Choose the experimental features you want to try

This document is an excerpt from the EUR-Lex website

Document 62020CC0037

Opinion of Advocate General Pitruzzella delivered on 20 January 2022.
WM and Sovim SA v Luxembourg Business Registers.
Requests for a preliminary ruling from the Tribunal d'arrondissement de Luxembourg.
Reference for a preliminary ruling – Prevention of the use of the financial system for the purposes of money laundering or terrorist financing – Directive (EU) 2018/843 amending Directive (EU) 2015/849 – Amendment to Article 30(5), first subparagraph, point (c), of Directive 2015/849 – Access for any member of the general public to the information on beneficial ownership – Validity – Articles 7 and 8 of the Charter of Fundamental Rights of the European Union – Respect for private and family life – Protection of personal data.
Joined Cases C-37/20 and C-601/20.

Court reports – general – 'Information on unpublished decisions' section

ECLI identifier: ECLI:EU:C:2022:43

 OPINION OF ADVOCATE GENERAL

PITRUZZELLA

delivered on 20 January 2022 ( 1 )

Joined Cases C‑37/20 and C‑601/20

WM (C‑37/20)

Sovim SA (C‑601/20)

v

Luxembourg Business Registers

(Requests for a preliminary ruling from the tribunal d’arrondissement de Luxembourg (Luxembourg District Court, Luxembourg))

(Reference for a preliminary ruling – Prevention of the use of the financial system for the purposes of money laundering and terrorist financing – Directive (EU) 2015/849 – Article 30(5) and (9) – Registers of beneficial ownership – Directive (EU) 2018/843 – Article 1(15)(c) and (g) – Access for any member of the general public to the information on beneficial owners – Validity – Charter of Fundamental Rights of the European Union – Articles 7 and 8 – Principle of transparency – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 5(1)(a) to (c) and (f) – Exemptions from access to the register of beneficial ownership – Conditions – Concepts of ‘exceptional circumstances’, ‘risk’ and ‘disproportionate risk’ – Proof)

1.

What is a fair balance between, on the one hand, the need for transparency in the beneficial ownership and control structures of companies, which is a key factor in the prevention of money laundering and terrorist financing, and, on the other hand, observance of the fundamental rights of the data subjects, which is to say the beneficial owners and, in particular, their rights to respect for privacy and the protection of personal data?

2.

That is, in essence, the fundamental question before the Court in the two cases addressed in this Opinion, which arise from two requests for a preliminary ruling from the Tribunal d’arrondissement du Luxembourg (Luxembourg District Court, Luxembourg).

3.

Those two requests concern the validity and interpretation of Article 30(5) and (9) of Directive (EU) 2015/849, ( 2 ) as amended by Directive (EU) 2018/843 (‘Directive 2015/849). ( 3 ) The directive introduced a regime of public access to the registers of the beneficial owners of corporate and other legal entities established in the Member States which, in principle, allows any member of the general public access to some of the beneficial ownership information contained in those registers, without it being necessary to demonstrate any interest of any kind.

4.

The referring court questions the validity of that regime in the light of the fundamental rights to respect for private and family life and the protection of personal data, enshrined in Articles 7 and 8 respectively of the Charter of Fundamental Rights of the European Union (‘the Charter’). It also questions the validity and scope of the system of exemptions from such public access put in place by that directive.

5.

In this context, the Court is also called upon to express a position on the relationship between this public access regime and various provisions of Regulation (EU) 2016/679. ( 4 )

I. Legal framework

A. European Union law

1.   Directives 2015/849 and 2018/843

6.

According to recital 2 of Directive 2015/849, ‘the soundness, integrity and stability of credit institutions and financial institutions, and confidence in the financial system as a whole could be seriously jeopardised by the efforts of criminals and their associates to disguise the origin of criminal proceeds or to channel lawful or illicit money for terrorist purposes.’ It is therefore necessary, according to recital 12 of that directive, ‘to identify any natural person who exercises ownership or control over a legal entity’.

7.

According to recital 14 of Directive 2015/849, ‘the need for accurate and up-to-date information on the beneficial owner is a key factor in tracing criminals who might otherwise hide their identity behind a corporate structure. Member States should therefore ensure that entities incorporated within their territory in accordance with national law obtain and hold adequate, accurate and current information on their beneficial ownership, in addition to basic information such as the company name and address and proof of incorporation and legal ownership. With a view to enhancing transparency in order to combat the misuse of legal entities, Member States should ensure that beneficial ownership information is stored in a central register located outside the company, in full compliance with Union law …’

8.

In that context, Article 3(6) of Directive 2015/849 defines the concept of ‘beneficial owner’, for the purposes of that directive, as ‘any natural person(s) who ultimately owns or controls the customer and/or the natural person(s) on whose behalf a transaction or activity is being conducted and includes at least:

(a)

in the case of corporate entities:

(i)

the natural person(s) who ultimately owns or controls a legal entity through direct or indirect ownership of a sufficient percentage of the shares or voting rights or ownership interest in that entity …’. ( 5 )

9.

Under Article 30 of Directive 2015/849: ( 6 )

‘1.   Member States shall ensure that corporate and other legal entities incorporated within their territory are required to obtain and hold adequate, accurate and current information on their beneficial ownership, including the details of the beneficial interests held. Member States shall ensure that breaches of this article are subject to effective, proportionate and dissuasive measures or sanctions.

3.   Member States shall ensure that the information referred to in paragraph 1 is held in a central register in each Member State …

4.   Member States shall require that the information held in the central register referred to in paragraph 3 is adequate, accurate and current, and shall put in place mechanisms to this effect. …

5.   Member States shall ensure that the information on the beneficial ownership is accessible in all cases to:

(a)

competent authorities and [financial intelligence units (FIUs)], without any restriction;

(b)

obliged entities, within the framework of customer due diligence in accordance with Chapter II;

(c)

any member of the general public.

The persons referred to in point (c) shall be permitted to access at least the name, the month and year of birth and the country of residence and nationality of the beneficial owner as well as the nature and extent of the beneficial interest held.

Member States may, under conditions to be determined in national law, provide for access to additional information enabling the identification of the beneficial owner. That additional information shall include at least the date of birth or contact details in accordance with data protection rules.

5a.   Member States may choose to make the information held in their national registers referred to in paragraph 3 available on the condition of online registration and the payment of a fee, which shall not exceed the administrative costs of making the information available, including costs of maintenance and developments of the register.

9.   In exceptional circumstances to be laid down in national law, where the access referred to in points (b) and (c) of the first subparagraph of paragraph 5 would expose the beneficial owner to disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation, or where the beneficial owner is a minor or otherwise legally incapable, Member States may provide for an exemption from such access to all or part of the information on the beneficial ownership on a case-by-case basis. Member States shall ensure that these exemptions are granted upon a detailed evaluation of the exceptional nature of the circumstances. Rights to an administrative review of the exemption decision and to an effective judicial remedy shall be guaranteed. A Member State that has granted exemptions shall publish annual statistical data on the number of exemptions granted and reasons stated and report the data to the [European] Commission.

Exemptions granted pursuant to the first subparagraph of this paragraph shall not apply to credit institutions and financial institutions, or to the obliged entities referred to in point (3)(b) of Article 2(1) that are public officials.

…’

10.

Article 41(1) of Directive 2015/849 ( 7 ) provides that ‘the processing of personal data under this directive is subject to [the GDPR]’.

11.

Article 43(1) of Directive 2015/849 provides that ‘the processing of personal data on the basis of this directive for the purposes of the prevention of money laundering and terrorist financing as referred to in Article 1 shall be considered to be a matter of public interest under [the GDPR]’.

2.   The GDPR

12.

Article 5 of the GDPR, entitled ‘Principles relating to processing of personal data’, provides, in paragraph 1 thereof:

‘Personal data shall be:

(a)

processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

(b)

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; … (“purpose limitation”);

(c)

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);

(f)

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”)’.

13.

Article 25 of the GDPR, entitled ‘Data protection by design and by default’ provides, in paragraph 2 thereof:

‘The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.’

14.

The GDPR includes a Chapter V, headed ‘Transfers of personal data to third countries or international organisations’, which contains Articles 44 to 50 of that regulation. Article 44, entitled ‘General principle for transfers’, reads:

‘Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this regulation is not undermined.’

15.

Article 49 of that regulation, entitled ‘Derogations for specific situations’, provides:

‘1.   In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

(g)

the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

…’

B. Luxembourg law

16.

The Loi du 13 janvier 2019 instituant un Registre des bénéficiaires effectifs (Mémorial A No 15 of 2019) (Law of 13 January 2019 establishing a Register of Beneficial Ownership; ‘the Law of 13 January 2019’) provides, in Article 3 thereof, that a whole series of information on the beneficial owners of registered entities must be recorded and kept in the Register of Beneficial Ownership. This information includes the surname, forename(s), nationality or nationalities, the day, month and year of birth, the place of birth, the country of residence and the exact private or business address of the beneficial owner.

17.

Article 15 of the Law of 13 January 2019 provides:

‘1.   A registered entity or a beneficial owner may request, on a case-by-case basis and in the following exceptional circumstances, by way of a duly reasoned application addressed to the Administrator, that access to the information listed in Article 3 be restricted to national authorities, credit institutions, financial institutions, bailiffs and notaries acting in their capacity as public officers, where access to that information would expose the beneficial owner to disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation, or where the beneficial owner is a minor or otherwise legally incapable.

2.   The Administrator shall provisionally restrict access to the information listed in Article 3 to national authorities upon receipt of the application and until notification of its decision and, in the event that the application is refused, for an additional period of fifteen days. Where an appeal is lodged against a refusal decision, the restriction of access to the information shall be maintained until such time as the refusal decision is no longer amenable to appeal.

…’

II. The facts underlying the disputes, the main proceedings and the questions referred for a preliminary ruling

A. Case C‑37/20

18.

WM is the beneficial owner of a total of 35 commercial companies and of the real estate company YO. Each of those companies lodged with Luxembourg Business Registers (‘LBR’), the Administrator of Luxembourg’s Register of Beneficial Ownership, an application pursuant to Article 15(1) of the Law of 13 January 2019 requesting that access to the information concerning WM in his capacity as beneficial owner of those companies be restricted to the institutions and authorities mentioned in that provision, to the exclusion of all others. In those applications, WM argued that disclosure of the information listed in Article 3 of the Law of 13 January 2019 would seriously, actually and immediately expose him and his family to disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation.

19.

LBR rejected all of those applications. In particular, the application concerning the real estate company YO was rejected by decision of 20 November 2019.

20.

WM brought a legal action challenging that decision before the referring court. ( 8 ) WM maintains that his position as executive officer of the companies in respect of which the restriction of access to the information was requested requires him frequently to travel to countries whose political regime is unstable and where there is a high level of crime. That creates a significant risk of his being kidnapped, abducted, subjected to violence or even killed. That risk would be even greater if individuals with criminal intent were able to find out that he is the beneficial owner of one or other of the legal entities in question, since that status would lead to the assumption that he owns those entities.

21.

LBR, on the other hand, maintains that WM’s situation does not meet the requirements under the Law of 13 January 2019 which would justify the restriction of access to the information on his status as beneficial owner of the companies in question. LBR argues, in particular, that WM’s involvement in the activities of those companies is a matter of public knowledge, having been referred to many times in the press and being easy to ascertain by means of a simple Internet search.

22.

The referring court is called upon to judge whether WM fulfils the conditions laid down in Article 15(1) of the Law of 13 January 2019 in order for access to information on his status as beneficial owner of the real estate company YO to be restricted. It notes that that provision transposes Article 30(9) of Directive 2015/849 into Luxembourg law, and it entertains doubts concerning the interpretation of that provision of the directive.

23.

Those doubts concern the concepts of ‘exceptional circumstances’ and ‘risk’ referred to in Article 30(9) of Directive 2015/849. The referring court is also uncertain about the criterion of the ‘disproportionality’ of the risk justifying the restriction of access to the information.

24.

In that context, the Tribunal d’arrondissement du Luxembourg (Luxembourg District Court, Luxembourg) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)

The concept of “exceptional circumstances”

(a)

Is Article 30(9) of [Directive 2015/849], in so far as it makes the restriction of access to information concerning beneficial owners conditional upon “exceptional circumstances to be laid down in national law”, to be interpreted as allowing national law to define the concept of “exceptional circumstances” simply as being equivalent to “disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation”, concepts which already constitute a condition for applying the restriction of access in accordance with the wording of [Article 30(a) of Directive 2015/849]?

(b)

In the event that Question 1(a) is answered in the negative, and in the situation where the transposing national law has not defined the concept of “exceptional circumstances” other than by a reference to the ineffective concepts of “disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation”, is Article 30(9) [of Directive 2015/849] to be interpreted as allowing a national court to disregard the condition of “exceptional circumstances”, or must it make good the national legislature’s omission by using its own authority to determine the scope of the concept of “exceptional circumstances”? In the latter case, since, according to the wording of Article 30(9) [of that directive], that is a condition whose content is to be determined by national law, is it possible for the Court … to give guidance to the national court for that purpose? In the event that that last question is answered in the affirmative, what guidelines should the national court follow in determining the content of the concept of “exceptional circumstances”?

(2)

The concept of “risk”

(a)

Is Article 30(9) of [Directive 2015/849], in so far as it makes the restriction of access to information concerning beneficial owners conditional upon “disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation”, to be interpreted as referring to a group of eight cases, the first of which corresponds to a general risk subject to the disproportionality requirement, while the other seven correspond to specific risks not subject to the disproportionality requirement, or as referring to a group of seven cases, each of which corresponds to a specific risk subject to the disproportionality requirement?

(b)

Is Article 30(9) of [Directive 2015/849], in so far as it makes the restriction of access to information concerning beneficial owners conditional upon a “risk”, to be interpreted as confining the assessment of the existence and extent of that risk solely to the relationships which the beneficial owner has with the legal entity with regard to which he or she specifically seeks to have access to information concerning his or her status as beneficial owner restricted or as also requiring account to be taken of the relationships which the beneficial owner concerned has with other legal entities? If account must be taken of relationships with other legal entities, must account be taken only of the status of beneficial owner in relation to other legal entities or must account also be taken of any relationship whatsoever with other legal entities? If account must be taken of any relationship whatsoever with other legal entities, is the assessment of the existence and extent of the risk affected by the nature of that relationship?

(c)

Is Article 30(9) of [Directive 2015/849], in so far as it makes the restriction of access to information concerning beneficial owners conditional upon a “risk”, to be interpreted as meaning that the protection resulting from restriction of access is not afforded where that information, or any other information provided by the beneficial owner to demonstrate the existence and extent of the “risk” faced, is easily available to third parties through other information channels?

(3)

The concept of “disproportionate risk”

What competing interests must be taken into consideration in the context of applying Article 30(9) of [Directive 2015/849] in so far as it makes the restriction of access to information concerning a beneficial owner conditional upon a “disproportionate” risk?’

B. Case C‑601/20

25.

Sovim SA is a limited liability company established and having its registered office in Luxembourg.

26.

On 12 August 2019, Sovim lodged an application under Article 15 of the Law of 13 January 2019 with LBR, seeking to restrict access to the information concerning its beneficial owner contained in the register.

27.

On 6 February 2020, LBR rejected that application.

28.

On 24 February 2020, Sovim brought an action before the Tribunal d’arrondissement de Luxembourg (Luxembourg District Court, Luxembourg), seeking, principally, a declaration that Article 12 of the Law of 13 January 2019, pursuant to which access to certain information contained in the Register of Beneficial Ownership is open to any person, and/or Article 15 of that law are inapplicable, and an order for the information provided by Sovim pursuant to Article 3 of the Law not to be made publicly accessible.

29.

Sovim claims, in the first place, that granting public access to the identity and personal data of the beneficial owner would infringe the right to respect for private and family life and the right to the protection of personal data, enshrined respectively in Articles 7 and 8 of the Charter. In the company’s view, the aim pursued by Directive 2015/849, on the basis of which the Law of 13 January 2019 was enacted, consists in the identification of the beneficial owners of companies used for the purposes of money laundering or terrorist financing, as well as ensuring certainty in commercial relationships and market confidence. However, it has not been shown how granting the public entirely unrestricted access to the data held in the Register of Beneficial Ownership enables those objectives to be attained. In the second place, Sovim claims that public access to the personal data held in the Register of Beneficial Ownership constitutes an infringement of several provisions of the GDPR.

30.

In the alternative, Sovim claims that the referring court should hold that there is a disproportionate risk in the present case, within the meaning of Article 15(1) of the Law of 13 January 2019, and accordingly make an order requiring LBR to limit access to the information referred to in Article 3 of that law. It submits in this connection that its beneficial owner would be subject to a significant, real and present disproportionate risk, as there would be a risk that he and his family would be kidnapped while travelling or staying in Africa.

31.

In that context, according to the referring court, the question arises of whether access by the general public to some of the data contained in the Register of Beneficial Ownership is compatible with the Charter and with the GDPR.

32.

In those circumstances the tribunal d’arrondissement de Luxembourg (Luxembourg District Court, Luxembourg) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)

Is Article 1(15)(c) of [Directive 2018/843], in so far as it requires Member States to make information on beneficial owners accessible to the general public in all cases, with no requirement for a legitimate interest to be shown, a valid provision

(a)

in the light of the right to respect for private and family life guaranteed in Article 7 of the [Charter], interpreted in accordance with Article 8 of the [European Convention on Human Rights and Fundamental Freedoms, signed at Rome on 4 November 1950, ‘the ECHR’], having regard to the objectives stated, inter alia, in recitals 30 and 31 of Directive 2018/843 relating, in particular, to efforts to combat money laundering and terrorist financing, and

(b)

in the light of the right to the protection of personal data guaranteed by Article 8 of the Charter, in so far as it is intended, inter alia, to guarantee that personal data are processed lawfully, fairly and in a transparent manner in relation to the data subject, that the purposes for which such data are collected and processed are limited, and that the data are minimised?

(2)

(a)

Is Article 1(15)(g) of Directive 2018/843 to be interpreted as meaning that the exceptional circumstances to which it refers – in which Member States may provide for exemptions from access to all or part of the information on beneficial owners, where access on the part of the general public would expose the beneficial owner to disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation – may be found only where it is demonstrated that there is a disproportionate risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation which is exceptional, which is actually borne by the beneficial owner as an individual, and which is significant, real and present?

(b)

If that question is answered in the affirmative, is Article 1(15)(g) of Directive 2018/843, thus interpreted, a valid provision in the light of the right to respect for private and family life guaranteed by Article 7 of the Charter and the right to the protection of personal data guaranteed by Article 8 of the Charter?

