BGH - II ZB 7/23
From GDPRhub
| BGH - II ZB 7/23 | |
|---|---|
 | |
| Court: | BGH (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 17 GDPR Article 18 GDPR Article 21 GDPR § 10a(3) HGB § 395 FamFG |
| Decided: | 23.01.2024 |
| Published: | |
| Parties: | CEE Projekte Verwaltung GmbH |
| National Case Number/Name: | II ZB 7/23 |
| European Case Law Identifier: | ECLI:DE:BGH:2024:230124BIIZB7.23.0 |
| Appeal from: | OLG Celle (Germany) 9 W 16/23 |
| Appeal to: | |
| Original Language(s): | German |
| Original Source: | rechtsprechung-im-internet.de (in German) |
| Initial Contributor: | n/a |
The German Supreme Court ruled that a managing director cannot request the deletion of their date of birth and residence from the commercial register.
English Summary
Facts
The data subject is managing director of CEE Projekte Verwaltung GmbH, has been listed in the commercial register with their date of birth and residence since September 2012. In 2022, the data subject requested the deletion of their date of birth and residence from the commercial register, citing safety concerns due to their professional involvement with explosives, which could make them a target for kidnapping or robbery. The request was denied by the local court. Subsequently, the data subject appealed this decision, additionally requesting that the transmission of their personal data from the commercial register to third parties only occur after a balancing of interests. The appeal was rejected by the OLG Celle. The data subject then filed a legal complaint with the German Supreme Court, which also upheld the previous decisions, insisting on the necessity of these data being included in the commercial register.
Holding
The German Supreme Court upheld all lower court's decision, determining that the controller had no right to the deletion of their date of birth and residence from the commercial register under Article 17(1) GDPR. The court ruled that the inclusion of this information is crucial for fulfilling a legal obligation of the register court under both union and national law.
First, the court concluded that the data processing was mandated by law, rendering Article 17(3)(b) GDPR applicable, which permits data processing necessary for compliance with a legal obligation.
Second, the court found that the data subject's objections under Article 21(1) GDPR were invalid when the data processing is based on Article 6(1)(c) GDPR, necessitated by a legal duty imposed on the controller.
Lastly, the court noted that no restriction on processing could be requested under Article 18(1)(d) GDPR, as the data processing was lawful and essential for the register's public function. Hence, the Federal Court of Justice ruled that the residence and the date of birth of a managing director must be registered and publicly accessible to ensure the reliability and transparency of the commercial register.
The Federal Court of Justice therefore retained the decision to reject the data subject's legal complaint and ordered them to bear the costs of the proceedings.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Guiding Principles
1. The managing director of a GmbH (limited liability company) has no claim under Article 17(1) GDPR for the deletion of their date of birth and place of residence in the commercial register.
2. The place of residence of the managing director of a GmbH must be registered in the commercial register.
3. The right to object under Article 21(1) GDPR does not apply if the data processing is necessary for compliance with a legal obligation under Article 6(1)(c) GDPR. This also holds true if the processing would be permitted under Article 6(1)(e) GDPR. There is also no claim under Article 18(1)(d) GDPR for the restriction of processing in this case.
Procedural History
Previous decisions: OLG Celle, 24 February 2023, Case No.: 9 W 16/23, Decision
Previous decisions: AG Walsrode, 24 November 2022, Case No.: HRB 203886:
Ruling
The applicant's legal complaint against the decision of the 9th Civil Senate of the Higher Regional Court of Celle dated 24 February 2023 is dismissed at their expense.
Reasons
A.
1. The applicant is the managing director of S. Verwaltungs-GmbH and has been registered in the commercial register with their date of birth and the place of residence provided during the registration since September 2012.
2. On 21 November 2022, the applicant requested the removal of their date of birth and place of residence from the commercial register. The reasoning was that their professional activity involves handling explosives, posing a risk of kidnapping or robbery to obtain the substances they manage. Therefore, their date of birth and place of residence are also blocked in the registration system.
3. The local court - registry court - dismissed the application by decision dated 24 November 2022. The applicant's appeal, in which they alternatively requested that the transmission of their date of birth and place of residence from the commercial register to third parties be subject to a balancing of interests, was unsuccessful. With the approved legal complaint, the applicant continues to pursue their requests from the appeal stage.
B.
4. The legal complaint is unsuccessful.
5. I. The appeal court (OLG Celle, ZIP 2023, 1419) essentially reasoned its decision as follows:
6. There is no legal basis for the applicant's request. The applicant does not have a right to object under Article 21(1) GDPR according to § 10a(3) HGB. Consequently, there is also no right to restrict processing under Article 18(1)(d) GDPR. A right to deletion of data under Article 17(1) and (2) GDPR is excluded by Article 17(3)(b) GDPR because the registry court is obliged to process the data under § 387(2) FamFG in conjunction with § 43(4)(1)(b) HRV. The applicant cannot rely on § 395 FamFG either, as the inclusion of their date of birth and place of residence in the commercial register was not unlawful.
7. There are no doubts about the compatibility of § 10a(3) HGB with constitutional and European law, as the restriction of rights under Article 21 GDPR is covered by Article 23(1)(e) GDPR. It was neither sufficiently presented nor evident that the applicant's interest in keeping their date of birth and place of residence confidential outweighs the public interest in maintaining a functional and reliable commercial register to ensure the safety and ease of legal transactions.
8. Any claims based on legal norms outside the register procedure and data protection regulations, such as §§ 823, 839 BGB or § 1004 BGB (analogue) due to failure to comply with data protection regulations through the law implementing the Digitalisation Directive from 5 July 2021 (DiRUG), which allows free access to the commercial register, cannot be examined in the register procedure but would also be denied under the purpose of § 10a(3) HGB, which remains unaffected by DiRUG.
9. II. The legal complaint approved by the appeal court is admissible under § 70(1) FamFG and otherwise permissible. The applicant's right to legal complaint arises from the fact that their appeal against the registry court's decision was dismissed (cf. BGH, decision of 31 January 2023 - II ZB 10/22, BGHZ 236, 123 para. 7 with references).
10. III. The legal complaint is unfounded. The appeal court's decision withstands legal scrutiny in the outcome.
11. 1. The applicant does not have a claim for the removal of their date of birth and place of residence from their entry as GmbH managing director in the commercial register under either the GDPR or national law.
12. a) A claim for data removal under Article 17(1) and (2) GDPR (OJ L 119 of 4 May 2016, p. 1) is excluded by Article 17(3)(b) first scenario GDPR. The entry, storage, and disclosure of the date of birth and place of residence of a GmbH managing director in the commercial register is necessary for compliance with a legal obligation of the registry court within the meaning of Article 17(3)(b) first scenario GDPR.
13. aa) The GDPR is applicable in this case in terms of time (Article 99(2), Article 94(1), Recital 171 GDPR), territory (Article 3(1) and (2) GDPR), and subject matter (Article 2(1) GDPR).
14. The applicant's date of birth and place of residence are personal data within the meaning of Article 2(1), Article 4(1) GDPR. Their entry and storage in the electronically managed commercial register (§ 8(1), § 8a(1) HGB) are, as well as their disclosure through unrestricted access to the commercial register (§§ 9, 10(2) HGB), a processing operation within the meaning of Article 2(1) first and second scenarios, Article 4(2) GDPR. The registry court entrusted with the management of the electronic commercial register according to § 8(1) HGB is the controller for this data processing within the meaning of Article 4(7) GDPR (cf. ECJ, judgment of 9 March 2017 - C-398/15, ECLI:EU:C:2017:197 = BB 2017, 652 para. 35 - Manni [on Article 2(d) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281 of 23 November 1995, p. 31; hereinafter: Data Protection Directive]). This applies not only to the entry and storage of the data but also to their disclosure via the central register portal (www.handelsregister.de) set up on the internet according to § 9(1) sentence 4 HGB, because the registry court decides with the entry and transmission of the data to the portal operator which data are retrievable there.
