CJEU - C-200/23 - Agentsia po vpisvaniyata
CJEU - C-200/23 Agentsia po vpisvaniyata | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 4(7) GDPR Article 4(9) GDPR Article 6(1)(c) GDPR Article 6(1)(e) GDPR Article 17(1)(c) GDPR Article 17(1)(d) GDPR Article 58(3)(b) GDPR Article 82 GDPR Directive (EU) 2017/1132 |
Decided: | 04.10.2024 |
Parties: | Agentsia po vpisvaniyata |
Case Number/Name: | C-200/23 Agentsia po vpisvaniyata |
European Case Law Identifier: | ECLI:EU:C:2024:827 |
Reference from: | Varhoven administrativen sad (Bulgaria) |
Language: | 24 EU Languages |
Original Source: | AG Opinion Judgement |
Initial Contributor: | fb |
The CJEU ruled that a national authority managing the commercial register cannot refuse to act on an erasure request regarding personal data contained in a constitutive document if the publication of that personal data is not prescribed by national or EU law.
English Summary
Facts
The data subject is a shareholder of a company in Bulgaria. On 14 January 2021, the company’s constitutive instrument was sent to the Registration Agency (Agentsia po vpisvaniyata), the Bulgarian authority managing the commercial register (the controller in the case at hand).
This instrument, which includes the surname, first name, identification number, identity card number, date and place of issue of that card, as well as the data subject’s address and signature, was made available to the public by the Agency as submitted.
On 8 July 2021, the data subject requested the controller to erase the personal data relating to her contained in that constitutive instrument.
In order to comply with this request, on 26 January 2022 the controller requested the data subject to provide a copy of the instrument in which the personal data of the company members, other than the personal data required by law, were redacted.
On 31 January 2022, the data subject brought an action before the Administrative Court of Dobrich (Administrativen sad Dobrich) seeking annulment of the controller’s decision and an order that the controller compensate her for the alleged non-material damage.
On 5 May 2022, this court annulled the decision and ordered the controller to pay compensation to data subject in the amount of BGN 500 (approximately €255). The court ruled that, first, the damage consisted in psychological and emotional suffering, i.e. fear of possible abuse, as well as the sense of powerlessness and disappointment that her personal data could not be protected.
Second, the damage stemmed also from the controller’s decision, which had led to an infringement of the right to erasure and the unlawful processing of her data contained in the constitutive instrument.
The controller appealed this judgement in front of the Supreme Administrative Court (Varhoven administrativen sad), which stayed the proceedings and referred the following questions to the CJEU:
- if Article 21(2) Directive 2017/1132 must be interpreted as imposing on a Member State an obligation to permit the disclosure, in the commercial register, of a company’s constitutive instrument subject to compulsory disclosure under that directive and containing personal data other than the minimum personal data required, disclosure of which is not required by the law of that Member State;
- if yes, may it be assumed that, in the case at hand, the processing of personal data by the controller is necessary for a task in the public interest, within the meaning of Article 6(1)(e) GDPR;
- If yes, may a national provision, in accordance with which, in the event that personal data not required by law are contained in an application for registration, it must be assumed that the persons who made those data available consented to the processing thereof and to the provision of public access thereto, be regarded as permissible;
- if Article 17 GDPR must be interpreted as precluding legislation or a practice of a Member State which leads the authority responsible for maintaining the commercial register to refuse any request for erasure of personal data, not required by that directive or by the law of that Member State, contained in a company’s constitutive instrument published in that register, where a copy of that instrument in which those data have been redacted has not been provided to that authority, contrary to the procedural rules laid down by that legislation;
- if Article 4(7) and 4(9) GDPR, must be interpreted as meaning that the authority responsible for maintaining the commercial register which publishes, in that register, personal data contained in a company’s constitutive instrument, which is subject to compulsory disclosure under Directive 2017/1132 and was transmitted to it in an application for registration of the company concerned in that register, is both a ‘recipient’ of those data and a ‘controller’ of those data, within the meaning of that provision;
- whether Article 4(1) GDPR must be interpreted as meaning that the handwritten signature of a natural person is covered by the concept of ‘personal data’ within the meaning of that provision;
- whether Article 82(1) GDPR must be interpreted as meaning that a loss of control, for a limited period, by the data subject over his or her personal data, on account of those data being made available online to the public, in the commercial register of a Member State, may suffice to cause ‘non-material damage’ or whether that concept of ‘non-material damage’ requires that the existence of additional tangible adverse consequences be demonstrated;
- whether Article 82(3) GDPR must be interpreted as meaning that an opinion of the supervisory authority of a Member State, issued on the basis of Article 58(3)(b) GDPR, is sufficient to exempt from liability, under Article 82(2) GDPR, the authority responsible for maintaining the commercial register of that Member State which has the status of ‘controller’, within the meaning of Article 4(7) GDPR.
Holding
First question
As for the first question, the CJEU ruled that Article 21(2) Directive 2017/1132 does not impose on a Member State an obligation relating to the disclosure, in the commercial registry, of personal data contained in the constitutive instrument which are not required to be disclosed either by other provisions of EU law or by the law of the Member State concerned, but which appear in a document subject to compulsory disclosure under that directive.
