CJEU - C-231/22 - État belge (Data processed by an official journal)
Revision as of 14:08, 15 January 2024
CJEU - C-231/22 Belgian State (Données traitées par un journal officiel) | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 4(2) GDPR Article 4(7) GDPR Article 17(1) GDPR |
Decided: | 11.01.2024 |
Parties: | LM Belgian State (Données traitées par un journal officiel) |
Case Number/Name: | C-231/22 Belgian State (Données traitées par un journal officiel) |
European Case Law Identifier: | ECLI:EU:C:2024:7 |
Reference from: | |
Language: | 24 EU Languages |
Original Source: | Judgement |
Initial Contributor: | sh |
The CJEU clarified that a controller can be determined not just explicitly but also implicitly from national law.
English Summary
Facts
The articles of association of a company were changed by a natural person who was the majority shareholder. The new articles mistakenly included the names of two partners of the company along with the name of the majority shareholder, the money they received from changing the articles and their bank account details.
As per national law, the new articles were prepared by the notary of the majority shareholder, sent to the registry of the court (Companies Court) and then forwarded by the court to the Office of the Moniteur belge for publication.
The notary, upon realising the mistake, requested the deletion of the above sensitive paragraphs, invoking the majority shareholder's (whom the notary represented) right to erasure under Article 17 GDPR. Moniteur Belge refused, motivating the majority shareholder to file a complaint with the Belgian DPA. The Belgian DPA reprimanded Moniteur Belge and ordered them to comply within 30 days.
The Belgian State appealed this decision to the Brussels Court of Appeal, seeking an annulment of the DPA's decision. Specifically, it argued that it was uncertain whether Moniteur Belge was a controller as per Article 4(7) GDPR, given that the passage had been processed by several 'successive controllers' (the notary who drew up the extract, the registry of the court and Moniteur Belge, which published the extract as it stood due to national law requirements). Moreover, since the parties did not claim joint controllership, the question arose whether Moniteur Belge was therefore solely responsible for compliance with the GDPR.
With this in mind, the court referred two questions to the CJEU:
1) Does Article 4(7) GDPR mean that a Member State's official journal responsible for publishing official documents under national law (such as the one in the case), has the status of data controller?
2) If so, does Article 5(2) GDPR mean that only the journal in question needs to comply with the data controller's responsibilities? Or are the responsibilities incumbent cumulatively on each successive controller?
Holding
The CJEU held that the journal was a data controller as defined by Article 4(7) GDPR and that it was solely responsible for compliance, unless joint responsibilities arise.
On the first question the court
The court
Comment
This is a very practical judgement
Further Resources
Share blogs or news articles here!