15. bb) The applicant's request for complete removal of the data from the commercial register is generally covered by Article 17(1) and (2) GDPR.
16. Under Article 17(1) GDPR, the data subject may request the erasure of data concerning them from the controller responsible for processing under Article 17(2) GDPR if one of the reasons listed there applies. The term "erasure" within this provision is to be interpreted autonomously (cf. BGH, judgment of 27 July 2020 - VI ZR 405/18, BGHZ 226, 285 para. 17) and, unlike the "erasure" of commercial register entries under national law according to § 395(1) sentence 2 FamFG, §§ 16, 19 HRV (Commercial Register Regulation of 12 August 1937, RMBl. p. 515) which only occurs through redaction, includes making the personal data permanently unrecognizable in a way that makes it impossible to perceive the information previously embodied in the data to be erased (cf. Herbst in Kühling/Buchner, GDPR/BDSG, 4th ed., Article 17 GDPR para. 37 ff.; Roßnagel in Simitis/Hornung/Spiecker, Data Protection Law, Article 4(2) GDPR para. 30).
17. cc) However, the applicant's claim under Article 17(1) and (2) GDPR is excluded even if one of the erasure reasons under Article 17(1) GDPR were to be affirmed, due to Article 17(3)(b) first scenario GDPR, as the entry, storage, and disclosure of the applicant's date of birth and place of residence as a GmbH managing director in the commercial register is necessary for compliance with a legal obligation of the registry court within the meaning of this provision.
18. aaa) According to Article 17(3)(b) first scenario GDPR, Articles 17(1) and (2) GDPR do not apply if the processing is necessary for compliance with a legal obligation of the controller arising from Union law or the law of the Member State to which the controller is subject. This legal obligation does not necessarily have to be established in a parliamentary law (ECJ, judgment of 24 February 2022 - C-175/20, ECLI:EU:C:2022:124 = ZD 2022, 271 para. 52 - Valsts ieņēmumu dien
ests), as long as the requirements according to the constitutional order of the Member State are met. In accordance with the general rules for justifying interference with the fundamental rights guaranteed by the Charter (Article 52(1) of the Charter), the legal basis can also result from pre-constitutional customary law (cf. Opinion of Advocate General of 16 April 2015 - C-580/13, ECLI:EU:C:2015:243 para. 37 - Coty; Jarass, EU Charter of Fundamental Rights, 4th ed., Article 52 para. 26; BeckOK Data Protection Law/von Lewinski, as of 1.11.2023, Article 22 GDPR para. 44; Zöll in Taeger/Gabel, GDPR/BDSG/TTDSG, 4th ed., Article 88 para. 10). However, it must meet the requirements of Article 6(2) and (3) GDPR (cf. Peuker in Sydow/Marsch, GDPR/BDSG, 3rd ed., Article 17 GDPR para. 63; Herbst in Kühling/Buchner, GDPR/BDSG, 4th ed., Article 17 GDPR para. 74 f.; BeckOK Data Protection Law/Worms, as of 1.8.2023, Article 17 GDPR para. 83; Meentz/Hinzpeter in Taeger/Gabel, GDPR/BDSG/TTDSG, 4th ed., Article 17 GDPR para. 125). Therefore, the purpose of processing must be established in the legal basis (Article 6(3) sentence 2 GDPR). Additionally, the processing must be necessary for compliance with the legal obligation of the controller, this legal basis must pursue an objective of public interest and be proportionate to the legitimate aim pursued, and the processing must be limited to what is strictly necessary (ECJ, judgment of 4 July 2023 - C-252/21, ECLI:EU:C:2023:537 = RIW 2023, 516 para. 138 = NJW 2023, 2997 - Meta Platforms).
19. bbb) The registry court is legally obliged to the data processing in question.
20. (1) Under § 7(1) GmbHG, the company must be registered in the commercial register. The registration must include the legitimation of the managing directors according to § 8(1)(1) or (2) GmbHG. Any change in the persons of the managing directors must also be registered in the commercial register under § 39(1) GmbHG. The registration must also include the managing director's date of birth (§ 24(1) HRV). Although there is no explicit legal obligation to provide the managing director's place of residence during registration, it is at least established by customary law. Customary law stands as a source of law on par with statutory law and can thus also be the basis for a registry entry (BGH, decision of 4 April 2017 - II ZB 10/16, ZIP 2017, 1067 para. 22; decision of 31 January 2023 - II ZB 10/22, BGHZ 236, 123 para. 12). It arises from longer actual practice that is permanent, constant, uniform, and generally recognized as binding by the participants (cf. BGH, decision of 4 April 2017 - II ZB 10/16, ZIP 2017, 1067 para. 24; decision of 31 January 2023 - II ZB 10/22, BGHZ 236, 123 para. 18). These conditions are met regarding the provision of the managing director's place of residence during the registration of the company in the commercial register.
21. Providing the managing director's place of residence during registration corresponds to long-standing practice. This goes back to § 7(1), § 10(2) GmbHG in the version of the Reichsgesetz concerning limited liability companies from 20 April 1892 (RGBl. 1892 p. 477; hereinafter: old GmbHG), where the registration of managing directors (§ 7(1) old GmbHG) and the publication of their places of residence (§ 10(2) old GmbHG) were explicitly prescribed. Even after these provisions were amended by the law of 20 May 1898 (RGBl. 1898 p. 846) effective from 1 January 1900 into a form corresponding to the current § 7(1), § 10(1) sentence 1 GmbHG, it remained common practice to register managing directors (see Cohn, The Commercial and Cooperative Register, 2nd ed. 1901, § 60 I. p. 287; Hachenburg, GmbHG, 5th ed. 1926, § 7 note 3) with their place of residence in the commercial register (see Brand/Meyer zum Gottesberge, The Register Matters in Judicial Practice, 3rd ed. 1929, § 100 note 2. p. 295), as it was seen as a specification of the person to be registered (Hachenburg, GmbHG, 5th ed. 1926, § 10 note 6). With the issuance of the General Directive on the Organisation and Management of the Commercial Register (Commercial Register Directive) of 10 August 1937 (RGBl. p. 151; hereinafter: old HRV), the previously partly prescribed state-level registration of the managing director's place of residence in the commercial register (cf. BayObLG, decision of 4 April 1910 - Reg. V. 14/1910, BayObLGZ 11, 237, 240; Scholz, GmbHG, 1928, § 10 II. 1.) was uniformly and explicitly mandated (§ 43(4) old HRV). Since then, it has been standard notarial practice to provide the managing director's place of residence during the company registration (cf. Herrler/Haines, Corporate Law in Notarial and Design Practice, 2nd ed., § 6 para. 47; Krafka, Register Law, 12th ed., para. 971; Mayer/Weiler in Beck’s Notary Handbook, 8th ed., § 22 para. 194; Melchior/Böhringer in Gustavus, Commercial Register Applications, status: 10/2023, model text M 91a.1; Pfisterer in Beck’s Form Book GmbH Law, B. I. 5. note 8; Römermann/Strehle, Munich Lawyer's Handbook GmbH Law, 5th ed., § 3 para. 121, 124; Terbrack in Hauschild/Kallrath/Wachter, Notary Handbook Corporate and Business Law, 3rd ed., § 16 para. 74; Trölitzsch in Oppenländer/Trölitzsch, Practical Handbook of GmbH Management, 3rd ed., § 11 para. 41; Vossius in Widmann/Mayer, Conversion Law, status: August 2023, appendix 4, M 157; Wentrup in Beck’s Form Book Civil, Commercial and Economic Law, 14th ed., IX. 2.; MünchHdBGesR III/Wobst, 6th ed., § 8 para. 13; Report of the German Notary Institute DNotI-Report 2004, 89; Wachter, GmbHR 2023, 593, 595).
