Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV

EUR-Lex - 62017CJ0040 - EN - EUR-Lex × Skip to main content Log in My EUR-Lex My EUR-Lex Sign in Register My recent searches (0) English English Select your language Official EU languages: bg български es Español cs Čeština da Dansk de Deutsch et Eesti keel el Ελληνικά en English fr Français ga Gaeilge hr Hrvatski it Italiano lv Latviešu valoda lt Lietuvių kalba hu Magyar mt Malti nl Nederlands pl Polski pt Português ro Română sk Slovenčina sl Slovenščina fi Suomi sv Svenska EUR-Lex Access to European Union law <a href="https://eur-lex.europa.eu/content/help/eurlex-content/experimental-features.html" target="_blank">More about the experimental features corner</a> Experimental features × Choose the experimental features you want to try Do you want to help improving EUR-Lex ? This is a list of experimental features that you can enable. These features are still under development; they are not fully tested, and might reduce EUR-Lex stability. Don't forget to give your feedback! Warning! Experimental feature conflicts detected. Replacement of CELEX identifiers by short titles - experimental feature. It replaces clickable CELEX identifiers of treaties and case-law by short titles. Visualisation of document relationships. It displays a dynamic graph with relations between the act and related documents. It is currently only available for legal acts. Deep linking. It enables links to other legal acts referred to within the documents. It is currently only available for documents smaller than 900 KB. Apply EUR-Lex Access to European Union law This document is an excerpt from the EUR-Lex website You are here EUROPA EUR-Lex home EUR-Lex - 62017CJ0040 - EN Help Print Menu EU law Treaties Treaties currently in force Founding Treaties Accession Treaties Other treaties and protocols Chronological overview Legal acts Consolidated texts International agreements Preparatory documents EFTA documents Lawmaking procedures Summaries of EU legislation Browse by EU institutions European Parliament European Council Council of the European Union European Commission Court of Justice of the European Union European Central Bank European Court of Auditors European Economic and Social Committee European Committee of the Regions Browse by EuroVoc EU case-law Case-law Reports of cases Directory of case-law Official Journal Access to the Official Journal Official Journal L series daily view Official Journal C series daily view Browse the Official Journal Legally binding printed editions Special edition National law and case-law National transposition National case-law JURE case-law Information Themes in focus EUR-Lex developments Statistics ELI register What is ELI ELI background Why implement ELI Countries implementing ELI Testimonials Implementing ELI Glossary EU budget online Quick search Use quotation marks to search for an "exact phrase". Append an asterisk ( * ) to a search term to find variations of it (transp * , 32019R * ). Use a question mark ( ? ) instead of a single character in your search term to find variations of it (ca ? e finds case, cane, care). Search tips Need more search options? Use the Advanced search Document 62017CJ0040 Help Print Text Document information Summary / Keywords Case file Permanent link Download notice Save to My items Create an email alert Create an RSS alert ​ Judgment of the Court (Second Chamber) of 29 July 2019.#Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV.#Request for a preliminary ruling from the Oberlandesgericht Düsseldorf.#Reference for a preliminary ruling — Protection of individuals with regard to the processing of personal data — Directive 95/46/EC — Article 2(d) — Notion of ‘controller’ — Operator of a website who has embedded on that website a social plugin that allows the personal data of a visitor to that website to be transferred to the provider of that plugin — Article 7(f) — Lawfulness of data processing — Taking into account of the interest of the operator of the website or of that of the provider of the social plugin — Article 2(h) and Article 7(a) — Consent of the data subject — Article 10 — Informing the data subject — National legislation allowing consumer-protection associations to bring or defend legal proceedings.#Case C-40/17. Judgment of the Court (Second Chamber) of 29 July 2019. Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV. Request for a preliminary ruling from the Oberlandesgericht Düsseldorf. Reference for a preliminary ruling — Protection of individuals with regard to the processing of personal data — Directive 95/46/EC — Article 2(d) — Notion of ‘controller’ — Operator of a website who has embedded on that website a social plugin that allows the personal data of a visitor to that website to be transferred to the provider of that plugin — Article 7(f) — Lawfulness of data processing — Taking into account of the interest of the operator of the website or of that of the provider of the social plugin — Article 2(h) and Article 7(a) — Consent of the data subject — Article 10 — Informing the data subject — National legislation allowing consumer-protection associations to bring or defend legal proceedings. Case C-40/17. Judgment of the Court (Second Chamber) of 29 July 2019. Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV. Request for a preliminary ruling from the Oberlandesgericht Düsseldorf. Reference for a preliminary ruling — Protection of individuals with regard to the processing of personal data — Directive 95/46/EC — Article 2(d) — Notion of ‘controller’ — Operator of a website who has embedded on that website a social plugin that allows the personal data of a visitor to that website to be transferred to the provider of that plugin — Article 7(f) — Lawfulness of data processing — Taking into account of the interest of the operator of the website or of that of the provider of the social plugin — Article 2(h) and Article 7(a) — Consent of the data subject — Article 10 — Informing the data subject — National legislation allowing consumer-protection associations to bring or defend legal proceedings. Case C-40/17. Court reports – general – 'Information on unpublished decisions' section ECLI identifier: ECLI:EU:C:2019:629 Expand all Collapse all Languages and formats available Language of the case Language BG ES CS DA DE ET EL EN FR GA HR IT LV LT HU MT NL PL PT RO SK SL FI SV HTML EN Toggle Dropdown BG ES CS DA DE ET EL EN FR GA HR IT LV LT HU MT NL PL PT RO SK SL FI SV PDF EN Toggle Dropdown BG ES CS DA DE ET EL EN FR GA HR IT LV LT HU MT NL PL PT RO SK SL FI SV Document published in the digital reports of cases. They have official status. Multilingual display Language 1 English (en) Bulgarian (bg) Spanish (es) Czech (cs) Danish (da) German (de) Estonian (et) Greek (el) English (en) French (fr) Croatian (hr) Italian (it) Latvian (lv) Lithuanian (lt) Hungarian (hu) Maltese (mt) Dutch (nl) Polish (pl) Portuguese (pt) Romanian (ro) Slovak (sk) Slovenian (sl) Finnish (fi) Swedish (sv) Language 2 Please choose Bulgarian (bg) Spanish (es) Czech (cs) Danish (da) German (de) Estonian (et) Greek (el) English (en) French (fr) Croatian (hr) Italian (it) Latvian (lv) Lithuanian (lt) Hungarian (hu) Maltese (mt) Dutch (nl) Polish (pl) Portuguese (pt) Romanian (ro) Slovak (sk) Slovenian (sl) Finnish (fi) Swedish (sv) Language 3 Please choose Bulgarian (bg) Spanish (es) Czech (cs) Danish (da) German (de) Estonian (et) Greek (el) English (en) French (fr) Croatian (hr) Italian (it) Latvian (lv) Lithuanian (lt) Hungarian (hu) Maltese (mt) Dutch (nl) Polish (pl) Portuguese (pt) Romanian (ro) Slovak (sk) Slovenian (sl) Finnish (fi) Swedish (sv) Display Text JUDGMENT OF THE COURT (Second Chamber) 29 July 2019 ( *1 ) (Reference for a preliminary ruling — Protection of individuals with regard to the processing of personal data — Directive 95/46/EC — Article 2(d) — Notion of ‘controller’ — Operator of a website who has embedded on that website a social plugin that allows the personal data of a visitor to that website to be transferred to the provider of that plugin — Article 7(f) — Lawfulness of data processing — Taking into account of the interest of the operator of the website or of that of the provider of the social plugin — Article 2(h) and Article 7(a) — Consent of the data subject — Article 10 — Informing the data subject — National legislation allowing consumer-protection associations to bring or defend legal proceedings) In Case C‑40/17, REQUEST for a preliminary ruling under Article 267 TFEU from the Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf, Germany), made by decision of 19 January 2017, received at the Court on 26 January 2017, in the proceedings Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV, interveners: Facebook Ireland Ltd, Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, THE COURT (Second Chamber), composed of K. Lenaerts, President of the Court, acting as President of the Second Chamber, A. Prechal, C. Toader, A. Rosas (Rapporteur) and M. Ilešič, Judges, Advocate General: M. Bobek, Registrar: D. Dittert, Head of Unit, having regard to the written procedure and further to the hearing on 6 September 2018, after considering the observations submitted on behalf of: – Fashion ID GmbH & Co. KG, by C.-M. Althaus and J. Nebel, Rechtsanwälte, – Verbraucherzentrale NRW eV, by K. Kruse, C. Rempe and S. Meyer, Rechtsanwälte, – Facebook Ireland Ltd, by H.-G. Kamann, C. Schwedler and M. Braun, Rechtsanwälte, and by I. Perego, avvocatessa, – Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, by U. Merger, acting as Agent, – the German Government, initially by T. Henze and J. Möller, and subsequently by J. Möller, acting as Agents, – the Belgian Government, by P. Cottin and L. Van den Broeck, acting as Agents, – the Italian Government, by G. Palmieri, acting as Agent, and P. Gentili, avvocato dello Stato, – the Austrian Government, initially by C. Pesendorfer, and subsequently by G. Kunnert, acting as Agents, – the Polish Government, by B. Majczyna, acting as Agent, – the European Commission, by H. Krämer and H. Kranenborg, acting as Agents, after hearing the Opinion of the Advocate General at the sitting on 19 December 2018, gives the following Judgment 1 This request for a preliminary ruling concerns the interpretation of Articles 2, 7, 10 and 22 to 24 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ( OJ 1995 L 281, p. 31 ). 