Choose the experimental features you want to try

This document is an excerpt from the EUR-Lex website

Document 62023CC0200

Opinion of Advocate General Medina delivered on 30 May 2024.


Court reports – general

ECLI identifier: ECLI:EU:C:2024:445

Provisional text

OPINION OF ADVOCATE GENERAL

MEDINA

delivered on 30 May 2024 (1)

Case C200/23

Agentsia po vpisvaniyata

v

OL,

in the presence of:

Varhovna administrativna prokuratura

(request for a preliminary ruling from the Varhoven administrativen sad (Supreme Administrative Court, Bulgaria))

(Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Publication in the commercial register of a company’s constitutive instrument containing personal data – Directive (EU) 2017/1132 – Controller – Right to the erasure of personal data)






I.      Introduction

1.        By its request for a preliminary ruling, the Varhoven administrativen sad (Supreme Administrative Court, Bulgaria) asks the Court a set of questions concerning, in essence, the interaction between the provisions on the disclosure of the instrument of articles and memorandum of association of companies (‘the constitutive instrument’), which are the subject of coordination at EU level, (2) and Regulation (EU) 2016/679.(3)

2.        The request was made in proceedings between the Agentsia po vpisvaniyata (Registration Agency, Bulgaria; ‘the Agency’) and OL concerning the Agency’s refusal to erase certain personal data relating to OL contained in an instrument made available to the public in the commercial register.

II.    Legal framework

A.      European Union law

3.        Of relevance for the purposes of this Opinion are, in particular, Articles 14 and 16 of Directive 2017/1132, which replaced Directive 2009/101, and Articles 4 to 6 and 17 of the GDPR. In the interest of better readability, reference will be made to the wording of the relevant provisions of those articles in the context of the present analysis.

B.      Bulgarian law

4.        Article 2 of the Zakon za targovskia registar i registara na yuridicheskite litsa s nestopanska tsel (Law on the commercial register and the register of not-for-profit legal persons), (4) in the version applicable to the dispute in the main proceedings (‘the Law on the registers’), provides:

‘(1)      The commercial register and the register of not-for-profit legal persons [‘the registers’] are a common electronic database containing the circumstances entered pursuant to a law, and the acts made available to the public pursuant to a law, which concern traders and the branches of foreign traders, not-for-profit legal persons and the branches of foreign not-for-profit legal persons.

(2)      The circumstances and acts referred to in paragraph 1 shall be made available to the public without the information constituting personal data within the meaning of Article 4(1) of [the GDPR], with the exception of information that must be made available to the public by law.’

5.        In the words of Article 6(1) of the Law on the registers, all traders and non-for-profit legal persons are required to apply to be entered on the registers, stating the circumstances entry of which is requested and submitting the acts to be made available to the public.

6.        Article 11 of that law is worded as follows:

‘(1)      [The registers] shall be public. Everyone shall be entitled to access freely and free of charge the database constituting the registers.

(2)      The [Agency] shall ensure registered access to the file of the trader or not-for-profit legal person.’

7.        Article 13(1), (2), (6) and (9) of that law provides:

‘(1)      Entry, erasure and making available to the public shall be done on the basis of an application form.

(2)      The application shall include:

1.      the applicant’s details;

3.      the circumstance subject to entry, the entry erasure of which is requested, or the act to be made available to the public;

(6)      The application shall be accompanied by the documents or, as the case may be, the act to be made available to the public, in accordance with the requirements of the law. The documents shall be submitted in the form of an original, a copy authenticated by the applicant or a notarised copy. The applicant shall also submit authenticated copies of the acts to be made available to the public in the commercial register, in which personal data other than those required by law have been redacted.

(9)      Where the application or the attached documents refer to personal data which are not required by law, the persons who provided them are assumed to have consented to their being processed by the [Agency] and being made available to the public.’

8.        Point (3) of Article 101 of the Targovski zakon (Commercial Code), (5) in the version applicable to the dispute in the main proceedings (‘the Commercial Code’), provides that the company’s constitutive instrument must contain ‘the name, business name and unique identification code of members’.

9.        Under Article 119(1) of that code, the entry of a company on the commercial register requires, inter alia, submission of the constitutive instrument which is made available to the public. In accordance with paragraph 4 of that article, ‘for the purposes of amending or supplementing the constitutive instrument in the commercial register, a copy of that instrument containing all amendments and all addenda, authenticated by the body representing the company, shall be submitted for the purpose of being made available to the public.’