22. This continuous practice is recognized as legally binding by the participants. It is a general opinion that the company's registration must include the managing director's place of residence to be entered under § 43(4)(1)(b) HRV (Altmeppen, GmbHG, 11th ed., § 8 para. 4; Bayer in Lutter/Hommelhoff, GmbHG, 21st ed., § 8 para. 3; MünchKommGmbHG/Herrler, 4th ed., § 8 para. 18; Link in Gehrlein/Born/Simon, GmbHG, 6th ed., § 8 para. 12, 46; Schäfer in Henssler/Strohn, GesR, 5th ed., § 8 para. 3; Pfisterer in Saenger/Inhester, GmbHG, 4th ed., § 8 para. 5; Tebben/Kämper in Michalski/Heidinger/Leible/J. Schmidt, GmbHG, 4th ed., § 8 para. 10; BeckOGK HRV/Szalai, status: 15.10.2023, § 24 para. 7; Scholz/Veil, GmbHG, 13th ed., § 8 para. 9; Wicke, GmbHG, 4th ed., § 8 para. 3; Wöstmann in Rowedder/Pentz, GmbHG, 7th ed., § 8 para. 4; aA Wachter, GmbHR 2023, 593, 595). § 24(1) HRV does not contradict this, as § 43 HRV is the more specific provision systemically (BeckOGK HRV/Szalai, status: 15.10.2023, § 24 para. 7). The legislative idea underlying the Handelsrechtsreformgesetz of 22 June 1998 (BGBl. I p. 1474), which for the first time introduced
the obligation to provide the date of birth and replaced the previously required profession or status, assumed that the managing director's place of residence would continue to be provided (RegE of a law to revise the law of merchants and company names and to amend other commercial and corporate law provisions, BT-Drs. 13/8444, p. 85).
23. As a result of this customary law specification of § 7(1), § 8(1)(1) or (2), § 39(1) GmbHG, the obligation to provide the managing director's place of residence during the company registration is also sufficiently foreseeable and transparent for those subject to the law (Article 5(1)(a) GDPR, Recital 41 sentence 2 GDPR).
24. (2) As mentioned above, the registry court is obliged under § 10(1) sentence 1 GmbHG, § 387(2) FamFG, § 43(4)(1)(b) HRV to enter the managing director's date of birth and place of residence in the commercial register alongside their surname and first name (cf. BGH, decision of 3 February 2015 - II ZB 12/14, ZIP 2015, 1064 para. 15 at the end; Bayer in Lutter/Hommelhoff, GmbHG, 21st ed., § 10 para. 4; Link in Gehrlein/Born/Simon, GmbHG, 6th ed., § 10 para. 13; Ulmer/Habersack in Habersack/Casper/Löbbe, GmbHG, 3rd ed., § 10 para. 8; Scholz/Veil, GmbHG, 13th ed., § 10 para. 10; Wöstmann in Rowedder/Pentz, GmbHG, 7th ed., § 10 para. 10; Wachter, GmbHR 2023, 593, 596).
25. The entry must be made through permanent, unchanged content storage in the electronically managed commercial register (§ 8(1), § 8a(1) HGB) (see also § 387(2) FamFG, § 47(1) sentence 1 HRV). The registry court is prohibited under § 387(2) FamFG, § 12 sentence 2 HRV from removing existing entries through technical interventions or other measures. The deletion of an entry under §§ 393 ff. FamFG is not achieved through (technical) removal of the entry but as a separate entry to make the deletion process comprehensible to third parties in the register. Even unlawful entries are not removed but deleted by entering a note under a new consecutive number and redacting the unlawful entry (§ 395(1) sentence 2 FamFG, §§ 16, 19 HRV) (cf. BGH, decision of 3 February 2015 - II ZB 12/14, ZIP 2015, 1064 para. 20).
26. (3) Finally, the registry court is obliged under § 9(1) sentence 1 HGB to disclose the registered data in such a form that access to the commercial register is allowed to everyone for informational purposes through individual queries without the need to demonstrate a legitimate interest (BGH, decision of 12 July 1989 - IVa ARZ (VZ) 9/88, BGHZ 108, 32, 35 f.; decision of 3 February 2015 - II ZB 12/14, ZIP 2015, 1064 para. 24; decision of 24 May 2023 - VII ZB 69/21, ZIP 2023, 1640 para. 22). For this purpose, the entries from the commercial register must be made retrievable through the register portal (§ 9(1) sentence 2, § 10(1) HGB, § 52 HRV) by making them available for retrieval through this portal without delay (§ 10(2) HGB, § 32 HRV).
27. ccc) As the mentioned regulations do not provide for exceptions, either abstractly in general for certain groups of cases or specifically in individual cases with particular circumstances, nor do they grant the registry court any discretion or margin of appreciation in their application, this data processing is also actually necessary for the registry court to fulfill its legal obligations in the applicant's case.
28. ddd) These legal obligations of the registry court pursue an objective of public interest within the meaning of Article 6(3) sentence 2 and 4 GDPR. They aim to ensure the protection of the security, integrity, and ease of legal transactions in the commercial and corporate sector.
29. (1) The purpose of the commercial register is to enable the public to inform themselves about the legal relationships of merchants and companies and to announce circumstances that are of significant importance for legal transactions (information and publicity function; cf. BGH, decision of 24 October 1988 - II ZB 7/88, BGHZ 105, 324, 344; decision of 10 November 1997 - II ZB 6/97, ZIP 1998, 152; decision of 14 February 2012 - II ZB 15/11, ZIP 2012, 623 para. 16; decision of 3 February 2015 - II ZB 12/14, ZIP 2015, 1046 para. 18; decision of 31 January 2023 - II ZB 10/22, BGHZ 236, 123 para. 12; decision of 24 May 2023 - VII ZB 69/21, ZIP 2023, 1640 para. 20; decision of 19 September 2023 - II ZB 15/22, ZIP 2023, 2356 para. 28). The reliability of the register is ensured, on the one hand, by the registry law control of the registration applications and, on the other hand, by the fact that material legal effects are linked to the reliance on the entries in the register to a certain extent (§ 15 HGB; cf. BGH, decision of 3 February 2015 - II ZB 12/14, ZIP 2015, 1064 para. 18; decision of 24 May 2023 - VII ZB 69/21, ZIP 2023, 1640 para. 20). Without such information and its general accessibility through unrestrictedly accessible registers, legal transactions would be impaired in their security and ease, as legal transactions would otherwise either be conducted only after complicated and lengthy proof or without such proof, with the consequence of greater susceptibility to errors or fraudulent activities (cf. Recommendation and Report of the Committee for Labour and Social Affairs on the draft law to amend the Federal Supply Act and other regulations, BT-Drs. 18/12611, p. 67, 68 f.).