2 The request has been made in proceedings between Fashion ID GmbH & Co. KG and Verbraucherzentrale NRW eV concerning Fashion ID’s embedding of a social plugin provided by Facebook Ireland Ltd on the website of Fashion ID. Legal context European Union law 3 With effect from 25 May 2018, Directive 95/46 was repealed and replaced by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ( OJ 2016 L 119, p. 1 ). However, in the light of the date of the facts in the dispute in the main proceedings, it is Directive 95/46 that is applicable to that dispute. 4 Recital 10 of Directive 95/46 states: ‘Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognised both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms[, signed in Rome on 4 November 1950,] and in the general principles of [EU] law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the [European Union]’. 5 Article 1 of Directive 95/46 provides: ‘1. In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data. 2. Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1.’ 6 Article 2 of that directive provides: ‘For the purposes of this Directive: (a) “personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; (b) “processing of personal data” (“processing”) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction; … (d) “controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or [EU] laws or regulations, the controller or the specific criteria for his nomination may be designated by national or [EU] law; … (f) “third party” shall mean any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the data; (g) “recipient” shall mean a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients; (h) “the data subject’s consent” shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.’ 7 Article 7 of that directive states: ‘Member States shall provide that personal data may be processed only if: (a) the data subject has unambiguously given his consent; or … (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection under Article 1(1).’ 8 Article 10 of Directive 95/46, headed ‘Information in cases of collection of data from the data subject’, provides: ‘Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it: (a) the identity of the controller and of his representative, if any; (b) the purposes of the processing for which the data are intended; (c) any further information such as – the recipients or categories of recipients of the data, – whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply, – the existence of the right of access to and the right to rectify the data concerning him in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.’ 9 Article 22 of Directive 95/46 is worded as follows: ‘Without prejudice to any administrative remedy for which provision may be made, inter alia before the supervisory authority referred to in Article 28, prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question.’ 10 Article 23 of that directive states: ‘1. Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered. 2. The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage.’ 11 Article 24 of that directive provides: ‘The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.’ 12 Article 28 of Directive 95/46 states: ‘1. Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive. These authorities shall act with complete independence in exercising the functions entrusted to them. … 3. Each authority shall in particular be endowed with: … – the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities. … 4. Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim. …’ 13 Article 5(3) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) ( OJ 2002 L 201, p. 37 ), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 ( OJ 2009 L 337, p. 11 ), (‘Directive 2002/58’) provides: ‘Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive [95/46], inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’ 14 Article 1(1) of Directive 2009/22/EC of the European Parliament and of the Council of 23 April 2009 on injunctions for the protection of consumers’ interests ( OJ 2009 L 110, p. 30 ), as amended by Regulation (EU) No 524/2013 of the European Parliament and of the Council of 21 May 2013 ( OJ 2013 L 165, p. 1 ), (‘Directive 2009/22’) provides: ‘The purpose of this Directive is to approximate the laws, regulations and administrative provisions of the Member States relating to actions for an injunction referred to in Article 2 aimed at the protection of the collective interests of consumers included in the Union acts listed in Annex I, with a view to ensuring the smooth functioning of the internal market.’ 15 Article 2 of that directive provides: ‘1. Member States shall designate the courts or administrative authorities competent to rule on proceedings commenced by qualified entities within the meaning of Article 3 seeking: (a) an order with all due expediency, where appropriate by way of summary procedure, requiring the cessation or prohibition of any infringement; …’ 16 Article 7 of that directive states: ‘This Directive shall not prevent Member States from adopting or maintaining in force provisions designed to grant qualified entities and any other person concerned more extensive rights to bring action at national level.’ 17 Article 80 of Regulation 2016/679 reads as follows: ‘1. The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law. 2. Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.’ German law 18 Paragraph 3(1) of the version of the Gesetz gegen den unlauteren Wettbewerb (Law against unfair competition) applicable to the dispute in the main proceedings (‘the UWG’) provides: ‘Unfair commercial practices shall be prohibited.’ 