(3)

(a)

Is Article 5(1)(a) of [the GDPR], which requires data to be processed lawfully, fairly and in a transparent manner in relation to the data subject, to be interpreted as not precluding

that the personal data of a beneficial owner, recorded in a register of beneficial ownership, established in accordance with Article 30 of Directive 2015/849, are accessible to the general public, with no monitoring of access and no requirement for any member of the public to provide justification, and without the data subject (the beneficial owner) having any way of discovering who has accessed his or her personal data, or

that the data controller responsible for such a register of beneficial ownership provides access to the personal data of beneficial owners to an unlimited and indeterminable number of persons?

(b)

Is Article 5(1)(b) of [the GDPR], which requires the purposes of data processing to be limited, to be interpreted as not precluding that the personal data of a beneficial owner, recorded in a register of beneficial ownership established in accordance with Article 30 of Directive 2015/849, are accessible to the general public, in circumstances where the data controller cannot guarantee that those data will be used only for the purpose for which they were collected, which is, in essence, the combating of money laundering and terrorist financing – a purpose in relation to which the general public is not the body responsible for compliance?

(c)

Is Article 5(1)(c) of [the GDPR], which requires data to be minimised, to be interpreted as not precluding the general public from having access, through a register of beneficial ownership established in accordance with Article 30 of Directive 2015/849, to data indicating, in addition to the beneficial owner’s name, month and year of birth, nationality and country of residence, as well as the nature and extent of his or her beneficial interests, also his or her date and place of birth?

(d)

Does Article 5(1)(f) of [the GDPR], which requires data to be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and thus guarantees the integrity and confidentiality of such data, not preclude the provision of access to the personal data of beneficial owners held in a register of beneficial ownership, established in accordance with Article 30 of Directive 2015/849, on an unlimited and unconditional basis and with no undertaking to preserve the confidentiality of those data?

(e)

Is Article 25(2) of [the GDPR], which guarantees data protection by default, providing in particular that, by default, personal data must not made accessible without the individual’s intervention to an indefinite number of natural persons, to be interpreted as not precluding

that a register of beneficial ownership, established in accordance with Article 30 of Directive 2015/849, does not require members of the general public consulting the personal data of a beneficial owner on its website to create an account, or

that no information concerning the consultation of the personal data of a beneficial owner contained in such a register is disclosed to that beneficial owner, or

that no restriction on the extent and accessibility of the personal data at issue is applicable in the light of the purpose of their processing?

(f)

Are Articles 44 to 50 of [the GDPR], under which the transfer of personal data to a third country is subject to strict conditions, to be interpreted as not precluding that the personal data of a beneficial owner, contained in a register of beneficial ownership established in accordance with Article 30 of Directive 2015/849, are accessible in any circumstances to any member of the general public, with no requirement to demonstrate a legitimate interest and no limitations as to the location of that public?’

III. Analysis

33.

The six questions referred by the national court in its two requests for a preliminary ruling may effectively be reorganised into three groups.

34.

A first group of questions (namely, the first question and part (b) of the second question in Case C‑601/20) is directed at verifying the validity – in the light of the rights to respect for private and family life and to the protection of personal data, guaranteed by Articles 7 and 8 of the Charter – of the regime of public access to information on beneficial owners and its system of exemptions, established by Article 30(5)(c) and Article 30(9) of Directive 2015/849.

35.

A second group of questions (the third question in Case C‑601/20), is aimed at establishing whether the regime of public access to information on beneficial owners is compatible with certain provisions of the GDPR.

36.

A third group of questions (all the questions referred in Case C‑37/20 and part (a) of the second question referred in Case C‑601/20) concerns the interpretation of Article 30(9) of Directive 2015/849, which concerns the system of exemptions from the regime of public access to the information on beneficial ownership.

37.

Before addressing these questions, I think it appropriate to make one or two preliminary observations. First, I shall make some general remarks about the principle of transparency in EU law, which is a key element in the present cases. Secondly, I shall set out the principal characteristics of the regime of public access to the information on the beneficial owners of corporate and other legal entities established by Directive 2015/849. Thirdly, I shall make some observations about the relationship between Directive 2015/849 and the GDPR.

A. Preliminary observations

1.   The principle of transparency

38.

Democracy is ‘the public governance of public powers’. That definition, offered by the authoritative political philosopher Norberto Bobbio, ( 9 ) highlights the inter-relationship between democracy and transparency. In the constitutional traditions of the Member States, the idea has progressively taken hold that the activities of the public authorities must be governed by transparency, and that any limitation of that transparency must be absolutely exceptional (a ‘glasshouse’ government).

39.

In contraposition to this transparency in public authority is the confidential nature of the private sphere, which is protected by the recognition of the fundamental right to the confidentiality of private life, now enshrined in Article 7 of the Charter. That right, particularly with the rise of digital technology, has extended to include the right to the protection of personal data, also enshrined by the Charter, in Article 8. This dichotomy between public and private is reflected in the dichotomy between the transparency and the confidentiality of private life.

40.

In today’s complex societies, however, the boundary between the public sphere and the private is not always clear. More and more frequently in fact there is interference between, and overlapping of the two. In particular, certain private conduct may, by its nature, have significant repercussions in the public dimension. Or, because of the public position occupied by the person in question, certain private conduct may be relevant to the public in a democratic society and to its institutions (the media, political parties, civil society organisations) which oversee the activities of the public authorities.

41.

Thus, for reasons objective or subjective, there may be a general interest in being informed about certain aspects of an individual’s private life. Consequently, instances where the confidentiality of private life and the protection of personal data come into conflict with the need for transparency are becoming more numerous. This calls for a sensitive weighing of the interests at play.

42.

It must be borne in mind in this connection that the principle of transparency plays an increasingly important role in EU law and is now enshrined in primary law, being stated in Articles 1 and 10 TEU and Article 15 TFEU. ( 10 ) Under EU law, this principle takes specific form first of all in the requirement for institutional and procedural openness with regard to activities of a public nature, such as the legislative process and administrative activities. From that perspective, openness contributes to strengthening the principles of democracy and respect for fundamental rights as laid down in Article 6 TEU and in the Charter. ( 11 ) The Court itself has acknowledged the connection between transparency and democracy, describing in its case-law the purpose of the principle of transparency as being to give citizens the widest possible access to information, with a view to reinforcing the democratic character of the institutions and the administration. ( 12 )

43.

However, the extension of the scope of the principle of transparency, in particular following the entry into force of the Treaty of Lisbon, ( 13 ) increased its importance in areas, such as the regulation of the financial markets, in which this principle assists in combating certain phenomena, such as corruption and terrorism, which can corrode democracy and so imperil that founding value of the European Union, enshrined in Article 2 TEU.

44.

The Court’s case-law also offers examples of situations where there has been interference between the two dichotomies I have mentioned, that between the public sphere and the private sphere and that between transparency and the confidentiality of private life.

45.

Thus, in its judgment of 9 November 2010, Volker und Markus Schecke and Eifert (C‑92/09 and C‑93/09, EU:C:2010:662), the Court held that the publication on the Internet of data by name relating to the beneficiaries of agricultural aid and the precise amounts of aid they received was liable to increase transparency with respect to the use of the aid in question. It stated that such information made available to citizens reinforced public control of the use to which the allotted money was put and contributed to the best use of public funds. ( 14 )

46.

Another recent judgment, delivered by the Grand Chamber of the Court, ( 15 ) concerned a Hungarian law which, inter alia, imposed on certain categories of civil society organisations receiving support from abroad public disclosure obligations regarding information on the persons providing the support from abroad and on that financial support. In its judgment, the Court held that the law in question introduced discriminatory and unjustified restrictions and infringed Article 63 TFEU and Articles 7, 8 and 12 of the Charter.

47.

In that context, the Court expressly acknowledged that, since some civil society organisations could, given the aims which they pursued and the means at their disposal, have a significant influence on public life and public debate, then the objective consisting in increasing transparency in respect of the financial support granted to such organisations could constitute an overriding reason in the public interest. ( 16 )

48.

As the examples I have given show, transparency, a characteristic of the public sector, can in some circumstances apply to certain activities – and to the associated data – of private individuals who, for one reason or another, impinge upon fundamental interests of the community. This is not a surprising development, if one considers that transparency is a ‘means’ that is employed beyond the perimeter of public authority in order to attain objectives of general interest. The constitutional issue which arises in the present cases concerns the manner in which the requirements of transparency can be reconciled with the protection of fundamental rights and, specifically, the right to the protection of privacy and the right to the protection of personal data.

2.   The regime of public access to information on the beneficial owners of corporate and other legal entities, established by Directive 2015/849

49.

It is appropriate to outline the main elements of the regime of public access to information on the beneficial owners of corporate and other legal entities that is the subject of the questions referred for a preliminary ruling in the present cases.

50.

As is clear from Article 1 and recital 5 thereof, Directive 2015/849 is aimed at averting threats to the integrity, proper functioning, reputation and stability of the financial system resulting from the use of that system for the purposes of money laundering and terrorist financing. ( 17 ) To that end, the directive sets out an efficient and comprehensive legal framework for addressing the collection of money or property for terrorist purposes by requiring Member States to identify, understand and mitigate the risks related to money laundering and terrorist financing. ( 18 )

51.

In that context, the need for accurate and up-to-date information on the beneficial owners of corporate and other legal entities established in the Member States – as defined in Article 3(6) of Directive 2015/849 – is a key factor in tracing criminals who might otherwise hide their identity behind a corporate structure. ( 19 )

52.

In accordance with Article 3(6) of Directive 2015/849, a beneficial owner is any natural person who ultimately owns or controls the customer and/or the natural person on whose behalf a transaction or activity is being conducted.

53.

Article 30(1) and (3) of Directive 2015/849 require the Member States to ensure that corporate and other legal entities incorporated within their territory ( 20 ) are required to obtain and hold adequate, accurate and current information on their beneficial ownership and that such information is held in a central register in each Member State. Those provisions do not specify exactly what beneficial ownership information must be sent to the central register, leaving that to each Member State to decide.

54.

In so far as access to that information is concerned, Article 30(5) of Directive 2015/849, in its original version, provided that the Member States must ensure that information on beneficial ownership is accessible in all cases to competent authorities and financial intelligence units, without any restriction (point (a)), to obliged entities, within the framework of customer due diligence (point (b)), and to any person or organisation that can demonstrate a legitimate interest (point (c)).

55.

It is apparent from recital 2 of Directive 2018/843 that, in light of ‘emerging new trends, in particular regarding the way terrorist groups finance and conduct their operations’, it was judged necessary to take ‘further measures … to ensure the increased transparency of financial transactions, of corporate and other legal entities’. As recital 5 of Directive 2018/843 states, those further measures, amending Directive 2015/849, should nevertheless be adopted ‘having due regard to the fundamental right to the protection of personal data, as well as the observance and application of the proportionality principle’.

56.

Thus, with a view to fostering a greater degree of transparency with regard to beneficial ownership, the original version of Article 30(5)(c) of Directive 2015/849 was amended by Directive 2018/843 so that the possibility of accessing information on beneficial ownership was henceforth open to ‘any member of the general public’, without it being necessary to prove any interest whatsoever.

57.

More specifically, under the second subparagraph of Article 30(5) of Directive 2015/849, any member of the general public is to be permitted to ‘access at least the name, the month and year of birth and the country of residence and nationality of the beneficial owner as well as the nature and extent of the beneficial interest held’. In addition, under the third subparagraph of Article 30(5), the Member States may provide for access ‘to additional information enabling the identification of the beneficial owner’, that additional information including ‘at least the date of birth or contact details in accordance with data protection rules’.

58.

In so far as concerns how this information is accessed, Directive 2018/843 inserted into Article 30 of Directive 2015/849 a new paragraph 5a, pursuant to which Member States may choose to make the information held in their national registers available on the condition of online registration and the payment of a fee, which is not to exceed the administrative costs of making the information available.

59.

The access which the general public has to information on beneficial ownership is not, however, unlimited. Indeed, Article 30(9) of Directive 2015/849 allows the Member States to provide for exemptions from access to information on beneficial ownership. In accordance with Article 30(9), as amended by Directive 2018/843, the Member States may provide for exemption from such access to the information, in exceptional circumstances to be laid down in national law, where access by obliged entities or by the general public would expose the beneficial owner to disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation, or where the beneficial owner is a minor or otherwise legally incapable.

60.

As is apparent from recitals 30, ( 21 ) 31, ( 22 ) 32 ( 23 ) and 33 ( 24 ) of Directive 2018/843, the amendments which that directive made to Article 30 of Directive 2015/849 – and, in particular, the widening of access to information on beneficial ownership to ‘any member of the general public’, without it being necessary to demonstrate any interest whatsoever – were intended to promote greater transparency in the beneficial ownership and control structures of companies, with the primary objective of creating an environment less likely to be used for the purposes of money laundering and terrorist financing. ( 25 ) Increased transparency was also meant to have the positive side effect of increasing confidence in the financial markets. ( 26 )

61.

While the amendments which Directive 2018/843 made to Directive 2015/849 pursued the primary objective of promoting greater transparency, recital 34 ( 27 ) of Directive 2018/843 nevertheless expressly acknowledges the need to strike a fair balance between the general public’s interest in the prevention of money laundering and terrorist financing, on the one hand, and the fundamental rights of the data subjects, on the other.

62.

Accordingly, as recital 36 ( 28 ) of Directive 2018/843 states, it is with the aim of ensuring a proportionate and balanced approach and of guaranteeing, inter alia, the right to private life and personal data protection that Directive 2015/849 allows exemptions to the disclosure, through the registers, of beneficial ownership information and to the public’s access to such information, on the abovementioned conditions laid down in Article 30(9) of that directive.

3.   The relationship between Directives 2015/849 and 2018/843 and the GDPR

63.

The second group of questions, mentioned in point 35 of this Opinion, that is to say, those asked in the context of the third question in Case C‑601/20, invites the Court to assess the validity of the regime of public access to information on beneficial ownership, established by Directive 2015/849, in the light of various provisions of the GDPR.

64.

In those circumstances, it is appropriate to make certain preliminary observations regarding the relationship between these instruments of EU law, namely Directives 2015/849 and 2018/843, on the one hand, and the GDPR, on the other.

65.

First of all, it must be observed that these are acts of secondary law which, in the hierarchy of sources of EU law, are of equal rank.

66.

It is clear from the case-law that, when two acts of secondary law of equal rank do not contain a provision expressly giving one act primacy over the other, it is appropriate to ensure that each of those acts is applied in a manner compatible with the other and which enables a coherent application of them. ( 29 )

67.

In the present instance, there are express links between the acts in question. The most direct of these is established in Article 41(1) of Directive 2015/849, which, in the version as amended by Directive 2019/2177, provides that ‘the processing of personal data under this directive is subject to [the GDPR]’. Recital 38 of Directive 2018/843 also states that the GDPR ‘applies to the processing of personal data under this directive’ and that ‘the beneficiaries should be informed about their rights under the current Union legal data protection framework, as set out in [the GDPR]’. Article 43 of Directive 2015/849 also contains a reference to the GDPR.

68.

Despite the use of the phrase ‘subject to’ in Article 41(1) of Directive 2015/849, ( 30 ) these links do not seem, to my mind, to give the GDPR primacy over Directives 2015/849 and 2018/843, ( 31 ) such that the GDPR would, as such, constitute a criterion by which to assess the validity of the directives’ provisions.

69.

These links do, on the other hand, express the need for coordination between the processing of personal data resulting from the application of those directives, on the one hand, and the general EU-law framework for the protection of data established by the GDPR.

70.

Moreover, this general legal framework created by the GDPR implements – in particular (but not exclusively) in Articles 5 and 6 of the GDPR – the requirements flowing from the fundamental right to the protection of personal data, proclaimed in Article 8 of the Charter, and in particular those expressly mentioned in paragraph 2 of that article. ( 32 )

71.

It follows that, in order to conform to the requirements flowing from Article 8 of the Charter, the regime for the processing of data concerning beneficial owners, established by Directive 2015/849, must be interpreted in a manner consistent with the provisions of the GDPR, in accordance with the express provision in Article 41(1) of that directive.

72.

However, the requirements flowing from the rules of the GDPR must also be taken into account by the Member States’ authorities, in particular their national legislature, when regulating and applying the regime for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing put in place by the directives in question, and specifically the regime for the processing of personal data concerning beneficial owners which those two directives establish.

73.

It is, therefore, in the light of those principles that I shall analyse the questions referred by the national court for a preliminary ruling.

B. The validity of Article 30(5)(c) and Article 30(9) of Directive 2015/849 (the first question and part (b) of the second question referred in Case C‑601/20)

74.

By the first question referred in Case C‑601/20, the national court asks whether Article 30(5)(c) of Directive 2015/849, in so far as it requires Member States to make information on beneficial ownership accessible to any member of the general public, with no requirement for a legitimate interest to be demonstrated, is a valid provision in the light of the right to respect for private and family life and the right to the protection of personal data guaranteed by Articles 7 and 8 of the Charter respectively.

75.

By the part (b) of the second question referred in the same case, the national court asks whether Article 30(9) of Directive 2015/849, which allows the Member States to provide for exemptions from access of, in particular, any member of the general public to the information on beneficial ownership, is valid in the light of the those fundamental rights enshrined in the Charter.

76.

In my opinion, these two questions, concerning the validity of two different paragraphs of the same article of Directive 2015/849, should be analysed together. Indeed, these two questions are directed at two aspects of the same regime of public access to information on beneficial ownership, as put in place by that directive, the validity of which must, in my view, be assessed jointly. Indeed, I consider that, in order to answer the first question referred in Case C‑601/20, concerning the widening of access to this information to the general public, without it being necessary to demonstrate an interest of any kind, account must necessarily be taken of the system of exemptions provided for by Article 30(9) of the Directive 2015/849. The two questions are thus interlinked.

77.

I would also observe at the outset that it is clear from the order for reference that the first question referred in Case C‑601/20 does not take issue with the communication of information on beneficial ownership, the storage of that information in a central register or the regime of access to that information laid down by Article 30(5) of Directive 2015/849. This first question solely concerns the amendment which Directive 2018/843 made to Article 30(5)(c) of Directive 2015/849. It therefore simply concerns the removal of the requirement, stipulated in the previous version of the provision, that any person or organisation must demonstrate a ‘legitimate interest’, in order to have access to the information on beneficial ownership, and the consequent widening of access to information on beneficial ownership for ‘any member of the general public’, without it being necessary to demonstrate any interest whatsoever.

1.   The rights protected by Articles 7 and 8 of the Charter and the conditions applying to interference with those rights

78.

As regards the fundamental rights mentioned in these two questions concerning validity, it must be recalled that Article 7 of the Charter guarantees everyone the right to respect for his or her private and family life, home and communications. As for Article 8(1) of the Charter, that provision expressly acknowledges everyone’s right to the protection of personal data concerning them. According to settled case-law, those rights, which extend to any information relating to an identified or identifiable individual, are closely linked, inasmuch as access to a natural person’s personal data with a view to its retention or use affects that individual’s right to respect for his or her private life. ( 33 )

79.

