CJEU - C-398/15 - Manni

From GDPRhub
Revision as of 09:24, 17 September 2021 by FA (talk | contribs) (Removed dispute section)
CJEU - C-398/15 Salvatore Manni
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law:
Article 2 of First Council Directive 68/151/EEC (1968) on co-ordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community
Article 3 of First Council Directive 68/151/EEC (1968) on co-ordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community
Article 6 of Data Protection Directive 1995 (95/46/EC)
Article 6(1)(e) of Data Protection Directive 1995 (95/46/EC)
Article 7 of Charter of Fundamental Rights of the European Union
Article 8 of Charter of Fundamental Rights of the European Union
Directive 2003/58/EC of the European Parliament and of the Council of 15 July 2003
Directive 2009/101/EC (2009) on coordination of safeguards which, for the protection of the interests of members and third parties, are required by Member States of companies within the meaning of the second paragraph of Article 48 of the Treaty, with a view to making such safeguards equivalent
Directive 2012/17/EU (2012)
Article 7 of Data Protection Directive 1995 (95/46/EC)
Article 2188 of the Italian Civil Code (codice civil)
Decided: 09.03.2017
Parties: Camera di Commercio Lecce (Lecce Chamber of Commerce)
Salvatore Manni
Case Number/Name: C-398/15 Salvatore Manni
European Case Law Identifier: ECLI:EU:C:2017:197
Reference from: Corte suprema di cassazione
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: MH


The Court of Justice of the European Union held that Members States have to determine on a case-by-case basis whether the right to obtain the erasure of personal data from their national register of companies would outweighs the right to make these details publicly available for legal certainty and fair trading reasons. The data subject making the erasure request must demonstrate overriding and legitimate reasons.

English Summary

Facts

Article 2188 of the Italian civil code states that companies must be on a publicly available register.

Salvatore Manni is a sole director of a building company, Italiana Costruzioni Srl, awarded a building contract. Manni brought proceedings claiming that the properties in the building complex refused the sell on the basis that he was sole directore of another company ('Immobiliare Salentina’), delcared insolvent and struck off the register a few years prior.

Manni argued that personal data concerning him appeared on the registered and processed by a company which subsequently gave him a negative rating.

Mr Manni requested the Lecce Chamber of Commerce in charge of the register to erase, anonymise or block the data linking him to Immobiliare Salentina. He also asked for damages as compensation for injury to his reputation.

The Court of Lecce initially upheld his claim, ordered the Lecce Chamber of Commerce to anonymise his data and awarded him 2000 EUR in damages. The Lecce Chamber of Commerce appealed this decision to the Court of Cassation which referred questions to the Court of Justice for a preliminary ruling:

- Does the obligation to remove data no longer necessary for the purpose stated under Article 6(1)(e) take precedence over the Italian law obligation to include details on the register?

- Is there a derogation to the principle under Article 3 Directive 68/151 that there should be no time limit to data published in the companies registered?

Holding

The Court highlighted that under Article 2(1)(d) Directive 68/151, Member States must make the disclosure by companies of appointments, termination of office, legal proceedings, entering into administration etc... compulsory. Articles 3(1) and (3) of the same Directive outlines that this must be in a register of companies, which may consitute personal data of identified or identifiable natural persons as per the Data Protection Directive 95/46.

The Court held that the data controller for this personal data would be the authority responsible for maintaining the register.

The Court highlighted the fact that the Data Protection Directive aims to provide a high level of protection to fundamental rights and cited Google Spain (C-131/12). Additionally, the Court mentioned that the rights under the Data Protection Directive must be read in the light of the fundamental rights guaranteed by the EU Charter (Article 7, respect for private life and Article 8, right to data protection), citing Schrems I (C-362/14).

The Court went on to highlight the principle of "data quality" under Article 6 of the Data Protection Directive, as well as having a legitimate "criteria" for processing data under Article 7 of that same Directive. It considered that Articles 2 and 3 of Directive 68/151 provided several lawful bases for processing by the authority responsible for the register: legal obligation, public interest task and legitimate interest. The Court highlighted that it has previously held in Compass-Datenbank (C‑138/11) that the activity of a public authority storing data under a legal obligation would fall within the exercise of their public powers qnd in the public interest.

However, the Court noted that processing such data under that lawful basis is possible only so long as it is necessary for the purposes outlined (Article 6(1)(e) Data Protection Directive). If that is not the case, the data subject, has a right to obtain the erasure or blocking of the data.

The Court went on to determine the purpose of Directive 68/151 as providing legal certainty in relation to dealings between companies and third parties, as well as faciliatating the creation of the internal market. Additionally, caselaw (Daihatsu Deutschland, C‑97/96 and Springer, C‑435/02) outlines that Article 3 of Directive 68/151 is intended to enable third parties to inform themselves and protect themselves, reflecting the EEC Treaty wording (Article 54(3)(g)). However, the Directive 68/151 makes no mention of whether providing personal data on the register in necessary to achieve that aim. The Court nonetheless considered that it may be necessary to have that information despite the dissolution of a company for any rights and legal relations that may continue to exist. As each Member States have different limitation periods, there is no specific time frame for which this data may be required. Therefore, the Court found that Member States cannot guarantee that individuals, whose personal data is on their register, will have the right to obtain erasure or blocking of their data.

The Court did not consider that this cause an interference with the rights under the Charter as Directive 68/151 only requires limited personal data to be put on registers. Additionally, it considered it natural that individuals who choose to participate in trade through a company would be required to disclose data relating to their identity. Finally, it considered that the need to protect the interest of third parties and ensure legal certainty and fair trading for the internal market may take precedence. However, the Court did not exclude that in specific scenarios, there may be overriding and legitimate reasons for the data of the person concerned to be kept for a limited (and shorter) period of time after expiry. The burden of proof of demonstrating this specific reason falls on the data subject.

The Court concluded that the balancing of rights under the Data Protection Directive and Directive 68/151 should be done on a case by case basis. The Court therefore left it for the national court to make the assessment of whether Salvatore Manni's data protection rights outweigh the rights under Directive 68/151. The Court did note that the fact that Manni could not purchase the buildings based on the data available on the register would not be a sufficient reason.

Comment

This decision is quite interesting for anyone interested in the balancing of fundamental rights in the EU, especially when it comes to economic interests. Although the Court stated that it was for the national court to make the assessment, it considered that Manni's reasons (having been prevented from purchasing a building complex) were insufficient. It seems, from this judgement, that in 2017, the requirement of transparency for fair trading reasons seemed to outweigh the right to have personal data erased from publicly available registers.

Further Resources

Share blogs or news articles here!