19 Paragraph 3a of the UWG is worded as follows: ‘A person shall be regarded as acting unfairly where he infringes a statutory provision that is also intended to regulate market behaviour in the interests of market participants and the infringement is liable to have a significantly adverse effect on the interests of consumers, other market participants or competitors.’ 20 Paragraph 8 of the UWG provides: ‘(1) Any commercial practice which is unlawful under Paragraph 3 or Paragraph 7 may give rise to an order to cease and desist and, where there is a risk of recurrence, to a prohibition order. An application for a prohibition order may be made as from the time at which there is a risk of such unlawful practice within the meaning of Paragraph 3 or Paragraph 7 occurring. … (3) Applications for the orders referred to in subparagraph (1) may be lodged by: … 3. qualified entities which prove that they are registered on the list of qualified entities pursuant to Paragraph 4 of the Unterlassungsklagegesetz [(Law on injunctions)] or on the list of the European Commission pursuant to Article 4(3) of Directive [2009/22]; …’ 21 Paragraph 2 of the Law on injunctions provides: ‘(1) Any person who infringes the provisions in place to protect consumers (consumer-protection laws), other than in the application or recommendation of general conditions of sale, may have an order to cease and desist and a prohibition order imposed on him in the interests of consumer protection. … (2) For the purposes of this provision, “consumer-protection laws” shall mean, in particular: … 11. the provisions that regulate the lawfulness (a) of the collection of a consumer’s personal data by a trader, or (b) of the processing or use of personal data collected about a consumer by a trader if the data are collected, processed or used for the purposes of publicity, market and opinion research, operation of a credit agency, preparation of personality and usage profiles, address trading, other data trading or comparable commercial purposes.’ 22 Paragraph 12(1) of the Telemediengesetz (Law on telemedia) (‘the TMG’) is worded as follows: ‘A service provider may collect and use personal data to make telemedia available only in so far as this Law or another legislative provision expressly relating to telemedia so permits or the user has consented to it.’ 23 Paragraph 13(1) of the TMG states: ‘At the beginning of the use operation the service provider shall inform the user, in a generally understandable way, regarding the nature, extent and purpose of the collection and use of personal data and the processing of his data in States outside the scope of application of Directive [95/46] unless the user has already been informed thereof. In the case of an automated process allowing subsequent identification of the user and which prepares the collection or use of personal data, the user shall be informed at the beginning of this process. The content of the information conveyed to the user must be retrievable for the user at any time.’ 24 Paragraph 15(1) of the TMG provides: ‘A service provider may collect and use the personal data of a user only to the extent necessary in order to facilitate, and charge for, the use of telemedia (data concerning use). Data concerning use include, in particular: 1. features allowing identification of the user, 2. information about the beginning, end and extent of the particular use, and 3. information about the telemedia used by the user.’ The dispute in the main proceedings and the questions referred for a preliminary ruling 25 Fashion ID, an online clothing retailer, embedded on its website the ‘Like’ social plugin from the social network Facebook (‘the Facebook “Like” button’). 26 It is apparent from the order for reference that one feature of the internet is that, when a website is visited, the browser allows content from different sources to be displayed. Thus, for example, photos, videos, news and the Facebook ‘Like’ button at issue in the present case can be linked to a website and appear there. If a website operator intends to embed such third-party content, he places a link to the external content on that website. When the browser of a visitor to that website encounters such a link, it requests the content from the third-party provider and adds it to the appearance of the website at the desired place. For this to occur, the browser transmits to the server of the third-party provider the IP address of that visitor’s computer, as well as the browser’s technical data, so that the server can establish the format in which the content is to be delivered to that address. In addition, the browser transmits information relating to the desired content. The operator of a website embedding third-party content onto that website cannot control what data the browser transmits or what the third-party provider does with those data, in particular whether it decides to save and use them. 27 With regard, in particular, to the Facebook ‘Like’ button, it seems to be apparent from the order for reference that, when a visitor consults the website of Fashion ID, that visitor’s personal data are transmitted to Facebook Ireland as a result of that website including that button. It seems that that transmission occurs without that visitor being aware of it regardless of whether or not he or she is a member of the social network Facebook or has clicked on the Facebook ‘Like’ button. 