30. (2) The realization of this protected interest of legal transactions, to inform and ensure themselves about the representation relationships of the companies participating in business transactions, is particularly served by the entry, storage, and disclosure of the full name, date of birth, and place of residence of a GmbH managing director (cf. BGH, decision of 3 February 2015 - II ZB 12/14, ZIP 2015, 1064 para. 14). The person of the managing director is one of the basic information about a limited liability company because they are the authorized representative organ of the company, which may legally bind the company as a legal entity in legal transactions (§ 35 GmbHG). To grant an elementary minimum of security for those who come into legal contact with the company and have an interest in ensuring that the declarations of intent given or received for the company are attributed to an authorized person with effect for and against the company, the possibility of reliably knowing the person who acts as the managing director for the company must be given. Therefore, to identify the authorized representative organ in legal transactions, the managing director's first and last name along with their date of birth and place of residence are entered in the commercial register (§ 43(4)(1)(b) HRV) and made public together with the company's full entry (§ 10 HGB) (BGH, decision of 3 February 2015 - II ZB 12/14, ZIP 2015, 1064 para. 15).
31. (3) This valuation is in line with the jurisprudence of the Court of Justice of the European Union, which, already under the Data Protection Directive, has decided that the storage and disclosure of the personal details of the representatives of capital companies, as provided for in Articles 2(1)(d) and (j) of the Publicity Directive (First Directive 68/151/EEC of the Council of 9 March 1968 on the coordination of safeguards, which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of Article 58(2) of the Treaty, to make such safeguards equivalent throughout the Community [OJ L 65 p. 8], as amended by Directive 2003/58/EC of the European Parliament and of the Council of 15 July 2003 [OJ L 221 p. 13]), serve both to protect the interests of third parties, who bear increased economic risk due to the limitation of liability to the company's assets, and to ensure the legal certainty in the relationships between companies and third parties, the integrity of commercial transactions, and the smooth functioning of the internal market (ECJ, judgment of 9 March 2017 - C-398/15, ECLI:EU:C:2017:197 = BB
2017, 652 para. 43, 48 ff. - Manni). This case law on the Data Protection Directive is also generally applicable to the GDPR (ECJ, judgment of 17 June 2021 - C-597/19, ECLI:EU:C:2021:492 = GRUR 2021, 1067 para. 107 - M.I.C.M.).
32. eee) This purpose of data processing is not explicitly mentioned as such in the above-mentioned legal bases but is derived from the provision in § 9(1) sentence 1 HGB, which states that "access to the commercial register... is allowed to everyone for informational purposes through individual queries" (cf. RegE of a law on electronic registers and judicial costs for telecommunications - ERJuKoG, BT-Drs. 14/6855, p. 17). This satisfies the statutory purpose specification requirement of Article 6(3) sentence 2 GDPR (cf. BFH, BB 2023, 2717 para. 43; Frenzel in Paal/Pauly, GDPR/BDSG, 3rd ed., Article 6 GDPR para. 41; BeckOK IT Law/Borges/Steinrötter, as of 1.1.2022, Article 6 GDPR para. 68 with references).
33. fff) The legal obligations of the registry court are proportionate to the legitimate aim pursued (Article 6(3) sentence 4 GDPR).
34. (1) In the balance required by Article 6(3) sentence 4 GDPR, it must be considered that Article 1(2) GDPR in conjunction with Recitals 1, 4, and 10 aims to ensure a high level of protection of the fundamental rights and freedoms of natural persons concerning the processing of personal data (ECJ, judgment of 13 May 2014 - C-131/12, ECLI:EU:C:2014:317 = NJW 2014, 2257 para. 66 - Google Spain and Google; judgment of 9 March 2017 - C-398/15, ECLI:EU:C:2017:197 = BB 2017, 652 para. 37 - Manni [each on the Data Protection Directive]; judgment of 24 February 2022 - C-175/20, ECLI:EU:C:2022:124 = ZD 2022, 271 para. 52 - Valsts ieņēmumu dienests). However, this right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and balanced against other fundamental rights while respecting the principle of proportionality (ECJ, judgment of 8 December 2022 - C-460/20, ECLI:EU:C:2022:962 = RIW 2023, 217 para. 56 - Google).
35. This balance is determined solely by the Union's fundamental rights when the regulations applicable in the legal dispute are fully harmonized by Union law; otherwise, the fundamental rights of the Basic Law apply (cf. BVerfGE 152, 216 para. 33, 42 f., 46, 77, 81 - Right to be forgotten II). Whether the Union's fundamental rights apply here due to the harmonized level of data protection pursued by the GDPR (Recitals 9 and 10 GDPR) (so for the exclusion of the right to erasure under Article 17(3)(a) in conjunction with Article 6(1)(f) GDPR: BVerfGE 152, 216 para. 39 ff. - Right to be forgotten II and BGH, judgment of 27 July 2020 - VI ZR 405/18, BGHZ 226, 285 para. 25; judgment of 3 May 2022 - VI ZR 832/20, NJW 2022, 2476 para. 18; in contrast to the regulatory area covered by the so-called "media privilege": BVerfGE 152, 152 para. 74 - Right to be forgotten I), or in light of the general opening clause in Article 17(3)(b) GDPR with room for national regulation (cf. Paal in Paal/Pauly, GDPR/BDSG, 3rd ed., Article 17 GDPR para. 43; Kühling/Martini et al., The GDPR and National Law, p. 27 ff.) the fundamental rights of the Basic Law, does not require a decision. The data processing by the registry court in question is proportionate when applying either the Union's fundamental rights or the fundamental rights of the Basic Law.
36. (2) When applying the Union's fundamental rights, the provisions of the GDPR must be interpreted in light of Articles 8 (protection of personal data) and 7 (respect for private and family life) of the Charter (cf. already ECJ, judgment of 13 May 2014 - C-131/12, ECLI:EU:C:2014:317 = NJW 2014, 2257 para. 68 f. - Google Spain and Google; judgment of 6 October 2015 - C-362/14, ECLI:EU:C:2015:650 = NJW 2015, 3151 para. 38; judgment of 9 March 2017 - C-398/15, ECLI:EU:C:2017:197 = BB 2017, 652 para. 39 - Manni [each on the Data Protection Directive]; as well as ECJ, judgment of 24 February 2022 - C-175/20, ECLI:EU:C:2022:124 = ZD 2022, 271 para. 52 - Valsts ieņēmumu dienests; judgment of 1 August 2022 - C-184/20, ECLI:EU:C:2022:601 = RIW 2023, 49 para. 66 - Vyriausioji tarnybinės etikos komisija), which in turn correspond to Article 8 ECHR (right to respect for private and family life) (cf. Article 52(3) Charter; ECJ, judgment of 8 December 2022 - C-460/20, ECLI:EU:C:2022:962 = RIW 2023, 217 para. 59 - Google; BGH, judgment of 27 July 2020 - VI ZR 405/18, BGHZ 226, 285 para. 27).
37. According to Article 8(2) Charter, personal data may only be processed fairly for specified purposes and based on the consent of the data subject or another legitimate legal basis. Furthermore, Article 52(1) Charter provides that limitations on the Union's fundamental rights are permissible if they are provided for by law, respect the essence of the rights, and comply with the principle of proportionality. Limitations may only be made if they are necessary and genuinely meet objectives of general interest recognized by the Union or the need to protect the rights and freedoms of others. They must be confined to what is strictly necessary and the rule must provide clear and precise rules governing the scope and application of the measure in question (ECJ, judgment of 1 August 2022 - C-184/20, ECLI:EU:C:2022:601 = RIW 2023, 49 para. 70 - Vyriausioji tarnybinės etikos komisija with references).