However, the rights enshrined in Articles 7 and 8 of the Charter are not absolute rights and must be considered in relation to their function in society. ( 34 ) Thus, Article 8(2) of the Charter permits the processing of personal data where certain conditions are met. That provision states that personal data must be processed ‘fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law’.

80.

Any limitation of the right to the protection of personal data or of the right to privacy must, in addition, satisfy the conditions laid down in Article 52(1) of the Charter. Such limitations must accordingly be provided for by law, respect the essence of those rights, genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others and comply with the principle of proportionality.

81.

In the assessment of measures limiting these rights, account must also be taken of the importance of the rights enshrined in Articles 3, 4, 6 and 7 of the Charter and of the importance of the objectives of protecting national security and combating serious crime in contributing to the protection of the rights and freedoms of others. ( 35 )

82.

Moreover, Article 52(3) of the Charter is intended to ensure the necessary consistency between the rights set out in the Charter and the corresponding rights guaranteed by the ECHR, of which account must be taken as the minimum threshold of protection. ( 36 ) The right to respect for private and family life enshrined in Article 7 of the Charter corresponds to the right guaranteed by Article 8 of the ECHR and must therefore be regarded as having the same meaning and the same scope. ( 37 )

83.

It is the light of those principles that the two questions concerning validity should be examined.

2.   The existence of interference with the rights set out in Articles 7 and 8 of the Charter and the seriousness of that interference

84.

In order to assess the validity of the provisions of Directive 2015/849 that have been called into question by the referring court, it is necessary, from the outset, to determine whether actions such as those contemplated by those provisions are liable to infringe the fundamental rights guaranteed by Articles 7 and 8 of the Charter and to constitute interference with those rights. If that is the case, it will also be necessary to determine the degree of seriousness of that interference. ( 38 )

85.

In so far as concerns, first of all, the existence of interference, I should begin by pointing out that the right to respect for private life with regard to the processing of personal data, recognised in Articles 7 and 8 of the Charter, concerns any information relating to an identified or identifiable individual, ( 39 ) which is what is at issue in the present cases, since the beneficial owners of corporate and other legal entities, as defined in Article 3(6) of Directive 2015/849, are identifiable natural persons.

86.

Secondly, I should also point out that the information on beneficial ownership to which the general public has access, listed in the second subparagraph of Article 30(5) of Directive 2015/849 and mentioned in point 57 of this Opinion, is personal data. ( 40 ) It is clear from the case-law that the fact that the information was provided as part of a professional activity does not mean that it cannot be characterised as personal data. ( 41 )

87.

It is also clear from the case-law that, in order to determine whether personal data should benefit from the protection afforded by EU law, it is immaterial whether the information in question is particularly sensitive or not. The Court has already held that, for the purposes of characterising the existence of an interference with the fundamental right enshrined in Article 7 of the Charter, it does not matter whether the information in question relating to private life is sensitive or whether the persons concerned have been inconvenienced in any way on account of that interference. ( 42 )

88.

Thirdly, as all the parties which have lodged observations with the Court have submitted, actions such as those contemplated by Article 30(5)(c) of Directive 2015/849 – which is to say, the making available and disclosure to the public, by the body responsible for keeping the register, of personal data concerning beneficial owners, such as that mentioned in point 57 of this Opinion – are actions that are liable to infringe the fundamental rights guaranteed by Articles 7 and 8 of the Charter. Those actions therefore constitute an interference with the rights guaranteed by Article 7 of the Charter. ( 43 ) They also constitute an interference with the right to the protection of personal data guaranteed by Article 8 of the Charter, since they constitute the processing of personal data ( 44 ) –subject to Article 8(2) thereof – ( 45 ) for which the said body is the ‘controller’. ( 46 )

89.

Additionally, in the present cases, once those data have been made available, they may be consulted by members of the general public who have accessed the information held and made available in the register and, in some cases, they may be stored or disseminated by those persons. ( 47 ) That access constitutes an additional interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter. ( 48 ) Immediately he or she gains access to the data contained in the register, a member of the general public is liable also to be considered the controller of that processing and of any subsequent processing. ( 49 )

90.

It must, therefore, be concluded that actions such as those which result from the application of Article 30(5)(c) of Directive 2015/849 constitute an interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter.

91.

Next, as regards the assessment of the seriousness of the interference, I should point out, in the first place, that, in the present cases, the number of individuals liable to be affected by this interference is not unlimited, indefinite and indeterminate, but is, on the contrary, limited. ( 50 ) Indeed, the natural persons who may be identified as beneficial owners of corporate or other legal entities, in accordance with the definition mentioned in point 85 of this Opinion, constitute a specific group of individuals. Those individuals are identified by virtue of their role within corporate and other legal entities, which is to say their position as beneficial owners of such entities. In addition, they are identified by reference to the objectives pursued ( 51 ) by the obligation to send the information in question to the register of beneficial ownership. There is, therefore, a relationship between the data subjects (the beneficial owners) and the purpose of the data processing.

92.

Nevertheless, I should also point out, in the second place, that the way in which the data in question are processed and which gives rise to the interference, that is to say, making that data available to the public, in principle, without any barrier to access, is capable of resulting in the widespread dissemination of that data.

93.

However, the provisions of Article 30 of Directive 2015/849 leave national legislatures with a degree of latitude in deciding how the general public should access the information on beneficial ownership and what procedures must be followed. In those circumstances, the extent of the effect on the fundamental rights at issue is liable to vary depending on how public access is provided.

94.

Thus, in some Member States, such as Luxembourg, the country concerned by the present cases, public access is by way of automated procedures, the information concerning the beneficial owners of corporate and other legal entities being made available on the Internet. Clearly, that kind of access, where the data can be freely obtained via the Internet, is liable to result in the maximum proliferation of the data. A data processing method of this kind can, therefore, lead to very wide dissemination of the data. ( 52 )

95.

In the third place, as regards the data to which this interference relates, it is clear from the Court’s case-law that the more categories of data there are that may be accessed, the more likely the interference is to be considered ‘serious’. ( 53 )

96.

It is clear from the second subparagraph of Article 30(5) of Directive 2015/849 that, in this instance – leaving aside the issue of the discretion left to the Member States, which I shall address in points 105 to 107 of this Opinion – the data fall into two categories: first, there is a series of data items relating to the civil identity of the beneficial owner (name, month and year of birth and nationality) and the country of residence, not further specified; secondly, there are data items relating to the nature and extent of the beneficial interest held. The other information contained in the Register of Beneficial Ownership is not affected by the actions constituting interference, mentioned in points 88 and 89 of this Opinion, which are the subject of the questions referred for a preliminary ruling in the present case.

97.

As for the first category, that is a limited set of data items which no doubt enable a person to be individually identified, but constitute essentially ‘contact data’ ( 54 ) or identification data, rather than ‘special’ personal data relating essentially to private life, including intimacy, or from which it might be possible to create a faithful, precise and comprehensive profile of the private identity of the person concerned. ( 55 ) Although these data items enable the person concerned, the beneficial owner, to be identified with a degree of precision, they do not, in my view, enable any particularly precise conclusions to be drawn regarding the private life of the person whose data are concerned. ( 56 )

98.

As for the second category of data, that comprises economic data revealing the nature of the beneficial interests held in the company or entity – such as a shareholding – and the extent of those interests, which might for example be expressed as a percentage of the entity’s share capital. While such data will certainly enable the extent of the beneficial owner’s interests in the company or other legal entity in question to be ascertained, and will thus have an economic significance, these data, like the first category of data, do not, in my view, enable any precise conclusions to be drawn about the private life of the data subject. ( 57 )

99.

The data concerning beneficial owners, which are accessible to any member of the general public, therefore appear to be less sensitive than certain other categories of personal data. ( 58 )

100.

In its observations, Sovim has nevertheless argued that unrestricted public access to the data referred to in the second subparagraph of Article 30(5) of Directive 2015/849 makes it possible to estimate the value of the assets of the person concerned and to identify preferences as to the type and size of investment. At the hearing, Sovim also argued that access to these data facilitates economic intelligence operations for profiling purposes.

101.

While access to data concerning the nature and extent of beneficial interests in a company admittedly enables some information about an individual’s assets to be acquired, two observations are nevertheless pertinent in this regard. First, corporate holdings are generally just a part of a person’s assets, which will normally comprise a diverse series of investments including investments of other types, such as financial or real-estate investment instruments. Access solely to data on corporate holdings thus generally provides only a limited view of a person’s assets. Secondly, unless the beneficial interests the nature and extent of which are disclosed are held in companies whose value is in some way public knowledge, it would seem unlikely that the precise value of the company, or of an investment shareholding in that company, could be determined without further information. It follows that, even though a limited view of a person’s assets can be acquired by having access to those data, that limited view will not enable any precise conclusions to be drawn about the quantum of those assets.

102.

Similar considerations apply, in my view, to the risk that access to this information might facilitate the economic profiling of individuals. While, admittedly, access to the data mentioned in point 98 of this Opinion makes it possible to identify the areas (or at least some of the areas) in which an individual invests, such access does not necessarily enable precise conclusions to be drawn regarding the investment profile of that individual. On this point, I would also observe that the specific manner in which the public is given access to the register will have an influence in this regard and may further attenuate this risk. For example, I note that, in Luxembourg, an Internet search for the data in question can be made only by reference to the legal entity concerned, and not by reference to the beneficial owner. The fact that it is not possible to search the register by person further reduces the possible risk of economic profiling of the data subject.

103.

That said, I would also point out that precise data on the nature and extent of beneficial interests held in a corporate or other legal entity may have a separate economic and commercial significance, in that they may, in some cases, elucidate the actual control structure of a company, which might not be evident from other sources of information.

104.

In conclusion, it follows from all the foregoing that the making available and disclosure to the public, by the body responsible for keeping a register, of data, such as those mentioned in point 57 of this Opinion, on beneficial ownership, and the public’s access to those data undoubtedly constitute interferences with the fundamental rights guaranteed by Articles 7 and 8 of the Charter. However, while it cannot be ruled out that those data will be very widely disseminated, in view of the discretion which Directive 2015/849 leaves to the Member States in deciding how the personal data in question are to be processed, I consider that, given the relatively restricted scope of the personal data subject to such interference and the fact that those data are not especially sensitive, the potential harm for individuals affected by such interference may be regarded as moderate. The interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter brought about by the actions mentioned in points 88 and 89 of this Opinion is therefore not, in my view, particularly serious, since data of that scope and nature do not in themselves enable precise information about the person concerned to be obtained and therefore do not directly and seriously affect the intimacy of their private life.

105.

That said, I must nonetheless point out that the second and third subparagraphs of Article 30(5) of Directive 2015/849 leave the Member States a discretion with regard to the data that may be made accessible to the general public. The second subparagraph provides that any member of the general public is to be permitted to access ‘at least’ the data mentioned in that subparagraph, which suggests that the Member States may provide for access to additional data. The third subparagraph provides that the Member States may, under conditions to be determined in national law, provide for access to ‘additional information’ enabling the identification of the beneficial owner, which include at least the date of birth or contact details in accordance with data protection rules.

106.

The EU legislature has therefore left the Member States a discretion to increase the amount of data on beneficial ownership to which the general public may have access beyond the items of data listed in the second subparagraph of Article 30(5) of Directive 2015/849 and mentioned in point 96 of this Opinion.

107.

Of course, this discretion to increase the amount of data concerning beneficial owners that is accessible to the general public could potentially give rise to increased interference with the fundamental rights which Articles 7 and 8 of the Charter guarantee such individuals. Leaving aside the indeterminate nature of the additional information that could be added by the Member States to the list of data items accessible to the general public, set out in the second subparagraph of Article 30(5) of Directive 2015/849 and mentioned in point 96 of this Opinion, ( 59 ) I consider that giving the public access to a person’s precise contact details (meaning their home address), as envisaged by the third subparagraph of Article 30(5) of Directive 2015/849, would be liable – by contrast with my conclusion in point 104 of this Opinion – to entail a serious interference in that person’s private life. The option Member States have of making additional information available must, therefore, be the subject of a separate assessment.

3.   The justification for the interference

108.

Since the regime of public access established by Directive 2015/849 gives rise to interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter, it is necessary to determine whether that limitation of those rights can be justified, in accordance with the provisions and principles mentioned in points 79 and 80 of this Opinion.

(a)   The requirement that any limitation of the rights set out in Articles 7 and 8 of the Charter must be provided for by law

109.

The first of the conditions that any limitation on the exercise of the rights enshrined in Articles 7 and 8 of the Charter must meet, which is mentioned both in Article 8(2) of the Charter and, as a general rule, in Article 52(1) thereof, requires that such limitations be ‘provided for by law’.

110.

According to the Court’s well-established case-law, ( 60 ) guided by the case-law of the European Court of Human Rights, ( 61 ) the requirement that any limitation on the exercise of a fundamental right must be ‘provided for by law’ does not merely concern the ‘legal’ origin of the interference, but also implies that the legal basis which permits the interference must itself define, clearly and precisely, the scope of the limitation. This second implication of the expression ‘provided for by law’, as in Articles 8(2) and 52(1) of the Charter and Article 8 ECHR, which concerns the ‘quality of the law’ and thus the accessibility and foreseeability of the measure at issue, is not only intended to ensure observance of the principle of legality and to provide protection against arbitrary interference, ( 62 ) but also satisfies the requirement for legal certainty.

111.

I would first of all observe that, in this instance, the obligation upon the body which keeps the register of beneficial ownership to make available to the public some of the information concerning beneficial owners which it has collected and stored, and the general public’s entitlement to access that data freely, are based on Article 30(5)(c) of Directive 2015/849 and on the provision of national law transposing that provision.

112.

Secondly, both the directives in question, Directive 2015/849 and 2018/843, and the national legislation transposing them were published in official journals that anyone may consult. In those circumstances, the requirement that the legal basis justifying the limitation in question must be transparent may be regarded as satisfied. ( 63 )

113.

Thirdly, I would observe that the second subparagraph of Article 30(5) of Directive 2015/849 sets out clearly and precisely a list of the collected and stored data items which the body responsible for keeping the register is obliged to make available to the public entitled to access it.

114.

However, I make that observation with some reservations regarding the fact that the Member States are free to make additional data available to the general public, by virtue of the words ‘at least’ in the second subparagraph and by virtue of the third subparagraph of Article 30(5) of Directive 2015/849. It is true that any public access to any ‘additional information’ that the Member States may decide upon, pursuant to that third subparagraph, must also be provided for by national law, must comply with the rules on data protection and must be intended solely to enable beneficial owners to be identified. However, the fact remains that that provision is comparable to a so-called ‘free text’ ( 64 ) provision and covers, in addition to the information listed precisely in the second subparagraph, other additional information that is not precisely defined or determinable.

115.

Where interference with the fundamental rights established by the Charter originates in an EU legislative act, it is for the EU legislature to determine the exact scope of that interference, in compliance with the criteria of clarity and precision set out in the case-law referred to in paragraph 110 of this Opinion. ( 65 ) It follows that, where the instrument chosen by that legislature is a directive, it cannot, in my view, be delegated to the Member States, when transposing the directive into their national laws, to determine the essential elements defining the scope of the interference, such as, in the case of limitations on the fundamental rights set out in Articles 7 and 8 of the Charter, the nature and extent of the personal data subject to processing.

116.

In the present case, by adopting Directives 2015/849 and 2018/843, the EU legislature itself imposed a limitation of the rights enshrined in Articles 7 and 8 of the Charter. The interference with those rights which those directives permit cannot, therefore, be regarded as resulting from a choice made by the Member States, ( 66 ) despite the discretion which they enjoy at the stage of transposition into national law. The legal basis for that interference is the two directives themselves. That being so, it was incumbent on the EU legislature, in accordance with the case-law mentioned in point 110 of this Opinion and the high standards of protection of fundamental rights set out in the Charter, to identify clearly and precisely the extent and nature of the personal data which are the subject of processing. Such identification constitutes an essential operation, which any legal basis introducing a measure limiting the exercise of the fundamental rights set out in Articles 7 and 8 of the Charter must carry out as clearly and precisely as possible. ( 67 )

117.

Consequently, the necessary conclusion in this case is that the legal basis which permits the interference, namely Directive 2015/849, itself defines, clearly and precisely, the scope of the limitation of the fundamental rights concerned only in so far as concerns the data accessible to the general public that are precisely defined in the list set out in the second subparagraph of Article 30(5) of Directive 2015/849. On the other hand, the discretion which is left to the Member States by the second and third subparagraphs of Article 30(5) of Directive 2015/849 to make available to the general public additional information that is not precisely defined does not satisfy that condition.

118.

It follows from the foregoing that it is only to the extent of the list of data items set out in the second subparagraph of Article 30(5) of Directive 2015/849 that the limitations on the exercise of the rights enshrined in Articles 7 and 8 of the Charter at issue are provided for by law, as is required by Article 52 of the Charter.

119.

In so far as concerns the requirements laid down in Article 8(2) of the Charter specifically, I noted in point 70 of this Opinion that these are given effect, inter alia, by Articles 5 and 6 of the GDPR.

120.

The requirement that data processing must be lawful, which is to say, that the data in question must be processed on the basis of the consent of the data subject concerned or some other legitimate basis laid down by law, ( 68 ) is stipulated in Article 5(1)(a) of the GDPR ( 69 ) and given effect by Article 6 of that regulation, which sets out an exhaustive and restrictive list of the cases in which the processing of personal data may be regarded as lawful. Thus, in order to be regarded as lawful, data processing must fall within one of the cases listed in Article 6. ( 70 )

121.

Two observations are pertinent in this regard.

122.

In the first place, it should be noted that the processing of personal data by the authority responsible for keeping a register of beneficial ownership pursuant to Article 30(5)(c) of Directive 2015/849 satisfies several grounds for legitimation provided for in Article 6 of the GDPR. ( 71 )

123.

First, that processing satisfies the condition laid down in Article 6(c) of the GDPR, concerning compliance with a legal obligation, since the authority is under an obligation to carry out that processing laid down by law, as I stated in point 111 of this Opinion.

124.

Secondly, that processing satisfies the condition laid down in Article 6(e) of the GDPR, concerning the performance of a task carried out in the public interest with which the body in question is entrusted. ( 72 ) Indeed, by keeping the register of beneficial ownership and performing all the tasks provided for by Article 30 of Directive 2015/849 in relation to that register, that body is helping to attain the public interest objective pursued by the directive, namely the combating and prevention of money laundering and terrorist financing. ( 73 ) Moreover, Article 43(1) of Directive 2015/849 expressly states that the processing of personal data on the basis of that directive for the purposes of the prevention of money laundering and terrorist financing, as referred to in that directive, is considered to be a matter of public interest under the GDPR.

125.

Thirdly, that same processing satisfies the condition laid down in Article 6(f) of the GDPR, concerning the pursuit of a legitimate interest by the controller or by a third party having access to the data. By allowing access to the data, the body is in fact enabling those third parties to contribute to the objective pursued by the directive.