III. The dispute in the main proceedings and the questions referred for a preliminary ruling

10.      OL is a member of an ‘OOD’, a limited liability company governed by Bulgarian law, which on 14 January 2021 was entered in the commercial register. The application for registration was accompanied by the constituent instrument, dated 30 December 2020, signed by the members (‘the 2020 constitutive instrument’). That instrument, containing OL’s surname and forename, her identification number, the number of her identity card, the date and place of issue of that card and her permanent address, was registered and made available to the public in the form in which it had been submitted. On 8 July 2021, OL requested the Agency to erase the personal data relating to her contained in the 2020 constitutive instrument, stating that, if the processing of those data was based on her consent, she was revoking that consent. In the absence of a response from the Agency, OL brought an action before the Administrativen sad Dobrich (Administrative Court, Dobrich, Bulgaria), which annulled the Agency’s implied refusal to grant her request and referred the matter back to the Agency for a new decision. In order to comply with that judgment, and with a similar judgment in respect of the other company member who had taken the same step, the Agency, by letter of 26 January 2022, stated that an authenticated copy of the 2020 constitutive instrument in which the personal data of the company members, other than the personal data required by law, had been redacted, must be sent to it so that it might grant the request for erasure (‘the letter of 26 January 2022’). On 31 January 2022, OL again brought an action before the Administrativen sad Dobrich (Administrative Court, Dobrich) seeking annulment of the letter of 26 January 2022 and an order that the Agency compensate her for the non-material damage caused by that letter, which infringed the rights conferred by the GDPR. On 1 February 2022, before being notified of that action, the Agency of its own motion erased OL’s identification number, the data relating to her identity card and her address, but not her surname, forename and signature. By judgment of 5 May 2022, the Administrativen sad Dobrich (Administrative Court, Dobrich) annulled the letter of 26 January 2022 and ordered the Agency to pay compensation to OL in the amount of 500 Bulgarian leva (BGN) (approximately EUR 255), plus statutory interest, for the non-material damage, pursuant to Article 82 of the GDPR. According to that judgment, that damage consisted of negative emotions and experiences resulting from that letter, which gave rise to a breach of the right to erasure enshrined in Article 17(1) of the GDPR and the unlawful processing of her data contained in the constitutive instrument made available to the public. The Agency appealed on a point of law against that judgment before the referring court. It claims, inter alia, that it is controller but also recipient of the data transmitted in the context of the registration procedure and that, although it made a request to that effect before the company of which OL was a member was registered, it did not receive a copy of the company’s constitutive instrument in which the data that were not to be made available to the public were redacted. The entry of a commercial company cannot be refused on that ground alone. The Agency refers to an opinion of 2021 of the national supervisory authority, the Komisia za zashtita na lichnite danni (Commission for the Protection of Personal Data, Bulgaria), submitted under Article 58(3)(b) of the GDPR (‘the 2021 opinion’), (6) in which it is stated that the Agency is not permitted to alter the content of the acts which it receives for the purpose of being entered in the register. OL maintains that, as controller, the Agency cannot impose on other persons its own obligations to erase the data in question. She relies on national case-law according to which the 2021 opinion does not comply with the provisions of the GDPR.

11.      It was in those circumstances that the Varhoven administrativen sad (Supreme Administrative Court) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      May Article 4(2) of [Directive 2009/101] be interpreted as meaning that it imposes an obligation on the Member State to permit the disclosure of [a constitutive instrument], which is subject to registration under Article 119 of [the Commercial Code], in the case where that instrument contains not only the names of the members of the company, which are subject to compulsory disclosure under Article 2(2) of [the Law on the registers], but also other personal data? When answering this question, it is important to take into account that the [Agency] is a public-sector body against which the directly effective provisions of the aforementioned directive may be relied on, in accordance with the settled case-law of the Court of Justice (judgment of 7 September 2006, Vassallo, С-180/04, EU:C:2006:518, paragraph 26 and the case-law cited).

(2)      If the first question is answered in the affirmative, may it be assumed that, in the circumstances which gave rise to the dispute in the main proceedings, the processing of personal information by the [Agency] is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, within the meaning of Article 6(1)(e) of [the GDPR]?

(3)      If the first two questions are answered in the affirmative, may a national provision such as that contained in Article 13(9) of [the Law on the registers], in accordance with which, in the event that personal data not required by law are contained in an application [for registration] or in the documents annexed thereto, it must be assumed that the persons who made those data available consented to the processing thereof by the [Agency] and to the provision of public access thereto, be regarded as permissible, notwithstanding recitals 32, 40, 42, 43 and 50 of [the GDPR], as a clarification of the possibility of “voluntary disclosure”, within the meaning of Article 4(2) of [Directive 2009/101], even of personal data?

(4)      Is it permissible for provisions of national law intended to give effect to the obligation laid down in Article 3(7) of [Directive 2009/101], whereby Member States are to take the necessary measures to avoid any discrepancy between what is disclosed in accordance with paragraph 5 and what appears in the register or file, and to take into account the interests of third parties in being acquainted with the essential documents of the company and certain information concerning the company, as referred to in recital 3 of that directive, to prescribe a procedure (application forms, submission of copies of documents in which personal data have been redacted) for exercising the right of natural persons under Article 17 of [the GDPR] to obtain from the controller the erasure of personal data concerning him or her without undue delay, in the case where the personal data the erasure of which is sought are part of publicly disclosed (notified) documents which were made available to the controller, in accordance with a similar procedure, by another person who, in so doing, also determined the purpose of the processing initiated by him or her?

(5)      In the situation underlying the dispute in the main proceedings, does the [Agency] act only as controller in relation to the personal data or is it also the recipient thereof, in the case where the purposes of processing those data were determined by another controller as part of the documents that were submitted for disclosure?

(6)      Does the handwritten signature of a natural person constitute information relating to an identified natural person, in the sense that it is covered by the term “personal data” within the meaning of Article 4(1) of [the GDPR]?

(7)      Is the concept of “non-material damage” in Article 82(1) of [the GDPR] to be interpreted as meaning that the assumption of non-material damage requires a noticeable disadvantage and an objectively comprehensible impairment of personal interests, or is the mere short-term loss of the data subject’s unfettered control over his or her data due to the publication of personal data in the commercial register, which did not have any noticeable or adverse consequences for the data subject, sufficient for that purpose?

(8)      May [the 2021 opinion], issued by the national supervisory authority, the [Commission for the Protection of Personal Data], in accordance with Article 58(3)(b) of [the GDPR], to the effect that the [Agency] does not have the option or power in law to restrict of its own motion or at the request of the data subject the processing of data which have already been disclosed, permissibly be regarded as proof, for the purposes of Article 82(3) [of the GDPR], that the [Agency] is in no way responsible for the circumstance which gave rise to the damage suffered by the natural person?’

IV.    The procedure before the Court

12.      The parties to the main proceedings, the Bulgarian and German Governments, Ireland, the Italian, Polish and Finnish Governments and the European Commission submitted written observations, under Article 23 of the Statute of the Court of Justice of the European Union, on either all or some of the questions referred. The parties to the main proceedings, the Bulgarian Government, Ireland and the Commission also presented oral argument at the hearing on 7 March 2024.

A.      Analysis

13.      At the Court’s request, this Opinion will focus on the fourth and fifth questions, which I propose to deal with together. Before carrying out my analysis, I consider it necessary to make some preliminary observations in relation to the reference for a preliminary ruling as a whole.

1.      Preliminary observations

14.      It should first of all be pointed out – as the parties to the main proceedings, the Commission and most of the Member States which submitted observations to the Court have observed – that the grounds of the order for referral, and the wording of the questions referred – including, in particular, the fourth question – refer to the provisions of Directive 2009/101. That directive, however, was repealed and replaced, as from 20 July 2017, by Directive 2017/1132, which is applicable ratione temporis to the facts of the main proceedings. In the remaining part of my analysis, I shall therefore refer solely to the latter directive.

15.      It should next be borne in mind that Directive 2017/1132, and in particular Articles 16 and 161 thereof, so far as the purpose of the examination of the present reference for a preliminary ruling is concerned, were amended by Directive (EU) 2019/1151, (7) which entered into force on 31 July 2019. While it is true, as the Commission emphasises, that the entry in the commercial register of the 2020 constitutive instrument containing OL’s personal data was made before 1 August 2021, the date of expiry of the period for the transposition of Directive 2019/1151, (8) some of the facts occurred after that date, including the sending by the Agency of the letter of 26 January 2022, the erasure by the Agency of its own motion of certain of those data and the re-publication of those data in the register, to which the respondent in the main proceedings refers in her written observations. It cannot therefore be precluded that it is the version of Directive 2017/1132, as amended by Directive 2019/1151, that is applicable ratione temporis in the context of the main proceedings, which it is for the referring court to determine. It is for that reason that I shall refer, in the remaining part of my analysis, to that version.

16.      I would already make clear, however, that the amendments introduced by Directive 2019/1151 have, as such, only a limited impact on the question as to the detailed rules according to which the authority of a Member State responsible for keeping the company register is supposed to ensure the protection of personal data in the exercise of its functions. However, it must be emphasised, more generally, that that directive aims to strengthen and consolidate the use of digital tools and processes in collecting and managing information flows concerning companies, which entails wider access to the personal data which they contain and increases the risk of breach of the right to protection of such data and the harmful nature of such breaches. (9) Such a process of digitisation, (10) together with intensification of cross-border accessibility to that information, also intended by the EU legislature, (11) requires particular attention when a balance must be struck between, on the one hand, the objectives of legal certainty and protection of third party rights which, as we shall see, underlie the rules on disclosure relating to companies, and, on the other hand, the fundamental rights to respect for private life and the protection of personal data. (12)

17.      Still by way of preliminary observation, I note that the dispute in the main proceedings concerns the removal in the commercial register of a Member State of personal data the publication of which is not required either by Directive 2017/1132 or by the law of the Member State concerned, and also the liability of the national authority responsible for keeping that register for the non-material damage caused by the refusal to give immediate and unconditional effect to the request for the erasure of such data. On the other hand, the dispute in the main proceedings does not directly concern the obligations borne by such an authority in respect of the protection of personal data upon the entry in the commercial register of the constitutive instrument of a company which contains data the publication of which is not compulsory. That question is nonetheless implicit, as is apparent from the fact that a considerable number of the intervening Member States devoted a large part of their observations to it, proposing a radical reformulation of the first four questions referred or of some of them. In the remaining part of my analysis, I shall address certain aspects of that question, while remaining within the limits defined by the subject matter of the main proceedings and by the questions at which this Opinion is targeted.

2.      The fourth and fifth questions

18.      By its fourth question, the admissibility of which is disputed by the Bulgarian Government, the referring court seeks in essence to ascertain whether Directive 2017/1132 must be interpreted as meaning that it permits the right of natural persons, in this instance the members of a limited liability company referred to in that directive, (13) to have personal data relating to them erased from that register may be made subject to specific procedural conditions, where such data are not included in the information subject to compulsory disclosure under national law, but appear in the constitutive instrument of that company that was made available to the public when the company was entered in the commercial register. By its fifth question, the referring court, on the other hand, asks the Court to clarify whether, in the case of such data, the authority responsible for keeping the commercial register acts as a ‘controller’ within the meaning of Article 4(7) of the GDPR or whether it is also the ‘recipient’ of the data which it processes, within the meaning of Article 4(9) of that regulation, the purposes of the processing of those data having been determined in advance by a third party.

19.      As I have already said, it is appropriate, in my view, to deal with those two questions together. For that purpose, I shall address the various issues which they raise in the following order. After briefly outlining the scope of the obligations relating to disclosure of the companies referred to in Annex II to Directive 2017/1132, I shall examine, in the first place, the question of who is the controller of the personal data contained in acts subject to compulsory disclosure in the context of the entry of a company in the commercial register of a Member State where, as in this instance, the disclosure of the data concerned is not required either by harmonised EU law or by the law of the Member State concerned. In the second place, I shall address the question of what, in this instance, is the legal basis of the processing of such data. In the third place, I shall deal with the question whether, once those data have been disclosed when the instrument containing them was made available to the public, the data subjects have a right to erasure in accordance with Article 17 of the GDPR. Last, in the fourth place, I shall address the question whether such a right may be subject to procedural rules such as those mentioned by the referring court.

20.      Before I carry out that analysis, it is appropriate to respond to the objections raised by the Bulgarian Government to the admissibility of the fourth question. That government maintains that the fourth question concerns, in essence, the compatibility with Article 16(7) of Directive 2017/1132 – in the version prior to the amendments introduced by Directive 2019/1151 – of national legislation which has not yet been adopted. The question is therefore hypothetical. In that regard, I observe that the referring court is required to adjudicate, at last instance, on the legality of the Agency’s refusal to erase certain of the respondent’s personal data contained in an instrument made available to the public following the entry of those data in the commercial register, and on the consequences of that refusal. In order to do so, the referring court is required to assess, by reference to the provisions of Directive 2017/1132 and of the GDPR, whether such a refusal may be justified, inter alia, by the fact that the authenticated copy of that act, with the personal data in question redacted, was not placed on the file. The preliminary ruling sought is therefore necessary to allow the referring court to give judgment in the dispute before it. Furthermore, in spite of the ambiguous wording of the fourth question, it is clear from the order for reference that that question does not seek an opinion on the compatibility with EU law of national legislation which has not yet been adopted, but asks the Court to provide the elements of interpretation of EU law which the referring court needs in order to resolve the dispute which it is required to settle. To my mind, the fourth question is therefore admissible.

3.      Brief overview of the scope of the obligations relating to disclosure of the acts and information concerning the companies listed in Annex II to Directive 2017/1132

21.      Article 14 of Directive 2017/1132 provides that, for the forms of companies that appear in Annex II to that directive, Member States are to publish ‘at least’ the acts and information listed in that article. Among the acts subject to compulsory disclosure, Article 14 of that directive refers, in points (a) to (c), to ‘the instrument of constitution, and the statutes if they are contained in a separate instrument’, and any amendments thereto. In accordance with Article 4(i) of that directive, the compulsory information to be provided in the statutes, the instrument of incorporation or a separate document includes the identity of the natural or legal persons or companies or firms by which or in whose name the statutes or the instrument of incorporation have been signed. Among the particulars which must be disclosed, Article 14 of that directive mentions, in point (d), ‘the appointment, termination of office and particulars of the persons who either as a body constituted pursuant to law or as members of any such body, are authorised to represent the company in dealings with third parties and in legal proceedings’ and/or ‘take part in the administration, supervision or control of the company’. In accordance with Article 16(2) of Directive 2017/1132, as amended by Directive 2019/1151, all documents and information that must be disclosed pursuant to Article 14 are to be kept on the file referred to in paragraph 1 of that article, opened in a central, commercial or companies register, or entered directly in the register. (14) Under Article 16(3) and (4) of that directive, as amended by Directive 2019/1151, Member States are to ensure that the disclosure of the acts and particulars referred to in Article 14 of that directive is to be ensured by making them available to the public in the register. Furthermore, Member States may also require disclosure of all or part of the acts and information in particular in a national gazette designated for that purpose or by equally effective means. Member States are to take all necessary measures to avoid any discrepancy between what is in the register and on the file and between what is disclosed in the register and what is published in the gazette.

22.      The following observations may be made with respect to the abovementioned requirements of Directive 2017/1132.

23.      First, Directive 2017/1132 provides for the compulsory disclosure and accessibility by means of the register of the entire instrument of constitution of the company and any amendments thereto. (15)

24.      Second, as regards the companies referred to in Annex II, that directive requires the disclosure and accessibility by means of the register only of information relating to certain categories of persons, namely, among others, those authorised to bind the company or who take part in the administration, supervision or control of the company. In accordance with Article 4(i) of that directive, the identity of the natural persons who have signed the instrument of incorporation of the company is also subject to disclosure.

25.      Third, that information, relating to identified or identifiable natural persons, constitutes ‘personal data’ within the meaning of Article 4(1) of the GDPR. (16)

26.      Fourth, the abovementioned provisions of Directive 2017/1132 contain only minimum requirements concerning the disclosure of the acts and particulars relating to companies. It is therefore for the Member States to determine, inter alia, which categories of information concerning the identity of the persons referred to in Article 4(i) and Article 14(d) of that directive are to be subject to compulsory disclosure. The Member States are also free to subject to such disclosure other acts or other particulars relating, where relevant, to other categories of persons. It is self-evident that, in carrying out that exercise, Member States are required to comply with all provisions of EU law and, in particular, with the principles laid down in Article 8 and Article 52(1) of the Charter of Fundamental Rights of the European Union (‘the Charter’) and the provisions of the GDPR.

4.      The controller

27.      Article 4(7) of the GDPR defines the concept of ‘controller’ broadly, as meaning the natural or legal person, public authority, agency or other body who or which, alone or jointly with others, ‘determines the purposes and means of the processing’ of personal data. The objective of that broad definition consists, in accordance with the objective pursued by that regulation, in ensuring effective protection of the fundamental rights and freedoms of natural persons and, in particular, in ensuring a high level of protection of the right of every person to the protection of personal data concerning him or her. (17) The concept of ‘processing’ is also given a broad interpretation. (18) In the words of Article 4(2) of the GDPR, ‘processing’ means ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.

28.      It follows from the judgment in Manni that, in transcribing and keeping in the commercial register the information about the identity of the persons referred to in Article 14(d) of Directive 2017/1132, and in communicating that information, the authority responsible for keeping that register is the ‘controller’ which ‘processes personal data’ within the meaning of the definitions given in Article 4(2) and (7) of the GDPR. The same clearly applies where what is transcribed in that register, kept and communicated constitutes personal data other than the data expressly referred to in that directive, where disclosure of those data is prescribed by the law of a Member State.

29.      The question that arises in the present case, however, is whether such an authority, in this instance the Agency, is responsible for making available to the public personal data the disclosure of which is not required either by Directive 2017/1132 or by the law of the Member State concerned, in this instance Bulgarian law, but which are contained in an instrument the transcription and disclosure of which are compulsory.

30.      In my view the answer to that question must be in the affirmative.

31.      The making available to the public in the commercial register of OL’s personal data occurred in the exercise of the powers vested in the Agency as the authority responsible for keeping that register. As stated above, Bulgarian law provides that the application to enter a company on the commercial register is to be accompanied by the original or an authenticated copy of the acts which are required to be disclosed, including the constitutive instrument, which the Agency is required to make available to the public. The purpose and the means of the processing of the personal data by the Agency in the performance of its task are also determined by Bulgarian law and also by EU law, which, as we have seen, has harmonised the laws of the Member States in relation to the disclosure obligations of companies. As the authority responsible for processing the personal data contained in the acts transcribed in the commercial register in accordance with the purposes and the means determined by the Bulgarian legislation and EU legislation, the Agency must therefore be considered to be the ‘controller’ within the meaning of Article 4(7) of the GDPR. I note that the Court recently reached a similar conclusion in the case of the national body responsible for maintaining the official journal of a Member State, in the judgment of 11 January 2024, État belge (Data processed by an official journal). (19)

32.      That conclusion is not called into question by the fact that, in this instance, the data contained in the 2020 constitutive instrument are not among those that must be made available to the public under Bulgarian law. First, the lack of impact of such a circumstance on the identification of the controller was implicitly accepted by the Court in the judgment in État belge. In the case that gave rise to that judgment, as in the case at the origin of the present reference for a preliminary ruling, the dispute related to data which were not required to be made available to the public by the law of the Member State concerned. Second, Article 13(9) of the Law on the registers expressly provides that, where the applicant does not submit an authenticated copy of the disclosable instrument from which the non-essential personal data have been erased, the Agency is to process those data and make them available to the public on the basis of presumed implied consent. Accordingly, even in such circumstances, the Bulgarian legislation expressly designates the Agency as controller.

33.      In those circumstances, I am unable to subscribe to the argument, put forward by the Agency in its written observations, that if the applicant does not redact the information not required by law that is contained in the acts which he or she submits for the purposes of the entry in the register, the applicant himself or herself becomes controller for the processing consisting in that information being placed on line in that register. Irrespective of whether consent to the publication of that information can be lawfully given by bringing into play the presumption laid down in Article 13(9) of the Law on the registers, the existence of such consent cannot have an impact on the determination of the controller, but only on the lawfulness of the processing.

34.      Likewise, the fact, to which the Agency also draws attention, that the documents submitted in the context of an application for entry in the commercial register are not structured or machine-readable data, unlike the digital fields of that register, which are filled in by the agent making the entry and correspond to the legal definition of the ‘register’ in Bulgarian law, is also irrelevant. The Agency is the authority entrusted by Bulgarian law with keeping the commercial register and is therefore liable for all processing of the personal data published in the register, irrespective of whether those data are contained in a document accompanying the application or are encoded by an official of the Agency. Thus, even where it does not itself carry out a digital transformation of the documents which it receives, the Agency is nonetheless responsible for disclosing those documents and the data which they contain, by means of the register. More generally, in the context of the task which it carries out in the public interest, it collects, records, keeps, organises and arranges all the data, acts and documents which it receives in a structured database, which is recognised as a reliable and authentic source of information.

35.      Last, the classification of the Agency as ‘controller’ within the meaning of Article 4(7) of the GDPR is not called into question by the fact that it does not control, before they are placed on line, the personal data contained in the electronic images or the paper originals of the documents transmitted for the purposes of entry, or by the fact that it cannot alter or rectify those data. In that regard, I recall that the Court has already had occasion to reject an argument along similar lines in the judgment in État belge, concerning the publication in the official journal of a Member State of acts and documents prepared by third parties, then lodged with a judicial authority and transmitted to the body responsible for that journal for the purpose of their disclosure. In paragraph 38 of that judgment, the Court observed that the publication of such acts and documents without any possibility of checking or amending their content is intrinsically linked to the role of an official journal, which is confined to informing the public of the existence of those acts and documents in accordance with the applicable national law, so as to make them enforceable against third parties. The Court also observed that it would be contrary to the objective of Article 4(7) of the GDPR, which consists in ensuring effective and complete protection of natural persons with regard to the processing of their personal data, to exclude the official journal of a Member State from the concept of ‘controller’ on the ground that it does not exercise control over such data. Similar considerations apply, mutatis mutandis, to the publication of acts and documents in the companies registers of the Member States. As was the case for the Moniteur belge in that judgment, while it is true that the Agency must publish the instrument concerned as it stands, it is the Agency alone that must undertake that task and disseminate the act. (20)

36.      The question arises at this point whether the Agency must be considered to be the sole controller of the data at issue and therefore to be solely responsible for complying with the principles referred to in Article 5(1) of the GDPR or whether it shares that responsibility with the applicant, acting on behalf of the company, on the ground that the latter has not sent the Agency a copy of the 2020 constitutive instrument with those data redacted.

37.      In that regard, I recall, at the outset, that Article 26(1) of the GDPR provides that two or more controllers may assume joint responsibility for processing and that their responsibilities may be determined by agreement between them or be determined by EU law or by the law of the Member State to which they are subject. (21) In that regard, the Court has held that the classification as ‘joint controllers’ arises from the fact that several entities have participated in the determination of the purposes and means of processing. (22) In the absence of such participation, on the other hand, joint responsibility for processing is precluded and the different actors must be considered to be independent and successive controllers. As the EDPS has stated, the exchange of the same data or set of data between two entities without jointly determined purposes or jointly determined means of processing should be considered to be a transmission of data between separate controllers. (23)

38.      Thus, the mere fact that the Agency is at the same time ‘controller’ within the meaning of Article 4(7) of the GDPR and ‘recipient’ within the meaning of Article 4(9), on the ground that it receives a communication of the personal data in the acts and documents which accompany the application for entry in the commercial register, does not exclude the possibility that it alone assumes responsibility for making those data available to the public. Making those data available to the public, like the digital transformation, where it is carried out, of the data in the acts submitted to it, and their storage, constitutes a separate processing subsequent to the transmission of the data, for the purposes of registration of the company, by the applicant. The Agency alone performs the processing of those data, in the context of the public task entrusted to it and in accordance with the procedures determined by Bulgarian law. (24)

39.      Admittedly, the Court held, in the judgment in État belge, (25) that it is sufficient that a person exerts influence over the processing of personal data, for his, her or its own purposes, and participates, as a result, in the determination of the purposes and means of that processing, in order for him, her or it to be regarded as a joint processor. (26) However, in the present case, it is apparent from the file before the Court that the purposes and means of the processing of the data in the documents to be made available to the public through the commercial register are determined solely by law. The persons who, on behalf of the company, upload to the database of that register (27) the documents and the information disclosure of which is required by law have no influence on that determination and cannot therefore be held responsible – any more than the company itself can – for the subsequent processing of the data which they communicate to the Agency, including the disclosure of those data by means of the electronic database of the register. In addition, by transmitting the acts which are subject to disclosure to the Agency and processing the data which those acts contain, those persons pursue purposes which are their own, namely fulfilling the formalities necessary for the registration of the company, which are different from the public purposes attributed to the register and pursued by the Agency when it makes such acts available to the public. (28)