38. These requirements are met here.
39. (a) The above-mentioned provisions contain clear and precise rules on the scope and application of the processing of the date of birth and place of residence of a GmbH managing director by entry, storage, and disclosure on the internet by the registry court. The resulting limitation respects the essence of the data subject's fundamental rights to protection of personal data and respect for their private life, as the processing only affects a few data not belonging to the core area of this fundamental right and pursues objectives recognized as being of general interest by the Union.
40. (b) The principle of proportionality is respected. The data processing by the registry court does not exceed what is necessary to achieve the permissible objectives of the relevant provisions and the disadvantages caused do not outweigh the objectives pursued (cf. ECJ, judgment of 22 January 2013 - C-283/11, ECLI:EU:C:2013:28 para. 50 = AfP 2013, 123; judgment of 8 April 2014 - C-293/12, ECLI:EU:C:2014:238 para. 46 = NJW 2014, 2169; judgment of 30 June 2016 - C-134/15, ECLI:EU:C:2016:498 para. 33 ff.; cf. Kingreen in Calliess/Ruffert, EUV/AEUV, 6th ed., Article 52 EU Charter of Fundamental Rights para. 65 ff. with references).
41. (aa) The provision of the date of birth and place of residence is suitable to enable a reliable individualization and identification of the managing director, corresponding to the legitimate objective of the limitation. The same applies to the disclosure of this information through general publication on the internet, which allows interested third parties to easily obtain information about the persons entrusted with the representation of the company.
42. (bb) The storage and unrestricted disclosure of both pieces of information on the internet is also necessary to achieve the objective.
43. (aaa) Necessity in this sense exists, as indicated by Recital 39 of the GDPR, when the pursued objective of public interest cannot be achieved as
effectively by other means that are less intrusive on the data subject's fundamental rights, especially the rights to respect for private life and to protection of personal data under Articles 7 and 8 of the Charter. Exceptions and limitations on the principle of protecting such data must be confined to what is strictly necessary (ECJ, judgment of 1 August 2022 - C-184/20, ECLI:EU:C:2022:601 = RIW 2023, 49 para. 85 f. - Vyriausioji tarnybinės etikos komisija with references; see also the data minimization principle in Article 5(1)(c) GDPR).
44. (bbb) The provision of the immutable date of birth is necessary to identify the managing director, as it largely eliminates confusion in cases of name similarity (cf. RegE of a law to revise the law of merchants and company names and to amend other commercial and corporate law provisions [Commercial Law Reform Act - HRefG], BT-Drs. 13/8444, p. 84 [to § 125 FGG-E]; Born in Ebenroth/Boujong, HGB, 5th ed., § 106 para. 34; Kollbach, ZVI 2006, 544, 547 f.; Preis/Wentz, ZD 2023, 461, 463; Prütting/Brinkmann, ZVI 2006, 477, 478 f.; Weichert, ZGI 2023, 11, 16).
45. The additional provision of the place of residence is necessary not only in the case of particularly common names but also considering that the full date of birth may not always be easily verifiable by third parties, to contribute to a clear identification by a local limitation of the person (cf. Haas/Wöstmann in Röhricht/Graf von Westphalen/Haas/Mock/Wöstmann, HGB, 6th ed., § 106 para. 11; Weichert, ZGI 2023, 11, 16; generally also MünchKommHGB/Fleischer, 5th ed., § 106 para. 20; aA Wachter, GmbHR 2003, 593 para. 32). Although the distinguishing power of the place of residence depends on the respective circumstances, particularly its size, and can therefore vary (cf. Paefgen in Habersack/Casper/Löbbe, GmbHG, 3rd ed., § 40 para. 37; Handelsrecht Committee of the DAV, NZG 2005, 586, 587 f.; Wachter, GmbHR 2023, 593, 595), no equally effective, less burdensome form of data processing is apparent. Using another distinctive personal characteristic (such as place of birth or full private address) would involve an intrusion of at least equal weight (cf. Weichert, ZGI 2023, 11, 16).
46. The provision of the place of residence also offers, even if it does not have to be identical to the residence under §§ 7 ff. BGB (cf. Haas/Wöstmann in Röhricht/Graf von Westphalen/Haas/Mock/Wöstmann, HGB, 6th ed., § 106 para. 11), the possibility to determine the current address through a simple registration inquiry at the registration authority responsible for that place of residence under § 44(1)(4) BMG. This can be necessary to effect any necessary service of process (cf. §§ 166 ff. ZPO), for example, in asserting direct claims against the managing director. The changeability of the place of residence also does not argue against this if the change of residence is not considered notifiable, as the departure registration authority still holds the current address (cf. § 33(1) sentence 1, § 3(1)(12) BMG; aA Klink, Data Protection in Electronic Justice, 2010, p. 247; Trendelenburg, BB 2023, 1172).
47. (ccc) Finally, the necessity of disclosing this data through unrestricted retrievability on the internet is also to be affirmed. The goal of providing every interested person with the possibility to easily, regardless of their location and without time delay, obtain reliable information about the essential details of the founding of commercial companies and the persons entrusted with their representation can only be achieved by allowing unrestricted, uncomplicated access to this data on the internet (cf. ECJ, judgment of 9 March 2017 - C-398/15, ECLI:EU:C:2017:197 = BB 2017, 652 para. 51 - Manni [on the GmbH managing director]; opinion of the Advocate General of 14 September 2023 - C-115/22, ECLI:EU:C:2023:676, juris para. 169 on the online publication of doping violations).
48. (cc) The disadvantages caused by this data processing are not disproportionate to the objectives pursued. The data subject's fundamental rights to the protection of personal data and respect for their private life must be subordinated to the objectives pursued by the processing of their date of birth and place of residence within the scope of their registration as a GmbH managing director in the commercial register, which is to ensure the security, integrity, and ease of legal transactions in the commercial and corporate sector.
49. (aaa) When weighing the interference with the rights of the affected managing director (see Recital 76 GDPR), it is initially to be noted that the data processing in question is limited to a few personal data, which do not belong to the particularly sensitive data within the meaning of Recital 51 sentence 1 GDPR nor reach deeply into the personal sphere (cf. Prütting/Brinkmann, ZVI 2006, 477, 479 [on the date of birth]). This also applies to the provision of the place of residence, as it does not reveal the full private address but only provides a local limitation.
50. The severity of the interference, however, generally arises from the fact that this data is made accessible to a potentially unlimited number of people through unrestricted availability on the internet, allowing anyone, including those who may seek this information for reasons unrelated to the intended purpose of the processing, to access it freely. Additionally, the data can be processed, linked, and used for a variety of purposes, including planning crimes against the data subject (cf. ECJ, judgment of 1 August 2022 - C-184/20, ECLI:EU:C:2022:601 = RIW 2023, 49 para. 102, 104 - Vyriausioji tarnybinės etikos komisija; ECJ, judgment of 22 November 2022 - C-37/20 and C-601/20, ECLI:EU:C:2022:912 = WM 2023, 63 para. 42 f. – Luxembourg Business Registers; BVerfGE 128, 1, 52 f.).
51. However, the intensity of this interference is mitigated in several ways.
52. (α) First, it should be considered that the managing director, by taking office and applying for registration in the commercial register, themselves or through their representative gives rise to the data processing, being aware at that moment of the associated disclosure of the data in the commercial register (cf. ECJ, judgment of 9 March 2017 - C-398/15, ECLI:EU:C:2017:197 = BB 2017, 652 para. 59 - Manni; BVerfGE 128, 1, 53 [on the location register for the cultivation of genetically modified organisms]; BVerfG, NJW 2008, 1505 para. 78).