126.

In the second place, I would point out that it is clear from the Court’s case-law that neither Article 5 nor Article 6 of the GDPR lays down a general and absolute prohibition preventing a public authority, or a body entrusted by law to keep a register such as a register of beneficial ownership, from being empowered, or indeed compelled, under national legislation to disclose personal data to the public where such disclosure is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. ( 74 )

127.

It follows that Articles 5 and 6 of the GDPR do not per se preclude the keeping of a register containing personal data to which the general public – an unlimited and indeterminate number of people – has access, with no monitoring and without having to provide justification and without the data subject being able to discover who has had access to his or her data. The question that arises is, rather, one concerning the proportionality of that approach, in the light of the public interest objective pursued and in view of the degree of seriousness of the interference with the fundamental rights of the persons concerned.

128.

It follows from the foregoing that, the data processing carried out under Article 30(5)(c) of Directive 2015/849 is lawful within the meaning of Article 8(2) of the Charter and Articles 5(1)(a) and (6) of the GDPR.

(b)   Observance of the essence of the rights enshrined in Articles 7 and 8 of the Charter

129.

Any limitation on the exercise of fundamental rights must not only be founded on a sufficiently precise legal basis, but must also observe the essence of those rights. The requirement, set out in Article 52(1) of the Charter, that any limitation of the rights and freedoms guaranteed by the Charter must respect the essence of those rights and freedoms means that, when an interference compromises that essence, no legitimate objective can justify it. The interference is then deemed to be contrary to the Charter without it being necessary to examine whether it is appropriate and necessary for the purpose of achieving the objective pursued. ( 75 )

130.

It is clear from both the wording of Article 52(1) of the Charter and the Court’s case-law that the assessment of whether there has been interference with the essential content of the fundamental right in question must be carried out prior to, and independently of the assessment of the proportionality of the measure at issue, and that this is therefore an autonomous test. ( 76 )

131.

That being said, in this instance, the limitations at issue on the exercise of the rights enshrined in Articles 7 and 8 of the Charter, which arise from the processing of the data listed in the second subparagraph of Article 30(5) of Directive 2015/849, do not, in my view, compromise the essence of those rights.

132.

Indeed, as regards the right to respect for private and family life, as is clear from points 96 to 104 of this Opinion, the interference resulting from the data processing mentioned in the preceding point does not enable precise information about the persons concerned to be obtained and therefore does not directly and seriously impinge on the intimacy of their private life. It follows that the limitation of this right resulting from the regime of public access to information on beneficial ownership, established by Directive 2015/849, cannot be regarded as compromising the essential content of the fundamental right enshrined in Article 7 of the Charter. ( 77 )

133.

As regards the right to the protection of personal data, guaranteed by Article 8 of the Charter, in the case-law of the Court the view is taken that the essence of that right is preserved when the purposes for which the data may be processed are circumscribed and the processing is accompanied by rules intended to ensure, inter alia, the security, confidentiality and integrity of the data and to protect the data against unlawful access and processing. ( 78 )

134.

First of all, the purposes which justify the processing of corporate beneficial ownership data under the regime established by Article 30 of Directive 2015/849 are circumscribed. Indeed, the processing of that information is justified solely in order to attain the public interest objectives mentioned in that directive and, in so far as the public’s access to that information is concerned, mentioned in point 138 et seq. below and, in particular, that of combating and preventing money laundering and terrorist financing.

135.

Next, it is clear from Article 41 of Directive 2015/849, as well as from recital 38 of Directive 2018/843, that the GDPR applies to the processing of personal data carried out under the regime of public access to information on beneficial ownership established by those two directives. Those directives must, as I mentioned in points 65 and 72 of this Opinion, be interpreted in a manner consistent with the GDPR, and the GDPR lays down rules intended to ensure, inter alia, the security, confidentiality and integrity of data and to protect data against unlawful access and processing.

136.

In those circumstances, the limitations of the right to the protection of personal data, guaranteed by Article 8 of the Charter, which result from the regime of public access to information on beneficial ownership established by Directive 2015/849 cannot be regarded as affecting the essence of that fundamental right either.

137.

On the other hand, as regards the ‘additional information’ mentioned in points 105 to 107, and 114 to 116 of this Opinion, since that additional information is not precisely defined, it is not possible to determine whether or not the limitations of the fundamental rights in question resulting from the regime of public access to such information are liable to compromise the essence of the rights enshrined in Articles 7 and 8 of the Charter.

(c)   The public interest objectives pursued by the regime of public access to information on beneficial ownership

138.

In order to be justified under Article 52(1) of the Charter, limitations of the fundamental rights guaranteed by Articles 7 and 8 of the Charter must meet objectives of general interest.

139.

Directive 2018/843 sets out in some detail, in recital 4 and in recitals 30 to 38, ( 79 ) the reasons which led the EU legislature to alter the regime of public access to information on beneficial ownership initially established by Directive 2015/849.

140.

As I already mentioned in points 50 and 60 of this Opinion, those recitals explain that this regime serves the principal aim of Directive 2015/849, stated in Article 1(1) thereof, of preventing the European Union’s financial system from being used for the purposes of money laundering and terrorist financing. In that context, the amendments made by Directive 2018/843 were intended to promote greater transparency in the beneficial ownership and control structures of companies, with the primary objective of creating an environment less likely to be used for the purposes of money laundering and terrorist financing. ( 80 ) In those circumstances, since Directive 2018/843 aims not only to detect and investigate money laundering, but also to prevent it from occurring, enhanced transparency is meant to be a powerful deterrent. ( 81 )

141.

In that context, recital 30 of Directive 2018/843 mentions a number of specific aims of the regime of public access to beneficial ownership information. Such access is intended, first of all, to allow greater scrutiny of information by civil society, including the press and civil society organisations. Secondly, it contributes to preserving trust in the integrity of business transactions and of the financial system. Thirdly, it contributes to combating the misuse of corporate and other legal entities and legal arrangements for the purposes of money laundering or terrorist financing, both by helping in investigations and through reputational effects, given that anyone who could enter into transactions is aware of the identity of the beneficial owners. Fourthly, it is meant to facilitate the timely and efficient availability of information for financial institutions as well as authorities, including authorities of third countries, involved in combating such offences. Fifthly, it is meant to help in investigations into money laundering, associated predicate offences and terrorist financing.

142.

The specific purpose of the measure at issue – which is to say, the amendment of Article 30(5)(c) of Directive 2015/849 by Directive 2018/843, which removed the requirement that any person or organisation must demonstrate a ‘legitimate interest’ in order to gain access to the information on beneficial ownership – was, therefore, to increase transparency, so as to assist in the prevention of money laundering and terrorist financing.

143.

I would point out in this connection, first of all, that it is clear from the Court’s case-law that preventing the European Union’s financial system from being used for the purposes of money laundering and terrorist financing is a legitimate aim which the Member States have endorsed at both international ( 82 ) and EU level and which is capable of justifying a restriction of rights protected by the EU legal order. ( 83 )

144.

Secondly, the purpose of the measure referred to in point 142 above is connected with the principle of transparency, which, as I discussed in points 38 to 48 of this Opinion, is enshrined in primary law.

145.

Thirdly, the Court has acknowledged in its case-law that the objective of preventing money laundering and terrorist financing is related to the aim of protecting public order. ( 84 ) Consistently with that case-law, it must be considered that the measure at issue pursues the objectives of preventing serious crime (money laundering) and preventing serious threats to public security (terrorism), objectives which, according to the case-law, are capable of justifying even serious interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. ( 85 )

(d)   Observance of the principle of proportionality

146.

In accordance with the second sentence of Article 52(1) of the Charter, limitations on the exercise of a fundamental right recognised by the Charter may be made only if they comply with the principle of proportionality.

147.

In that regard, according to the settled case-law of the Court, the principle of proportionality requires that acts of the EU institutions be appropriate for attaining the legitimate objectives pursued by the legislation at issue and do not exceed the limits of what is appropriate and necessary in order to achieve those objectives. ( 86 )

(1) The appropriateness of the measure for attaining the objective pursued

148.

From the outset, the question is whether the measure at issue, described in point 142 above, is appropriate for attaining the objectives pursued, mentioned in points 140 to 142 of this Opinion.

149.

It does not appear to be disputed that wider access to information on beneficial ownership, such as was made possible by the measure at issue, is liable to expose more instances of misuse of corporate and other legal entities and legal arrangements for the purposes of money laundering or terrorist financing and that allowing such wider access is an appropriate means of creating an environment less likely to be used for such activities.

150.

It follows that this wider access is an additional means of deterring such conduct that is appropriate as an aid in the prevention of money laundering and terrorist financing. ( 87 )

(2) The strict necessity of the interference

151.

According to the settled case-law of the Court, the protection of the fundamental right to respect for private life at EU level requires that derogations from and limitations on the protection of personal data should apply only in so far as is strictly necessary. ( 88 )

152.

That requirement of necessity is not met where the objective of general interest pursued can reasonably be achieved just as effectively by other means less restrictive of the fundamental rights of data subjects, in particular the rights to respect for private life and to the protection of personal data guaranteed in Articles 7 and 8 of the Charter, since derogations and limitations in relation to the principle of protection of such data must apply only in so far as is strictly necessary. ( 89 )

153.

In addition, an objective of general interest may not be pursued without having regard to the fact that it must be reconciled with the fundamental rights affected by the measure and by properly balancing the objective of general interest against the rights at issue. ( 90 )

154.

More specifically, the proportionality of a limitation of the rights enshrined in Articles 7 and 8 of the Charter must be assessed by measuring the seriousness of the interference entailed by such a limitation and by verifying that the importance of the public interest objective pursued by that limitation is proportionate to that seriousness. ( 91 )

155.

In order to satisfy that requirement of proportionality, the legislation in question which entails the interference must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, so that the individuals whose personal data are affected have sufficient guarantees that their data will be effectively protected against the risk of abuse. It must indicate in what circumstances and under which conditions a measure providing for the processing of such data may be adopted, thereby ensuring that the interference is limited to what is strictly necessary. The need for such safeguards is all the greater where personal data are subject to automated processing, particularly where there is a significant risk of unlawful access to those data. ( 92 )

156.

It is the light of those principles that the strict necessity of the interference in question must be assessed.

(i) The extent of the information disclosure

157.

The first question is whether the data processing at issue is strictly necessary in order to attain the public interest objectives pursued, having regard to the types of data that are disclosed and to which the general public has access. Indeed, one of the criteria by which the Court assesses the proportionality of a measure entailing interference with the rights enshrined in Articles 7 and 8 of the Charter is whether the personal data processed are adequate, relevant and not excessive. ( 93 )

158.

Moreover, the condition relating to the need for processing must be examined in conjunction with the ‘data minimisation’ principle enshrined in Article 5(1)(c) of the GDPR, in accordance with which personal data must be ‘adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed’. ( 94 ) The referring court mentions this provision of the GDPR expressly in part (c) of the third question in Case C‑601/20.

159.

As I have mentioned, only some of the personal data which corporate and other legal entities must send to the register of beneficial ownership pursuant to Article 30(1) and (3) of Directive 2015/849 may be accessed by the general public. Leaving aside the ‘additional information’ mentioned in points 105 to 107 and 114 to 116 of this Opinion, these are the data items listed in the second subparagraph of Article 30(5) of the directive and mentioned in point 57 of this Opinion. Other data that may be kept in the register to which the authorities responsible for combating the money laundering and terrorist financing have access – such as, in the case of Luxembourg, the national identity number and exact address – cannot be accessed by the general public. Except for the ‘additional information’, therefore, the data that are processed can be clearly and precisely identified, as is required by the case-law. ( 95 )

160.

Nonetheless, it is still necessary to consider whether these data items may be regarded as being limited to what is necessary in relation to the purposes pursued by the public access regime established by Directive 2015/849.

161.

In this connection, it should be recalled that recital 34 of Directive 2018/843 expressly mentions compliance with the data minimisation requirement, stating that ‘the set of data to be made available to the public should be limited, clearly and exhaustively defined, and should be of a general nature, so as to minimise the potential prejudice to the beneficial owners. At the same time, information made accessible to the public should not significantly differ from the data currently collected. In order to limit the interference with the right to respect for their private life in general and to protection of their personal data in particular, that information should relate essentially to the status of beneficial owners … and should strictly concern the sphere of economic activity in which the beneficial owners operate.’

162.

As I mentioned in points 96 to 98 of this Opinion, the data to which the public is allowed access in this instance fall into two categories: data from which the identity of the beneficial owner may be learned and data relating to the nature and extent of the beneficial interests held.

163.

As for the first category of data items, I consider than an indication of the name, month and year of birth may be regarded as the necessary minimum for the correct identification of a beneficial owner. In so far as nationality ( 96 ) and the country of residence are concerned, those data enable beneficial owners to be identified more precisely and also clarify whether or not the investment or shareholding is local, which seems to be relevant and necessary information in the determination of potential money laundering or terrorist financing threats.

164.

As for the second category of data items, it seems to me that an indication of the nature and extent of the beneficial interests held is, again, the necessary minimum for identifying the size of the investment or shareholding, which is equally relevant in the assessment of the risks of misuse of corporate and other legal entities for the purposes of money laundering or terrorist financing.

165.

As regards the ‘additional information’ that I have mentioned – to which the Member States may, using the discretion they enjoy under the second and third subparagraphs of Article 30(5) of Directive 2015/849, allow the general public access – first of all, as discussed in points 114 to 116 of this Opinion, that information is not identified clearly and precisely. It therefore does not satisfy the requirement of proportionality, as is apparent from the case-law referred to in point 155 of this Opinion. Furthermore, it does not appear to be necessary for the purposes of identifying beneficial owners either. Indeed, a beneficial owner can be identified on the basis of the information listed in that second subparagraph, in accordance with the principle of data minimisation. ( 97 )

(ii) The range of persons having access to the data on beneficial ownership and the regime governing access to those data

166.

The question then arises of whether it is strictly necessary, in order to attain the public interest objectives pursued, for the general public, an unlimited and indeterminate number of people, to have access to the data in question. Associated with that question is the question of whether it is strictly necessary for that access to be provided with no monitoring and without any justification having to be furnished. That second question, concerning the conditions of third-party access, arises directly from the removal, by Directive 2018/843, of the requirement to demonstrate a legitimate interest in order to be allowed access, initially stipulated in the original version of Article 30(5)(c) of Directive 2015/849. The referring court raises all these issues in part (a) of the third question in Case C‑601/20.

167.

As regards, the question of access to the data in question for an unlimited and indeterminate number of people, I would observe that that is a natural consequence of the decision to establish a regime of public access to a register. Indeed, any public register may potentially be accessed by an unlimited and indeterminate number of people. As I explained in points 126 and 127 of this Opinion, according to the case-law, EU law does not per se preclude the keeping of a register containing personal data to which the public has access.

168.

However, as I noted in point 77 of this Opinion, the first question in Case C‑601/20 does not take issue with the EU legislature’s decision that registers of beneficial ownership should be established that are public, that is, open to access by third parties and not just public authorities. That first question solely concerns the conditions of access to the register for third parties or, in other words, the removal by Directive 2018/843 of the requirement to demonstrate the existence of a legitimate interest, in order to be allowed access.

169.

Nonetheless, in its observations, Sovim has questioned whether it is necessary, in order to combat money laundering and the financing of terrorism, for the general public to have access. More specifically, Sovim argues that public access to information on beneficial ownership is neither useful nor necessary for that purpose, since it is the competent public authorities, which have considerable resources and legal means at their disposal, that perform that task. In my view, however, that argument overlooks the fact that the regime of public access to information on beneficial ownership, while being a complement to the authorities’ task of detecting and suppressing those crimes, is aimed precisely at the objective of preventing such activities. As is clear from recitals 30 to 33 of Directive 2018/843 ( 98 ) and as I explained in point 140 et seq. of this Opinion, it is the pursuit of this objective of prevention that guided the EU legislature in its reform of 2018.

170.

In that context, if the objective pursued is to create an environment less likely to be used for the purposes of money laundering and terrorist financing, and if the means chosen is to increase transparency with regard to beneficial ownership, so that civil society has greater oversight of that information, then it would appear necessary to establish, for those purposes, a public register of beneficial ownership to which third parties have access. Those third parties include (but are not limited to) the press and civil society organisations, ( 99 ) which have been referred to as ‘democratic auxiliaries’ ( 100 ) and play a fundamental role in ensuring civil society’s oversight of activities which may impinge upon essential interests of the community. ( 101 ) Such an objective does not appear attainable by other means. ( 102 )

171.

That said, however, according to the case-law mentioned in point 152 of this Opinion, analysing whether the interference at issue is strictly necessary implies an examination of whether that objective of preventing money laundering and terrorist financing, pursued through increased transparency, could not also be attained in a manner that is less restrictive of the rights of the individuals concerned than allowing any member of the general public to have access, without monitoring and without having to provide any justification. More specifically, it is necessary to determine whether that objective could not be attained if access to the information on beneficial ownership were restricted, as before the 2018 reform, to those who can demonstrate a legitimate interest in obtaining that information. That is the second question which I mentioned in point 165 of this Opinion, concerning the conditions of access.

172.

I must note in this connection that it is apparent from the Commission’s impact assessment ( 103 ) – accompanying the proposal for a directive that resulted in the adoption of Directive 2018/843 ( 104 ) – that the application of the criterion of legitimate interest, the definition of which was left to the national laws of the Member States under the original version of Directive 2015/849, had resulted in the excessive restriction of access to registers of beneficial ownership and a lack of uniform conditions of access to such registers in the European Union.

173.

More specifically, the Member States had pointed to difficulties in defining the concept of legitimate interest and in determining the categories of individuals and organisation that were able to demonstrate a legitimate interest with regard to money laundering and terrorist financing. As the Commission pointed out at the hearing, that difficulty in defining the concept had resulted, in some cases, in excessive restrictions on access to the information contained in the registers.

174.

The application of the criterion of ‘legitimate interest’ had also made intra-Union access to the registers, which is to say, access for obliged entities and financial intelligence units in other Member States, complicated and slow. In particular, in order to gain access to a Member State’s register, a financial intelligence unit in another Member State would have to request the financial intelligence unit in the Member State in question to access the register, which made the procedure much more cumbersome and slower.

175.

The Commission’s impact assessment noted that the complete opening of the registers, on the other hand, with the removal of the requirement first to demonstrate a legitimate interest in order to gain access, would make access simpler, quicker, less complicated and more consistent across the European Union.

176.

In my view, those considerations clearly show that, if, in order to attain the objective of prevention which I addressed in points 140 to 142 and 170 of this Opinion, the measure at issue was aimed at achieving the maximum possible transparency of the information in question and reducing to a minimum any barriers to access to that information that might impede fast, effective access to it, both for members of the public and for any other person or organisation interested in accessing the information, then it was necessary to remove the requirement first to demonstrate a legitimate interest, in order to gain that access. ( 105 ) Since access to information on beneficial ownership is generally a key factor in tracing criminals, ( 106 ) only by removing this requirement was it possible to ensure that there would be no barriers to access to that information and to achieve the maximum possible transparency.

