CJEU - C-231/22 - Belgian State (Données traitées par un journal officiel): Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 67: Line 67:


=== Holding ===
=== Holding ===
The CJEU held that the journal was a data controller under as defined by [[Article 7 GDPR#4|Article]] [[Article 4 GDPR|4(7) GDPR]] and that they were soley responsible for compliance under the principle of accountability arising out of [[Article 5 GDPR|Article 5(2) GDPR,]] unless joint responsibilities arise.
The CJEU held that the journal was a data controller under as defined by [[Article 7 GDPR#4|Article]] [[Article 4 GDPR|4(7) GDPR]] and that, unless joint responsibilities arise, they were soley responsible for compliance under the principle of accountability arising out of [[Article 5 GDPR|Article 5(2) GDPR,.]]  


On the first question the court decided that Belgian national law determined, at least implicitly, the purposes and means of the processing of personal data performed by the Moniteur belge. Thus, making it a controller as per [[Article 4 GDPR|Article 4(7) GDPR.]] The court justified its decision by noting that the definition of controller must be read broadly to determine the effective and complete protection of data subjects. As Article 4(7) asks whether the entitiy determines the purposes and means of the processing, the CJEU questioned  whether those purposes and means are in this case determined by national law. While the Moniteur belge is not vested by national law with the power to determine the purposes and means of the data processing operations that it performs, the court upon hearing orally the duties of the Moniteur belge determined that national law ''implicitly'' gave the Moniteur belge the power to determine the purposes and means of processing.     
On the first question the court decided that Belgian national law determined, at least implicitly, the purposes and means of the processing of personal data performed by the Moniteur belge. Thus, making it a controller as per [[Article 4 GDPR|Article 4(7) GDPR.]] The court justified its decision by noting that the definition of controller must be read broadly to determine the effective and complete protection of data subjects. As Article 4(7) asks whether the entitiy determines the purposes and means of the processing, the CJEU questioned  whether those purposes and means are in this case determined by national law. While the Moniteur belge is not vested by national law with the power to determine the purposes and means of the data processing operations that it performs, the court upon hearing orally the duties of the Moniteur belge determined that national law ''implicitly'' gave the Moniteur belge the power to determine the purposes and means of processing.     
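Review bot: the revised Holding sentence moves "unless joint responsibilities arise" forward but still carries the errors of the previous revision and adds a new one. It keeps "under as defined by" and the misspelling "soley", and it now ends with ",." inside the link text followed by trailing spaces. The first link also targets [[Article 7 GDPR#4|Article]] although the sentence cites Article 4(7). Suggest "was a data controller as defined by [[Article 4 GDPR|Article 4(7) GDPR]]", "solely responsible", and closing with "[[Article 5 GDPR|Article 5(2) GDPR]]." so that the punctuation sits outside the link.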

Revision as of 15:44, 15 January 2024

CJEU - C-231/22 Belgian State (Données traitées par un journal officiel)
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4(2) GDPR
Article 4(7) GDPR
Article 17(1) GDPR
Decided: 11.01.2024
Parties: LM
Belgian State (Données traitées par un journal officiel)
Case Number/Name: C-231/22 Belgian State (Données traitées par un journal officiel)
European Case Law Identifier: ECLI:EU:C:2024:7
Reference from:
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: sh

The CJEU clarified that a controller, as defined by Article 4(7) GDPR, can be determined not just explicitly but also implicitly from national law.

English Summary

Facts

The articles of association of a company were changed by a natural person who was the majority shareholder. The new articles mistakenly included the names of two partners of the company along with the name of the majority shareholder, the money they received from changing the articles and their bank account details.

As per national law, the new articles were prepared by the notary of the majority shareholder, sent to the registry of the court (Companies Court) and then forwarded by the court to the Office of the Moniteur belge for publication.

The notary, upon realising the mistake, requested the deletion of the above sensitive paragraphs, invoking the majority shareholder's (whom the notary represented) right to erasure under Article 17 GDPR. The Moniteur Belge refused, motivating the majority shareholder to file a complaint with the Belgian DPA. The Belgian DPA reprimanded the Moniteur Belge and ordered them to comply with the erasure request within 30 days.

The Belgian State appealed this decision to the Brussels Court of Appeal, seeking an annulment of the DPA's decision. Specifically, they argued that it was uncertain whether the Moniteur Belge was a controller as per Article 4(7) GDPR, given that the passage had been processed by several 'successive controllers' (the notary who drew up the extract, the registry of the court and the Moniteur Belge, who published the extract as it stood due to national law requirements). Moreover, since the parties did not claim joint controllership, the question arose whether the Moniteur Belge was therefore solely responsible for compliance with the GDPR.

With this in mind, the court referred two questions to the CJEU:

1) Does Article 4(7) GDPR mean that a Member State's official journal responsible for publishing official documents under national law (such as the one in the case) has the status of data controller?

2) If so, does Article 5(2) GDPR mean that only the journal in question needs to comply with the data controller's responsibilities? Or are the responsibilities incumbent cumulatively on each successive controller?

Holding

The CJEU held that the journal was a data controller as defined by Article 4(7) GDPR and that, unless joint responsibilities arise, they were solely responsible for compliance under the principle of accountability arising out of Article 5(2) GDPR.

On the first question the court decided that Belgian national law determined, at least implicitly, the purposes and means of the processing of personal data performed by the Moniteur belge, thus making it a controller as per Article 4(7) GDPR. The court justified its decision by noting that the definition of controller must be read broadly to ensure the effective and complete protection of data subjects. As Article 4(7) asks whether the entity determines the purposes and means of the processing, the CJEU questioned whether those purposes and means are in this case determined by national law. While the Moniteur belge is not vested by national law with the power to determine the purposes and means of the data processing operations that it performs, the court, upon hearing orally the duties of the Moniteur belge, determined that national law implicitly gave the Moniteur belge the power to determine the purposes and means of processing.

On the second question the court

Comment

This is a very practical judgement
