What is the legislative basis for determining applicable law?
The provisions of art 4(1) of Directive 95/46/EC govern the application of a member state's legislation to the processing of personal data. Under art 4(1)(a) and 4(1)(c) it is the location of the data controller or the location of equipment used by the data controller which often determines applicable law.
Of significance to those questions is the issue of the data controller's 'establishment'. Recital 19 of Directive 95/46/EC provides some guidance in this regard, indicating that an 'establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements; whereas the legal form of such an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor in this respect'.
Is there any additional formal guidance as to applicable law?
Continuing uncertainty about the position under the legislation on applicable law in different scenarios led to an Article 29 Working Party opinion on the issue in 2010. While this guidance is not binding, it is strongly indicative of the approach likely to be taken by national regulators on the interpretation of the legislation.
Where do I start?
Before engaging with this question it is always worthwhile determining your own status. Are you a 'data controller' or a 'data processor' in all these Member States? The distinction can be subtle but it is very significant in determining whether data protection legislation applies to you. For an overview of the distinction see Practice Note: Data protection, data centres and cloud computing. Detailed guidance on the issue was given by the Article 29 Working Party Opinion 1/2010 on the concepts of "controller" and "processor".
Are we established for data protection purposes in more than one Member State?
Recital 19 (discussed above) suggests that courts and data protection authorities will look beyond the location of the legal form to the location where 'the effective and real exercise of activity through stable arrangements' occurs. In assessing 'establishment' care should be taken in relation to the term 'equipment' under art 4(1)(c) of Directive 95/46/EC. In Article 29 Working Party Opinion 8/2010 on applicable law a broad interpretation of the term 'equipment' is suggested because in other European Union languages the term is used in a wider sense of 'means'—both notions are used in the guidance.
We have establishments in a number of Member States. Which law applies?
Art 4(1)(a) of Directive 95/46/EC provides that a Member State shall apply its national data protection law where '...the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable'.
So, the notion of 'context of activities' requires analysis in each location. Article 29 Working Party Opinion 8/2010 on applicable law suggests giving consideration to three factors in the course of this analysis: