CJEU - C-231/22 - Belgian State (Données traitées par un journal officiel)

From GDPRhub
Revision as of 12:57, 16 January 2024 by SR
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4(7) GDPR
Article 5(2) GDPR
Article 17(1) GDPR
Article 26(1) GDPR
Decided: 11.01.2024
Parties: LM
Belgian State (Données traitées par un journal officiel)
Case Number/Name: C-231/22 Belgian State (Données traitées par un journal officiel)
European Case Law Identifier: ECLI:EU:C:2024:7
Reference from:
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: sh

The CJEU clarified that a controller, as defined by Article 4(7) GDPR, can be determined implicitly from national law.

English Summary

Facts

The statute of a company was changed by a natural person who was the majority shareholder. As a consequence of the changes, some personal data of his and of the company's other partners were wrongly included. Among such data, there were names, monetary amounts and bank account details. As per national law, the new articles were prepared by the notary of the majority shareholder, sent to the registry of the court (Companies Court) and then forwarded by the court to the Office of the Moniteur belge for publication.

After the publication, the notary, having realised the mistake, was authorised to request the deletion of the above sensitive data on behalf of the data subject (the majority shareholder) under Article 17 GDPR. The Moniteur belge refused and the data subject filed a complaint with the Belgian DPA. The Belgian DPA reprimanded the Moniteur belge and ordered them to comply with the erasure request within 30 days.

The Belgian State appealed this decision to the Brussels Court of Appeal, seeking an annulment of the DPA's decision. Specifically, they argued that it was uncertain whether the Moniteur belge was a controller as per Article 4(7) GDPR. The passage had been processed by several 'successive controllers' (the notary who drew up the extract, the registry of the Court and the Moniteur belge, who published the extract as it stood due to national law requirements). Moreover, since the parties did not claim joint controllership, it was uncertain whether the Moniteur belge was solely responsible for compliance with the GDPR.

With this in mind, the court referred two questions to the CJEU:

1) Does Article 4(7) GDPR mean that a Member State's official journal, responsible for publishing official documents under national law (such as the one in the case), has the status of a data controller?

2) If so, does Article 5(2) GDPR mean that only the journal in question needs to comply with the data controller's responsibilities? Or are the responsibilities incumbent cumulatively on each successive controller?

Holding

The CJEU held that the journal (the Moniteur belge) was a data controller as defined by Article 4(7) GDPR and that, unless joint responsibilities arise, they were solely responsible for compliance under the principle of accountability arising out of Article 5(2) GDPR.

On the first question, the Court decided that Belgian national law determined, at least implicitly, the purposes and means of the processing performed by the Moniteur belge, thus making it a controller as per Article 4(7) GDPR. The Court justified its decision by noting that the definition of controller must be read broadly to ensure the effective and complete protection of data subjects. Moreover, excluding the Moniteur belge as a controller would be contrary to previous case law (C‑131/12 Google Spain), which has also followed this broad approach. As Article 4(7) asks whether the entity determines the purposes and means of the processing, the CJEU questioned whether those purposes and means are in this case determined by national law. While the Moniteur belge is not vested by national law with the power to determine the purposes and means of the data processing operations that it performs, the Court, upon hearing orally the duties of the Moniteur belge, determined that national law implicitly gave them the power to determine the purposes and means of processing. This was because, on the facts, the Moniteur belge automatically produces a printed and electronic copy of the data and further provides these to citizens. While it is true that the Moniteur belge must publish the document in question as it stands, it is the Moniteur belge alone that undertakes that task and then disseminates the act or document concerned to the public. The fact that the Moniteur belge cannot amend this content is linked to the purposes and means of processing, which are in this case determined by national law.

On the second question, the Court determined that Article 5(2) GDPR, when read in conjunction with Article 4(7), applies only to the entity classified as the 'controller'. However, should the referring court or national law determine that there is joint responsibility for processing, then Article 5(2) will apply to all the controllers responsible. First, the Court viewed the processing activities of the Moniteur belge to be different from those of the notary and court. The operations performed by the Moniteur belge are entrusted to it by national legislation and involve, inter alia, the digital transformation of the data contained in the acts submitted to it and their publication. The Moniteur belge is solely responsible for compliance because this is what Belgian national law has outlined. As the Court noted, Article 4(7) also permits national law to itself determine those purposes and means and nominate the controller or provide for the specific criteria for its nomination. Second, the concept of joint controllership is extremely broad. Article 26(1) GDPR provides for joint responsibility where two or more controllers jointly determine the purposes and means of the processing of personal data, and the responsibility of joint controllers of personal data does not depend on the existence of an arrangement between the various controllers (C‑683/21 Nacionalinis visuomenės sveikatos centras). A person can have joint responsibility/joint controllership simply by exerting influence over the processing of personal data, for his, her or its own purposes. Moreover, joint responsibility of several actors for the same processing does not require each of them to have access to the personal data concerned. Should national law imply or state joint responsibility, then Article 5(2) will extend to all those jointly responsible controllers, who will all be responsible for compliance with the GDPR.

Comment

This is a very practical judgement and extends the concept of controllership as needed, within the limits of legal certainty, to ensure a high level of protection of fundamental rights.

There has been some debate (see Peter Craddock) over whether legal bases (Article 6) can therefore also be implied according to national law. However, there is little indication that this would be the case. The aim of closing gaps in accountability does not de facto lead to broadening legal grounds for processing activities.