Second and Third question
In light of the answer to the first question, there was no need for the CJEU to answer the second question.
Fifth question
As for the fifth question, which the CJEU answered before the fourth question, the CJEU held that, in the case at hand, the Agency is to be considered a recipient under Article 4(9) GDPR since, following the application for registration of a company in the commercial register, the Agency receives a document containing personal data.
As for the concept of controller, the CJEU recalled that, according to Article 4(7) GDPR, an entity falls into that definition if it determines, alone or jointly with others, the purposes and means of the processing or if those purposes and means are determined by EU law or by national law.
On this point, the court held that by transcribing and storing personal data received in connection with an application for registration of a company in the commercial register and by disclosing those data, where appropriate, on request to third parties, the Agency at hand carries out processing of personal data for which it is the ‘controller’ (see C-398/15, Manni, para. 35).
As far as the purposes are concerned, the court noted that the purpose of Directive 2017/1132 is to guarantee legal certainty in relation to dealings between companies and third parties. As for this purpose, the applicant has no influence on the determination of the subsequent purposes and processing carried out by that authority. On the other hand, with their application, the applicant pursues different purposes which are their own, namely fulfilling the formalities necessary for that registration.
Finally, the court added that it has no relevance in determining that the Agency is the controller that the Agency was not sent a copy of the constitutive instrument in which the personal data not required by law were redacted.
Fourth question
As for the fourth question, the court analysed on which legal basis the controller could rely for the processing activity at hand.
First, the court noted that Article 13(9) of the Bulgarian Law on the registers (Zakon za targovskia registar i registara na yuridicheskite litsa s nestopanska tsel) sets a presumption that an applicant gives their consent to the processing when sending an application for the registration of a company. The court ruled that this cannot be regarded as a valid legal basis under Article 6(1)(a) GDPR since the consent is not freely given, specific, informed and unambiguous.
Secondly, as for Article 6(1)(c) GDPR, the court pointed out that Directive 2017/1132 does not require the systematic processing of all personal data contained in a constitutive instrument. Therefore, there is not a legal basis under Article 6(1)(c) GDPR to publish further personal data, like the data subject’s signature, that are not under a compulsory publication according to EU or national law.
Thirdly, as for Article 6(1)(e) GDPR, the CJEU noted that, according to the referring court, the processing activity at hand falls within the exercise of public powers and constitutes a task carried out in the public interest.
However, the CJEU pointed out that this legal basis requires, in addition, that the processing genuinely meets the objectives of general interest pursued, without going beyond what is necessary in order to achieve those objectives. In particular, the requirement of necessity is not met where the objective of general interest pursued can reasonably be achieved just as effectively by other means less restrictive of the fundamental rights of data subjects.
In the case at hand, the court ruled that the making available to the public, online, of personal data which are not required either by Directive 2017/1132 or by national law cannot be regarded in itself as being necessary in order to achieve the objectives pursued by that directive.
Finally, as for the erasure request filed by the data subject, the CJEU ruled that:
- If the referring court will conclude that the processing is not lawful, the controller would need to erase the data concerned without undue delay, according to Article 17(1)(d) GDPR;
- In the opposite case, Article 17(1)(c) GDPR would apply. According to the latter read in conjunction with Article 21(1) GDPR, the data subject enjoys a right to object to processing and a right to erasure, unless there are overriding legitimate grounds. In the case at hand, the CJEU did not see any overriding legitimate ground.
Sixth question
First, the CJEU recalled that the definition of personal data under Article 4(1) GDPR is very broad (see e.g. C-487/21, Österreichische Datenschutzbehörde and CRIF, para. 23).
Secondly, the CJEU pointed out that it had already ruled that the handwriting of a natural person provides information relating to that person (see C-434/16, Nowak, para. 37).
Finally, it noted that the handwritten signature of a natural person is, in general, used to identify that person.
Therefore, it ruled that Article 4(1) GDPR must be interpreted as meaning that the handwritten signature of a natural person is covered by the concept of ‘personal data’.
Seventh question
As for the seventh question, the court held that Article 82(1) GDPR must be interpreted as meaning that a loss of control, for a limited period, by the data subject over their personal data, on account of those data being made available online to the public, in the commercial register of a Member State, may suffice to cause “non-material damage”.
However, this is true only if the data subject demonstrates that she has actually suffered such damage, however minimal.
On the contrary, the concept of “non-material damage” does not require that the existence of additional tangible adverse consequences is demonstrated.
Eight question
First, the court pointed out that, pursuant to Article 82 GDPR, a data subject has the right to compensation if three cumulative conditions are satisfied (the existence of an infringement of GDPR; the existence of a damage; a causal link between that damage and that infringement).
On the other hand, Article 82(3) GDPR states that a controller is to be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage. According to the court, this provision must be interpreted restrictively.
Moreover, the court recalled that an opinion under Article 58(3)(b) GDPR is not legally binding.
Therefore, the court held that such an opinion is not sufficient to exempt the controller from liability.
Comment
The court deemed not necessary to answer questions 2 and 3.
Further Resources
Share blogs or news articles here!