28 Verbraucherzentrale NRW, a public-service association tasked with safeguarding the interests of consumers, criticises Fashion ID for transmitting to Facebook Ireland personal data belonging to visitors to its website, first, without their consent and, second, in breach of the duties to inform set out in the provisions relating to the protection of personal data. 29 Verbraucherzentrale NRW brought legal proceedings for an injunction before the Landgericht Düsseldorf (Regional Court, Düsseldorf, Germany) against Fashion ID to force it to stop that practice. 30 By decision of 9 March 2016, the Landgericht Düsseldorf (Regional Court, Düsseldorf) upheld in part the requests made by Verbraucherzentrale NRW, after having found that it has standing to bring proceedings under Paragraph 8(3)(3) of the UWG. 31 Fashion ID brought an appeal against that decision before the referring court, the Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf, Germany). Facebook Ireland intervened in that appeal in support of Fashion ID. Verbraucherzentrale NRW brought a cross-appeal seeking an extension of the ruling made against Fashion ID at first instance. 32 Fashion ID argues before the referring court that the decision of the Landgericht Düsseldorf (Regional Court, Düsseldorf) is incompatible with Directive 95/46. 33 First, Fashion ID claims that Articles 22 to 24 of that directive envisage granting legal remedies only to data subjects whose personal data are processed and the competent supervising authorities. Consequently, it argues, the action brought by Verbraucherzentrale NRW is inadmissible due to the fact that that association does not have standing to bring or defend legal proceedings under Directive 95/46. 34 Second, Fashion ID asserts that the Landgericht Düsseldorf (Regional Court, Düsseldorf) erred in finding that it was a controller, within the meaning of Article 2(d) of Directive 95/46, since it has no influence either over the data transmitted by the visitor’s browser from its website or over whether and, where applicable, how Facebook Ireland uses those data. 35 In the first place, the referring court has doubts whether Directive 95/46 gives public-service associations the right to bring or defend legal proceedings in order to defend the interests of persons who have suffered harm. It takes the view that Article 24 of that directive does not preclude associations from being a party to legal proceedings, since, pursuant to that article, Member States are required to adopt ‘suitable measures’ to ensure the full implementation of that directive. Thus, the referring court concludes that national legislation allowing associations to bring legal proceedings in the interest of consumers may constitute such a ‘suitable measure’. 36 That court notes, in this regard, that Article 80(2) of Regulation 2016/679, which repealed and replaced Directive 95/46, expressly authorises the bringing of legal proceedings by such an association, which would tend to confirm that the latter directive did not preclude such an action. 37 Further, that court is uncertain whether the operator of a website, such as Fashion ID, that embeds on that website a social plugin allowing personal data to be collected can be considered to be a controller within the meaning of Article 2(d) of Directive 95/46 despite the latter having no control over the processing of the data transmitted to the provider of that plugin. In this context, the referring court refers to the case that gave rise to the judgment of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein ( C‑210/16 , EU:C:2018:388 ), which dealt with a similar question. 38 In the alternative, in the event that Fashion ID is not to be considered to be a controller, the referring court is uncertain whether that directive exhaustively regulates that notion, such that it precludes national legislation that establishes civil liability for a third party who infringes data protection rights. The referring court asserts that it would be possible to envisage Fashion ID being liable on this basis under national law as a ‘disrupter’ (‘ Störer ’). 39 If Fashion ID had to be considered to be a controller or was at least liable as a ‘disrupter’ for any data protection infringements by Facebook Ireland, the referring court is uncertain whether the processing of the personal data at issue in the main proceedings is lawful and whether the duty to inform the data subject under Article 10 of Directive 95/46 rests with Fashion ID or with Facebook Ireland. 40 Thus, first, with regard to the conditions for the lawfulness of the processing of data as provided for in Article 7(f) of Directive 95/46, the referring court expresses uncertainty as to whether, in a situation such as that at issue in the main proceedings, it is appropriate to take into account the legitimate interest of the operator of the website or that of the provider of the social plugin. 