CJEU - Joined Cases C‑17/22 and C‑18/22 - HTB Neunte Immobilien Portfolio
| CJEU - C‑17/22 and C‑18/22 HTB Neunte Immobilien Portfolio | |
|---|---|
 | |
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 6(1)(b) GDPR Article 6(1)(c) GDPR Article 6(1)(f) GDPR |
| Decided: | 12.09.2024 |
| Parties: | HTB Neunte Immobilien Portfolio geschlossene Investment UG & Co. KG Müller Rechtsanwaltsgesellschaft mbH Ökorenta Neue Energien Ökostabil IV geschlossene Investment GmbH & Co. KG WealthCap Photovoltaik 1 GmbH Co. KG WealthCap PEIA Komplementär GmbH WealthCap Investorenbetreuung GmbH |
| Case Number/Name: | C‑17/22 and C‑18/22 HTB Neunte Immobilien Portfolio |
| European Case Law Identifier: | ECLI:EU:C:2024:738 |
| Reference from: | AG München (Germany) |
| Language: | 24 EU Languages |
| Original Source: | Judgement |
| Initial Contributor: | fb |
The CJEU ruled that not only a legislative act but also national case-law could stipulate a legal obligation in accordance with Article 6(1)(c) GDPR to disclose to a shareholder the identity of all other shareholders.
English Summary
Facts
In the main proceedings, the applicants are investment companies which hold shares indirectly through a trust company in investment funds.
The applicants request the defendants, which are trust companies, to disclose the names and addresses of all their partners with indirect shareholdings in the investment funds concerned.
The defendants object to such a disclosure, arguing that there are clauses prohibiting disclosure of those data to other shareholders. Moreover, they think that the only reason for which the applicants want to access this data is because they want to promote their own investment products.
This matter was brought before the Local Court of Munich (Amtsgericht München – AG München). According to this Court, the case law of the Federal Court of Justice (Bundesgerichtshof – BGH) and of the Higher Regional Court of Munich (Oberlandesgericht München – OLG München) obliges the defendants to share the data, except from the case when there is an abuse of rights.
However, the AG München is uncertain as to the compatibility of this case law with the GDPR and, therefore, stayed the proceedings and referred the matter to the CJEU for a preliminary ruling. In short, the Court asked the CJEU if Article 6(1)(b) and 6(1)(f) GDPR must be interpreted in the sense that a processing of personal data, consisting in disclosing the identity of all the partners with indirect shareholdings in a fund irrespective of the size of their shareholding in the capital of those funds, for the purpose of contacting them and negotiating the purchase of their shares or to coordinate with them, can be either
- regarded as necessary for the performance of a contract to which the data subjects are parties, or
- for the purposes of legitimate interests pursued by the controller or by a third party.
Holding
First, since the referring court made a reference to an obligation stemming from national case law, the CJEU considered necessary to reformulate the questions referred as extending to the interpretation of Article 6(1)(c) GDPR.
Secondly, the CJEU noted that Article 6(1) GDPR does not impose an obligation to process personal data, but merely allows to do so if a legal basis applies.
Article 6(1)(a) GDPR - Consent
Thirdly, as for Article 6(1)(a) GDPR, the CJEU pointed out that, in the case at hand, data subjects did not consent to their identity being disclosed to the applicants in the main case.
Article 6(1)(b) GDPR - Contract
Fourthly, as for Article 6(1)(b) GDPR, the court noted that, in previous case law, it had pointed out that, in order to rely on this legal basis, the processing must be objectively indispensable for a purpose that is integral to the contractual obligation intended for the data subject (see C-252/21, Meta Platforms and Others (General terms of use of a social network), para. 98).
However, in the case at hand, the contract the data subject has entered provides for the exact opposite principle, i.e. expressly prohibit the disclosure of their identity. In addition, the CJEU noted that the essential feature of acquiring an indirect shareholding through a trust company is precisely the anonymity of the partners.
Therefore, since the contract rather than requiring the disclosure, prohibits it, the CJEU excluded the applicability of Article 6(1)(b) GDPR in the case at hand.
Article 6(1)(f) GDPR - Legitimate interest
Fifthly, the CJEU analysed the applicability of Article 6(1)(f) GDPR. It pointed out that, according to its consistent case law, a three-step test must be carried out (see C-252/21, Meta Platforms and Others (General terms of use of a social network), para. 106).
- As for the first step, the controller must pursue a “legitimate interest” of itself or of a third party. In the case at hand, the AG München referred to an interest of a third party, i.e. the interest of a partner with an indirect shareholding in an investment fund to obtain personal data relating to the other indirect partners in order to enter into contract with them or negotiating with them the purchase of shares. The court pointed out that a wide range of interests is, in principle, capable of being regarded as legitimate (see C-26/22 and C-64/22, SCHUFA Holding (Discharge from remaining debts), para. 76) and ruled that this can be considered as a legitimate interest.
- As for the second step, this legitimate interest must not reasonably be achieved just as effectively by other means less restrictive of the fundamental rights and freedoms of data subjects. In this case, the CJEU noted that it would be possible, to ask data subjects if they wish to be contacted by the applicants and, only if this is the case, disclose their identity. Therefore, the court held that there could be other types of processing, different from the one at stake, that are less restrictive of the fundamental rights and freedoms of data subjects and pursue, in an equally efficient manner, the legitimate interest of the third party concerned.
- As for the third step, the interests or fundamental rights and freedoms of data subjects should not take precedence over the legitimate interests of the controller or of a third party. The CJEU pointed out that, on the one hand, data subjects could have an interest in the disclosure of their personal data to other shareholders. On the other hand, the CJEU held that it cannot be excluded that the interest of data subjects to remain anonymous may override the interest of the other parties to obtain their contact details. In this regard, the CJEU considered particularly important that, since the contract forbade the disclosure of their identity, it is likely that they could not reasonably expect this disclosure. Therefore, the CJEU concluded that – even though the final assessment is with the referring court - it appears doubtful that Article 6(1)(f) GDPR can be the appropriate legal basis.
Article 6(1)(c) GDPR - Legal obligation
Finally, as for Article 6(1)(c) GDPR, the CJEU noted that this provision provides that the processing of personal data is lawful if processing is necessary for compliance with a legal obligation to which the controller is subject. Moreover, Article 6(3) GDPR states that this processing must be based on EU law or on Member State law, and that that legal basis must meet an objective of public interest and be proportionate to the legitimate aim pursued.
In the case at hand, a legal obligation is not stemming from a legislative act but from case law stating that contractual clauses forbidding the disclosure of the shareholders’ identity are invalid. On this point, the CJEU pointed out that Recital 41 GDPR states that the legal basis under Article 6(1)(c) GDPR does not require a legislative act. However, other legal sources should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the CJEU and the European Court of Human Rights.
The CJEU ruled that it will be for the referring court to determine if these requirements are met and, in particular, if it is possible to ensure transparency between the shareholders in a way which is restrictive of the protection of personal data.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
