CJEU - C-231/22 - Belgian State (Données traitées par un journal officiel)
CJEU - C-231/22 Belgian State (Données traitées par un journal officiel) | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 4(7) GDPR Article 5(2) GDPR Article 17(1) GDPR Article 26(1) GDPR |
Decided: | 11.01.2024 |
Parties: | LM Belgian State (Données traitées par un journal officiel) |
Case Number/Name: | C-231/22 Belgian State (Données traitées par un journal officiel) |
European Case Law Identifier: | ECLI:EU:C:2024:7 |
Reference from: | |
Language: | 24 EU Languages |
Original Source: | Judgement |
Initial Contributor: | sh |
The CJEU clarified that a controller, as defined by Article 4(7) GDPR, can be implicitly determined by national law. Implied controllership under national law also extends to the concept of joint controllers.
English Summary
Facts
The statute of a company was changed by a natural person who was the majority shareholder. As a consequence of the changes, some personal data of him and the other company's partners were wrongly included. Among such data, there were names, monetary amounts and bank account details. As per national law, the new articles were prepared by the notary of the majority shareholder, and sent to the the registry of the court (Companies Court) and then forwarded by the court to the Office of the Moniteur belge for publication.
After the publication, the notary, having realised the mistake, was authorised to request the deletion of the above sensitive data on behalf of the data subject (the majority shareholder) under Article 17 GDPR. The Moniteur Belge refused and the data subject filed a complaint with the Belgian DPA. The Belgian DPA reprimanded the Moniteur Belge and ordered them to comply with the erasure request within 30 days.
The Belgian State appealed this decision to the Brussels Court of Appeal seeking an annulment of the DPA's decision. Specifically, they argued that it was uncertain whether the Moniteur Belge was a controller as per Article 4(7) GDPR. The passage had been processed by several 'successive controllers' (the notary who drew up the extract, the registry of the Court and the Moniteur Belge, who published the extract as it stood due to national law requirements). Moreover, since the parties did not claim joint controllership, it was also uncertain whether the Moniteur Belge was solely responsible for compliance with the GDPR.
With this in mind, the court referred two questions to the CJEU:
1) Does Article 4(7) GDPR mean that a Member State's official journal, responsible for publishing official documents under national law (such as the one in the case), has the status of a data controller?
2) If so, does Article 5(2) GDPR mean that only that journal in question need to comply with the data controller's responsibilities? Or are the responsibilities incumbent cumulatively on each successive controller?
Holding
First, the CJEU held that the journal (the Moniteur belge) was a data controller as defined by Article 4(7) GDPR. Second, unless joint responsibilities arise, they are solely responsible for compliance under the principle of accountability arising out of Article 5(2) GDPR.
On the first question:
Article 4(7) GDPR defines a controller as the: natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. (Underline emphasis added).
As this case involved national law, the Court used the second part of Article 4(7) (underlined) to determine whether the Moniteur belge was a controller. In doing so, it looked at whether Belgian national law determined a controller. Moniteur belge is not explicitly vested by national law with the power to determine the purposes and means of data processing operations. However, the Court determined that national law implicitly did so and that this was sufficient to make the Moniteur belge a controller under Article 4(7) GDPR. The Court justified this broadened scope by stating that definition of controller must be read broadly to determine effective and complete protection of data subjects (see C‑131/12 Google Spain).
To be implicitly a controller under national law, three positive criteria must be fulfilled:
1) There must be no apparent designation of powers under national law. In this case, not only was the Moniteur belge under national legislation not vested with explicit powers to determine the purpose and means of processing, but neither was the public entity in charge of it (FPS Justice).
2) The law must implicitly determine the purpose of the controller's processing. In this case, Moniteur belge's role under national law is to publish the documents as received from the companies court. This publication serves the purpose of informing the public of the existence of those acts as to make them enforceable against third parties.
3) The law must implicitly determine the means of the controller's processing. In this case, Moniteur belge's must publish these cases to the public. The processing is therefore performed by automated means. Both a paper and electronic copy is produced for citizens to access.
The Moniteur belge, therefore, fulfilled the criteria needed to be an implicit controller under Belgian national law. Nonetheless, the court went further to identify two factors that do not exclude an entity from being an implicit controller under national law:
1) The entity in question does not need to have legal personality. This is because the wording of Article 4(7) GDPR makes it clear that a controller can be a natural person as well as a public authority. These do not have legal personalities, meaning that this is not a limiting factor when determining implied controllership.
2) The entity in question does not need to check the data before publishing it. This is because the Moniteur belge, under national law, is confined to the role of publishing the data as it stands.[1] If Article 4(7) would be applied literally, it would contradict its objective and exclude Moniteur belge as a controller simply because it cannot exercise control over the personal data contained in its publications. Ex-post control and discretion over the content of the data is, therefore, not essential for implied controllership.
On the second question:
The Court determined that the Moniteur belge is classified as a controller within the meaning of Article 4(7) GDPR. Article 5(2) limits the principle of accountability to the controller. In this case, the Moniteur belge is solely responsible for compliance with the GDPR as Belgian law has implicitly designated only it as the controller.
The court, however, went further and applied the concepts it developed in the first question to joint controllers. National law can determine/nominate a sole controller under Article 4(7) GDPR. The Court utilised this reasoning to point out that national law can likewise determine a chain of processing operations involving numerous joint controllers. This interpretation is supported by Article 26(1) GDPR which states that joint controllers must arrange their responsibilities unless national law determines this for them. This is also supported by case law C‑683/21 Nacionalinis visuomenės sveikatos centras where the arrangement between various controllers was determined by national law and it was held that joint controllership does not require each responsible entity to have access to the personal data concerned. The combination of Article 4(7) and 26(1), therefore, means that national law can determine joint controllers. Since (as reasoned above) the concept of controllership can be implicitly determined, this also means that national law can also implicitly determine joint controllers. The court noted that when this is the case, Article 5(2) GDPR will apply and make all controllers jointly responsible for compliance with the GDPR.
However, whether joint controllership is implied by national law is for national courts to determine. Therefore, in its answer, the CJEU sent the question back to the referring court. Should they determine that there is no implied joint controllership, the Moniteur belge will be solely responsible for compliance with the GDPR under Article 5(2) GDPR.
Comment
This is a very practical judgement and extends the concept of controllership as need be within the limits of legal certainity to ensure a high level protection of fundamental rights.
There has been some debate (see Peter Craddock) over whether legal bases (Article 6) can therefore, also be implied according to national law. However, there is little indication that this would be the case. The the aim of closing gaps in accountability does not de facto lead to broadening legal grounds for processing activities.
Further Resources
Share blogs or news articles here!
- ↑ This is the case in many civil law countries where laws, company constitutions etc. are often published automatically.