41 Second, that court is unsure who is required to obtain the consent of and inform the data subjects whose personal data are processed in a situation such as that at issue in the main proceedings. The referring court takes the view that the matter of who is obliged to inform the persons concerned, as provided for in Article 10 of Directive 95/46, is particularly important given that any embedding of third-party content on a website gives rise, in principle, to the processing of personal data, the scope and purpose of which are, however, unknown to the person embedding that content, namely the operator of the website concerned. That operator could not, therefore, provide the information required, to the extent that it is required to, meaning that the imposition of an obligation on the operator to inform the data subjects would, in practice, amount to a prohibition on the embedding of third-party content. 42 In those circumstances, the Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling: ‘(1) Do the rules in Articles 22, 23 and 24 of Directive [95/46] preclude national legislation which, in addition to the powers of intervention conferred on the data-protection authorities and the remedies available to the data subject, grants public-service associations the power to take action against the infringer in the event of an infringement in order to safeguard the interests of consumers? If Question 1 is answered in the negative: (2) In a case such as the present one, in which someone has embedded a programming code in his website which causes the user’s browser to request content from a third party and, to this end, transmits personal data to the third party, is the person embedding the content the “controller” within the meaning of Article 2(d) of Directive [95/46] if that person is himself unable to influence this data-processing operation? (3) If Question 2 is answered in the negative: Is Article 2(d) of Directive [95/46] to be interpreted as meaning that it definitively regulates liability and responsibility in such a way that it precludes civil claims against a third party who, although not a “controller”, nonetheless creates the cause for the processing operation, without influencing it? (4) Whose “legitimate interests”, in a situation such as the present one, are the decisive ones in the balancing of interests to be undertaken pursuant to Article 7(f) of Directive [95/46]? Is it the interests in embedding third-party content or the interests of the third party? (5) To whom must the consent to be declared under Articles 7(a) and 2(h) of Directive [95/46] be given in a situation such as that in the present case? (6) Does the duty to inform under Article 10 of Directive [95/46] also apply in a situation such as that in the present case to the operator of the website who has embedded the content of a third party and thus creates the cause for the processing of personal data by the third party?’ Consideration of the questions referred The first question 43 By its first question the referring court asks, in essence, whether Articles 22 to 24 of Directive 95/46 must be interpreted as precluding national legislation which allows consumer-protection associations to bring or defend legal proceedings against a person allegedly responsible for an infringement of the laws protecting personal data. 44 As a preliminary point, it should be noted that, under Article 22 of Directive 95/46, Member States are required to provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question. 45 The third indent of Article 28(3) of Directive 95/46 states that a supervisory authority that is responsible under Article 28(1) of that directive for monitoring the application within the territory of a Member State of the provisions adopted by that Member State pursuant to that directive is endowed with, inter alia, the power to engage in legal proceedings where the national provisions adopted pursuant to that directive have been violated or to bring those violations to the attention of the judicial authorities. 46 Article 28(4) of Directive 95/46 provides that a supervisory authority is to hear claims lodged by an association representing a data subject, within the meaning of Article 2(a) of that directive, concerning the protection of his rights and freedoms in regard to the processing of personal data. 47 However, no provision of that directive obliges Member States to provide, or expressly empowers them to provide, in their national law that an association can represent a data subject in legal proceedings or commence legal proceedings on its own initiative against the person allegedly responsible for an infringement of the laws protecting personal data. 48 Nevertheless, it does not follow from the above that Directive 95/46 precludes national legislation allowing consumer-protection associations to bring or defend legal proceedings against the person allegedly responsible for such an infringement. 49 Under the third paragraph of Article 288 TFEU, the Member States are required, when transposing a directive, to ensure that it is fully effective, but they retain a broad discretion as to the choice of ways and means of ensuring that it is implemented. That freedom of choice does not affect the obligation imposed on all Member States to which the directive is addressed to adopt all the measures necessary to ensure that the directive concerned is fully effective in accordance with the objective which it seeks to attain (judgments of 6 October 2010, Base and Others, C‑389/08 , EU:C:2010:584 , paragraphs 24 and 25 , and of 22 February 2018, Porras Guisado, C‑103/16 , EU:C:2018:99 , paragraph 57 ). 