Art. 29 WG over toepasselijk recht
Artikel 29 Werkgroep, WP 179, Opinie 8/2010 inzake toepasselijk recht. De praktijk worstelt met de vraag welk recht van toepassing is op verwerking van persoonsgegevens in internationale context. De Werkgroep heeft de volgende mening (p. 2):
"With regard to Article 4(1)a, the reference to "an" establishment means that the applicability of a Member State's law will be triggered by the location of an establishment of the controller in that Member State, and other Member States’ laws could be triggered by the location of other establishments of that controller in those Member States. To trigger the application of the national law, the notion of the "context of activities" of the establishment is decisive. It implies that the establishment of the controller is involved in activities implying the processing of personal data, taking into consideration its degree of involvement in the processing activities, the nature of the activities and the need to guarantee effective data protection."
Dit kan als volgt uitwerken (p. 13):
"In the third scenario, the controller is established in Austria and outsources the processing to a processor in Germany. The processing in Germany is in the context of the activities of the controller in Austria. That is to say, the processing is carried out for the business purposes of, and on instructions from the Austrian establishment. Austrian law will be applicable to the processing carried out by the processor in Germany. In addition, the processor will be subject to the requirements of German law in relation to the security measures it is obliged to put in place in connection with the processing. Such arrangements would require coordinated supervision by the German and Austrian DPAs."
Tot slot doet de Artikel 29 Werkgroep de suggestie om de wetgeving als volgt aan te passen (p. 31):
"[...] The Working Party considers that Article 4(1)a as it stands now leads to a workable but sometimes complex solution, which seems to argue in favour of a more centralised and harmonised approach.
c. The change envisaged in order to simplify the rules for determining applicable law would consist of a shift back to the country of origin principle: all establishments of a controller within the EU would then apply the same law regardless of the territory in which they are located. In this perspective, the location of the main establishment of the controller would be the first criterion to be applied. The fact that several establishments exist within the EU would not trigger a distributed application of national laws."
Voor een interessante discussie over toepasselijk recht tussen Lokke Moerel en het Cbp, zie Computerrecht 2008, 61, 168 en 169.
Update 10/1/2010: Zie ook dit interessante artikel van Lokke Moerel d.d. 23 december 2010 (pdf of link), met de makkelijke titel: "The long arm of EU data protection law: Does the Data Protection Directive apply to processing of personal data of EU citizens by websites worldwide?", International Data Privacy Law, 2011.