The GDPR (Regulation (EU) 2016/679) has been much discussed in these last few months, so much so that we are all aware, like it or not, that the Regulation applies “to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system” (art. 2), with the exception of, inter alia, the processing of personal data by a natural person in the course of a purely personal or household activity. But when can we speak of “filing system”? And what exactly does “personal or household” activity entail? In an interesting decision published on 10 July 2018 the Court of Justice of the European Union (“CJUE”) provided its own interpretation of these concepts with regard to the processing of personal data by Jehovah’s Witnesses who proselytize door to door. The question the CJEU was asked to examine upon referralfrom the Supreme Administrative Court of Finland dates back to 2013 and is, therefore, still subject to application of Directive 95/46/EC (the so-called “mother” directive, now repealed by the GDPR). However, the principles of law established by the CJEU decision could be applicable to the GDPR as well. The Court began by stating that the collection byJehovah’s Witnesses of excerpts of conversations with the people they contact and the names and addresses thereof, in a structured mannerand for the purpose of being able to easily retrieve said data for subsequent visits, constitutes a “filing system”, understood as a “structured set of personal data” (according to the definition of art. 2 (c) Directive 95/46/EC). As to the exemptions provided by the mother directive, the Court ruled out theapplication of both the exemption relating to the purely “personal or household” nature of the processing, and the exemption relating to “State” processing. The Court justified its finding in relation to the former by arguing that the processing in question entails diffusionof the data within the religious community, also in order to deal with the requests of any persons who no longer wish to be contacted. The fact that the processing occurs within the context of freedom of religiondoes not automatically mean that personal aims are being pursued. The Court justified its finding in relation to the latter by arguing that the processing was linked to individual religious initiative and not to State activity. The Court concluded that the collection and processing of personal data by members of religious communities who proselytizedoor-to-door comes within the scope of application of rules of EU law on the protection of personal data. Therefore, religious community and its proselytizingmembers are to be considered “data controllers” and as such are subject to all consequences provided by the law. Hence, Jehovah’s Witnesses and other religious communities which proselytize in this manner must also abide by the GDPR.