50 In this regard, it must be noted that one of the underlying objectives of Directive 95/46 is to ensure effective and complete protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data (see, to that effect, judgments of 13 May 2014, Google Spain and Google, C‑131/12 , EU:C:2014:317 , paragraph 53 , and of 27 September 2017, Puškár, C‑73/16 , EU:C:2017:725 , paragraph 38 ). Recital 10 of Directive 95/46 adds that the approximation of the national laws applicable in this area must not result in any lessening of the protection which they afford but must, on the contrary, seek to ensure a high level of protection in the European Union (judgments of 6 November 2003, Lindqvist, C‑101/01 , EU:C:2003:596 , paragraph 95 , of 16 December 2008, Huber, C‑524/06 , EU:C:2008:724 , paragraph 50 , and of 24 November 2011, Asociación Nacional de Establecimientos Financieros de Crédito, C‑468/10 and C‑469/10 , EU:C:2011:777 , paragraph 28 ). 51 The fact that a Member State provides in its national legislation that it is possible for a consumer-protection association to commence legal proceedings against a person who is allegedly responsible for an infringement of the laws protecting personal data in no way undermines the objectives of that protection and, in fact, contributes to the realisation of those objectives. 52 Nevertheless, Fashion ID and Facebook Ireland submit that, since Directive 95/46 fully harmonised national provisions on data protection, any legal proceedings not expressly provided for by that directive are precluded. They argue that Articles 22, 23 and 28 of Directive 95/46 provide for legal proceedings brought only by data subjects and data protection supervisory authorities. 53 That argument, however, cannot be accepted. 54 Directive 95/46 does indeed amount to a harmonisation of national legislation on the protection of personal data that is generally complete (see, to that effect, judgments of 24 November 2011, Asociación Nacional de Establecimientos Financieros de Crédito, C‑468/10 and C‑469/10 , EU:C:2011:777 , paragraph 29 , and of 7 November 2013, IPI, C‑473/12 , EU:C:2013:715 , paragraph 31 ). 55 The Court has thus held that Article 7 of that directive sets out an exhaustive and restrictive list of cases in which the processing of personal data can be regarded as being lawful and that Member States cannot add new principles relating to the lawfulness of the processing of personal data to that article or impose additional requirements that have the effect of amending the scope of one of the six principles provided for in that article (judgments of 24 November 2011, Asociación Nacional de Establecimientos Financieros de Crédito, C‑468/10 and C‑469/10 , EU:C:2011:777 , paragraphs 30 and 32 , and of 19 October 2016, Breyer, C‑582/14 , EU:C:2016:779 , paragraph 57 ). 56 The Court has, however, also held that Directive 95/46 lays down rules that are relatively general since it has to be applied to a large number of very different situations. Those rules have a degree of flexibility and, in many instances, leave to the Member States the task of deciding the details or choosing between options, meaning that, in many respects, Member States have a margin of discretion in implementing that directive (see, to that effect, judgments of 6 November 2003, Lindqvist, C‑101/01 , EU:C:2003:596 , paragraphs 83 , 84 and 97 , and of 24 November 2011, Asociación Nacional de Establecimientos Financieros de Crédito, C‑468/10 and C‑469/10 , EU:C:2011:777 , paragraph 35 ). 57 This is also the case for Articles 22 to 24 of Directive 95/46, which, as the Advocate General noted in point 42 of his Opinion, are worded in general terms and do not amount to an exhaustive harmonisation of the national provisions stipulating the judicial remedies that can be brought against a person allegedly responsible for an infringement of the laws protecting personal data (see, by analogy, judgment of 26 October 2017, I, C‑195/16 , EU:C:2017:815 , paragraphs 57 and 58 ). 58 In particular, although Article 22 of that directive requires Member States to provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the personal data processing in question, that directive does not, however, contain any provisions specifically governing the conditions under which that remedy may be exercised (see, to that effect, judgment of 27 September 2017, Puškár, C‑73/16 , EU:C:2017:725 , paragraphs 54 and 55 ). 59 In addition, Article 24 of Directive 95/46 provides that Member States are to adopt ‘suitable measures’ to ensure the full implementation of the provisions of that directive, without defining such measures. It seems that a provision making it possible for a consumer-protection association to commence legal proceedings against a person who is allegedly responsible for an infringement of the laws protecting personal data may constitute a suitable measure, within the meaning of that provision, that contributes, as observed in paragraph 51 above, to the realisation of the objectives of that directive, in accordance with the Court’s case-law (see, to that effect, judgment of 6 November 2003, Lindqvist, C‑101/01 , EU:C:2003:596 , paragraph 97 ). 