177.

It follows that, in order to attain that objective of preventing money laundering and terrorist financing, by increasing transparency with regard to the beneficial owners of corporate and other legal entities, the removal of the requirement to demonstrate a legitimate interest appears to have been strictly necessary.

178.

Similar considerations apply, in my view, to another aspect of the public access regime established by Directive 2015/849, namely the circumstance – highlighted by the referring court in the first indent of part (a) and the second indent of part (e) of the third question in Case C‑601/20 – that the information on beneficial ownership may be accessed without the data subject being able to discover who has accessed his or her personal data.

179.

As the Commission has rightly pointed out, if the beneficial owner were notified that data concerning him or her had been accessed, and particularly if that notification were automatic, that could deter people from accessing beneficial ownership information and thus compromise the objective of prevention, pursued by means of increased transparency. Indeed, as was asserted at the hearing, it cannot be ruled out that, in some cases, individuals seeking to access beneficial ownership information for the purposes of investigating crime, such as journalists, could become the target of reprisals. Any requirement for the data subject to be so notified could also jeopardise investigations by putting the data subject on alert. It follows that this aspect of the public access regime also appears to be necessary for attaining the objective of prevention which I discussed in points 140 to 142 and 170 of this Opinion.

180.

I must also point out in this connection that, in accordance with Article 14(5)(c) of the GDPR, the provisions concerning the information to be provided where the personal data have not been obtained from the data subject do not apply, inter alia, where ‘obtaining or disclosure is expressly laid down by Union … law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests’. That provision applies precisely when EU law establishes a regime of public access to a register containing personal data, provided, of course, that that regime complies with the principle of proportionality. ( 107 )

181.

That said, Article 30(5a) of Directive 2015/849 clearly provides that Member States may choose to make the information held in their national registers of beneficial ownership available on the condition of online registration. Recital 36 of Directive 2018/843 explains that such registration may be required ‘in order to identify any person who requests information from the register’. As I shall discuss in more detail in points 204 to 208 below, the ex post disclosure of that identity could prove necessary in order to enable the data subject, the beneficial owner, to pursue possible abuses resulting from the misuse of his or her data.

(iii) The system of exemptions laid down by Article 30(9) of Directive 2015/849

182.

As I stated in point 76 of this Opinion, the proportionality of the limitations of the fundamental rights guaranteed by Articles 7 and 8 of the Charter resulting from the regime of public access to the information held in the registers of beneficial ownership provided for by Article 30(5) of Directive 2015/849 can only be assessed in the light of the system of exemptions from that access, established by Article 30(9). The referring court questions the validity of this system of exemptions with regard to the fundamental rights in question, in part (b) of the second question in Case C‑601/20.

183.

Article 30(9) of the directive provides that, ‘in exceptional circumstances to be laid down in national law, where the access referred to in points (b) and (c) of the first subparagraph of paragraph 5 would expose the beneficial owner to disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation, or where the beneficial owner is a minor or otherwise legally incapable, Member States may provide for an exemption from such access to all or part of the information on the beneficial ownership on a case-by-case basis.’

184.

It is apparent from recital 36 of Directive 2018/843 that those exemptions were laid down ‘with the aim of ensuring a proportionate and balanced approach and to guarantee the rights to private life and personal data protection’. ( 108 )

185.

I would point out in this connection that the wording of Article 30(9) appears to leave the Member States a margin of discretion, inasmuch as it uses the words ‘[may] provide’. Those words apparently give the Member States merely an option to provide for exemptions from public access to the information on beneficial ownership.

186.

It should be noted, however, that it is settled case-law that, since the transposition of a directive by the Member States is covered, in any event, by the situation, referred to in Article 51 of the Charter, in which the Member States are implementing Union law, the level of protection of fundamental rights provided for in the Charter must be achieved in such a transposition, irrespective of the Member States’ discretion in transposing the directive. ( 109 )

187.

The Court has inferred from that that it is, therefore, for the Member States, on transposing a directive and, in particular, the exceptions and limitations referred to in that directive, to ensure that they rely on an interpretation thereof which enables a fair balance to be struck between the various fundamental rights protected by the EU legal order. ( 110 )

188.

It follows that, when applying the measures transposing a directive, the authorities and courts of the Member States must not only interpret their national law in a manner consistent with that directive but also make sure that they do not rely on an interpretation of it which would be in conflict with those fundamental rights or with the other general principles of EU law, such as the principle of proportionality. ( 111 )

189.

Those principles derived from the case-law apply a fortiori in the present instance, with regard to laying down exemptions from public access to beneficial ownership information. Indeed, although such public access is of considerable importance in the prevention of money laundering and terrorist financing and is connected with the principle of transparency, which, as I explained in points 38 to 48 of this Opinion, is enshrined in primary law, it does not fall within the scope of the fundamental rights.

190.

It follows from the foregoing considerations that, in a situation such as that in the present cases, the Member States may not, when implementing the regime of public access to the information kept in the registers of beneficial ownership provided for by Directive 2015/849, refrain from ensuring the protection of the fundamental rights of beneficial owners as provided for by the Charter.

191.

In the transposition and implementation of Directive 2015/849, irrespective of the discretion which that directive leaves them, the Member States are, therefore, required to ensure the protection of those fundamental rights against any disproportionate interference with them. That protection is, therefore, not confined solely to disproportionate risks in the seven cases of risk expressly specified in Article 30(9) of the Directive, but extends to all the fundamental rights of beneficial owners. Consequently, in accordance with the Charter, it must be concluded that the Member States are not only entitled to grant exemptions, but obliged to grant exemptions restricting public access to information concerning beneficial owners in the event of disproportionate interference with the latter’s fundamental rights.

192.

It follows that Article 30(9) of Directive 2015/849, read in the light of the Charter, and in particular Article 51(1) thereof, should be interpreted as meaning that the Member States are not only entitled to provide for exemptions from public access to information concerning the beneficial owners of corporate and other legal entities held in the national registers of beneficial ownership, but are obliged to provide for and grant such exemptions where that access would expose the beneficial owner, in exceptional circumstances, to a disproportionate risk of interference with his or her fundamental rights as provided for by the Charter.

193.

Interpreted thus, I see nothing that would affect the validity of the provision contained in Article 30(9) of Directive 2015/849.

(iv) The existence of adequate safeguards against the risks of misuse

194.

Lastly, a series of questions arises concerning the existence, in the legislation in question which entails the interference, of adequate safeguards to protect the data subjects, the beneficial owners, against the risks of misuse. The requirement for such safeguards, which is necessary to ensure compliance with the principle of proportionality, flows both from the case-law mentioned in point 155 of this Opinion and from various provisions of the GDPR, to which the national court refers in the third question in Case C‑601/20.

– The principle of purpose limitation

195.

In the first place, there arises the question, highlighted by the national court in part (b) of the third question, of compliance with the principle of purpose limitation, expressly laid down in Article 5(1)(b) of the GDPR. ( 112 )

196.

Thus the question arises of whether it is compatible with the requirement of proportionality, in the light of that provision, for data concerning beneficial owners to be accessible to the general public in circumstances where the data controller, which is to say the authority or body responsible for keeping the register, cannot guarantee that those data will be used only for the purpose for which they were collected, which is, essentially, the combating of money laundering and terrorist financing. ( 113 )

197.

It is important to bear in mind in this connection that it is clear from the case-law that all processing of personal data must comply, first, with the principles relating to the processing of data set out in Article 5 of the GDPR and, secondly, with one of the principles relating to the lawfulness of processing listed in Article 6 of that regulation. ( 114 ) As I mentioned in point 119 of this Opinion, those two provisions give effect to the requirements laid down in Article 8(2) of the Charter.

198.

Where different persons are involved in the processing of certain data, the Court has, in its case-law, looked at the specific operations at issue within the processing of data in order to identify the relevant controller or controllers. ( 115 ) The Court has found that, in such situations, the concept of ‘controller’ does not necessarily refer to a single entity and may concern several actors, with each of them then being subject to the applicable data protection provisions. ( 116 )

199.

In this instance, the register administrator’s making the data in question available to the general public and that public’s access to those data are two sides of the same coin. Indeed, by disclosing, pursuant to the obligation laid down in Article 30(5)(c) of Directive 2015/849, the information on beneficial ownership, the register’s administrator makes it possible for members of the general public to access that information freely. As follows from the considerations set out in points 142 and 171 to 177 of this Opinion, the EU legislature considered it necessary to make provision for such free access in order to assist with the prevention of money laundering and terrorist financing, by means of increasing transparency with regard to the beneficial owners of corporate and other legal entities.

200.

However, as I noted in point 89 of this Opinion, a member of the general public is liable also to be considered the controller of that processing, as defined in Article 4(2) of the GDPR, immediately he or she gains access to the data contained in the register, and of any subsequent processing. ( 117 )

201.

It follows that, in accordance with the requirements I mentioned in point 197 of this Opinion, when carrying out any future data processing operations, the member of the general public will then also have to comply with the principles relating to data quality laid down in Article 5 of the GDPR and ground his or her processing operation or operations in one of the scenarios under Article 6(1) of the GDPR. ( 118 )

202.

As regards the fact raised by the referring court that the body responsible for keeping the register is not in a position to ensure that the data will be used exclusively for the purpose for which they were collected, it is clear from the Court’s case-law that a natural or legal person cannot be considered to be a controller in the context of operations that precede or are subsequent in the overall chain of processing for which that person does not determine either the purposes or the means. ( 119 )

203.

Moreover, it follows from the requirements I mentioned in point 197 of this Opinion that any subsequent use of the data by a member of the general public that is not in accordance with Article 6 of the GDPR will be unlawful. Measures may, therefore, be taken to stop such use, pursuant to Article 17(1)(d), such as making an application for de-referencing to the search engine operator.

204.

I would also point out in this connection that recital 38 of Directive 2018/843 clearly states that, in order to prevent misuse of the information contained in the registers and to balance out the rights of beneficial owners, Member States might find it appropriate to consider making information relating to the requesting person along with the legal basis for their request available to the beneficial owner.

205.

Such a possibility presupposes, however, that the body or authority responsible for keeping the register of beneficial ownership, such as LBR in the present cases, is aware of the identity of the persons who access the data kept in that register, which in turn presupposes the requirement of registration, in particular online registration, in order to be able to access those data, such registration being envisaged as merely an option by Article 30(5a) of Directive 2015/849.

206.

Although I observed in points 99 and 104 of this Opinion that, in this instance, the data in question do not appear to be particularly sensitive and that the potential harm for individuals affected by the interference at issue may be regarded as moderate, the fact remains that the possibility that that data will be used unlawfully or misused cannot be ruled out.

207.

It follows that, in order to ensure that the data subjects, the beneficial owners, have adequate safeguards to protect them effectively against the risk of misuse, it is necessary, in my view, for the bodies or authorities responsible for keeping the registers of beneficial ownership in the Member States to be able to identify the members of the general public who access those registers and for them to be able, when necessary in order to ensure the observance of fundamental rights, in particular those guaranteed by Articles 7 and 8 of the Charter, to make information relating to those persons available to beneficial owners.

208.

Thus, in my view, an interpretation of Directive 2015/849 that is consistent with the fundamental rights guaranteed by Articles 7 and 8 of the Charter requires that the option, provided for in Article 30(5a) of Directive 2015/849, of making the information held in the national registers of beneficial ownership available on the condition of online registration, be considered an obligation incumbent on the Member States so that they may ensure that the bodies or authorities responsible for keeping the registers of beneficial ownership are aware of the identities of the persons who access those registers. ( 120 )

– The integrity and confidentiality of the data

209.

In the second place, there is the question highlighted by the referring court in part (d) of the third question in Case C‑601/20, concerning observance of the principle of data integrity and confidentiality, laid down in Article 5(1)(f) of the GDPR.

210.

It is therefore necessary to consider whether it is compatible with the requirement of proportionality for access to be given to the personal data of beneficial owners held in a register established in accordance with Article 30 of Directive 2015/849 on an unlimited and unconditional basis and with no undertaking to preserve the confidentiality of those data, in light of the requirements of Article 5(1)(f) of the GDPR, which requires that data be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, so as to ensure the integrity and confidentiality of those data.

211.

The principle of integrity and confidentiality covers the so-called ‘data security’ principle, which requires, inter alia, that appropriate technical or organisational measures be implemented to prevent harm being caused to data subjects. That principle is associated with and supplemented by Articles 24 and 32 of the GDPR, which contain provisions concerning, respectively, the responsibility of the controller and security of processing.

212.

In so far as specifically concerns data integrity, I note that recital 38 of Directive 2018/843 states that ‘only personal data that is up to date and corresponds to the actual beneficial owners should be made available’. It follows that only correct information, as communicated to the register by the corporate or other legal entity concerned, is to be accessible and disseminated. As I suggested in point 202 of this Opinion, in cases such as the present, the controller cannot be considered as being responsible for any alterations or manipulations that occur in the course of subsequent processing.

213.

However, it is incumbent on each Member States to ensure that the body or authority responsible for keeping its register of beneficial ownership implements adequate technical and organisational measures to prevent any unauthorised processing of the data kept in the register. It is for the referring court to ascertain whether that is actually the case in this instance. ( 121 )

(v) Weighing the objective of general interest against the fundamental rights at issue

214.

All of the matters which I have analysed in this Opinion should, in my view, be taken into account when attempting to strike the right balance between the public interest objective pursued by the regime of public access to the registers of beneficial ownership established by Directive 2015/849 and the fundamental rights at issue, namely those enshrined in Articles 7 and 8 of the Charter.

215.

First of all, as I explained in points 110 to 118 of this Opinion, it is only to the extent of the list of data items set out in the second subparagraph of Article 30(5) of Directive 2015/849 that the limitations on the exercise of the rights resulting from that regime are provided for by law, as is required by Article 52 of the Charter. It follows that, in seeking this balance, account should be taken solely of those data items, and not of the ‘additional information’ mentioned in points 105 to 107, 114 to 116, 159 and 165 of this Opinion.

216.

Next, as I observed in my analysis of interference, in points 91 to 94 of this Opinion specifically, this regime of public access to beneficial ownership information ensures very broad access to that information, without it being necessary to demonstrate an interest of any kind in order to access it. Coupled with automated means of access, such as the free access via the Internet in Luxembourg, this regime can give rise to very wide dissemination of the data in question concerning beneficial owners.

217.

Nonetheless, this regime does not, in my view, result in disproportionate interference with the fundamental rights of the data subjects, in particular, their right to respect for private life and their right to the protection of personal data, guaranteed by Articles 7 and 8 of the Charter.

218.

Indeed, in the first place, as is clear from points 95 to 102 of this Opinion, leaving aside the so-called ‘additional information’, this regime allows the public access to only a rather limited number of personal data items. ( 122 ) Accordingly, although the regime may lead to wide dissemination of those data items, given the limited amount of personal data that is subject to the interference and the fact that those data are not particularly sensitive, the potential harm caused to the individuals affected by that interference is moderate.

219.

In the second place, as I noted in point 91 of this Opinion, the public access regime established by Directive 2015/849 does not concern an indefinite and indeterminate number of individuals, but requires a relationship to exist between those individuals, the beneficial owners, and the purpose of the data processing, which is the prevention of money laundering and the financing of terrorism.

220.

I should point out in this connection that the Court has already held that it is justified that natural persons who choose to participate in trade through corporate or other legal entities are required to disclose certain information relating to their identity and their functions within or interests in that entity, in view of the pursuit of public interest objectives which are, in some way, connected with that choice. ( 123 )

221.

As I observed in point 79 of this Opinion, the rights enshrined in Articles 7 and 8 of the Charter are not absolute rights and must be considered in relation to their function in society. Given that, it seems justifiable to me to impose moderate limitations on those rights in the case of individuals who have chosen to participate in trade through corporate and other legal entities, for the purpose of preventing serious crime such as money laundering or, regarding security and public order, the financing of terrorism.

222.

It is true that the regime of public access to information on beneficial ownership affects, in a comprehensive manner, all beneficial owners without it being necessary for the individuals whose data are disclosed to be, even indirectly, in a situation which is liable to give rise to suspicions of money laundering or terrorist financing. It thus applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with money laundering or terrorist financing. ( 124 )

223.

However, in the third place, the regime of public access to information on beneficial ownership, in addition to entailing no serious interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, establishes, in Article 30(9) of Directive 2015/849, a system of exemptions from public access to that information, which I mentioned in point 182 et seq. of this Opinion. This system of exemptions was introduced expressly with the aim of ensuring a proportionate and balanced approach and guaranteeing the observance of fundamental rights. ( 125 ) It is integral to the balance between the interests involved sought by the EU legislature and it is an essential element of the regime of public access to information on beneficial ownership that limits any potentially serious harm and protects beneficial owners against possible abuse of their fundamental rights. ( 126 )

224.

The approach taken in Directive 2015/849 to the relationship, structured in paragraphs 5 and 9 of Article 30, between public access to information on beneficial ownership, on the one hand, and the system of derogations, on the other, is moreover consistent with the Court’s case-law. Indeed, it is apparent from that case-law that, although, in the weighing of the public interest objective pursued against the fundamental rights enshrined in Articles 7 and 8 of the Charter – given the importance of the public interest objective pursued by the limitation of those rights in relation to the moderate severity of the interference – it is the need to prevent serious crime and to avert possible threats to public security that must, in principle, prevail, it cannot, however, be ruled out that there may be particular situations in which the overriding and legitimate reasons relating to the specific case of the data subject justify, exceptionally, the restriction of access to the personal data concerning him or her recorded in the register. ( 127 )

225.

Furthermore, in the fourth place, Directive 2015/849 provides that the GDPR applies to the processing of personal data that takes place in the context of that regime. Consequently, that processing is subject to the rules designed to ensure the security and protection of the data in question. ( 128 )

226.

In that context, in order to limit the scale of the interference and specifically the risks, albeit limited, of economic profiling of the data subject, which I discussed in point 102 of this Opinion, the Member States are required, in the exercise of the discretion left them by Directive 2015/849, to put in place procedures for accessing the data in question and, in particular, to implement methods for searching the database constituting the register, with the aim of minimising the interference with the fundamental rights of beneficial owners.

227.

Lastly, as I explained in points 207 and 208 of this Opinion, in order to ensure that the data subjects, the beneficial owners, have adequate safeguards to protect them effectively against the risk of misuse, the information held in the national registers of beneficial ownership should be made available on the condition of registration, in particular online registration, so that the national bodies or authorities responsible for keeping the registers of beneficial ownership are able to identify the persons who access those registers and are able, when necessary in order to ensure the observance of fundamental rights, in particular those guaranteed by Articles 7 and 8 of the Charter, to make information relating to those persons available to beneficial owners.

228.