53. The legal complaint's assertion that unrestricted access to this data was only created on 1 August 2022 with the introduction of general and free access to the commercial register for everyone via the internet through DiRUG (Law to Implement the Digitalisation Directive of 5 July 2021, BGBl. I p. 3338) is without merit, as the applicant's data in question has been freely accessible on the internet since its entry and publication in 2012. Traditional access to the commercial register at the registry office was always permitted to everyone without special requirements such as a legitimate interest (see § 9(1) HGB in the version valid until 14 December 2001) or identification of the person taking the insight (cf. BGH, decision of 24 May 2023 - VII ZB 69/21, ZIP 2023, 1640 para. 28 with references). This unrestricted "everyone's right" to inspect was already expanded to automated access with effect from 15 December 2001 (by the law on electronic registers and judicial costs for telecommunications of 10 December 2001, BGBl. I p. 3422 - ERJuKoG) by replacing the previously applicable approval procedure with unrestricted approval subject to prohibition (RegE for ERJuKoG, BT-Drs. 14/6855, p. 18 on the amendment of § 9a HGB old version). Although this automated retrieval was initially still subject to registration and fees, the announcements of register entries, including the entry of the applicant's personal data as a GmbH managing director, were freely accessible to everyone on the internet via the announcement portal since the introduction of the mandatory electronic commercial register on 1 January 2007 (RegE of a law on electronic commercial registers and cooperative registers as well as the company register (EHUG), BT-Drs. 16/960, p. 1, 34). This was already the case
when the applicant was entered and announced in 2012 for several years. The fact that with DiRUG from 1 August 2022, retrieval fees in commercial register matters have generally been abolished (RegE for DiRUG, BT-Drs. 19/28177, p. 2, 4, 93 f., 145) has not extended access to his registered data.
54. (β) The weight of the interference due to the unrestricted internet disclosure of the data is also relativized by ensuring that no targeted search for natural persons is possible, and access to data from the commercial register through the register portal is limited to individual queries (§ 9(1) sentence 1 HGB, § 52 sentence 2 HRV), preventing mass retrievals of register data and their inappropriate processing (Recommendation and Report of the Committee for Law and Consumer Protection on DiRUG, BT-Drs. 19/30523, p. 100).
55. (bbb) Conversely, the objective of data processing, ensuring the security, integrity, and ease of legal transactions in the commercial and corporate sector, would be significantly impaired by either the complete removal of the data from the commercial register or a restriction on access via the internet. Without this data, a sufficiently secured reliable identification of the representative of such a company through the register would no longer be possible, and restricting access to third parties with a legitimate interest would involve additional, often significant, effort, especially in cross-border business transactions.
56. (ccc) Given this, the legislature has found an appropriate compromise between the information interest of legal transactions and the confidentiality interest of the affected persons by limiting the registered and disclosed information to a few personal basic data while observing the principle of data minimization (Article 5(1)(c) GDPR) and ensuring data security (Article 5(1)(f) GDPR). The prescribed register publicity is the "price" to be accepted for access to commercial transactions, particularly in the form of a limited liability company (cf. J. Schmidt, Festschrift Bergmann, 2018, p. 637, 652; see also MünchKommHGB/Fleischer, 5th ed., § 106 para. 20; Haas/Wöstmann in Röhricht/Graf von Westphalen/Haas/Mock/Wöstmann, HGB, 6th ed., § 106 para. 11 [each on § 106(2)(1) HGB]).
57. (ddd) A different assessment does not result even if, as claimed by the applicant, there is a generally increased threat level for the managing director due to the company's object of activity.
58. The applicant's cited concern of being exposed to the risk of kidnapping or robbery due to their professional handling of explosive materials can similarly arise in many other professional activities involving dangerous substances or valuable assets. Allowing exceptions to the processing of basic data of a GmbH managing director based on such a general threat would undermine the public interest function of the commercial register (even with a mere access restriction).
59. It is also not apparent that the unrestricted access to the date of birth and place of residence on the internet would significantly increase a generally existing occupational risk. While it is true that a potentially unlimited number of people could easily obtain this information and electronically research the affected person's private circumstances using the place of residence, the unrestricted accessibility of the date of birth and place of residence in the commercial register has not been exploited in a significant way nor increased the risk for the applicant. The procedural complaint regarding this by the applicant has been reviewed and found not to be substantiated (§ 74(3) sentence 4 FamFG, § 564 ZPO).
60. (eee) The national regulations on data processing in the registration and vehicle registers allowing for exceptions to the unrestricted disclosure of the data in special circumstances in individual cases (§ 51 BMG, § 41(2) StVG) do not argue against the legality of the data processing in question. The Court of Appeal has correctly pointed out that the registration register (§ 3 BMG) and the local and central vehicle registers (§ 33(2) StVG) contain more extensive personal data, especially the address of the registered persons. The interference weight of such a disclosure, particularly of the full address, cannot be compared with the limited disclosure of the managing director's data in the commercial register. This results in a tiered protection concept where the basic data visible in the commercial register allows for further data retrieval from other registers with corresponding additional safeguards.
61. (fff) This balance result is consistent with the jurisprudence of the Court of Justice of the European Union.
62. (α) In balancing the conflicting interests in the case of disclosure of fewer personal data of the representative organ of a capital company, the need to protect third parties' interests against these companies, ensure legal certainty, the integrity of commercial transactions, and the smooth functioning of the internal market generally take precedence over the fundamental rights of the data subject under Articles 7 and 8 of the Charter (ECJ, judgment of 9 March 2017 - C-398/15, ECLI:EU:C:2017:197 = BB 2017, 652 para. 57, 60 - Manni [on the Data Protection Directive]). This does not exclude that there may be special situations where, for overriding, legitimate reasons arising from the specific case, it is exceptionally justified to restrict access to the registered personal data after a sufficiently long period following the dissolution of the company to third parties demonstrating a particular interest in accessing the data. However, apart from the fact that even in such cases complete removal from the register is not considered, the final decision on whether the affected person is granted the right to request such a decision lies with the national legislator (ECJ, judgment of 9 March 2017 - C-398/15, ECLI:EU:C:2017:197 = BB 2017, 652 para. 60 - Manni [with reference to Article 14(1)(a) of the Data Protection Directive]).
63. (β) The applicant's cited decision of the Court of Justice of the European Union of 22 November 2022 on public access to information about the beneficial owners of registered companies or legal entities (ECJ, judgment of 22 November 2022 - C-37/20 and C-601/20, ECLI:EU:C:2022:912 = WM 2023, 63 para. 87- Luxembourg Business Registers) does not lead to a different assessment.
64. The Court's reasoning, which led to the invalidation of the provision in Article 1(15)(c) of the Fifth Anti-Money Laundering Directive (Directive [EU] 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive [EU] 2015/849 on the prevention of the use of the financial system for money laundering or terrorist financing and amending Directives 2009/138/EC and 2013/36/EU [OJ 2018, L 156 p. 43]), which required Member States to ensure that information on beneficial owners is accessible to the public in all cases, are not applicable to the present balance. The Court has clarified that the provisions of the Fifth Anti-Money Laundering Directive on public access to information about beneficial owners of companies and other legal entities differ in both objectives and scope of personal data covered from the obligation to disclose the personal details of a capital company's organ under the Publicity Directive (ECJ, judgment of 22 November 2022 - C-37/20 and C-601/20, ECLI:EU:C:2022:912 = WM 2023, 63 para. 87- Luxembourg Business Registers; J. Schmidt, BB 2023, 1859, 1874; Wachter, GmbHR 2023, 593, 597). The disclosure of the data necessary for identifying the representative organ aims to inform the entire public, while the transparency of beneficial owners intended to prevent money laundering and terrorist financing primarily concerns authorities and certain entities and does not require disclosure to all members of the public in all cases (cf. ECJ, judgment of 22 November 2022 - C-37/20 and C-601/20, ECLI:EU:C:2022:912 = WM 2023, 63 para. 83 - Luxembourg Business Registers). Additionally, the Court's decision involved not just a few basic personal data but information that could create a more comprehensive profile with certain personal identification data, the economic situation of the affected person, and the economic sectors, countries, and specific companies they have invested in (ECJ, judgment of 22 November 2022 - C-37/20 and C-601/20, ECLI:EU:C:2022:912 = WM 2023, 63 para. 41 - Luxembourg Business Registers).
