This document is an excerpt from the EUR-Lex website
Document 62024CC0798
Opinion of Advocate General Norkus delivered on 18 December 2025.###
Opinion of Advocate General Norkus delivered on 18 December 2025.
Opinion of Advocate General Norkus delivered on 18 December 2025.
ECLI identifier: ECLI:EU:C:2025:998
Provisional text
OPINION OF ADVOCATE GENERAL
NORKUS
delivered on 18 December 2025 (1)
Case C‑798/24 [Jautiva (i)]
A and Others
joined parties:
Latvijas Republikas Saeima
(Request for a preliminary ruling from the Latvijas Republikas Satversmes tiesa (Constitutional Court, Latvia))
( Reference for a preliminary ruling – Directive (EU) 2017/1132 – Company law – Article 14(d)(ii) – Interpretation of the term ‘take part in the administration, supervision or control of the company’ – Obligation under national law to make available specified information in respect of every shareholder of a public limited liability company – Protection of natural persons with regard to the processing of personal data – Articles 7 and 8 of the Charter of Fundamental Rights of the European Union – Regulation (EU) 2016/679 – Article 5 – Principles relating to the processing of personal data – Article 6 – Lawfulness of processing – Principle of proportionality )
I. Introduction
1. This request for a preliminary ruling from the Latvijas Republikas Satversmes tiesa (Constitutional Court, Latvia) (2) concerns the obligation under Latvian law to make available to the general public certain specified information on the shareholders (3) of public limited liability companies (4) incorporated under Latvian law. The information in question may be consulted on the website of the companies register by ‘unidentified users’. (5) There is thus no requirement for members of the public to demonstrate a legitimate interest in obtaining such information.
2. The referring court seeks to ascertain whether the obligation to make available the information in question is required by EU law. It thus asks the Court whether the term persons who ‘take part in the administration, supervision or control of the company’ in Article 14(d)(ii) of Directive (EU) 2017/1132 of the European Parliament and of the Council of 14 June 2017 relating to certain aspects of company law (6) refers to any shareholder of a public limited company and whether a Member State is required to make publicly available specified information on every shareholder of such a company in accordance with Article 16(3) of that directive. In the event that such information must be made publicly available pursuant to Directive 2017/1132, the referring court queries whether Article 14(d)(ii) of that directive is valid in the light of the right to respect for private and family life guaranteed by Article 7 of the Charter of Fundamental Rights of the European Union (‘the Charter’) and the right to the protection of personal data guaranteed by Article 8 of the Charter.
3. The Latvijas Republikas Satversmes tiesa (Constitutional Court) also seeks to ascertain whether Article 5(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (7) (‘the GDPR’) must be interpreted as authorising the making available to the public of such information without any requirement to demonstrate a legitimate interest in obtaining it, in order to secure certain purposes, namely: (i) to ensure a transparent business climate and to protect the interests of third parties; (ii) to prevent money laundering, terrorist and proliferation financing; (8) and (iii) to provide the information necessary for the enforcement of national, international and EU sanctions. In that regard, the referring court asks whether these objectives could reasonably be achieved in an equally effective manner in accordance with the procedure under Latvian law for requesting access to restricted information. (9)
4. Moreover, the referring court queries whether the reasoning in the judgment in Luxembourg Business Registers (10) – in which the Court held that the requirement under EU law that Member States ensure that information on the beneficial ownership of companies and of other legal entities incorporated within their territory is accessible in all cases to any member of the general public is invalid – may be extrapolated to the disclosure of information relating to all the shareholders of a public limited company notwithstanding the fact that the volume of information and the purpose of disclosure differ in the two situations.
II. Legal framework
A. European Union law
5. Articles 7 and 8 and Article 52(1) of the Charter, recitals 3, 7 and 8 and Articles 14 and 16 of Directive 2017/1132 and Articles 5 and 6 of the GDPR are of particular relevance to the present case.
B. Latvian law
6. Article 8 of the Komerclikums (Commercial Code) (11) is entitled ‘Content of entries in the commercial register’. Points 3 and 4 of Article 8(3) thereof provide:
‘(3) The information concerning a capital company to be entered in the commercial register is listed below:
…
3) the first name, surname, personal identification number (in the absence of a personal identification number, the date of birth, the number and date of issue of the identity document, the country and the authority which issued that document) and the position held by the members of the management board of the capital company and the members of the supervisory board (where the capital company has such a board);
4) the power of the members of the management board to bind the company individually or jointly;’
7. Article 12 of the Commercial Code, entitled ‘Publication in the commercial register’, provides:
‘(1) Entries in the commercial register may be relied on as against third parties once they have been published. …
…’
8. Article 235 of the Commercial Code, entitled ‘Information to be entered in the register of shareholders’, provides:
‘(1) Each entry in the register of shareholders shall indicate the company name, registration number, legal address and, where applicable, information about whether that company is subject to liquidation or insolvency proceedings, as well as the title of the document, “Entry in the register of shareholders”, and shall contain the following information:
1) the reference number and date of the entry;
2) the reference number of the registration, using consecutive numbering from the first entry in the register of shareholders;
3) the reference numbers relating to the shares;
4) data relating to shareholders:
a) for a natural person, the first name, surname, personal identification number (in the absence of a personal identification number, the date of birth, the number and date of issue of the identity document, the country and the authority which issued that document) and the address at which the person can be contacted,
b) for legal persons and partnerships, the name, registration number and legal address;
5) the shareholder’s email address, if the shareholder has requested that it be used by the company to communicate with him, her or it;
6) the category, number and nominal value of the shares of each shareholder, and the number of votes attached to them;
7) the status relating to the payment of shares;
8) the joint representative of the shareholders appointed in accordance with the procedure laid down in Article 157 of this code, indicating the information referred to in points 4 and 5 of paragraph 1 of this Article;
9) information on shares acquired by the company itself, providing reasons for their acquisition.
…’
9. The fifth paragraph of Article 4.10, point 2 of the first paragraph of Article 4.11, point 2(b) of the first paragraph of Article 4.15, point 3(a) of the first paragraph of Article 4.15, and the second, third and fourth paragraphs of Article 4.15 of the likums ‘Par Latvijas Republikas Uzņēmumu reģistru’ (Law on the companies register of the Republic of Latvia) (12) (‘the Law on the Companies Register’) provide:
‘Article 4.10 Right of access to information in the companies register
…
The companies register shall provide the information and documents contained in the public part of the registration file (first paragraph of Article 4.15) free of charge by way of online data transmission (including bulk downloading).
…
Article 4.11 Information to be published on the website of the companies register
The companies register shall ensure that an unidentified user has public access to the following most recent (up-to-date) information on its website concerning legal persons and legal facts recorded in the registers maintained by the companies register:
…
2) other information recorded in the register.
…
Article 4.15 Public and non-public parts of the registration file
The public part of the registration file shall include:
…
2) other information entered in the register:
…
b) information from the entry in the register of shareholders (members) of a capital company concerning the shareholders (members) of that company …,
…
3) the following documents forming part of the registration file:
a) in the commercial register – … the entry in the register of shareholders (members), …
…
The documents and information that form part of the registration file and are not referred to in the first paragraph of this Article shall be included in the non-public part of the registration file.
Where an entry in the register or registered information has been given the status of restricted information or its availability to the public has been restricted by legislation, it shall be included in the non-public part of the registration file.
The information and documents included in the non-public part of the registration file (paragraphs 2 and 3 of this Article) are restricted information and may be obtained by law enforcement authorities for the performance of tasks specified in laws and regulations, as well as, without restrictions, by the Finanšu izlūkošanas dienests [(Financial Intelligence Service, Latvia)] and supervisory and control authorities in the field of the prevention of money laundering and terrorist and proliferation financing, while other authorities must submit a reasoned request. Individuals shall request access to the information and documents contained in the non-public part of the registration file in accordance with the procedure for requesting restricted information provided for in the Informācijas atklātības likums [(Law on Freedom of Information)].’
III. The dispute in the main proceedings and the questions referred for a preliminary ruling
10. The applicants in the proceedings before the Latvijas Republikas Satversmes tiesa (Constitutional Court) are 17 minority shareholders of a public limited company. They consider that point 2(b) of the first paragraph of Article 4.15 of the Law on the Companies Register (‘the contested provision’) is incompatible with Article 96 of the Latvijas Republikas Satversme (Constitution of the Republic of Latvia; ‘the Latvian Constitution’) which provides that ‘everyone has the right to the inviolability of their private life, home and correspondence.’
11. The applicants submit that the Latvian legislature failed to assess and justify the necessity to disclose shareholder information to the public and to treat it as generally accessible information. Once the information is made available to the public, there is no restriction on its subsequent use. There is thus a high risk that the information in question will be used for dishonest purposes such as fraud, extortion or blackmail. According to the applicants, the constitutionality of the contested provision must be assessed in the light of the judgment in Luxembourg Business Registers, which concerned the making available to the general public of information on the beneficial ownership of companies. Given that the Court considered in that case that similar data on beneficial ownership should not be made public, making available to the general public shareholders’ personal data is even more unjustified and disproportionate. The applicants, as minority shareholders, are neither the beneficial owners of the public limited company nor the persons responsible for its executive body or management body. They have neither the right nor the possibility to exercise control over that company.
12. The Saeima (Latvian Parliament) submits that the contested provision complies with Article 96 of the Latvian Constitution. It considers that the restriction of fundamental rights is legitimate in order to ensure a transparent business climate and to protect the interests of third parties, to combat money laundering and terrorist and proliferation financing and to enable everyone to comply with their obligations under the Starptautisko un Latvijas Republikas nacionālo sankciju likums (Law on international sanctions and national sanctions of the Republic of Latvia). In order to achieve these objectives, it is necessary to make the information in question available to everyone, without delay and without imposing an obligation to demonstrate a legitimate interest in requesting that information. The reasoning in the judgment in Luxembourg Business Registers, which related to only one legitimate objective – the prevention of money laundering and terrorist financing – cannot be extrapolated to the present case as the Latvian legislation in question serves several different legitimate objectives which justify the limitation of fundamental rights.
13. The Datu valsts inspekcija (State Data Protection Agency, Latvia), which intervened in the proceedings before the referring court as amicus curiae, considers that, contrary to the principle of transparency enshrined in the GDPR, the Law on the Companies Register does not identify a specific aim for which the processing of the personal data of shareholders of a public limited company is necessary. The volume of data processed and the question whether the aim of the data processing cannot be achieved by less extensive data processing must be assessed in the light of the principle of data minimisation. In the absence of a specifically identified aim, it is not possible to evaluate whether the extent of the personal data processing is proportionate. Therefore, the principles of purpose limitation and data minimisation are not respected.
14. The Financial Intelligence Service, which also intervened in the main proceedings as amicus curiae, considers that third parties must have access to the information in question in order to determine whether a commercial partner is subject to international or national sanctions.
15. The referring court seeks to ascertain whether the shareholders of public limited companies are persons taking part in the administration, supervision or control of the company within the meaning of Article 14(d)(ii) of Directive 2017/1132 and, therefore, whether that directive requires the disclosure of information on the shareholders of such companies. In the event that the Court holds that such shareholders fall within the scope of Article 14(d)(ii) of Directive 2017/1132 and that information relating to them must be disclosed and made publicly available pursuant to Article 16(3) of that directive, the referring court asks, inter alia, whether the former provision is valid in the light of Articles 7 and 8 of the Charter.
16. The referring court also queries whether the processing of the personal data of the shareholders of public limited companies is consistent with the principles set out in Article 5(1) of the GDPR, in particular, the principle of ‘data minimisation’, which reflects the principle of proportionality. That principle does not preclude making available personal data to the public where this is necessary for compliance with a legal obligation to which the controller is subject, pursuant to point (c) of the first subparagraph of Article 6(1) of the GDPR. Nonetheless, in accordance with Article 52(1) of the Charter, limitations on the fundamental rights to respect for private life and to the protection of personal data must be provided for by law, respect the essence of the fundamental rights and observe the principle of proportionality.
17. The referring court asks, in particular, whether in the light, inter alia, of the judgments in Luxembourg Business Registers and in Manni, (13) Article 5(1)(b) of the GDPR must be interpreted as meaning that processing the personal data of shareholders of a public limited company may serve the purpose of protecting the interests of third parties. It also asks whether the principles set out in Article 5(1) of the GDPR allow a Member State, in pursuit of that objective, to adopt legislation in accordance with which any person may obtain the personal data of any shareholder in a public limited company without being required to demonstrate a legitimate interest in obtaining such data. In addition, that court queries whether Article 5(1)(b) of the GDPR must be interpreted as meaning that processing the personal data of shareholders of a public limited company may serve the purpose of preventing money laundering and terrorist and proliferation financing. In that regard, according to the Latvian legislature, the purpose of making the data in question available to the general public is to enable everyone to contribute as much as possible to such prevention.
18. Lastly, the referring court queries whether Article 5(1)(b) of the GDPR must be interpreted as meaning that the processing of the personal data of shareholders of a public limited company may serve the purpose of providing the information necessary to enforce national, international and EU sanctions.
19. The referring court considers that making available to the public the personal data of the shareholders of a public limited company might be suitable, necessary and appropriate for achieving those legitimate objectives. However, when personal data are made available to the public online, it is not possible to ensure that those data are processed fairly and will not be further processed in a manner that is incompatible with the aforementioned purposes, as required by Article 5(1)(a) and (b) of the GDPR. That court thus has doubts, first, whether the disclosure in question properly balances the objectives of general interest pursued against the fundamental rights at issue and, secondly, whether there are adequate safeguards against the risk of misuse of such personal data.
20. Under Latvian law, access to restricted information must be requested in writing and the person requesting it must justify his or her request and indicate the purpose for which the information will be used. When the restricted information is communicated, the recipient of that information undertakes to use it only for the purposes for which it was requested. (14) It may take several days for that information to be communicated. If the request for information meets the requirements of the law and the information is requested only in electronic format and does not require further processing, the information will be provided within 10 days. The referring court therefore asks whether the procedure for requesting restricted information may be regarded as another means by which the aforementioned objectives could reasonably be achieved in an equally effective manner.
21. The Latvijas Republikas Satversmes tiesa (Constitutional Court) thus decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Must the concept of persons who “take part in the administration, supervision or control of the company”, used in Article 14(d) of Directive 2017/1132, be interpreted as referring to any shareholder in a public limited liability company, with the result that a Member State is obliged to disclose the information relating to every shareholder in a public limited company and make it publicly available in the register in accordance with Article 16(3) of Directive 2017/1132?
(2) If the first question is answered in the affirmative, is Article 14(d)(ii) of Directive 2017/1132, in so far as it provides for the disclosure of particulars relating to every shareholder in a public limited liability company, valid in the light of the right to respect for private and family life guaranteed by Article 7 of the Charter and the right to the protection of personal data guaranteed by Article 8 thereof?
(3) Must Article 5(1)(b) of the [GDPR] be interpreted as meaning that processing the personal data of shareholders in a public limited liability company may serve the purpose, in the first place, of ensuring a transparent business environment and protecting the interests of third parties; in the second place, of preventing money laundering and [terrorist and proliferation financing]; and, in the third place, of providing the information necessary for the enforcement of national, international and [EU] sanctions?
(4) Do the principles established in Article 5(1) of the [GDPR] allow for the establishment, in the interests of those purposes, of national legislation under which any person may obtain the personal data of any shareholder in a public limited liability company without being obliged to demonstrate a legitimate interest in obtaining such data?’
IV. The procedure before the Court
22. Written observations were submitted by the applicants A and Others, the Finnish, Latvian, Norwegian, Polish and Swedish Governments, the European Parliament, the Council of the European Union and the European Commission.
23. The observations submitted by the Swedish Government, (15) the Parliament and the Council relate only to the first and second questions of the referring court.
V. Assessment
A. The first and second questions
24. By its first question, the Latvijas Republikas Satversmes tiesa (Constitutional Court) seeks to ascertain whether Article 14(d)(ii) of Directive 2017/1132, which refers to persons who ‘take part in the administration, supervision or control of the company’, must be interpreted as referring to any shareholder in a public limited company, (16) thereby requiring Member States to disclose information relating to every shareholder in such a company and make it publicly available in the register in accordance with Article 16(3) of Directive 2017/1132.
25. In accordance with Article 14(d) of Directive 2017/1132, Member States must take the measures necessary to ensure the compulsory disclosure by companies of the appointment, termination of office and particulars of the persons who either as a body constituted pursuant to law or as members of any such body are authorised to represent the company in dealings with third parties and in legal proceedings, or take part in the administration, supervision or control of that company. All the parties and interested parties who submitted observations consider that Article 14(d)(ii) of Directive 2017/1132 may not be interpreted as referring to any shareholder of a public limited company.
26. It must be emphasised that the main proceedings before the referring court concern an action brought by 17 minority shareholders. I shall therefore confine my assessment to that situation. It is settled case-law that in interpreting a provision of EU law, it is necessary to consider not only its wording but also the context in which it occurs and the objectives pursued by the rules of which it is part. (17)
27. Article 14(d) of Directive 2017/1132 does not refer to shareholders or to the general meeting of shareholders. (18) Moreover, the term ‘take part in the administration, supervision or control of the company’ in Article 14(d)(ii) of Directive 2017/1132 is not defined by that directive (19) and the Court has not interpreted that provision. Despite the absence of such definition(s), it is clear, inter alia, from Articles 60 and 64 of Directive 2017/1132 that, for the purposes of that directive, there is a distinction between the administrative or management body of a company and the general meeting of its shareholders. That distinction applies, in my view, a fortiori, to individual shareholders.
28. In addition, the terms ‘appointment’ and ‘termination of office’ in Article 14(d) of Directive 2017/1132 are inconsistent with the status per se of shareholders of a public limited company. While certain shareholders may be appointed to the bodies and exercise the functions referred to in Article 14(d) of Directive 2017/1132, the obligatory disclosure of, inter alia, a shareholder’s identity and personal data in that context is inextricably based on his or her appointment to a body in question or the termination of office and the power to exercise certain functions rather than his or her status as a shareholder. (20) By contrast, shareholders enjoy or benefit from that status and the rights and obligations corresponding thereto, including the right to attend and vote at the general meeting of a company, by virtue of their ownership of shares of the company alone rather than by ‘appointment’ to a ‘body’ of the company. The terms ‘appointment’ and ‘termination of office’, which imply a specific mandate or function of responsibility (21) within a company, are thus incongruous with the status of shareholder per se and the rights and obligations attaching to that status in the context of Article 14(d) of Directive 2017/1132.
29. It follows therefore from its wording and the context in which it occurs in Directive 2017/1132 that Article 14(d)(ii) thereof does not apply to shareholders per se.
30. As regards the objectives of Directive 2017/1132, the second indent of Article 1 thereof states that that directive lays down measures concerning ‘the coordination of safeguards which, for the protection of the interests of members and third parties, are required by Member States of companies within the meaning of the second paragraph of Article 54 [TFEU], in respect of disclosure, the validity of obligations entered into by, and the nullity of, companies limited by shares or otherwise having limited liability, with a view to making such safeguards equivalent’. (22) Article 14 of Directive 2017/1132 lists the documents and particulars which the companies concerned must, as a minimum, (23) disclose. Those documents and particulars must, in accordance with Article 16(3) to (5) of that directive, be kept in the file or entered in the register, be accessible by obtaining a full or partial copy on request, and be disclosed by publication either of the full text or of a partial text, or by means of a reference, in the national gazette, or by an equally effective means. (24)
31. Given that the purpose of Directive 2017/1132, and in particular Article 14(d) thereof, is to protect the interests of the shareholders of a company and third parties by requiring the disclosure of information relating to certain specified persons whose functions or powers may be exercised to the detriment of those interests, (25) I do not perceive how increased transparency regarding the identity of each shareholder, particularly minority shareholders, which have no particular function or power within a company, (26) advances that purpose.
32. In that regard, the Court has emphasised in the judgment in Manni (27) that the data disclosed pursuant, inter alia, to Article 2(1)(d) of Directive 68/151 – which corresponds to Article 14(d) of Directive 2017/1132 – is limited in nature. (28) An interpretation of Article 14(d) of Directive 2017/1132 which would include information on each and every shareholder is clearly not of such a nature. (29) It is evident from recitals 3, 7 and 8 of Directive 2017/1132 that that directive only ensures minimum harmonisation or coordination of ‘certain aspects’ (30) of company law in order to protect shareholders, creditors and other third parties. Member States may thus adopt or retain in force stricter or additional provisions in the field of company law within the limits of EU law, (31) in particular the GDPR (32) and the principle of proportionality.
33. I therefore consider that the term persons who ‘take part in the administration, supervision or control of the company’, used in Article 14(d) of Directive 2017/1132, may not be interpreted as referring to any shareholder in a public limited company. A Member State is not obliged to disclose information relating to every shareholder in a public limited company and make it publicly available in the register in accordance with Article 16(3) of Directive 2017/1132.
34. Given that the second question of the referring court is dependent on an affirmative answer to its first question, I consider that the second question on the validity of Article 14(d)(ii) of Directive 2017/1132 in the light of Articles 7 and 8 of the Charter is moot.
B. The third and fourth questions
35. By its third and fourth questions, (33) the referring court seeks to ascertain whether Article 5(1) of the GDPR must be interpreted as authorising the processing of certain personal data of the shareholders of a public limited company, by making them available to any person without having to demonstrate a legitimate interest in obtaining such data, for the purposes of: (i) ensuring a transparent business climate and protecting the interests of third parties; (ii) preventing money laundering and terrorist and proliferation financing; and (iii) providing the information necessary for the enforcement of national, international and EU sanctions. In that regard, the Latvijas Republikas Satversmes tiesa (Constitutional Court) queries whether the principles of ‘purpose limitation’ and ‘data minimisation’ in points (b) and (c) of Article 5(1) of the GDPR (34) are respected. (35)
36. It is clear from the file before the Court that the requirement under Latvian law to make available to the general public certain specified information on the shareholders of public limited companies incorporated under Latvian law falls within the material scope of the GDPR. Article 2(1) of the GDPR provides that that regulation applies to any ‘processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system’, without any distinction being made according to the identity of the person who carried out the processing concerned. It follows that, subject to the cases mentioned in Article 2(2) and (3) thereof, the GDPR applies to processing operations carried out both by private persons and by public authorities. (36)
37. While the processing of personal data by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the EU Treaty relating to common foreign and security policy is excluded from the material scope of the GDPR, I consider that that regulation applies to the processing of personal data when carrying out activities which fall within the scope of Article 215 TFEU. (37) It must be stressed, however, that certain rights of the data subject under the GDPR may be limited in accordance with Article 23 of that regulation. For example, Article 23(1)(a) of the GDPR provides that restrictions may be imposed under certain circumstances to safeguard national security.
38. It is common ground in the present case that the legal obligation under Latvian law (38) to make available to the general public information on shareholders of public limited companies incorporated under Latvian law – who are natural persons – including their first name, surname, personal identification number, contact address or email address, the number and nominal value of their shares and the number of votes attached to those shares constitutes the processing of personal data for the purposes of points 1 and 2 of Article 4 of the GDPR. (39)
39. Given that the national provisions in question involve the processing of personal data falling within the scope of the GDPR, the Republic of Latvia is required, inter alia, to implement the GDPR. It follows that the access of any member of the general public to those data affects the fundamental right of the persons concerned to respect for their private life, guaranteed in Article 7 of the Charter. In addition, making those data available to the general public constitutes the processing of personal data falling under Article 8 of the Charter. Moreover, the making available of those personal data to third parties constitutes an interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, irrespective of the subsequent use of the information communicated. The Court has stated, however, that for as long as the conditions governing the legal processing of personal data under the GDPR are fulfilled, such processing meets, in principle, the requirements of Articles 7 and 8 of the Charter. (40)
40. It is apparent from Article 1(2) of the GDPR, read in conjunction with recitals 4 and 10 thereof, that that regulation has the objective in particular of ensuring a high level of protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data. (41)
41. The GDPR ensures a consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of their personal data throughout the European Union. Any processing of personal data must, subject to the derogations permitted in Article 23 of the GDPR, (42) observe the principles governing the processing of personal data and the rights of the person concerned set out, respectively, in Chapters II and III of that regulation. In particular, any processing of personal data must, first, comply with the principles set out in Article 5 of the GDPR and, secondly, satisfy the lawfulness conditions listed in Article 6 of the GDPR. (43) In addition, the rights of the data subject set out in Articles 12 to 22 of the GDPR must be respected. (44)
42. In accordance with Article 5(1) of the GDPR, personal data must be processed in accordance with a number of specified principles. Thus, personal data must be processed, inter alia, lawfully, fairly and in a transparent manner in relation to the data subject; (45) be collected for specified, explicit and legitimate purposes; (46) be adequate, relevant and limited to what is necessary in relation to those purposes; (47) be accurate and, where necessary, kept up to date; (48) be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; (49) and be processed in a manner that ensures appropriate security of the personal data. (50) These principles relating to the processing of personal data apply cumulatively. (51)
43. The first subparagraph of Article 6(1) of the GDPR sets out an exhaustive and restrictive list of the cases in which processing of personal data can be regarded as being lawful. (52) Thus, processing must fall within one of the cases provided for in the first subparagraph of Article 6(1) of the GDPR in order to be lawful. (53) Although the Latvijas Republikas Satversmes tiesa (Constitutional Court) does not explicitly state that the processing of the personal data in question in the present case is based on point (c) of the first subparagraph of Article 6(1) of the GDPR, this is the only case in the first subparagraph of Article 6(1) of the GDPR referred to by that court in its request for a preliminary ruling. (54) Given that the processing in question is specifically based on and required by national legislation (55) rather than being ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’, (56) I consider that that processing is based on point (c) of the first subparagraph of Article 6(1) of the GDPR as it is necessary for compliance with a legal obligation laid down by Member State law – in this case, Latvian law – to which the controller is subject. (57) The authority responsible for maintaining the commercial register of a Member State which publishes, in that register, personal data which are subject to compulsory disclosure under Directive 2017/1132 is a ‘controller’ of those data, particularly in so far as it makes them available to the public. (58)
44. Article 6(3) of the GDPR specifies, inter alia, in respect of situations in which processing is lawful pursuant to point (c) of the first subparagraph of Article 6(1), (59) that the purpose of the processing must be ‘determined in that legal basis’ (60) and that that legal basis must meet an objective of public interest and be proportionate to the legitimate aim pursued. (61)
45. It is unclear from the file before the Court whether the requirement that the purpose(s) of the processing be ‘determined in that legal basis’ has been complied with in the present case. In its observations before the referring court, the State Data Protection Agency stated that the Law on the Companies Register does not identify the purpose(s) for which the processing of the personal data of shareholders of a public limited company is necessary. It is thus incumbent on the referring court to verify whether this requirement under Article 6(3) of the GDPR has been satisfied in respect of the three purposes in question. Failure to satisfy the requirement in question will render the processing of personal data contrary to Article 6(3) of the GDPR. (62) Given the diverse legislative drafting techniques in the 27 Member States, I consider that it is adequate that the purpose(s) in question may be ascertained with ‘sufficient certainty’ from the text of the legislation or from its legislative context. (63)
46. The requirements pursuant to Article 6(3) of the GDPR that the processing meet an objective of public interest and be proportionate to the legitimate aim pursued constitute an expression of the requirements arising from Article 52(1) of the Charter and they must be interpreted in the light of the latter provision. In that regard, the Court has stated that the fundamental rights to respect for private life and to the protection of personal data, guaranteed in Articles 7 and 8 of the Charter, are not absolute rights, but must be considered in relation to their function in society and be weighed against other fundamental rights. Limitations may therefore be imposed, so long as, in accordance with Article 52(1) of the Charter, they are provided for by law, respect the essence of the fundamental rights and observe the principle of proportionality. According to settled case-law, the proportionality of the measures which result in interference with the rights guaranteed in Articles 7 and 8 of the Charter requires compliance not only with the requirements of appropriateness and of necessity (64) but also with that of the proportionate nature stricto sensu of those measures in relation to the objective pursued. (65) It must thus be assessed whether the national legislation in question strikes a fair balance between the interest(s) pursued by the Member State and the interest(s) of those adversely affected. (66) Consequently, it is necessary to measure the seriousness of the interference with the fundamental rights to respect for private life and to the protection of personal data, and to determine whether the importance of the objective of general interest pursued is proportionate to the seriousness of the interference. (67)
47. In order to assess the seriousness of that interference, account must be taken, inter alia, of the nature of the personal data at issue, in particular of any sensitivity of those data, and of the nature of, and specific methods for, the processing of the data at issue, in particular of the number of persons having access to those data and the methods of accessing them. (68)
48. It is common ground that the information made available to the general public on a shareholder who is a natural person includes his or her first name, surname and personal identification number, the address at which he or she may be contacted, his or her email address, (69) the class, number and nominal value of the shares held by the shareholder, and the number of votes attached to them. (70) That information is capable of enabling a profile to be drawn up concerning, first, certain personal identifying data and, secondly, at least to a certain extent, the state of the person’s wealth in Latvia and the economic sectors and specific undertakings in which he or she has invested in Latvia. The information in question is easily accessible to a potentially unlimited number of persons due, in particular, to the fact that it may be consulted on the website of the companies register. It may be freely accessed for reasons unrelated to the purposes pursued by the national legislation (71) in question and may be retained, disseminated and subject to further processing. Easy access by the general public to the information in question exposes data subjects to the possible abuse of their personal data, rendering it difficult or even impossible for them to defend themselves effectively against such abuse. The access in question thus constitutes a serious interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. (72)
1. The existence of an objective of general interest recognised by the European Union
49. The three purposes of the national legislation in question indicated by the referring court (73) are, in principle, in the EU public interest and, consequently, legitimate. (74) They are capable of justifying even serious interferences with the fundamental rights enshrined in Articles 7 and 8 of the Charter provided they respect the principle of proportionality. (75)
50. As regards the purpose of ensuring a transparent business climate and protecting the interests of third parties, I consider that ensuring a transparent business climate alone is a rather vague and amorphous aspiration and thus may not be a legitimate purpose in and of itself. For the avoidance of doubt, I therefore consider, subject to verification by the referring court, that the relevant purpose of the Latvian legislation is to ensure a transparent business climate in order to protect the interests of third parties. In the light of Article 50(2)(g) TFEU, (76) which refers, in essence, to the protection of shareholders and third parties, (77) I consider that the purpose in question constitutes an objective of general interest recognised by the European Union.
51. In the judgment in Luxembourg Business Registers, (78) the Court stated that the prevention of money laundering and terrorist financing by providing the general public with access to information on beneficial ownership is an objective of general interest that is capable of justifying even serious interferences with the fundamental rights enshrined in Articles 7 and 8 of the Charter. (79) I consider that the rationale underlying that judgment may also be applied in the present case.
52. As regards the disclosure of information necessary for the enforcement of sanctions, the Court has stated that restrictive measures may be imposed on the exercise of the freedom to pursue a trade or profession and on the exercise of the right to property. Those measures must correspond to objectives of general interest – such as the objectives of the Union’s external action stated in Article 21 TEU – and must not constitute, in relation to the aim pursued, a disproportionate and intolerable interference, impairing the very substance of the rights guaranteed. (80) I consider, by extension, that the enforcement of such restrictive measures, including the adoption of measures providing access to information necessary to ensure that enforcement, constitutes an objective of general interest recognised by the European Union.
2. Whether the interference at issue is appropriate, necessary and proportionate stricto sensu
(a) The purpose of ensuring a transparent business climate in order to protect the interests of third parties
53. For the reasons I have indicated in point 31 of the present Opinion, I do not consider that the obligation under Latvian law in question which targets every shareholder of a public limited company, regardless of whether they have any particular function or power within the company, promotes or fosters the purpose of ensuring a transparent business climate in order to protect the interests of third parties. Moreover, while Directive 2017/1132 does not purport to be exhaustive in nature and merely harmonises and coordinates certain aspects of company law, there is no indication in the file before the Court that that directive (81) proved insufficient for the purpose of ensuring a transparent business climate in order to protect the interests of third parties, thereby necessitating the adoption of the national legislation in question. (82) I therefore consider that the interference is both inappropriate and unnecessary. I also consider that that legislation is disproportionate stricto sensu as it fails to strike a fair balance between the interests pursued by the Latvian legislature and the interests of shareholders.
(b) The purposes of creating an environment to promote the prevention of money laundering and terrorist and proliferation financing and the availability of information necessary for the enforcement of national, international and EU sanctions
54. The obligation under Latvian law to make available to the general public certain specified information on the shareholders of public limited companies incorporated under Latvian law and the corresponding absence of any requirement to demonstrate a legitimate interest in obtaining such information is, in my view, appropriate for achieving the objectives of general interest of creating an environment that promotes and fosters the prevention of money laundering, terrorist and proliferation financing and the availability of information necessary for the enforcement of national, international and EU sanctions. I consider, by analogy with the judgment in Luxembourg Business Registers, that the public nature of the access in question and the increased transparency resulting therefrom which enables greater public scrutiny of the ownership of public limited companies contributes to the attainment of those objectives of general interest. (83)
55. It must thus be ascertained whether those two purposes could reasonably be achieved just as effectively by other measures less prejudicial to the rights of the shareholders of the public limited companies concerned (84) and whether the interference at issue is disproportionate stricto sensu in relation to those objectives, which entails, inter alia, a weighing up of the importance of those objectives and the seriousness of that interference.
56. As regards the purpose of creating an environment that promotes and fosters the prevention of money laundering and terrorist and proliferation financing, the referring court considers that persons other than obliged entities, as listed in Article 2 of Directive 2015/849, (85)‘may also have a legitimate interest in carrying out an examination of the customer on their own initiative’. Furthermore, pursuant to Article 3.1 of the Noziedzīgi iegūtu līdzekļu legalizācijas un terorisma un proliferācijas finansēšanas novēršanas likums (Law on the prevention of money laundering and terrorist and proliferation financing), the obligation to report any suspicious transaction is incumbent on persons other than, inter alia, the obliged entities.
57. On the matter of the enforcement of sanctions, according to the referring court, the Council adopts regulations which often include financial restrictive measures consisting of: (i) the freezing of funds and economic resources of designated persons and entities; and (ii) a prohibition on making funds and economic resources available to such persons and entities. (86) Moreover, access to information on all shareholders of a public limited company may be necessary as, in accordance with Article 2(2) of the Law on international sanctions and national sanctions of the Republic of Latvia, (87) every person is required to respect and implement international and national sanctions.
58. It is useful to observe that the Court recalled in the judgment in Luxembourg Business Registers (88) that combating money laundering and terrorist financing is as a priority a matter for the public authorities and for entities such as credit or financial institutions which, by reason of their activities, are subject to specific obligations in that regard. In any event, Article 30(5) of Directive 2015/849 ensures that not only competent authorities, EU Financial Intelligence Units (89) and obliged entities, but also any person or organisation that can demonstrate a legitimate interest, have access to information on the beneficial ownership (90) of, inter alia, corporate entities. (91)
59. As regards restrictive measures, as I indicated in my Opinion in Čiekuri-Shishki, (92) a regulation laying down these measures is principally implemented by the State bodies having a particular specialised competence for financial supervision. Those bodies have the necessary means and are therefore empowered to implement the financial sanctions imposed, such as asset freezing or a prohibition on granting credits or making payments to certain persons or bodies. They are responsible for ordering specific measures against the persons and bodies on the lists referred to by the regulation.
60. Nonetheless, as recalled in the Best Practices (93) ‘all persons and entities subject to the Union jurisdiction are obliged to inform the competent authorities of any information at their disposal which would facilitate the application of the financial restrictive measures.’ (94) In addition, regulations laying down restrictive measures prohibit making available, directly or indirectly, funds or economic resources to designated persons or entities. (95) I consider that the implementation of that obligation can be fulfilled by means other than unfettered access to personal data on all shareholders such as by requesting access to shareholder information on a case-by-case basis. (96) In particular, where a person has a reasonable suspicion that he or she may make funds or economic resources directly or indirectly available to designated persons or entities, he or she has an evident legitimate interest in requesting information held by the companies register in that regard. It must also be emphasised that in the absence of a legitimate interest, it would be overly burdensome and disproportionate to require all persons to verify on an ongoing basis the identity of each and every shareholder of all their commercial partners. (97) This is all the more evident as the shareholders of a public limited company may change frequently.
61. It follows that while the general public’s unfettered access to information on shareholders of public limited companies in accordance with the Latvian legislation in question may contribute to some limited extent to combating money laundering, terrorist and proliferation financing and the enforcement of national, international and EU sanctions, I consider, by analogy with the judgment in Luxembourg Business Registers, (98)that it is not strictly necessary for those purposes. Furthermore, the potential benefits derived from such processing do not offset the serious interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter. (99)
62. I would also stress that given that, in accordance with point 6 of Article 3 of Directive 2015/849, the beneficial owner of a corporate entity is the natural person(s) who owns or controls, inter alia, 25% plus one share of the equity, the Court’s reasoning in the judgment in Luxembourg Business Registers applies a fortiori to the Latvian legislation in question in the present proceedings which requires the disclosure of information on each shareholder of a public limited company irrespective of whether he or she has a controlling interest or not.
63. The referring court also asks whether the procedure for requesting restricted information pursuant to the Law on Freedom of Information may be regarded as another means by which the objectives in question could be achieved in an equally effective manner. It would appear (100) that in accordance with Article 11(4) and point 1.1 of Article 14(1) of the Law on Freedom of Information, a person may have access to shareholder information, (101) provided he or she makes a request in writing, justifies his or her request and indicates the purpose for which the information will be used. The recipient of such disclosed information undertakes to use it only for the purposes for which it was requested. If the request for information meets the requirements of the law and the information is requested only in electronic format and does not require further processing, the information will be provided within 10 days. The referring court stated, however, that the ‘companies register, as data controller and sender of information, is not in a position to verify whether a person requesting information does indeed have an interest in obtaining the information requested. In those circumstances, the requirement to indicate a legitimate interest must be regarded as a formal obstacle to obtaining the information.’ (102)
64. Suffice it to state that the processing of personal data pursuant to the Law on Freedom of Information in order to combat money laundering and terrorist and proliferation financing (103) and the enforcement of sanctions must comply with Union law, in particular the GDPR and the principle of proportionality. Given the fact that Article 30(5) of Directive 2015/849 requires that information on the beneficial ownership be accessible not only to, inter alia, competent authorities and obliged entities, but also to any person or organisation capable of demonstrating a legitimate interest, the statement by the referring court that the companies register may not be able to verify whether a person has such an interest (104) is somewhat perplexing in the light of the obligation on Member States pursuant to that provision. (105)
65. In any event, the procedure for access to shareholder information in accordance with Article 11(4) and point 1.1 of Article 14(1) of the Law on Freedom of Information (106) indicated in points 20 and 63 of the present Opinion does not appear to be overly burdensome or prolonged and seeks to reconcile in concreto the various interests involved. It would appear therefore (107) that the national procedure in question is a means by which the objectives in question could be achieved in an equally effective manner.
66. I therefore consider (108) that the obligation under Latvian law to make available to the general public certain specified information on the shareholders of public limited companies incorporated under Latvian law and the corresponding absence of any requirement to demonstrate a legitimate interest in obtaining such information in order to create an environment that promotes and fosters the prevention of money laundering, terrorist and proliferation financing and the availability of information necessary for the enforcement of national, international and EU sanctions is disproportionate stricto sensu.
VI. Conclusion
67. In the light of all the foregoing considerations, I propose that the Court answer the questions referred by the Latvijas Republikas Satversmes tiesa (Constitutional Court, Latvia) as follows:
(1) Article 14(d) and Article 16(3) of Directive (EU) 2017/1132 of the European Parliament and of the Council of 14 June 2017 relating to certain aspects of company law
must be interpretated as meaning that the term persons who ‘take part in the administration, supervision or control of the company’, used in Article 14(d) of Directive 2017/1132, may not be interpreted as referring to any shareholder in a public limited company. A Member State is not obliged to disclose information relating to every shareholder in a public limited company and make it publicly available in the register in accordance with Article 16(3) of Directive 2017/1132.
(2) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), in particular Articles 5 and 6 thereof,
must be interpreted as precluding national legislation that provides for the processing of certain personal data of the shareholders of a public limited company, by making them available to any person without having to demonstrate a legitimate interest in obtaining such data, for the purposes of ensuring a transparent business climate in order to protect the interests of third parties, of preventing money laundering and terrorist and proliferation financing and of providing the information necessary for the enforcement of national, international and EU sanctions.
1 Original language: English.
i The name of the present case is a fictitious name. It does not correspond to the real name of any party to the proceedings.
2 Which was lodged at the Registry of the Court of Justice on 19 November 2024.
3 The 17 shareholders in question are natural persons.
4 I shall also refer to these companies as public limited companies for convenience.
5 See the Latvian legislation in point 9 of the present Opinion.
7 OJ 2016 L 119, p. 1.
8 This relates to the financing of the proliferation of weapons of mass destruction.
9 As regards the details of that procedure, see point 20 of the present Opinion. See also points 63 to 65 hereof.
10 Judgment of 22 November 2022, Luxembourg Business Registers (C‑37/20 and C‑601/20, ‘the judgment in Luxembourg Business Registers’, EU:C:2022:912).
11 Of 13 April 2000 (Latvijas Vēstnesis, 2000, No 158/160).
12 Of 20 November 1990 (Latvijas Republikas Augstākās Padomes un Valdības Ziņotājs, 1990, No 49).
13 Judgment of 9 March 2017 (C‑398/15, ‘the judgment in Manni’, EU:C:2017:197).
14 See Article 11(4) of the Law on Freedom of Information.
15 The Swedish Government formally submitted observations in respect of the first question of the referring court. However, it also considered that Article 14(d)(ii) of Directive 2017/1132 is valid in the light of Articles 7 and 8 of the Charter, thereby addressing in its observations the second question of the referring court.
16 It is clear from Article 13 of Directive 2017/1132 and Annex II to that directive – the latter of which refers in respect of Latvia to ‘akciju sabiedrība, sabiedrība ar ierobežotu atbildību, komanditsabiedrība’ – that Article 14(d)(ii) and Article 16(3) of that directive apply, inter alia, to public limited companies incorporated under Latvian law. For purely illustrative purposes in the English language, it must be observed that Annex II to that directive refers to ‘companies incorporated with limited liability’ in respect of Ireland.
17 See, to that effect, judgment of 21 December 2023, DOBELES AUTOBUSU PARKS and Others (C‑421/22, EU:C:2023:1028, paragraph 40).
18 For purely illustrative purposes, see Article 72 of Directive 2017/1132, which refers to ‘shareholders’, ‘the general meeting’ and ‘the administrative or management body’. It is clear that these are three distinct legal concepts for the purposes of Directive 2017/1132.
19 See also point (e) of Article 3 of Directive 2017/1132, which provides that ‘the statutes or the instrument of incorporation of a company shall always give at least the following information: … in so far as they are not legally determined, the rules governing the number of, and the procedure for, appointing members of the bodies responsible for representing the company vis-à-vis third parties, administration, management, supervision or control of the company and the allocation of powers among those bodies’.
20 See, by contrast, Article 1 of Directive (EU) 2025/25 of the European Parliament and of the Council of 19 December 2024 amending Directives 2009/102/EC and (EU) 2017/1132 as regards further expanding and upgrading the use of digital tools and processes in company law (OJ L, 2025/25), which has replaced Article 3 of Directive 2009/102 and provides that ‘where a company becomes a single-member company because all its shares come to be held by a single person, that fact, together with the identity of the sole member, shall be recorded in the file or entered in the register as referred to in Article 16(1) and (2) of [Directive 2017/1132] and made publicly available through the system of interconnection of registers referred to in Article 16(1) of that Directive.’ It follows that where the EU legislature requires the disclosure of information on individual shareholders of a company in the register in accordance, inter alia, with Article 16 of Directive 2017/1132, it provides for that requirement in an explicit manner.
21 See Articles 106 and 152 of Directive 2017/1132 on the civil liability of members of the administrative or management bodies of a company in certain instances.
22 The Court has stated that it is apparent from recitals 7 and 8 of Directive 2017/1132 that the purpose of the disclosure provided for by that directive is to protect in particular the interests of third parties in relation to joint stock companies and limited liability companies, since the only safeguards they offer to third parties are their assets. To that end, the basic documents of a company should be disclosed in order for third parties to be able to ascertain their contents and other information concerning the company, especially particulars of the persons who are authorised to bind the company (judgment of 4 October 2024, Agentsia po vpisvaniyata, C‑200/23, ‘the judgment in Agentsia po vpisvaniyata’, EU:C:2024:827, paragraph 77).
23 This is evident from the use of the term ‘at least’ in Article 14 of Directive 2017/1132. See also the reference to ‘basic documents’ in recital 8 of that directive.
24 See the judgment in Agentsia po vpisvaniyata, paragraph 53.
25 See recitals 3, 7 and 8 of Directive 2017/1132. Recital 3 refers to the protection of creditors, while recitals 7 and 8 and Article 14(d)(i) of Directive 2017/1132 refer to third parties. I consider that while these terms are not synonyms, the third parties most likely in need of protection pursuant to Directive 2017/1132 are a company’s creditors. However, the very wording of Article 50(2)(g) TFEU, which is one of the legal bases of that directive, refers to the need to protect the interests of third parties generally, without distinguishing or excluding any categories falling within the ambit of that term, and consequently the third parties referred to in that article cannot be limited in particular merely to creditors of the company concerned. See, by analogy, the judgment in Manni, paragraph 51.
26 The terms ‘are authorised to represent the company in dealings with third parties and in legal proceedings’ and ‘take part in the administration, supervision or control of the company’ in Article 14(d) of Directive 2017/1132 may be considered noscitur a sociis. The EU legislature thus intended that they be treated in a similar manner. The mere status of minority shareholder in a public limited company alone does not authorise a shareholder to represent the company in dealings with third parties and in legal proceedings.
27 The judgment in Manni concerned the interpretation of First Council Directive 68/151/EEC of 9 March 1968 on co-ordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community (OJ, English Special Edition: Series I Volume 1968(I), p. 41), as amended, and Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31). Directive 68/151 was repealed and replaced by Directive 2009/101/EC of the European Parliament and of the Council of 16 September 2009 on coordination of safeguards which, for the protection of the interests of members and third parties, are required by Member States of companies within the meaning of the second paragraph of Article 48 of the Treaty, with a view to making such safeguards equivalent (OJ 2009 L 258, p. 11), as amended by Directive 2012/17/EU of the European Parliament and of the Council of 13 June 2012 (OJ 2012 L 156, p. 1). Directive 95/46 was repealed and replaced by the GDPR.
28 See paragraph 58. That case related not only to the disclosure of the identity and the respective functions of persons having the power to bind the company concerned and to represent it or take part in the administration, supervision or control of that company, but also to the disclosure of information concerning the appointment of liquidators and their powers. See, by contrast, the judgment in Luxembourg Business Registers, paragraphs 63 to 88, in which the Court held, in essence, that a requirement that Member States ensure that information relating to the identity of the beneficial owner as well as to the nature and extent of the beneficial interest held in corporate or other legal entities is accessible in all cases to the general public breached the principle of proportionality as the interference with the rights guaranteed in Articles 7 and 8 of the Charter was not limited to what was strictly necessary in order to prevent the use of the financial system for the purposes of money laundering or terrorist financing and was disproportionate stricto sensu.
29 I also consider that such widespread disclosure sits somewhat uncomfortably with the concept of a public limited company. This is perhaps more evident from the meaning conveyed by the Spanish-, French- and Portuguese-language terms ‘sociedad anónima’, ‘société anonoyme’ and ‘sociedade anónima de responsabilidade limitada’, respectively, used in Annex II to Directive 2017/1132.
30 See the title itself of Directive 2017/1132.
31 See, by analogy, judgment of 18 April 2024, Citadeles nekustamie īpašumi (C‑22/23, EU:C:2024:327, paragraph 48).
32 In accordance with Article 161 of Directive 2017/1132, as amended by Directive (EU) 2019/1151 of the European Parliament and of the Council of 20 June 2019 amending Directive (EU) 2017/1132 as regards the use of digital tools and processes in company law (OJ 2019 L 186, p. 80), the processing of any personal data carried out in the context of that directive is subject to the GDPR.
33 I consider that it is opportune to answer those two questions together.
34 In order to answer the referring court’s questions, I consider that it is necessary to examine other provisions of the GDPR, in particular Article 6 thereof.
35 It must be recalled that the system of cooperation established by Article 267 TFEU is based on a clear separation of functions between the national courts and the Court. In proceedings brought on the basis of that article, the interpretation of provisions of national law is a matter for the courts of the Member States, not for the Court of Justice, and the Court has no jurisdiction to rule on the compatibility of rules of national law with provisions of EU law. However, the Court does have jurisdiction to provide the national court with all the guidance as to the interpretation of EU law necessary to enable the national court to determine whether the national rules are compatible with EU law (judgment of 11 September 2025, Cairo Network and Others, C‑764/23 to C‑766/23, EU:C:2025:691, paragraph 43).
36 Judgment of 2 March 2023, Norra Stockholm Bygg (C‑268/21, EU:C:2023:145, paragraph 26 and the case-law cited). The Court has stated that the definition of the material scope of the GDPR, as set out in Article 2(1) of that regulation, is very broad and that the exceptions to that scope, as provided for in Article 2(2) thereof, must be interpreted restrictively (judgment of 30 March 2023, Hauptpersonalrat der Lehrerinnen und Lehrer, C‑34/21, EU:C:2023:270, paragraph 33 and the case-law cited).
37 See, by analogy, judgment of 6 October 2020, Bank Refah Kargaran v Council (C‑134/19 P, EU:C:2020:793, paragraphs 29, 30 and 37). For an explanation of the relationship between Chapter 2 of Title V of the EU Treaty and Article 215 TFEU, see my Opinion in Čiekuri-Shishki (C‑480/24, EU:C:2025:672, points 27, 28, 32 and 33).
38 See Article 235(1) of the Commercial Code and the fifth paragraph of Article 410, point 2 of the first paragraph of Article 411 and points 2(b) and 3(a) of the first paragraph of Article 415 of the Law on the Companies Register.
39 See, by analogy, judgments of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes) (C‑175/20, EU:C:2022:124, paragraphs 30 to 38), and of 1 August 2022, Vyriausioji tarnybinės etikos komisija (C‑184/20, EU:C:2022:601, paragraph 65). See also judgment of 3 April 2025, Ministerstvo zdravotnictví (Data concerning the representative of a legal person) (C‑710/23, EU:C:2025:231, paragraphs 22 to 31 and the case-law cited).
40 See, by analogy, judgment of 5 June 2023, Commission v Poland (Independence and private life of judges) (C‑204/21, EU:C:2023:442, paragraphs 327 to 329 and 332 and the case-law cited).
41 Judgment of 5 June 2023, Commission v Poland (Independence and private life of judges) (C‑204/21, EU:C:2023:442, paragraph 332).
42 See also recital 73 of the GDPR.
43 Judgments of 6 October 2020, La Quadrature du Net and Others (C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraphs 207 and 208 and the case-law cited), and of 3 April 2025, Ministerstvo zdravotnictví (Data concerning the representative of a legal person) (C‑710/23, EU:C:2025:231, paragraph 33).
44 Judgment of 11 July 2024, Meta Platforms Ireland (Representative action) (C‑757/22, EU:C:2024:598, paragraph 49 and the case-law cited). See, however, Article 23 of the GDPR.
45 See Article 5(1)(a) of the GDPR.
46 See Article 5(1)(b) of the GDPR. This provision enshrines the principle of purpose limitation. See also Article 8(2) of the Charter which requires personal data to be processed fairly for specified purposes.
47 See Article 5(1)(c) of the GDPR. This provision enshrines the principle of data minimisation which gives expression to the principle of proportionality. See, to that effect, judgment of 9 January 2025, Mousse (C‑394/23, EU:C:2025:2, paragraph 24 and the case-law cited). The principle of data minimisation requires the controller, inter alia, to limit the period of collection of the personal data in question to what is strictly necessary in the light of the objective of the envisaged processing. Moreover, the controller may not engage in the collection of personal data in a generalised and indiscriminate manner and must refrain from collecting data which are not strictly necessary having regard to the purpose of the processing (judgment of 4 October 2024, Schrems (Communication of data to the general public), C‑446/21, EU:C:2024:834, paragraphs 52 and 59 and the case-law cited).
48 See Article 5(1)(d) of the GDPR.
49 See Article 5(1)(e) of the GDPR.
50 See Article 5(1)(f) of the GDPR.
51 Judgment of 20 October 2022, Digi (C‑77/21, EU:C:2022:805, paragraph 47). Moreover, in accordance with Article 5(2) of the GDPR, the controller bears the burden of proving that those data are collected in compliance with Article 5(1). This is referred to as the ‘principle of accountability’ (judgment of 14 March 2024, ÚjpestiPolgármesteriHivatal, C‑46/23, EU:C:2024:239, paragraph 32 and the case-law cited).
52 Judgment of 22 June 2021, LatvijasRepublikasSaeima (Penalty points) (C‑439/19, EU:C:2021:504, paragraph 99 and the case-law cited).
53 The first subparagraph of Article 6(1) of the GDPR therefore overlaps with and expands on the principle of lawful processing set out in Article 5(1)(a) of that regulation. See, to that effect, judgment of 20 October 2022, Digi (C‑77/21, EU:C:2022:805, paragraphs 49 and 56 to 59 and the case-law cited).
54 The Commission considers that it is apparent from the request for a preliminary ruling that the processing in the present case is based on point (c) of the first subparagraph of Article 6(1) of the GDPR. The Norwegian Government submits that the national provisions on which the fourth question is based constitute a ‘legal obligation’ to process the information in question pursuant to point (c) of the first subparagraph of Article 6(1) of the GDPR. The Polish and Finnish Governments, however, also refer to point (e) of the first subparagraph of Article 6(1) of the GDPR.
55 See, in particular, the fifth paragraph of Article 410, point 2 of the first paragraph of Article 411 and points 2(b) and 3(a) of the first paragraph of Article 415 of the Law on the Companies Register.
56 See point (e) of the first subparagraph of Article 6(1) of the GDPR. This provision is somewhat akin to the flexibility clause in Article 352 TFEU, which enables, under certain conditions, the adoption of measures necessary to fulfil a legitimate objective even though their adoption is not specifically provided for.