Interpreted in this way, the provisions of the first subparagraph of Article 30(5), of Article 30(5a) and of Article 30(9) of Directive 2015/849, which establish the regime of public access to information on beneficial ownership, should not be considered as being invalid in the light of the right to respect for private and family life and the right to the protection of personal data guaranteed, respectively, by Articles 7 and 8 of the Charter.

229.

On the other hand, it is clear from the considerations I set out in points 105 to 107, 114 to 116, 159 and 165 of this Opinion that, in my view, the second subparagraph of Article 30(5) of Directive 2015/849 must be declared partly invalid and that the third subparagraph thereof should be declared invalid.

4.   Conclusion regarding the validity of the public access regime established by Directive 2015/849

230.

It follows from all the foregoing considerations that, in my view, the answer to the first question and to part (b) of the second question referred for a preliminary ruling in Case C‑601/20 should be as follows:

the second subparagraph of Article 30(5) of Directive 2015/849 is invalid in so far as it provides that any member of the general public is to be permitted to access ‘at least’ the data items set out in that subparagraph, leaving open the possibility of any member of the general public being permitted to access data concerning beneficial owners other than the data indicated in that subparagraph;

the third subparagraph of Article 30(5) of Directive 2015/849 is invalid;

Article 30(5a) of Directive 2015/849, read in the light of Articles 7, 8 and Article 52(1) of the Charter, is to be interpreted as meaning that it is incumbent on the Member States to ensure that the national bodies or authorities responsible for keeping the registers of beneficial ownership are aware of the identities of the persons who access those registers;

Article 30(9) of Directive 2015/849, read in the light of the Charter, and in particular Article 51(1) thereof, interpreted as meaning that the Member States are not only entitled to provide for exemptions from access by the general public to information concerning the beneficial owners of corporate and other legal entities held in the national registers of beneficial ownership, but are obliged to provide for and to grant such exemptions where, in exceptional circumstances, that access would expose the beneficial owner to a disproportionate risk of interference with his or her fundamental rights, as provided for by the Charter, is valid;

an examination of the first question and of part (b) of the second question in Case C‑601/20 reveals nothing further that might affect the validity of Article 30(5) and (9) of Directive 2015/849.

C. The third question referred for a preliminary ruling in Case C‑601/20, concerning the interpretation of the GDPR

231.

By the third question referred for a preliminary ruling in Case C‑601/20, the referring court in fact asks six separate questions designed, essentially, to verify the compatibility of the regime of public access to information on beneficial ownership established by Directive 2015/849 with a number of provisions of the GDPR.

232.

First of all, I set out in points 63 to 72 of this Opinion the reasons for which, in my view, the GDPR cannot as such constitute a criterion by which to assess the validity of the provisions of Directives 2015/843 and 2018/849. I have also stated that those directives must nevertheless be interpreted in a manner consistent with the provisions of the GDPR, in accordance with the express provision laid down in Article 41(1) of Directive 2015/843, as amended by Directive 2019/2177.

233.

Next, I consider that, in light of the considerations I set out in my analysis of the validity of the regime of public access to information on beneficial ownership in points 74 to 229 of this Opinion, there is no need to answer parts (a) to (e) of the third question in Case C‑601/20. Indeed, all of the doubts expressed by the referring court in those questions with regard to various provisions of the GDPR have been answered in the course of that analysis.

234.

Accordingly, part (f) of the third question alone remains to be answered. By this question, the referring court asks, essentially, about the relationship between the regime of public access to information on beneficial ownership and Articles 44 to 50 of the GDPR, under which the transfer of personal data to a third country is subject to strict conditions, with particular reference to the fact that the data of a beneficial owner recorded in a register of beneficial ownership are accessible in any circumstances to any member of the general public, with no requirement to demonstrate a legitimate interest and no limitations as to the location of that public.

235.

In must be borne in mind in this connection that Chapter V of the GDPR, which contains Articles 44 to 55, governs the transfer of personal data to third countries and international organisations.

236.

As the Commission and the Finnish Government have pointed out, Article 49 of the GDPR provides – in the absence of an adequacy decision pursuant to Article 45(3) of the GDPR or of appropriate safeguards pursuant to Article 46 of the GDPR – for a certain number of derogations for specific situations in which a transfer or set of transfers of personal data to a third country may take place.

237.

In particular, Article 49(1)(g) of the GDPR specifically governs transfers from registers which, according to Union law or Member State law, are intended to provide information to the public.

238.

It is clear from that provision, as well as from paragraph 2 of Article 49, read in the light of recital 111 of the GDPR, that this derogation applies where the transfer is made from a register which according to Union or Member State law is intended to provide information to the public (and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest), that the transfer can be made only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled, and that the transfer may not involve the entirety of the personal data or entire categories of the personal data contained in the register.

239.

I must observe in this connection that, as the Commission rightly mentions, Article 49(1)(g) and (2) of the GDPR apply specifically to any transfers ‘from’ a public register. The mere fact of a register’s being public, however, does not in itself constitute a transfer.

240.

It follows from the foregoing considerations that the answer to part (f) of the third question in Case C‑601/20 should be that the provisions of Chapter V of the GDPR are to be interpreted as not precluding a register which is in part accessible to the public, without any requirement to demonstrate a legitimate interest and without any limitation as to the location of the public. However, a transfer made from such a register may, in accordance with Article 49(1)(g) of the GDPR, be made only if the conditions for consultation of the register laid down by law are fulfilled and only if the consultation does not involve the entire register.

D. Interpretation of Article 30(9) of Directive 2015/849 (first, second and third questions referred for a preliminary ruling in Case C‑37/20 and part (a) of the second question referred in Case C‑601/20)

241.

By the questions referred in Case C‑37/20 and by part (a) of the second question referred in Case C‑601/20, the national court asks the Court of Justice about the interpretation of Article 30(9) of Directive 2015/849, which establishes a system of exemptions from general public access to the information held in the registers of beneficial ownership.

242.

I have already examined this system and Article 30(9) of Directive 2015/849 in points 182 to 193 of this Opinion. It is nevertheless appropriate to analyse, on the basis of the considerations set out in those points of the Opinion, the specific questions raised by the referring court.

1.   The concept of ‘exceptional circumstances’ (first question referred in Case C‑37/20)

243.

The first question referred in Case C‑37/20 concerns the concept of ‘exceptional circumstances’ as provided for by Article 30(9) of Directive 2015/849. This question falls into two parts.

244.

By the first part of the question, the referring court asks, in substance, whether Article 30(9) of Directive 2015/849 is to be interpreted as allowing a Member State to confine itself to defining in its national law the concept of ‘exceptional circumstances’ referred to in that provision simply as being ‘disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation’, concepts which, in accordance with the wording of that provision, in any event already constitute a condition for applying exemptions limiting public access to the information concerning beneficial owners. In the second part of the first question, the referring court essentially asks what powers it has and what criteria it should apply in order to determine the content of the concept of ‘exceptional circumstances’ if the national transposing law has not defined that concept other than by referring to the circumstances already expressly mentioned in Article 30(9) of Directive 2015/849.

245.

I would first of all observe in this connection that the express reference in Article 30(9) of Directive 2015/849 to national law for the definition of the exceptional circumstances which justify the provision of exemptions limiting the general public’s access to information concerning beneficial owners reveals the EU legislature’s intention to leave the Member States a discretion with regard to the identification of those exceptional circumstances.

246.

Nonetheless, as I explained in point 186 et seq. of this Opinion, it is clear from settled case-law that, irrespective of any discretion which they enjoy in transposing a directive, the Member States are required to ensure the protection of fundamental rights against any disproportionate interference with them.

247.

It also follows from that passage of this Opinion that Article 30(9) of Directive 2015/849, read in the light of Article 51(1) of the Charter, is to be interpreted as meaning that the Member States are obliged to allow exemptions from general public access to information concerning the beneficial owners of corporate and other legal entities held in the national registers of beneficial ownership where, in exceptional circumstances, that access would expose the beneficial owner to a disproportionate risk of interference with his or her fundamental rights as provided for by the Charter.

248.

The duty of protection which rests on the Member States is, therefore, not limited exclusively to disproportionate risk in the seven cases of risk expressly specified in Article 30(9) of Directive 2015/849, but extends to disproportionate risks of infringement of any of the beneficial owner’s fundamental rights.

249.

That being so, I consider that Article 30(9) of Directive 2015/849 is to be interpreted as meaning that it is for the Member States to define in their national law the situations which constitute ‘exceptional circumstances’ for the purposes of that provision. Since that provision does not contain any further stipulation as to the form in which the Member States are to define that concept, there is nothing to prevent a Member State from defining ‘exceptional circumstances’, as the Grand-Duchy of Luxembourg has done, simply by reference to the cases already referred to in that provision, provided, however, that the transposition of the directive into national law enables beneficial owners to be protected against disproportionate infringements of their fundamental rights.

250.

As I indicated in point 188 of this Opinion, national courts must interpret their national law in a manner consistent with Directive 2015/849, but must also make sure that they do not rely on an interpretation of that directive which would be in conflict with fundamental rights. It follows that the national court must rely on an interpretation of the provisions of that directive which authorise exemptions which, while being consistent with their wording and safeguarding their effectiveness, fully adheres to the fundamental rights enshrined in the Charter. ( 129 )

251.

As the Commission has correctly asserted, the national court may find it necessary, to that end, itself to determine specifically the nature and scope of the exceptional circumstances in which exemptions from public access to the information on beneficial ownership are permitted, but only to the extent necessary fully to protect the fundamental rights of beneficial owners.

252.

With regard to any such determination the national court may have to make in order to interpret Directive 2015/849 in a manner consistent with the fundamental rights guaranteed by the Charter, I would point out, first of all, that it must take account of the fact that the detailed evaluation of the ‘exceptional’ nature of the circumstances must be carried out on a case-by-case basis, as is clear from the very wording of Article 30(9) of the directive.

253.

Secondly, in making that determination, the national court must take account of the fact that, since Article 30(9) of Directive 2015/849 provides for exemptions from a general rule, that of public access to the information on beneficial ownership, in accordance with the settled case-law of the Court, it must in principle interpret that provision strictly. ( 130 )

254.

Thirdly, in making that determination, the national court must take account of the fact that the use of the word ‘exceptional’ indicates that the circumstances which may justify exemption must be out of the ordinary and must give rise to a disproportionate risk of infringement of fundamental rights. ( 131 ) In that context, the express mention in the provision in question of risks affecting the right to life, the right to integrity of the person and the right to security of person, protected, respectively, by Articles 2, 3 and 6 of the Charter, provides a benchmark for determining how serious the infringement of fundamental rights must be in order to justify exemption.

2.   The concept of ‘risk’ (second question referred for a preliminary ruling in Case C‑37/20)

255.

The second question referred for a preliminary ruling in Case C‑37/20 concerns the concept of ‘risk’ employed in Article 30(9) of Directive 2015/849. It falls into three parts.

256.

In the first part of this question, the referring court asks, in substance, whether Article 30(9) of Directive 2015/849 is to be interpreted as meaning that the existence of a ‘disproportionate risk’ constitutes an independent ground justifying exemption from public access to the information on beneficial ownership or whether, alternatively, the requirement that the risk be disproportionate constitutes a condition that applies to each of the specific risks mentioned in that provision, namely the risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation.

257.

The reason for which this question has arisen, as the referring court points out, is that there is divergence in the drafting of the various language versions of Article 30(9) of Directive 2015/849, as well as divergence, in some language versions, between the wording of that provision and the wording of recital 36 of Directive 2018/843, which explains and justifies the amended version of directive 2015/849. ( 132 )

258.

According to the Court’s settled case-law, the wording used in one language version of a provision of EU law cannot serve as the sole basis for the interpretation of that provision or be made to override the other language versions. Provisions of EU law must be interpreted and applied uniformly in the light of the versions existing in all languages of the European Union. Where there is divergence between the various language versions of an EU legislative text, the provision in question must be interpreted by reference to the general scheme and the purpose of the rules of which it forms part. ( 133 )

259.

That being so, as is apparent from the considerations set out in points 185 to 192 of this Opinion, it is not only the existence of a disproportionate risk in the seven cases of risk expressly specified in Article 30(9) of Directive 2015/849 that can justify exemption from public access to information concerning a beneficial owner, but any disproportionate risk, in exceptional circumstances, that the fundamental rights of the beneficial owner could be infringed.

260.

In so far as concerns, specifically, the assessment to determine whether there is a disproportionate risk that the fundamental rights of the beneficial owner could be infringed, that must be carried out on a case-by-case basis. That assessment must include a detailed evaluation of the exceptional circumstances and be based on an analysis of all the relevant facts of the particular case.

261.

By the second part of the second question in Case C‑37/20, the referring court asks, in substance, whether Article 30(9) of Directive 2015/849 is to be interpreted as meaning that it is necessary, when determining the existence of the risk or the disproportionate nature of the risk upon which the restriction of access to the information on beneficial ownership is conditional, to take account solely of the relationship which the beneficial owner in question has with the legal entity with regard to which the restriction of public access to the information is requested, or to take account also of the relationships which the beneficial owner has with other legal entities. If it is the latter, the referring court wishes to know whether account must be taken only of the status of beneficial owner or of any relationship whatsoever with other legal entities. Again, if it is the latter, the referring court wishes to know whether the nature of the relationship has an effect on the assessment of the existence and extent of the risk.

262.

I would observe, in this connection, that there is no clear indication in the wording of Directive 2015/849 with regard to these questions. However, as I pointed out in point 260 of this Opinion, the assessment to determine whether there is a disproportionate risk that the fundamental rights of the beneficial owner could be infringed must be carried out on a case-by-case basis, must include an evaluation of the exceptional circumstances and must aim to ensure adequate protection of the beneficial owner against disproportionate infringements of his or her fundamental rights.

263.

That being so, it cannot be ruled out that, in some cases, in order to ensure such adequate protection, it will be necessary to take account not only of the relationship which the beneficial owner has with the legal entity which is the subject of the application for specific exemption, but also of the relationships which that beneficial owner has with other legal entities.

264.

Nevertheless, first of all, I share the Commission’s view that, since it is a question here of assessing the risks which an individual faces as beneficial owner of one or more legal entities, the relationships in question must be inherently in the nature of beneficial ownership of those entities, such that other relationships of a different type cannot, in principle, be taken into consideration in the assessment.

265.

Secondly, it is for the beneficial owner or the entity seeking the benefit of exemption from public access to the information to prove that the relationships which the beneficial owner has with legal entities other than those covered by the application for exemption are relevant to the assessment of whether there is a disproportionate risk of infringement of the latter’s fundamental rights, and that those relationships demonstrate or corroborate the existence of a disproportionate risk or the disproportionate nature of a risk. That apportionment of the burden of proof, ( 134 ) which requires the applicant to prove the existence and relevance of such relationships in order for exemption to be granted, is essential in order to prevent the competent authorities of the Member States from finding themselves under an obligation, such as the Austrian Government has alluded to, systematically to carry out unreasonably extensive investigations before being able to rule out the existence of disproportionate risks of infringement of the fundamental rights of beneficial owners.

266.

By the third part of the second question in Case C‑37/20, the referring court asks, in substance, whether Article 30(9) of Directive 2015/849 is to be interpreted as meaning that exemption from public access to the information concerning beneficial owners may be granted where that information is easily available to third parties through other information channels.

267.

On this point, I consider, like the Commission and the Austrian Government that, since, as I observed in points 260 and 262 of this Opinion, Directive 2015/849 requires the Member States to ensure that exemptions from public access to information on beneficial ownership are granted on the basis of a detailed evaluation of the exceptional nature of the circumstances and by reference to the risks resulting from the disclosure of that information, Article 30(9) of the directive must be interpreted as implicitly excluding the possibility of such exemption being granted when the information in question is easily available to third parties through other information channels.

3.   The evidential requirements relating to disproportionate risk (part (a) of the second question referred in Case C‑601/20)

268.

By part (a) of the second question in Case C‑601/20, the national court asks, essentially, about the requirements concerning the evidence of disproportionate risk and of exceptional circumstances that must be adduced in order to justify exemption under Article 30(9) of Directive 2015/849.

269.

In so far as concerns, in the first place, the burden of proof, it is not disputed that this rests with the beneficial owner. It is the beneficial owner who must demonstrate to the authority or body responsible for keeping the register that the conditions for exemption under Article 30(9) of the directive are fulfilled. Accordingly, the responsible authority or body cannot be required to carry out its own investigations, which would potentially extend world-wide, in order to establish the existence of exceptional circumstances and disproportionate risk; that authority or body must rely on the evidence provided by the beneficial owner in support of the application for exemption.

270.

In so far as concerns, in the second place, the standard of proof, I take the view that the beneficial owner must establish the existence of a disproportionate risk of infringement of his or her fundamental rights and the existence of exceptional circumstances with a sufficient degree of probability.

271.

Accordingly, the mere presence of a remote or hypothetical risk of harm will not be sufficient. Moreover, the perception of the disproportionate risk must not be a subjective one, but must be based on specific, real and current evidence. To that end, the beneficial owner will have to adduce specific, precise and substantial indicia of the threat of infringement of his or her fundamental rights and of the exceptional circumstances.

4.   The criterion of ‘disproportionality’ (third question referred in Case C‑37/20)

272.

By the third question in Case C‑37/20, the national court asks about the criterion of the ‘disproportionality’ of the risk justifying the restriction of access to the information, as provided for in Article 30(9) of Directive 2015/843.

273.

The court asks what competing interests must be taken into consideration in assessing whether a disproportionate risk to a beneficial owner exists which, under Article 30(9) of Directive 2015/849, justifies exemption from public access to the information concerning him or her. It considers that that criterion points, in a general way, to the weighing of two interests equally deserving of protection and therefore asks what the competing interests are that must be reconciled on applying that criterion. In its view, these appear to be the objective of transparency pursued by Directive 2015/849, on the one hand, and, on the other, the protection of the beneficial owner’s physical and psychological integrity and property, by means of efforts to avert a general risk and/or one of the specific risks indicated in Article 30(9) of the directive. However, recital 36 of Directive 2018/843 also mentions the right to private life and the right to personal data protection.

274.

As I discussed in point 138 et seq. of this Opinion, the objective of preventing money laundering and terrorist financing, by means of increased transparency with regard to the beneficial owners of corporate and other legal entities, is the primary objective of the regime of public access to information on beneficial ownership resulting from the amendments introduced by Directive 2018/843. That objective does not, however, fall directly within the scope of the fundamental rights. I also observed that the exemptions from the principle of public access to such information, provided for by Article 30(9) of Directive 2015/849, which, as derogations, must be interpreted strictly, are aimed at striking a fair balance between that objective – which, as I indicated in points 38 to 48, 144 and 189 of this Opinion, relates to requirements laid down in primary law – and observance of the fundamental rights of beneficial owners, as is made expressly clear, moreover, in recital 34 of Directive 2018/843. Furthermore, as is clear from the case-law principles which I mentioned in points 188 and 250 of this Opinion, the interpretation of Directive 2018/843 must not be in conflict with the fundamental rights laid down in the Charter.

