (C‑157/15, EU:C:2017:203)), and to make the activities of churches subject to the rules of competition law where those activities do not have a strictly religious purpose (see judgment of 27 June 2017, Congregación de Escuelas Pías Provincia Betania (C‑74/16, EU:C:2017:496, paragraph 43)).

( 32 ) Emphasis added.

( 33 ) See, judgment of 11 December 2014, Ryneš (C‑212/13, EU:C:2014:2428, paragraphs 31 and 33).

( 34 ) See point 29 of this Opinion.

( 35 ) See judgments of 6 November 2003, Lindqvist (C‑101/01, EU:C:2003:596, paragraph 46), and of 16 December 2008, Satakunnan Markkinapörssi and Satamedia (C‑73/07, EU:C:2008:727, paragraph 43).

( 36 ) Judgment of 6 November 2003, Lindqvist (C‑101/01, EU:C:2003:596, paragraph 47).

( 37 ) Judgment of 11 December 2014, Ryneš (C‑212/13, EU:C:2014:2428, paragraph 31).

( 38 ) Judgment of 6 November 2003, Lindqvist (C‑101/01, EU:C:2003:596, paragraph 47).

( 39 ) Judgment of 16 December 2008, Satakunnan Markkinapörssi and Satamedia (C‑73/07, EU:C:2008:727, paragraph 44).

( 40 ) Judgment of 11 December 2014, Ryneš (C‑212/13, EU:C:2014:2428, paragraph 33). I would like to point out here that I find particularly regrettable the confusion arising from recital 18 of Regulation 2016/679, according to which a personal or household activity is an activity ‘thus with no connection to a professional or commercial activity’, a recital which could suggest that, if an activity is neither a professional nor a commercial activity, it is necessarily a personal or household activity and therefore falls outside the scope of the regulation. Such a reading would clearly jeopardise the level of protection afforded by EU law in that it would exclude any voluntary activity, for example, from the scope of Regulation 2016/679.

( 41 ) See Article 8(1) of Directive 95/46.

( 42 ) I would point out that I fully concur with the position, put forward by the defendant in the main proceedings at the hearing before the Court, that members of the religious community engage in evangelical work voluntarily, in some circumstances in response to a divine injunction for which the religious community and congregations are not, as such, responsible, with the result that it is entirely possible for evangelical work to exist without the structure of a religious community. However, that is not what is at issue, since at present such a structure actually exists and it seeks to promote, encourage and organise evangelical work, according to the factual assessment carried out by the referring court.

Moreover, for the purpose of classifying the activity at issue in the main proceedings, some inspiration can be drawn from the Opinion of Advocate General Tizzano in Lindqvist (C‑101/01, EU:C:2002:513), which indicated that the activity of a catechist performed by the applicant in the main proceedings could not fall within the scope of the second indent of Article 3(2) of Directive 95/46, in particular on the grounds that that activity had a ‘strong social connotation’ in the parish community (see paragraph 34 that Opinion). I concur with his implicit idea that a religious community does not constitute an extension of the private or household setting of its members, notwithstanding the deeply intimate nature of any religious choice.

( 43 ) See judgments of 13 May 2014, Google Spain and Google (C‑131/12, EU:C:2014:317, paragraph 66 and case-law cited), and of 9 March 2017, Manni (C‑398/15, EU:C:2017:197, paragraph 37).

( 44 ) By analogy, see judgment of 16 December 2008, Satakunnan Markkinapörssi and Satamedia (C‑73/07, EU:C:2008:727, paragraph 53).

( 45 ) OJ 2007 C 303, p. 1.

( 46 ) See judgments of 11 December 2014, Ryneš, C‑212/13 (EU:C:2014:2428, paragraph 29), and of 9 March 2017, Manni (C‑398/15, EU:C:2017:197, paragraph 39). For the period prior to the Charter, see judgment of 20 May 2003, Österreichischer Rundfunk and Others (C‑465/00, C‑138/01 and C‑139/01, EU:C:2003:294, paragraph 68).

( 47 ) OJ 2007 C 303, p. 17.

( 48 ) ECtHR, 21 February 2008, Alexandridis v. Greece (CE:ECHR:2008:0221JUD001951606, § 32 and case-law cited).

( 49 ) See ECtHR, 25 May 1993, Kokkinakis v. Greece (CE:ECHR:1993:0525JUD001430788, § 31).