57 See, by analogy, judgments of 5 June 2023, Commission v Poland (Independence and private life of judges) (C‑204/21, EU:C:2023:442, paragraph 339 and the case-law cited), and of 1 August 2022, Vyriausioji tarnybinės etikos komisija (C‑184/20, EU:C:2022:601, paragraph 71). See, by contrast, the judgment in Agentsia po vpisvaniyata, paragraphs 107 to 110, in which the Court considered that the processing of personal data was not based on a legal obligation laid down by EU or Member State law but appeared to be carried out in connection with a task performed in the public interest within the meaning of point (e) of the first subparagraph of Article 6(1) of the GDPR.
58 See the judgment in Agentsia po vpisvaniyata, paragraph 83. See also, by analogy, judgment of 11 January 2024, État belge (Data processed by an official journal) (C‑231/22, EU:C:2024:7, paragraphs 35 to 38).
59 Such processing must be regarded as provided for by law, within the meaning of Article 52(1) of the Charter (judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C‑184/20, EU:C:2022:601, paragraph 72).
60 In his Opinion in I. (Sale of a database) (C‑693/22, EU:C:2024:162, point 68), Advocate General Pikamäe considered that this implies, in particular, the existence of legal provisions which expressly mention the nature and purpose of the processing.
61 The judgment in Agentsia po vpisvaniyata, paragraph 104. See also Article 5(1)(b) of the GDPR, which enshrines the principle of purpose limitation and states that personal data shall be collected for ‘specified, explicit and legitimate purposes’. According to recital 39 of the GDPR, ‘the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. …’.
62 See also Article 5(1)(b) of the GDPR.
63 See, by analogy, judgment of 11 January 2024, État belge (Data processed by an official journal) (C‑231/22, EU:C:2024:7, paragraph 30).
64 It must thus be ascertained whether the interference with the rights guaranteed in Articles 7 and 8 of the Charter which results from the general public’s access to information on each shareholder is limited to what is strictly necessary, in the sense that the objective could not reasonably be achieved in an equally effective manner by other means less prejudicial to those fundamental rights of the data subjects. See, by analogy, the judgment in Luxembourg Business Registers, paragraph 66.
65 See, by analogy, the judgment in Luxembourg Business Registers, paragraph 63 and the case-law cited.
66 Judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija (C‑184/20, EU:C:2022:601, paragraphs 69 and 70 and the case-law cited), and the judgment in Luxembourg Business Registers, paragraphs 59 to 66 and the case-law cited. See also recital 4 of the GDPR.
67 Judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija (C‑184/20, EU:C:2022:601, paragraph 98).
68 Judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija (C‑184/20, EU:C:2022:601, paragraphs 98 and 99 and the case-law cited). See also judgment of 4 July 2023, Meta Platforms and Others (General terms of use of a social network) (C‑252/21, EU:C:2023:537, paragraph 134) on the relevance of the scale of the processing in question.
69 If he or she has requested that it be used by the company to communicate with him or her.
70 See Article 235(1) of the Commercial Code.
71 As indicated by the referring court.
72 See, by analogy, the judgment in Luxembourg Business Registers, paragraphs 41 to 44 and the case-law cited.
73 In his Opinion in Digi Távközlési és Szolgáltató (C‑77/21, EU:C:2022:248, point 40), Advocate General Pikamäe stated that it is entirely conceivable, in practice, that personal data may be collected or further processed for a number of purposes. This is clearly envisaged and recognised by the GDPR, as is reflected in the wording of Article 5(1)(b) and Article 6(1)(a), as well as recitals 32 and 50 of that regulation.
74 See, by analogy, judgment of 5 June 2023, Commission v Poland (Independence and private life of judges) (C‑204/21, EU:C:2023:442, paragraph 353).
75 See, by analogy, the judgment in Luxembourg Business Registers, paragraph 59 and the case-law cited.
76 This is one of the legal bases of Directive 2017/1132.
77 See also the judgment in Manni, paragraphs 49 to 51, which links (i) access to essential information relating to the constitution of trading companies and to the powers of persons authorised to represent them; to (ii) the protection of the interests of third parties generally.
78 See paragraphs 58 and 59 and the case-law cited, and Opinion of Advocate General Pitruzzella in Joined Cases Luxembourg Business Registers (C‑37/20 and C‑601/20, EU:C:2022:43 points 143 to 145 and the case-law cited). See, by analogy, judgment of 2 March 2023, PrivatBank and Others (C‑78/21, EU:C:2023:137, paragraph 61).
79 See also Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ 2015 L 141, p. 73) and Directive (EU) 2024/1640 of the European Parliament and of the Council of 31 May 2024 on the mechanisms to be put in place by Member States for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (OJ L, 2024/1640). I would stress that Article 43 of Directive 2015/849 states that ‘the processing of personal data on the basis of this Directive for the purposes of the prevention of money laundering and terrorist financing as referred to in Article 1 shall be considered to be a matter of public interest under [the GDPR].’
80 See, to that effect, judgment of 28 March 2017, Rosneft (C‑72/15, EU:C:2017:236, paragraphs 148 to 150).
81 And the national legislation transposing it.
82 This is a matter for the referring court to ascertain.
83 See the judgment in Luxembourg Business Registers, paragraph 67. See also, by analogy, judgments of 1 August 2022, Vyriausioji tarnybinės etikos komisija (C‑184/20, EU:C:2022:601, paragraph 83), and of 5 June 2023, Commission v Poland (Independence and private life of judges) (C‑204/21, EU:C:2023:442, paragraph 367).
84 To respect for their private life and to the protection of their personal data.
85 Obliged entities have access within the framework of customer due diligence. See, in particular, Chapter II of that directive.
86 See, to that effect, paragraph 30 of General Secretariat of the Council of the European Union, ‘Restrictive measures (sanctions) – Update of the EU best practices for the effective implementation of restrictive measures’, 11623/24, 3 July 2024, available at: https://data.consilium.europa.eu/doc/document/ST‑11623-2024-INIT/en/pdf (‘the Best Practices’).
87 See the written submissions of the Latvian Government, paragraph 40. See also Article 5 of the Law on international sanctions and national sanctions of the Republic of Latvia.
88 See paragraph 83.
89 They have access to the information in question in all cases without restriction.
90 As defined by point 6 of Article 3 of Directive 2015/849.
91 This must be coupled with other publicly available information in relation to companies such as that under Directive 2017/1132.
92 C‑480/24, EU:C:2025:672, point 34.
93 See paragraph 41.
94 Emphasis added.
95 See also, for illustrative purposes, Article 2(2) of Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine (OJ 2014 L 78, p. 6), as amended by Council Implementing Regulation (EU) 2022/1985 of 20 October 2022 (OJ 2022 L 272I, p. 1). See, by analogy, judgment of 17 January 2019, SH (C‑168/17, EU:C:2019:36, paragraphs 51 and 53 and the case-law cited).
96 See, for example, the procedure for requesting restricted information pursuant to the Law on Freedom of Information and the limits thereto, outlined in points 20 and 63 to 65 of the present Opinion.
97 Which are public limited companies.
98 See paragraph 76 of that judgment.
99 See, by analogy, the judgment in Luxembourg Business Registers, paragraph 85.
100 Subject to verification by the referring court.
101 In its request for a preliminary ruling, the referring court refers to ‘restricted information’.
102 Emphasis added.
103 Directive 2015/849 carries out only minimum harmonisation, as Article 5 thereof allows Member States to adopt or retain in force stricter provisions where those provisions seek to strengthen the fight against money laundering and terrorist financing, within the limits of Union law (judgment of 2 March 2023, PrivatBank and Others, C‑78/21, EU:C:2023:137, paragraph 64).
104 Albeit in relation to shareholders in general.
105 See the judgment in Luxembourg Business Registers, paragraph 72. See also Article 30(3) of Directive 2015/849.
106 It is not clear from the file before the Court what relationship, if any, exists between those provisions.
107 Subject to verification by the referring court.
108 Subject to the verifications which it is for the referring court to carry out.