275.

In that context, rather that refer, as the national court does, to the weighing of ‘competing interests’, it seems more appropriate to me to frame the analysis by reference to the existence of exemptions from the general principle of public access the aim of which is to prevent infringements of the fundamental rights of beneficial owners which might, in exceptional circumstances, result from such access. Accordingly, the task of the national authorities responsible for assessing applications for exemption is to verify that exceptional circumstances exist which would expose the beneficial owner to a disproportionate risk of infringement of one or more of the fundamental rights laid down in the Charter.

276.

The reasons justifying public access to beneficial ownership information are stated expressly in recitals 30 and 31 of Directive 2018/843, and I have mentioned them already in points 139 to 142 of this Opinion. They include, first of all, the possibility of greater scrutiny of information by civil society, which contributes to preserving trust in the integrity of business transactions and of the financial system, secondly, the contribution to combating the misuse of corporate entities and other legal arrangements for the purposes of money laundering or terrorist financing, and thirdly, facilitating the timely and efficient availability of information for financial institutions as well as authorities involved in combating such offences.

277.

Moreover, as I have already observed in points 220 and 221 of this Opinion, the case-law states that it appears justified that natural persons who choose to engage in business as beneficial owners of companies or other legal entities should be required to make available and accessible certain information from which they may be identified as the beneficial owners of such legal entities, especially since they are aware of that requirement when they decide to engage in that activity. ( 135 )

278.

However, in the assessment that must be made pursuant to Article 30(9) of Directive 2015/849, while it follows from the foregoing that, in the weighing-up to be carried out under that provision, the public interest in having access to information concerning beneficial owners should, as a general principle, prevail, it is expressly envisaged that there may be particular situations in which the overriding and legitimate reasons relating to the specific case of the beneficial owner concerned justify, exceptionally, the restriction of public access to the information concerning him or her, in order not to expose him or her to a disproportionate risk of infringement of his or her fundamental rights. ( 136 )

279.

Having regard to all the foregoing considerations, the answer to this third question should, in my view, be that, in the assessment of whether a disproportionate risk to the beneficial owner exists which, in accordance with Article 30(9) of Directive 2015/849, justifies exemption from public access to the information concerning him or her, it is necessary to take into account, first, the specific risks mentioned in that provision, as well as the fundamental rights of the person concerned, including in particular the right to private life and the right to the protection of personal data, as protected, respectively, by Articles 7 and 8 of the Charter, and, secondly, the interest of the public and of society as a whole in knowing the identity of beneficial owners with a view to preventing the use of the financial system for the purposes of money laundering and terrorist financing.

IV. Conclusion

280.

In light of the foregoing considerations, I propose that the Court answer the questions referred by the Tribunal d’arrondissement de Luxembourg (Luxembourg District Court, Luxembourg) for a preliminary ruling in Cases C‑37/20 and C‑602/20, as follows:

(1)

The second subparagraph of Article 30(5) of Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC, as amended by Directive (EU) 2018/843 of the Parliament and of the Council of 30 May 2018, is invalid in so far as it provides that any member of the general public is to be permitted to access ‘at least’ the data items set out in that subparagraph, leaving open the possibility of any member of the general public being permitted to access data concerning beneficial owners other than the data indicated in that subparagraph;

(2)

The third subparagraph of Article 30(5) of Directive 2015/849, as amended by Directive 2018/843, is invalid;

(3)

Article 30(5a) of Directive 2015/849, as amended by Directive 2018/843, read in the light of Articles 7, 8 and Article 52(1) of the Charter of Fundamental Rights of the European Union, is to be interpreted as meaning that it is incumbent on the Member States to ensure that the bodies or authorities responsible for keeping the registers of beneficial ownership are aware of the identities of the persons who access those registers;

(4)

Article 30(9) of Directive 2015/849, as amended by Directive 2018/843, read in the light of the Charter of Fundamental Rights, and in particular Article 51(1) thereof, interpreted as meaning that the Member States are not only entitled to provide for exemptions from access by the general public to information concerning the beneficial owners of corporate and other legal entities held in the national registers of beneficial ownership, but are obliged to provide for and to grant such exemptions where, in exceptional circumstances, that access would expose the beneficial owner to a disproportionate risk of interference with his or her fundamental rights, as provided for by the Charter, is valid;

(5)

An examination of the first question and of part (b) of the second question in Case C‑601/20 reveals nothing further that might affect the validity of Article 30(5) and (9) of Directive 2015/849, as amended by Directive 2018/849;

(6)

The provisions of Chapter V of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) are to be interpreted as not precluding a register which is in part accessible to the public, without any requirement to demonstrate a legitimate interest and without any limitation as to the location of the public. However, a transfer made from such a register may, in accordance with Article 49(1)(g) of that regulation, be made only if the conditions for consultation of the register laid down by law are fulfilled and only if the consultation does not involve the entire register;

(7)

Article 30(9) of Directive 2015/849, as amended by Directive 2018/843, is to be interpreted as meaning that it is for the Member States to define in their national law the situations which constitute ‘exceptional circumstances’ for the purposes of that provision. Since that provision does not contain any further stipulation as to the form in which the Member States are to define that concept, there is nothing to prevent a Member State from defining ‘exceptional circumstances’ simply by reference to the cases already referred to in that provision, provided, however, that the transposition of the directive into national law enables beneficial owners to be protected against disproportionate infringements of their fundamental rights. To that end, the national court may find it necessary itself to determine specifically the nature and scope of the exceptional circumstances in which exemptions from public access to the information concerning beneficial owners are permitted, but only to the extent necessary fully to protect the fundamental rights of beneficial owners. That assessment must take into account, first, the fact that the detailed evaluation of the ‘exceptional’ nature of the circumstances must be carried out on a case-by-case basis, secondly, that, since this involves derogation from a general rule, the provision in question must, in principle, be interpreted strictly, and thirdly, that the circumstances which may justify exemption must be out of the ordinary and must give rise to a disproportionate risk of infringement of fundamental rights;

(8)

Article 30(9) of Directive 2015/849, as amended by Directive 2018/843, is to be interpreted as meaning that the requirement that the risk be disproportionate constitutes a condition that applies to each of the specific risks mentioned in that provision, namely the risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation, and to any infringement of the fundamental rights of the beneficial owner which justifies exemption from public access to the information concerning him or her. In determining the existence or disproportionate nature of such a risk, account may be taken, in appropriate cases, of the relationships which the beneficial owner in question has with companies and other legal entities, as well as with trusts and other legal arrangements having a structure or functions similar to those of trusts, as beneficial owner thereof, other than the entity in relation to which exemption from public access to the information concerning him or her is sought. Nevertheless, it is for the beneficial owner or the entity seeking the benefit of exemption from public access to the information to prove that those relationships are relevant and demonstrate or corroborate the existence of a disproportionate risk of infringement of the fundamental rights of the beneficial owner in question. Article 30(9) of Directive 2015/849 excludes the possibility of exemption from public access to the information on beneficial ownership being granted when that information is easily available to third parties through other information channels;

(9)

It is for the beneficial owner concerned to establish the disproportionate risk and the exceptional circumstances capable of justifying exemption under Article 30(9) of Directive 2015/849, as amended by Directive 2018/843. To that end, the beneficial owner must establish the existence of a disproportionate risk of infringement of his or her fundamental rights and the existence of exceptional circumstances with a sufficient degree of probability and must adduce specific, precise and substantial indicia of the threat of infringement of his or her fundamental rights and of the exceptional circumstances;

(10)

In the assessment of whether a disproportionate risk to the beneficial owner exists which, in accordance with Article 30(9) of Directive 2015/849, as amended by Directive 2018/843, justifies exemption from public access to the information concerning him or her, it is necessary to take into account, on the one hand, the specific risks mentioned in that provision, as well as the fundamental rights of the person concerned, including in particular the right to private life and the right to the protection of personal data, as protected, respectively, by Articles 7 and 8 of the Charter of Fundamental Rights and, on the other hand, the interest of the public and of society as a whole in knowing the identity of beneficial owners with a view to preventing the use of the financial system for the purposes of money laundering and terrorist financing.


( 1 ) Original language: French.

( 2 ) Directive of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ 2015 L 141, p. 73).

( 3 ) Directive of the European Parliament and of the Council of 30 May 2018 amending Directive 2015/849 (OJ 2018 L 156, p. 43).

( 4 ) Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1, ‘the GDPR’).

( 5 ) The second subparagraph of that point (i) of Article 3(6)(a) states that ‘a shareholding of 25% plus one share or an ownership interest of more than 25% in the customer held by a natural person shall be an indication of direct ownership. A shareholding of 25% plus one share or an ownership interest of more than 25% in the customer held by a corporate entity, which is under the control of a natural person(s), or by multiple corporate entities, which are under the control of the same natural person(s), shall be an indication of indirect ownership.’

( 6 ) Article 1(15) of Directive 2018/843 amended or replaced paragraphs 1 to 7, 9 and 10 of the original version of Article 30 of Directive 2015/849 and also inserted a new paragraph 5a.

( 7 ) This article was amended by Directive (EU) 2019/2177 of the European Parliament and of the Council of 18 December 2019 amending Directive 2009/138/EC on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II), Directive 2014/65/EU on markets in financial instruments and Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money-laundering or terrorist financing (OJ 2019 L 334, p. 155).

( 8 ) It is apparent from the order for reference that proceedings are also pending before the President of the Commercial Division of the referring court challenging the refusal decisions concerning the other commercial companies.

( 9 ) Bobbio, N., Il futuro della democrazia, Einaudi, Turin, p. 76.

( 10 ) See also Article 298(1) TFEU and Article 42 of the Charter.

( 11 ) See, in this respect, recital 2 of Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ 2001 L 145, p. 43) and judgment of 4 September 2018, ClientEarth v Commission (C‑57/16 P, EU:C:2018:660, paragraph 75 and the case-law cited).

( 12 ) Judgment of 9 November 2010, Volker und Markus Schecke and Eifert (C‑92/09 and C‑93/09, EU:C:2010:662, paragraph 68). See also, on this point, Opinion of Advocate General Sharpston in those Cases (EU:C:2010:353, point 66 and the case-law cited).

( 13 ) See judgment of 18 July 2017, Commission v Breyer (C‑213/15 P, EU:C:2017:563, paragraph 50 and the case-law cited).

( 14 ) See, in particular, paragraph 75 of judgment of 9 November 2010, Volker und Markus Schecke and Eifert (C‑92/09 and C‑93/09, EU:C:2010:662).

( 15 ) Judgment of 18 June 2020, Commission v Hungary (Transparency of associations) (C‑78/18, EU:C:2020:476).

( 16 ) See judgment of 18 June 2020, Commission v Hungary (Transparency of associations) (C‑78/18, EU:C:2020:476 paragraph 79).

( 17 ) See, on this point, Opinion of Advocate General Richard de la Tour in Ecotex BULGARIA (C‑544/19, EU:C:2020:931, point 46).

( 18 ) See recital 1 of Directive 2018/843.

( 19 ) Member States can, for that purpose, use a central database which collects beneficial ownership information, or the business register, or another central register.

( 20 ) Specific rules regarding information on the beneficial ownership of trusts and other types of legal arrangement having a similar structure or function are laid down in Article 31 of Directive 2015/849.

( 21 ) Recital 30 of Directive 2018/843 reads: ‘Public access to beneficial ownership information allows greater scrutiny of information by civil society, including by the press or civil society organisations, and contributes to preserving trust in the integrity of business transactions and of the financial system. It can contribute to combating the misuse of corporate and other legal entities and legal arrangements for the purposes of money laundering or terrorist financing, both by helping investigations and through reputational effects, given that anyone who could enter into transactions is aware of the identity of the beneficial owners. It also facilitates the timely and efficient availability of information for financial institutions as well as authorities, including authorities of third countries, involved in combating such offences. The access to that information would also help investigations on money laundering, associated predicate offences and terrorist financing.’

( 22 ) Recital 31 of Directive 2018/843 reads: ‘Confidence in financial markets from investors and the general public depends in large part on the existence of an accurate disclosure regime that provides transparency in the beneficial ownership and control structures of companies. This is particularly true for corporate governance systems that are characterised by concentrated ownership, such as the one in the Union. On the one hand, large investors with significant voting and cash-flow rights may encourage long-term growth and firm performance. On the other hand, however, controlling beneficial owners with large voting blocs may have incentives to divert corporate assets and opportunities for personal gain at the expense of minority investors. The potential increase in confidence in financial markets should be regarded as a positive side effect and not the purpose of increasing transparency, which is to create an environment less likely to be used for the purposes of money laundering and terrorist financing.’

( 23 ) Recital 32 of Directive 2018/843 reads: ‘Confidence in financial markets from investors and the general public depends in large part on the existence of an accurate disclosure regime that provides transparency in the beneficial ownership and control structures of corporate and other legal entities as well as certain types of trusts and similar legal arrangements. Member States should therefore allow access to beneficial ownership information in a sufficiently coherent and coordinated way, by establishing clear rules of access by the public, so that third parties are able to ascertain, throughout the Union, who are the beneficial owners of corporate and other legal entities as well as of certain types of trusts and similar legal arrangements.’

( 24 ) Recital 33 of Directive 2018/843 reads: ‘Member States should therefore allow access to beneficial ownership information on corporate and other legal entities in a sufficiently coherent and coordinated way, through the central registers in which beneficial ownership information is set out, by establishing a clear rule of public access, so that third parties are able to ascertain, throughout the Union, who are the beneficial owners of corporate and other legal entities …’.

( 25 ) See recital 31 of Directive 2018/843, set out in footnote 22 to this Opinion, and the last sentence in particular.

( 26 ) Ibidem.

( 27 ) The first sentence of recital 34 of Directive 2018/843 reads: ‘In all cases, both with regard to corporate and other legal entities, as well as trusts and similar legal arrangements, a fair balance should be sought in particular between the general public interest in the prevention of money laundering and terrorist financing and the data subjects’ fundamental rights.’

( 28 ) Recital 36 of Directive 2018/843 reads: ‘Moreover, with the aim of ensuring a proportionate and balanced approach and to guarantee the rights to private life and personal data protection, it should be possible for Member States to provide for exemptions to the disclosure through the registers of beneficial ownership information and to access to such information, in exceptional circumstances, where that information would expose the beneficial owner to a disproportionate risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation. It should also be possible for Member States to require online registration in order to identify any person who requests information from the register, as well as the payment of a fee for access to the information in the register.’

( 29 ) See, to that effect, judgment of 28 June 2012, Commission v Éditions Odile Jacob (C‑404/10 P, EU:C:2012:393, paragraph 110). See also judgment of 29 June 2010, Commission v Bavarian Lager (C‑28/08 P, EU:C:2010:378, paragraph 56).

( 30 ) Indeed, it is the processing of personal data that is ‘subject to’ the GDPR, not the directive as such. I also note that the expression ‘subject to’ was used in the original version of Article 41, with reference to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).

( 31 ) Equally, there is no lex generalis vs. lex specialis relationship between the GDPR and the two directives, by contrast with what may be the case between the GDPR and other directives (see, inter alia, in that regard, recital 173 and Article 95 of the GDPR).

( 32 ) See, to that effect, with reference, inter alia, to Articles 6 and 7 of Directive 95/46, which correspond to Articles 5 and 6 of the GDPR, judgment of 9 March 2017, Manni (C‑398/15, EU:C:2017:197, paragraph 40). For a very recent analysis of the scope of the GDPR, see Opinion of Advocate General Richard de la Tour in Facebook Ireland (C‑319/20, EU:C:2021:979, points 50 to 52).

( 33 ) See, to that effect, judgment of 16 July 2020, Facebook Ireland and Schrems (C‑311/18, EU:C:2020:559, paragraph 170 and the case-law cited).

( 34 ) See judgment of 16 July 2020, Facebook Ireland and Schrems (C‑311/18, EU:C:2020:559, paragraph 172 and the case-law cited).

( 35 ) See, to that effect, judgment of 6 October 2020, La Quadrature du Net and Others (C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 122).

( 36 ) See, to that effect, judgment of 6 October 2020, La Quadrature du Net and Others (C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 124 and the case-law cited).

( 37 ) See judgment of 18 June 2020, Commission v Hungary(Transparency of associations) (C‑78/18, EU:C:2020:476, paragraph 122 and the case-law cited).

( 38 ) Determining the degree of seriousness of the interference is necessary in view of the fact that, in accordance with the case-law, the assessment of observance of the principle of proportionality will require a weighing of the seriousness of the interference entailed by the limitation of those rights against the importance of the public interest objective pursued by the limitation, which might justify it. See, on this point, inter alia, judgments of 2 October 2018, Ministerio Fiscal (C‑207/16, EU:C:2018:788, paragraph 55), and of 2 March 2021, Prokuratuur (Conditions of access to data relating to electronic communications) (C‑746/18, EU:C:2021:152, paragraph 32 and the case-law cited). See, for further detail, the case-law mentioned in points 152 and 153 of this Opinion.

( 39 ) See, inter alia, Opinion 1/15 (EU-Canada PNR Agreement), of 26 July 2017 (EU:C:2017:592, paragraph 122 and the case-law cited).

( 40 ) See, by analogy, judgment of 9 March 2017, Manni (C‑398/15, EU:C:2017:197, paragraph 34). On this point, see also the definition of ‘personal data’ given in Article 4(1) of the GDPR.

( 41 ) Judgment of 9 March 2017, Manni (C‑398/15, EU:C:2017:197, paragraph 34 and the case-law cited).

( 42 ) Judgment of 6 October 2020, La Quadrature du Net and Others (C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 115 and the case-law cited).

( 43 ) See, by analogy, judgment of 9 November 2010, Volker und Markus Schecke and Eifert (C‑92/09 and C‑93/09, EU:C:2010:662, paragraph 58).

( 44 ) See, to that effect, Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017 (EU:C:2017:592, paragraph 126 and the case-law cited).

( 45 ) Moreover, Article 4(2) of the GDPR defines as processing, inter alia, the ‘dissemination or otherwise making available’ of data.

( 46 ) See, to that effect, judgments of 9 March 2017, Manni (C‑398/15, EU:C:2017:197, paragraph 35), and of 22 June 2021, Latvijas Republikas Saeima(Penalty points) (C‑439/19, EU:C:2021:504, paragraph 101).

( 47 ) See, to that effect, judgment of 22 June 2021, Latvijas Republikas Saeima(Penalty points) (C‑439/19, EU:C:2021:504, paragraph 101), concerning the category of ‘personal data relating to criminal convictions and offences’ and therefore also the specific guarantees under Article 10 of the GDPR.

( 48 ) See, by analogy, judgment of 2 October 2018, Ministerio Fiscal (C‑207/16, EU:C:2018:788, paragraph 51). See also judgment of 16 July 2020, Facebook Ireland and Schrems (C‑311/18, EU:C:2020:559, paragraph 171 and the case-law cited).