( 50 ) ‘First of all, a distinction has to be made between bearing Christian witness and improper proselytism. The former corresponds to true evangelism, which a report drawn up in 1956 under the auspices of the World Council of Churches describes as an essential mission and a responsibility of every Christian and every Church. The latter represents a corruption or deformation of it. It may, according to the same report, take the form of activities offering material or social advantages with a view to gaining new members for a Church or exerting improper pressure on people in distress or in need; it may even entail the use of violence or brainwashing; more generally, it is not compatible with respect for the freedom of thought, conscience and religion of others’ (ECtHR, 25 May 1993, Kokkinakis v. Greece (CE:ECHR:1993:0525JUD001430788, § 48)).

( 51 ) ‘The [ECtHR] emphasises at the outset that while religious freedom is primarily a matter of individual conscience, it also implies, inter alia, freedom to “manifest [one’s] religion”, including the right to try to convince one’s neighbour, for example through “teaching” … . Article 9 does not, however, protect every act motivated or inspired by a religion or belief. It does not, for example, protect improper proselytism, such as the offering of material or social advantage or the application of improper pressure with a view to gaining new members for a Church’ (ECtHR, 24 February 1998, Larissis and Others v. Greece (CE:ECHR:1998:0224JUD002337294, § 45)).

( 52 ) Regulation 2016/679 does not provide any clarification, since it reproduces, as they stand, Articles 2(c) and 3(1) of Directive 95/46 (see Articles 2(1) and 4(6)) of Regulation 2016/679).

( 53 ) Judgment of 20 May 2003, Österreichischer Rundfunk and Others (C‑465/00, C‑138/01 and C‑139/01, EU:C:2003:294, paragraph 43).

( 54 ) Which, in any event, does not exclude the existence of a filing system within the meaning of Directive 95/46.

( 55 ) See also paragraph 6 of the request for a preliminary ruling.

( 56 ) Judgment of 13 May 2014, Google Spain and Google (C‑131/12, EU:C:2014:317, paragraph 38).

( 57 ) See judgment of 13 May 2014, Google Spain and Google (C‑131/12, EU:C:2014:317, paragraph 34).

( 58 ) See Opinion of Advocate General Bot in Wirtschaftsakademie Schleswig-Holstein (C‑210/16, EU:C:2017:796, point 44).

( 59 ) As its name suggests, this is the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established on the basis of Article 29 of Directive 95/46, the opinions of which have a solely advisory status (see the second subparagraph of Article 29(1) of that directive).

( 60 ) Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’ adopted by the ‘Article 29’ Working Party on 16 February 2010 (00264/10/EN, WP 169, p. 1).

( 61 ) Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’ adopted by the ‘Article 29’ Working Party on 16 February 2010 (00264/10/EN, WP 169, p. 13).

( 62 ) It is apparent from the request for a preliminary ruling that the religious community keeps records indicating the number of community publications a member has disseminated and the amount of time he has spent preaching.

( 63 ) The Commission argued, at the hearing before the Court and without being contradicted by the defendant in the main proceedings, that participation in preaching is a requirement for being baptised.

( 64 ) Although it is for the referring court to rule on the relevant facts of the case, a quick search on the website of the religious community, available in several languages including Finnish, and in particular in the archives of its magazine, demonstrates that the religious community not only organises evangelical work by providing advice for that purpose but also encourages note taking during that activity: see, for example, on page 3 of the January 2014 issue of the magazine Our Kingdom Ministry, the paragraph entitled ‘Water Seeds of Truth’ (‘Make a record of the date of each visit, the literature that was left, and the subjects and scriptures that were discussed’) (available in English from the page https://www.jw.org/en/publications/kingdom-ministry/ and in Finnish from https://www.jw.org/fi/julkaisut/valtakunnan-palveluksemme/).

( 65 ) Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’ adopted by the ‘Article 29’ Working Party on 16 February 2010 (00264/10/EN, WP 169, p. 9). See, to the same effect, Opinion of Advocate General Bot in Wirtschaftsakademie Schleswig-Holstein (C‑210/16, EU:C:2017:796, point 46).

( 66 ) Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’ adopted by the ‘Article 29’ Working Party on 16 February 2010 (00264/10/EN, WP 169, p. 22).

( 67 ) See Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’ adopted by the ‘Article 29’ Working Party on 16 February 2010 (00264/10/EN, WP 169, p. 22).

( 68 ) Opinion of Advocate General Bot in Wirtschaftsakademie Schleswig-Holstein (C‑210/16, EU:C:2017:796, point 62).

( 69 ) Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’ adopted by the ‘Article 29’ Working Party on 16 February 2010 (00264/10/EN, WP 169, p. 32).

Top