65. (ggg) Whether in special exceptional cases, such as proof of specific threats to life and limb, a different assessment or possibly restrictive interpretation of the legal requirements might be warranted (cf. e.g., MünchKommHGB/Fleischer, 5th ed., § 106 para. 20: exceptionally stating another specific identification feature instead of the place of residence), does not require a decision here.
66. As mentioned above, no indications of a specific threat to the applicant have been established. The fact that, according to the applicant's statement, a blocking notice is entered in the registration register (§ 51 BMG) and a transmission block in the vehicle registers (§ 41(2) StVG) is not sufficient, as these registers contain significantly more extensive data on the applicant, especially their full address, and thus their disclosure would involve an intrusion of different weight or greater risk potential. Contrary to the applicant's representation, the Federal
Administrative Court, in its decision on the imposition of a transmission block under § 41(2) StVG concerning the applicant, did not state that their date of birth and place of residence had to be blocked but referred to the applicant's "holder data, i.e., in particular their name, address, and the license plates assigned to their vehicles" as the source of the danger.
67. (3) A balance in light of the fundamental rights of the Basic Law leads to no different result.
68. The processing of the applicant's date of birth and place of residence by the registry court interferes with the applicant's fundamental right to informational self-determination (Article 2(1) in conjunction with Article 1(1) GG), which also extends to basic data such as date of birth and place of residence (cf. BVerfGE 65, 1, 41 f.; 128, 1, 44; BVerfG, NJW 2008, 1435 para. 18).
69. However, this interference is constitutionally justified (generally on the commercial register: BeckOK HGB/Beurskens, as of 15.4.2023, § 9 para. 7; Schaub in Ebenroth/Boujong, HGB, 4th ed., § 9 para. 2; Staub/Koch/Harnos, HGB, 6th ed., § 9 para. 4; Ries in Röhricht/Graf von Westphalen/Haas/Mock/Wöstmann, HGB, 6th ed., § 9 para. 1; Roth/Stelmaszczyk in Koller/Kindler/Drüen, HGB, 10th ed., § 9 para. 1). The right to informational self-determination is not unrestrictedly guaranteed. The individual must accept restrictions of this right that are in the overriding interest of others or the general public. These restrictions require a constitutional legal basis that must particularly meet the principle of proportionality (BVerfGE 65, 1, 43 f.; 128, 1, 46; BVerfG, NJW 2008, 1435 para. 21).
70. These requirements are met by § 10(1) sentence 1 GmbHG, § 43(4)(1)(b) HRV, and § 9(1), § 10(2) HGB. Reference can be made to the above statements in this regard. Even when applying national assessment standards, these provisions provide a sufficiently precise legal basis, and the resulting restrictions on the applicant's rights are justified by an overriding public interest. No circumstances giving rise to a different assessment are apparent, either generally or specifically in the applicant's case.
71. b) The applicant also has no claim under national law for the removal of the entry of their date of birth and place of residence from their registration as a GmbH managing director in the commercial register.
72. Regardless of whether and to what extent claims from national law could be invoked in the application area of the GDPR, given the objective of the Regulation to achieve a consistent level of data protection (cf. Lüttringhaus in Gebauer/Wiedmann, European Civil Law, 3rd ed., chap. 30 para. 82 ff.; BGH, decision of 26 September 2023 - VI ZR 97/22, WM 2023, 2096), the requirements of the claims considered here, arising from § 1004(1) sentence 2 analogously, § 823(1), § 839 BGB, Article 2(1) GG for removal and/or future cessation (cf. BGH, judgment of 19 May 1981 - VI ZR 273/79, BGHZ 80, 311, 319; judgment of 17 December 1985 - VI ZR 244/84, NJW 1986, 2505, 2506; judgment of 15 September 2015 - VI ZR 175/14, BGHZ 206, 347 para. 17 f., 28; BVerwGE 69, 366, 370; 82, 76, 95; 105, 288) are not met. The data processing in question is, as outlined above, not unlawful but takes place within the scope of constitutionally and EU law-compliant legal obligations of the registry court. This also applies to the application of these obligations in the applicant's case; therefore, a restrictive interpretation of these regulations is not warranted.
73. 2. The Court of Appeal also correctly denied the applicant's alternative claim to restrict the disclosure of their date of birth and place of residence, such that transmission to third parties would only occur after a balance of interests.
74. a) The applicant has no right to restriction of processing under Article 18(1) and (2) or Article 21(1) sentence 2 GDPR.
75. aa) The restriction reasons mentioned in Article 18(1)(a) to (c) GDPR do not apply. The applicant has not disputed the accuracy of the registered data, the processing of the data in question is lawful, and the data is still needed for the purposes of processing by the registry court.
76. bb) The applicant also cannot demand a restriction of processing under Article 18(1)(d) or Article 21(1) sentence 2 GDPR due to their objection, as the conditions for an objection right under Article 21(1) sentence 1 GDPR are not met.
77. A right to object under Article 21(1) sentence 1 GDPR does not exist if the data processing - as here - is necessary to fulfill a legal obligation of the controller pursuant to Article 6(1)(c) GDPR. This also applies if the processing would simultaneously be permitted under Article 6(1)(e) GDPR (LSG Darmstadt, RDV 2020, 95, 96; Gierschmann/Assion/Nolte/Veil, GDPR, Article 6 para. 95; Heberlein in Ehmann/Selmayr, GDPR, 2nd ed., Article 6 para. 23; Herbst in Kühling/Buchner, GDPR/BDSG, 4th ed., Article 21 GDPR para. 12; Herbst in Kühling/Buchner, GDPR/BDSG, 4th ed., § 36 BDSG para. 17; Munz in Taeger/Gabel, GDPR/BDSG/TTDSG, 4th ed., Article 21 GDPR para. 10; Kamann/Braun in Ehmann/Selmayr, GDPR, 2nd ed., Article 21 para. 13; Kremer in Laue/Kremer, The new data protection law in operational practice, 2nd ed., § 4 para. 76; BeckOK IT Law/Steinrötter, as of 1.1.2023, Article 21 GDPR para. 10; Bieresborn, NZS 2018, 10, 13; also Martini in Paal/Pauly, GDPR/BDSG, 3rd ed., Article 21 GDPR para. 28, 45a [exclusion on the level of legal consequences]; cf. also Gierschmann/Veil, GDPR, 1st ed., Article 21 para. 27 f.; Brühann in Grabitz/Hilf, The Law of the European Union, as of May 1999, Article 14 Data Protection Directive [A 30] para. 6 [on Article 14 of the Data Protection Directive]).