( 49 ) Within the meaning of Article 4(7) of the GDPR. On this point, see, by analogy, Opinion of Advocate General Bobek in SS (Processing of personal data for tax purposes) (C‑175/20, EU:C:2021:690, point 45).

( 50 ) For an analysis of a case in which the number of persons capable of being affected by the interference was limited, see Opinion of Advocate General Saugmandsgaard Øe in Ministerio Fiscal (C‑207/16, EU:C:2018:300, point 34).

( 51 ) On the public interest objective pursued by the regime of public access to information on beneficial ownerships, see, for further detail, point 137 et seq. of this Opinion.

( 52 ) The Court has addressed on a number of occasions already the public disclosure of personal data. In addition to the judgments which I have already cited, namely, judgments of 9 November 2010, Volker und Markus Schecke and Eifert (C‑92/09 and C‑93/09, EU:C:2010:662); of 9 March 2017, Manni (C‑398/15, EU:C:2017:197); and of 22 June 2021, Latvijas Republikas Saeima (Penalty points) (C‑439/19, EU:C:2021:504), a similar case is still pending (Case C‑184/20, Vyriausioji tarnybinės etikos komisija) and concerns national legislation providing for the publication on the Internet of personal data contained in declarations of interests which serve to prevent conflicts of interests and corruption in the public sector (see Opinion of Advocate General Pikamäe of that case (EU:C:2021:991)).

( 53 ) See, in this regard, my Opinion in Prokuratuur (Conditions of access to data relating to electronic communications) (C‑746/18, EU:C:2020:18, point 79).

( 54 ) See, to that effect, Opinion of Advocate General Saugmandsgaard Øe in Ministerio Fiscal (C‑207/16, EU:C:2018:300, point 35).

( 55 ) See, to that effect, Opinion of Advocate General Cruz Villalón in Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2013:845, points 64, 65 and 74).

( 56 ) See, to that effect, judgment of 2 October 2018, Ministerio Fiscal (C‑207/16, EU:C:2018:788, paragraph 60, in fine).

( 57 ) (See, to that effect, judgment of 2 October 2018, Ministerio Fiscal,C‑207/16, EU:C:2018:788, point 60, in fine).

( 58 ) I would point out in this connection that the GDPR lays down, in Article 9, special rules for the processing of personal data which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

( 59 ) This aspect is addressed in point 114 et seq. of this Opinion.

( 60 ) See, inter alia, judgments of 16 July 2020, Facebook Ireland and Schrems (C‑311/18, EU:C:2020:559, paragraph 175); of 8 September 2020, Recorded Artists Actors Performers (C‑265/19, EU:C:2020:677, paragraph 86 and the case-law cited); and of 6 October 2020, Privacy International (C‑623/17, EU:C:2020:790, paragraph 65).

( 61 ) See, inter alia, judgments of the ECtHR of 8 June 2006, Lupsa v. Romania, (CE:ECHR:2006:0608JUD001033704, § 32 and 33), and of 15 December 2020, Piskìn v. Türkiye (CE:ECHR:2020:1215JUD00333991, § 206). As for the need to interpret ‘provided for by law’ in Article 52(1) of the Charter in the same way as the European Court of Human Rights has interpreted that expression, see Opinion of Advocate General Wathelet in WebMindLicenses (C‑419/14, EU:C:2015:606, points 134 to 143).

( 62 ) See judgment of 17 December 2015, WebMindLicenses (C‑419/14, EU:C:2015:832, paragraph 81).

( 63 ) The requirement that personal data must be processed in a transparent manner is expressly mentioned in Article 5(1)(a) of the GDPR and by the referring court in part (a) of the third question in Case C‑601/20.

( 64 ) See, on this point, Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017 (EU:C:2017:592, paragraph 160).

( 65 ) As well as compliance with the principle of proportionality. On this issue, see point 165 below.

( 66 ) See, a contrario, judgment of 3 December 2019, Czech Republic v Parliament and Council (C‑482/17, EU:C:2019:1035, paragraph 135).

( 67 ) A comparable situation is at issue in Ligue des droits humains (C‑817/19), in which I shall deliver an Opinion shortly.

( 68 ) See recital 40 of the GDPR.

( 69 ) The referring court mentions the requirement that data be processed lawfully, pursuant to Article 5(1)(a) of the GDPR, in Question 3(a) in Case C‑601/20.

( 70 ) See, inter alia, judgment of 22 June 2021, Latvijas Republikas Saeima(Penalty points) (C‑439/19, EU:C:2021:504, paragraph 99 and the case-law cited)

( 71 ) See, by analogy, with reference to the authority responsible for keeping the companies register, judgment of 9 March 2017, Manni (C‑398/15, EU:C:2017:197, paragraph 42).

( 72 ) See also, on this point, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points) (C‑439/19, EU:C:2021:504, paragraph 99, last sentence).

( 73 ) See, for further detail, point 137 et seq. of this Opinion.

( 74 ) As stated explicitly in its judgment of 22 June 2021, Latvijas Republikas Saeima(Penalty points) (C‑439/19, EU:C:2021:504, paragraphs 103 and 104). Similarly, the case which gave rise to the judgment of 9 March 2017, Manni (C‑398/15, EU:C:2017:197) concerned third-party access to a register containing personal data.

( 75 ) The Opinion of Advocate General Saugmandsgaard Øe in Facebook Ireland and Schrems (C‑311/18, EU:C:2019:1145, point 272).

( 76 ) For an extensive analysis of the question of observance of the essential content of the rights enshrined in Articles 7 and 8 of the Charter, I would refer to my Opinion in Ligue des droits humains (C‑817/19), which is shortly to be delivered.

( 77 ) See, to that effect, Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017 (EU:C:2017:592, paragraph 150).

( 78 ) See, to that effect, Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017 (EU:C:2017:592, paragraph 150).

( 79 ) Those recitals are mentioned in footnotes 21 to 24 and 27 to and in points 161, 181, 184, 204 and 212 of this Opinion.

( 80 ) See recital 31 of Directive 2018/843 and, specifically, the last sentence, set out in footnote 23 to this Opinion.

( 81 ) See recital 4 in fine of Directive 2018/843.

( 82 ) This objective reflects the international tendency toward greater overall transparency in the economic and financial environment. See the Commission proposal on the adoption of Directive 2018/843 (COM(2016) 450 final, p. 4). See also recital 4 of Directive 2018/843.

( 83 ) See, to that effect, judgments of 25 April 2013, Jyske Bank Gibraltar (C‑212/11, EU:C:2013:270, paragraphs 62 and 64 and the case-law cited), and of 10 March 2016, Safe Interenvíos (C‑235/14, EU:C:2016:154, paragraph 102). On the combating of money laundering and terrorist financing, see also judgment of 31 May 2018, Zheng (C‑190/17, EU:C:2018:357, paragraph 38).

( 84 ) See judgments of 25 April 2013, Jyske Bank Gibraltar (C‑212/11, EU:C:2013:270, paragraph 64), and of 10 March 2016, Safe Interenvíos (C‑235/14, EU:C:2016:154, paragraph 102).

( 85 ) Judgments of 2 October 2018, Ministerio Fiscal (C‑207/16, EU:C:2018:788, paragraphs 56 and 57); of 6 October 2020, La Quadrature du Net and Others (C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 140); and of 2 March 2021, Prokuratuur(Conditions of access to data relating to electronic communications) (C‑746/18, EU:C:2021:152, paragraph 35). See also Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017 (EU:C:2017:592, paragraph 149).

( 86 ) See, inter alia, judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 46 and the case-law cited).

( 87 ) This is highlighted, moreover, in recital 4 of Directive 2018/843, which states that ‘the prevention of money laundering and of terrorist financing cannot be effective unless the environment is hostile to criminals seeking shelter for their finances through non-transparent structures.’

( 88 ) See Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017 (EU:C:2017:592, paragraph 140) and judgment of 6 October 2020, La Quadrature du Net and Others (C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 130 and the case-law cited).

( 89 ) See, to that effect, judgment of 22 June 2021, Latvijas Republikas Saeima(Penalty points) (C‑439/19, EU:C:2021:504, paragraphs 109 and 110). See also Opinion of Advocate General Pikamäe in Vyriausioji tarnybinės etikos komisija (C‑184/20, EU:C:2021:991, point 54).

( 90 ) See Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017 (EU:C:2017:592, paragraph 140) and judgment of 6 October 2020, La Quadrature du Net and Others (C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 130 and the case-law cited).

( 91 ) See, to that effect, judgments of 2 October 2018, Ministerio Fiscal, C‑207/16, (EU:C:2018:788, paragraph 55 and the case-law cited); of 6 October 2020, La Quadrature du Net and Others (C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 131); and of 2 March 2021, Prokuratuur(Conditions of access to data relating to electronic communications) (C‑746/18, EU:C:2021:152, paragraph 32).

( 92 ) See Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017 (EU:C:2017:592, paragraph 141) and judgment of 6 October 2020, La Quadrature du Net and Others (C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 132).

( 93 ) See in particular, to that effect, judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 57). As regards the requirement to confine the categories of data to which a measure makes access possible to what is strictly necessary in order to attain the objective pursued, see, most recently, judgment of 2 March 2021, Prokuratuur (Conditions of access to data relating to electronic communications) (C‑746/18, EU:C:2021:152, paragraph 38).

( 94 ) See, to that effect, judgment of 11 December 2019, Asociaţia de Proprietari bloc M5A-ScaraA (C‑708/18, EU:C:2019:1064, paragraph 48). See also Opinion of Advocate General Pikamäe in Vyriausioji tarnybinės etikos komisija (C‑184/20, EU:C:2021:991, point 64).

( 95 ) See to that effect, inter alia, Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017 (EU:C:2017:592, paragraph 154).

( 96 ) Recital 34 of Directive 2018/843 also states that, ‘with regard to information on beneficial owners, Member States can provide for information on nationality to be included in the central register particularly for non-native beneficial owners. In order to facilitate registry procedures and as the vast majority of beneficial owners will be nationals of the State maintaining the central register, Member States may presume a beneficial owner to be of their own nationality where no entry to the contrary is made.’

( 97 ) In part (c) of the third question in Case C‑601/20, the national court questions the addition by the Luxembourg legislature, in the exercise of the discretion left to the Member States by the third subparagraph of Article 30(5) of Directive 2015/843, of the beneficial owner’s full date of birth, including the day of birth, and place of birth. In its observations, Sovim has also questioned the need for the addition of this information.

( 98 ) See footnotes 21 to 24 to this Opinion.

( 99 ) See recitals 30 to 32 of Directive 2018/843, set out in footnotes 21 to 23 to this Opinion.

( 100 ) See, for that expression, Opinion of Advocate General Pikamäe in Vyriausioji tarnybinės etikos komisija (C‑184/20, EU:C:2021:991, footnote 49).

( 101 ) See, in this regard, point 48 of this Opinion.

( 102 ) In my view, this objective of prevention cannot be attained by the competent public authorities for the detection and suppression of the crimes in question acting alone. I do not therefore endorse the reference which the European Data Protection Supervisor made at the hearing to paragraph 88 of judgment of 20 May 2003, Österreichischer Rundfunk and Others (C‑465/00, C‑138/01 and C‑139/01, EU:C:2003:294).

( 103 ) Document SWD(2016) 223 final of 5 July 2016 (see in particular pages 99 to 104).

( 104 ) Document COM(2016) 450 final of 5 July 2016.

( 105 ) Another option that does not seem to have been considered (or, at least, it is not apparent from the available documents) might have been to define in EU law the concept of a ‘legitimate interest’ justifying access to the register. However, leaving aside the difficulty of defining that concept and the continuing risk that the authorities or bodies responsible for keeping the registers in the various Member States would interpret or apply that concept differently, it is clear that any requirement to demonstrate an interest of some kind in accessing the register constitutes a barrier to access and is therefore liable to make access to the information slower and less efficient.

( 106 ) As is apparent from recital 25 of Directive 2018/843, which states that ‘the need for accurate and up-to-date information on the beneficial owner is a key factor in tracing criminals who might otherwise be able to hide their identity behind a corporate structure.’

( 107 ) The reference to this provision answers, in my view, the arguments which Sovim put forward in its observations about the incompatibility of the public access regime in question with the requirements of Article 14 of the GDPR, which flow from the obligation of transparency imposed by Article 5(1) of that regulation.

( 108 ) See footnote 28 to this Opinion.

( 109 ) See judgments of 29 July 2019, Pelham and Others (C‑476/17, EU:C:2019:624, paragraph 79); of 29 July 2019, Spiegel Online (C‑516/17, EU:C:2019:625, paragraph 20); and of 15 April 2021, Federazione nazionale delle imprese elettrotecniche ed elettroniche (Anie) and Others (C‑798/18 and C‑799/18, EU:C:2021:280, paragraph 31).

( 110 ) See, with reference to the exceptions and limitations provided for in Article 5(2) and (3) of Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society (OJ 2001 L 167, p. 10), judgment of 29 July 2019, Spiegel Online (C‑516/17, EU:C:2019:625, paragraph 38 and the case-law cited).

( 111 ) See judgments of 29 July 2019, Spiegel Online (C‑516/17, EU:C:2019:625, paragraph 52 and the case-law cited), and of 27 March 2014, UPC Telekabel Wien (C‑314/12, EU:C:2014:192, paragraph 46 and the case-law cited).

( 112 ) The same issue is raised, with reference to Article 25(2) of the GDPR, in the third indent of part (e) of this third question.

( 113 ) In part (b) of the third question in Case C‑601/20, the referring court also highlights the fact that the general public is not the body responsible for combating money laundering and terrorist financing. On this point I would refer to my observations in point 169 of this Opinion.

( 114 ) See, inter alia, judgment of 22 June 2021, Latvijas Republikas Saeima(Penalty points) (C‑439/19, EU:C:2021:504, paragraph 96 and the case-law cited). See also, by analogy, judgment of 9 March 2017, Manni (C‑398/15, EU:C:2017:197, paragraph 41).

( 115 ) See, in this regard, point 44 of Opinion of Advocate General Bobek in SS(Processing of personal data for tax purposes) (C‑175/20, EU:C:2021:690), which refers to judgment of 29 July 2019, Fashion ID (C‑40/17, EU:C:2019:629, specifically, paragraphs 72 to 74).

( 116 ) See Opinion of Advocate General Bobek in SS (Processing of personal data for tax purposes) (C‑175/20, EU:C:2021:690, paragraph 44) which refers to judgment of 29 July 2019, Fashion ID (C‑40/17, EU:C:2019:629 specifically paragraphs 72 to 74). See also, on this point, judgment of 10 July 2018, Jehovan todistajat (C‑25/17, EU:C:2018:551, paragraph 65).

( 117 ) See, to that effect, by analogy, Opinion of Advocate General Bobek in SS(Processing of personal data for tax purposes) (C‑175/20, EU:C:2021:690, point 45 and the case-law cited).

( 118 ) See, to that effect, by analogy, Opinion of Advocate General Bobek in SS(Processing of personal data for tax purposes) (C‑175/20, EU:C:2021:690, point 45 and the case-law cited).

( 119 ) Judgment of 29 July 2019, Fashion ID (C‑40/17, EU:C:2019:629, specifically paragraphs 72 to 74. See also Opinion of Advocate General Bobek in SS(Processing of personal data for tax purposes) (C‑175/20, EU:C:2021:690, point 44).

( 120 ) This answer makes it unnecessary, in my view, to answer the first indent of part (e) of the third question in Case C‑601/20.

( 121 ) I would observe in this connection that Sovim has asserted in its observations that recent articles in the press have highlighted the existence of security vulnerabilities associated with LBR’s failure to implement appropriate technical and organisational measures. These vulnerabilities have resulted in the unauthorised processing of data held in Luxembourg’s Register of Beneficial Ownership. In particular, data were extracted from the register’s database in such a way that it became possible to search the database not only by company name, but also by beneficial owner.

( 122 ) See, to that effect, judgment of 9 March 2017, Manni (C‑398/15, EU:C:2017:197, paragraph 58).

( 123 ) See, to that effect, judgment of 9 March 2017, Manni (C‑398/15, EU:C:2017:197, paragraph 59).

( 124 ) In its observations, Sovim has highlighted this fact and referred, by analogy, to judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238; see paragraph 58 in particular).

( 125 ) See recital 36 of Directive 2018/843, set out in footnote 28 to this Opinion.

( 126 ) This factor clearly distinguishes the present cases from the situation analysed by the Court in its judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238).

( 127 ) See, to that effect and by analogy, judgment of 9 March 2017, Manni (C‑398/15, EU:C:2017:197, paragraph 59).

( 128 ) This is another factor which clearly distinguishes the present cases from the situation analysed by the Court in its judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238).

( 129 ) See judgment of 29 July 2019, Spiegel Online (C‑516/17, EU:C:2019:625, paragraph 59).

( 130 ) See judgments of 29 July 2019, Spiegel Online (C‑516/17, EU:C:2019:625, paragraph 53), and of 17 January 2013, Commission v Spain (C‑360/11, EU:C:2013:17, paragraph 18 and the case-law cited).

( 131 ) On the criterion of ‘disproportionality’, see also in this Opinion the answer which I go on to suggest for the third question referred for a preliminary ruling in Case C‑37/20.

( 132 ) Thus, in certain language versions, including the French, Spanish and English versions, the amended wording of Article 30(9) of Directive 2015/849 refers to the situation where access to the information would expose the beneficial owner to ‘disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation’, whereas recital 36 refers to the situation where such access would expose the beneficial owner to ‘a disproportionate risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation’. In these different language versions, the wording of the provision gives credence to the hypothesis that the ‘disproportionate risk’ constitutes a case of risk independent from the other seven types of risk listed, whereas it seems to follow from the wording of the recital that the requirement of disproportionality constitutes a condition to be fulfilled in order for exposure to any of the seven types of risk to justify exemption from public access to the information on beneficial ownership. (In its observations, the Commission confirms that the Czech, Danish, Croatian, Dutch, Polish, Portuguese, Romanian and Swedish versions also fall into this group of language versions). In other language versions, including the German and Italian versions, there is no such divergence. (In its observations, the Commission confirms that the Greek, Hungarian, Slovak and Slovenian versions also fall into this group of language versions).

( 133 ) See, inter alia, judgment of 23 January 2020, Bundesagentur für arbeit (C‑29/19, EU:C:2020:36, paragraph 48 and the case-law cited).

( 134 ) On the matter of evidential requirements, see also in this Opinion the answer I go on to suggest for part (a) of the second question referred for a preliminary ruling in Case C‑601/20.

( 135 ) See, by analogy, judgment of 9 March 2017, Manni (C‑398/15, EU:C:2017:197, paragraph 59).

( 136 ) See, to that effect, by analogy, judgment of 9 March 2017, Manni (C‑398/15, EU:C:2017:197, paragraph 60).

Top