FAQ: Which national data protection laws apply?

What is the legislative basis for determining applicable law?

The provisions of art 4(1) of Directive 95/46/EC govern the application of a member state's legislation to the processing of personal data. Under art 4(1)(a) and 4(1)(c) it is the location of the data controller or the location of equipment used by the data controller which often determines applicable law.

Of significance to those questions is the issue of the data controller's 'establishment'. Recital 19 of Directive 95/46/EC provides some guidance in this regard, indicating that an 'establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements; whereas the legal form of such an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor in this respect'.

Is there any additional formal guidance as to applicable law?

Continuing uncertainty about how the legislation on applicable law operates in different scenarios led to an Article 29 Working Party opinion on the issue in 2010. While this guidance is not binding, it is strongly indicative of the approach national regulators are likely to take when interpreting the legislation.

Where do I start?

Before engaging with this question it is always worthwhile determining your own status. Are you a 'data controller' or a 'data processor' in all these Member States? The distinction can be subtle but it is very significant in determining whether data protection legislation applies to you. For an overview of the distinction see Practice Note: Data protection, data centres and cloud computing. Detailed guidance on the issue was given by the Article 29 Working Party Opinion 1/2010 on the concepts of "controller" and "processor".

Are we established for data protection purposes in more than one Member State?

Recital 19 (discussed above) suggests that courts and data protection authorities will look beyond the location of the legal form to the location where 'the effective and real exercise of activity through stable arrangements' occurs. In assessing 'establishment' care should be taken in relation to the term 'equipment' under art 4(1)(c) of Directive 95/46/EC. In Article 29 Working Party Opinion 8/2010 on applicable law a broad interpretation of the term 'equipment' is suggested because in other European Union languages the term is used in a wider sense of 'means'—both notions are used in the guidance.

We have establishments in a number of Member States. Which law applies?

Art 4(1)(a) of Directive 95/46/EC provides that a Member State shall apply its national data protection law where '...the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable'.

So, the notion of 'context of activities' requires analysis in each location. Article 29 Working Party Opinion 8/2010 on applicable law suggests giving consideration to three factors in the course of this analysis:

  • the degree of involvement of the establishment in the activities in the context of which personal data are processed
  • the nature of the activities of the establishments, and
  • the overall objective of the Directive in guaranteeing an effective protection to individuals, in a simple, workable and predictable way

 