78. aaa) Under Article 21(1) sentence 1 GDPR, the data subject has the right to object if the data processing is based on Article 6(1)(e) (in the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or (f) (for the purposes of the legitimate interests pursued by the controller or by a third party). The regulation, according to its wording, applies only in cases of data processing based on Article 6(1)(e) or (f) GDPR. Unlike the provision in Article 14(1)(a) of the Data Protection Directive, which required Member States to recognize the right to object "at least in the cases" referred to in Article 7(e) and (f) of the Directive (corresponding to Article 6(1)(e) and (f) GDPR), the norm does not contain a similar opening for other legal bases of Article 6(1) GDPR. However, the wording does not clearly state that the right to object is limited to cases where the processing is solely justified by Article 6(1)(e) or (f) GDPR (cf. Martini in Paal/Pauly, GDPR/BDSG, 3rd ed., Article 21 GDPR para. 28).
79. bbb) Such a limitation is supported by the systematics of the GDPR.
80. The legal bases of Article 6(1) GDPR are generally independent and equal, meaning each legal basis under Article 6(1) sentence 1 GDPR justifies the processing independently and completely (cf. BeckOK Data Protection Law/Albers/Veit, as of 1.8.2023, Article 6 GDPR para. 24; BeckOK IT Law/Borges/Steinrötter, as of 1.1.2022, Article 6 GDPR para. 6 with references). If data processing is necessary to fulfill a legal obligation under Article 6(1)(c) GDPR, it is not necessary to check
whether it would also be covered by Article 6(1)(e) GDPR (ECJ, judgment of 1 August 2022 - C-184/20, ECLI:EU:C:2022:601 = RIW 2023, 49 para. 71 - Vyriausioji tarnybinės etikos komisija; judgment of 4 July 2023 - C-252/21, ECLI:EU:C:2023:537 = NJW 2023, 2997 = RIW 2023, 516 para. 94 - Meta Platforms). This independent legitimizing effect of the other legal bases would be undermined if the right to object were extended to legal bases not mentioned in Article 21(1) sentence 1 GDPR (cf. Martini in Paal/Pauly, GDPR/BDSG, 3rd ed., Article 21 GDPR para. 45a at the end).
81. This is particularly true for processing based on a legal obligation under Article 6(1)(c) GDPR, as the legislator has made a binding decision on the legality and proportionality of the processing. In contrast, the legal bases under Article 6(1)(e) and (f) GDPR are authorization bases, where the decision on data processing in the specific case is ultimately left to the controller. Allowing a right to object in cases where processing is based on both (c) and (e) would undermine the legislator's decision.
82. ccc) The purpose of Article 21(1) GDPR also supports this interpretation.
83. According to Recital 69 GDPR, the data subject should also be able to object to processing that may be lawful under Article 6(1)(e) or (f) GDPR, allowing for a review and possible correction of the balancing of interests conducted by the controller in their specific case (cf. Herbst in Kühling/Buchner, GDPR/BDSG, 4th ed., Article 21 GDPR para. 15; Gierschmann/Veil, GDPR, Article 21 para. 74). However, this is not applicable if the data processing is necessary to fulfill a legal obligation of the controller, as the legislator has already conducted this balancing for the controller, without allowing for individual case assessments (cf. BeckOK Data Protection Law/Forgó, as of 1.11.2021, Article 21 GDPR para. 16 f.; Gola in Gola/Heckmann, GDPR/BDSG, 3rd ed., § 36 BDSG para. 10). If the controller has doubts about the legality or proportionality of their legal obligation, they must legally challenge it through the appropriate channels, even if these doubts are based on data protection considerations (cf. opinion of the Advocate General of 14 September 2023 - C-115/22, ECLI:EU:C:2023:676, juris para. 135 ff.). Allowing a right to object under Article 21(1) GDPR cannot circumvent or undermine the legislator's balancing, which legitimizes the processing under Article 6(1)(c) GDPR.
84. ddd) Moreover, there would be no grounds arising from the applicant's specific situation under Article 21(1) sentence 1 GDPR to substantiate their objection. Due to the norm structure of Article 21(1) sentence 2 GDPR, which requires a balance, the data subject must present specific facts about their particular situation to justify the exemption from the data collection (Schulz in Gola/Heckmann, GDPR/BDSG, 3rd ed., Article 21 para. 9 f.). This is lacking in this case, as the compelling reasons for the storage and disclosure of the applicant's date of birth and place of residence, based on the particularly protectable information interest of legal and commercial transactions, outweigh the applicant's protectable interests, rights, and freedoms, even considering the general occupational risk asserted by the applicant.
85. b) No claim for the requested restriction of access to the applicant's date of birth and place of residence by means of a balance of interests under national law arises either.
86. The restriction of the right to object in Article 21(1) sentence 1 GDPR to the cases mentioned there of Article 6(1)(e) and (f) GDPR represents a final harmonization. Unlike in Article 14(a) of the Data Protection Directive ("at least in the cases"), Article 21(1) GDPR no longer allows Member States to extend the scope of the right to object beyond the specified cases (cf. Kamann/Braun in Ehmann/Selmayr, GDPR, 2nd ed., Article 21 para. 15). A recourse to national regulations is therefore excluded.
87. Furthermore, the applicant would have no corresponding claim under national law, as the entry and disclosure of their date of birth and place of residence in the unrestrictedly accessible register folder is legally prescribed and, as explained, neither generally nor specifically in the applicant's case, encounter any EU or constitutional law concerns.
88. IV. A request for a preliminary ruling to the Court of Justice of the European Union under Article 267(3) TFEU is not necessary. The application of EU law to the present case does not raise any interpretative questions that are not already clear in themselves or sufficiently clarified by the cited case law of the Court of Justice of the European Union (cf. ECJ, judgment of 6 October 1982 - C-283/81, ECLI:EU:C:1982:335 = NJW 1983, 1257 para. 14, 16, 21 - C.I.L.F.I.T. et al.).
89. This is particularly true for the criteria and standards for interpreting and applying Article 17(3)(b) sentence 1, Article 6(1) sentence 1(c), (3) and Article 21(1) GDPR as well as the Union's fundamental rights. Determining whether data processing is necessary to fulfill a legal obligation under Article 6(1) sentence 1(c) GDPR is primarily a matter for national courts (judgment of 4 July 2023 - C-252/21, ECLI:EU:C:2023:537 = NJW 2023, 2997 = RIW 2023, 516 para. 96 - Meta Platforms). The same applies to balancing the affected rights and interests, considering the circumstances of the individual case (cf. ECJ, judgment of 17 June 2021 - C-597/19, ECLI:EU:C:2021:492 = GRUR 2021, 1067 para. 111 - M.I.C.M.; judgment of 4 July 2023 - C-252/21, ECLI:EU:C:2023:537 = NJW 2023, 2997 = RIW 2023, 516 para. 110 - Meta Platforms; BVerfGE 152, 216 para. 137 ff. - Right to be forgotten II). The interpretation of Article 21(1) sentence 1 GDPR, excluding a right to object when data processing is necessary to fulfill a legal obligation under Article 6(1) sentence 1(c) GDPR, is clearly evident (acte clair, cf. ECJ, judgment of 6 October 1982 - C-283/81, ECLI:EU:C:1982:335 = NJW 1983, 1257 f. - C.I.L.F.I.T.). Moreover, an objection by the applicant under Article 21(1) sentence 2 GDPR would also be unfounded.
90. The legal complaint's questions regarding the limits imposed on Member States by Article 23 GDPR for legislative measures (here § 10a(3) HGB), particularly concerning the necessary safeguards against abuse, when they exclude the right to object for reasons of protecting other important objectives of general public interest, and whether the exclusion of the right to object by legislative measures of Member States is also covered by Article 23 GDPR in cases of threats to the life and limb of the data subject, do not arise.
Born
B. Grüneberg
V. Sander
von Selle
Adams