60 Moreover, contrary to what is claimed by Fashion ID, the fact that a Member State can provide for such a possibility in its national legislation does not appear to be such as to undermine the independence with which the supervisory authorities must perform the functions entrusted to them under Article 28 of Directive 95/46, since that possibility affects neither those authorities’ freedom to take decisions nor their freedom to act. 61 In addition, although it is true that Directive 95/46 does not appear among the measures listed in Annex I to Directive 2009/22, the fact nonetheless remains that, under Article 7 of the latter directive, that directive did not provide for an exhaustive harmonisation in that respect. 62 Last, the fact that Regulation 2016/679, which repealed and replaced Directive 95/46 and has been applicable since 25 May 2018, expressly authorises, in Article 80(2) thereof, Member States to allow consumer-protection associations to bring or defend legal proceedings against a person who is allegedly responsible for an infringement of the laws protecting personal data does not mean that Member States could not grant them that right under Directive 95/46, but confirms, rather, that the interpretation of that directive in the present judgment reflects the will of the EU legislature. 63 In the light of all the findings above, the answer to the first question is that Articles 22 to 24 of Directive 95/46 must be interpreted as not precluding national legislation which allows consumer-protection associations to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data. The second question 64 By its second question, the referring court asks, in essence, whether the operator of a website, such as Fashion ID, that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider the personal data of the visitor can be considered to be a controller, within the meaning of Article 2(d) of Directive 95/46, despite that operator being unable to influence the processing of the data transmitted to that provider as a result. 65 In this regard, it should be noted that, in accordance with the aim pursued by Directive 95/46, namely to ensure a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy, with respect to the processing of personal data, Article 2(d) of that directive defines the concept of ‘controller’ broadly as the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data (see, to that effect, judgment of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16 , EU:C:2018:388 , paragraphs 26 and 27 ). 66 As the Court has held previously, the objective of that provision is to ensure, through a broad definition of the concept of ‘controller’, effective and complete protection of data subjects (judgments of 13 May 2014, Google Spain and Google, C‑131/12 , EU:C:2014:317 , paragraph 34 , and of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16 , EU:C:2018:388 , paragraph 28 ). 67 Furthermore, since, as Article 2(d) of Directive 95/46 expressly provides, the concept of ‘controller’ relates to the entity which ‘alone or jointly with others’ determines the purposes and means of the processing of personal data, that concept does not necessarily refer to a single entity and may concern several actors taking part in that processing, with each of them then being subject to the applicable data-protection provisions (see, to that effect, judgments of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16 , EU:C:2018:388 , paragraph 29 , and of 10 July 2018, Jehovan todistajat, C‑25/17 , EU:C:2018:551 , paragraph 65 ). 68 The Court has also held that a natural or legal person who exerts influence over the processing of personal data, for his own purposes, and who participates, as a result, in the determination of the purposes and means of that processing, may be regarded as a controller within the meaning of Article 2(d) of Directive 95/46 (judgment of 10 July 2018, Jehovan todistajat, C‑25/17 , EU:C:2018:551 , paragraph 68 ). 69 Furthermore, the joint responsibility of several actors for the same processing, under that provision, does not require each of them to have access to the personal data concerned (see, to that effect, judgments of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16 , EU:C:2018:388 , paragraph 38 , and of 10 July 2018, Jehovan todistajat, C‑25/17 , EU:C:2018:551 , paragraph 69 ). 70 That said, since the objective of Article 2(d) of Directive 95/46 is to ensure, through a broad definition of the concept of ‘controller’, the effective and comprehensive protection of the persons concerned, the existence of joint liability does not necessarily imply equal responsibility of the various operators engaged in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, with the result that the level of liability of each of them must be assessed with regard to all the relevant circumstances of the particular case (see, to that effect, judgment of 10 July 2018, Jehovan todistajat, C‑25/17 , EU:C:2018:551 , paragraph 66 ). 71 In this regard, it should be pointed out, first, that Article 2(b) of Directive 95/46 defines ‘processing of personal data’ as ‘any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction’. 72 It is apparent from that definition that the processing of personal data may consist in one or a number of operations, each of which relates to one of the different stages that the processing of personal data may involve. 73 Second, it follows from the definition