40.      Furthermore, in the judgment in État belge, the Court recognised that, in connection with a chain of processing operations that are performed by different persons or entities and relate to the same personal data, national law may determine the purposes and means of all the processing operations performed successively by those different persons or entities in such a way that they are regarded jointly as controllers. (29) Thus, under the combined provisions of Article 26(1) and Article 4(7) of the GDPR, the joint responsibility of several actors in a processing chain concerning the same personal data may be established by national law provided that the various processing operations are linked by purposes and means determined by national law and that national law determines the respective responsibilities of each of the joint controllers. (30) To my mind, that is not the case of Article 13(6) and (9) of the Law on the registers, which merely defines the circumstances in which, according to Bulgarian law, consent to the publication in the commercial register of personal data not subject to disclosure has been properly given by the data subject. It is not the purpose of that provision to establish the joint responsibility of the applicant for the subsequent processing of those data, but rather to specify the basis of the lawfulness of the processing carried out by the Agency. As I have already pointed out, moreover, the private purposes pursued by the company are different from the public purposes pursued by the Agency, so that the conditions required by the judgment in État belge in order for their joint responsibility, as actors in a ‘processing chain concerning the same personal data’, to be considered to be established by Bulgarian law are not in my view satisfied.

41.      On the basis of all of the foregoing considerations, I am of the view that Article 4(7) and Article 26(1) of the GDPR must be interpreted as meaning that the authority responsible for keeping the commercial register of a Member State which, under the legislation of that State, must ensure the disclosure of the acts transmitted to it within the framework of an application to enter a company on that register, is alone responsible for making available to the public the personal data contained in those acts, even in the case of data disclosure of which is not required and which, in accordance with that legislation, ought to have been redacted from those acts before they were transmitted to that authority.

5.      The basis of the lawfulness of the processing

42.      All processing of personal data must comply with the principles relating to processing of such data set out in Article 5(1) of the GDPR and satisfy the conditions listed in Article 6 of that regulation, (31) which sets out an exhaustive and restrictive list of the cases in which such processing can be regarded as lawful. (32) In the words of the first subparagraph of Article 6(1) of the GDPR, the processing of personal data is to be lawful only if and to the extent that the data subject has given consent to the processing of his or her personal data for one or more specific purposes. In the absence of such consent, or where that consent has not been freely given in a specific, informed and unambiguous manner by a statement or by a clear affirmative action, within the meaning of Article 4(11) of the GDPR, such processing is nonetheless justified where it meets one of the requirements of necessity mentioned in points (b) to (f) of the first subparagraph of Article 6(1) of that regulation, which must be interpreted restrictively. (33)

43.      In the present case, the presumption of consent established by Article 13(9) of the Law on the registers clearly does not satisfy the conditions required by point (a) of the first subparagraph of Article 6(1) of the GDPR, read in conjunction with Article 4(11) of that regulation. (34) It must therefore be ascertained whether the processing of data such as that at issue in the main proceedings satisfies one of the other justifications set out in the first subparagraph of Article 6(1) of that regulation.

44.      It follows from the judgment in Manni that the processing of personal data by the authority responsible for keeping the register in the implementation of EU acts which coordinate the national provisions relating to the disclosure of constitutive instruments meets, in particular, the grounds of lawfulness laid down in points (c) and (e) of the first subparagraph of Article 6(1) of the GDPR, the first of which concerns compliance with a legal obligation to which the controller is subject and the second of which concerns the performance of a task carried out in the public interest or the exercise of official authority vested in the controller. It is therefore by reference to those two grounds that I shall carry out my analysis.

45.      As regards, in the first place, the ground set out in point (c) of the first subparagraph of Article 6(1) of the GDPR, it is appropriate, first of all, to examine whether the making available to the public in the commercial register of the personal data at issue in the main proceedings, which are not included in the information subject to disclosure under Directive 2017/1132 or Bulgarian law, was justified by the requirement to ensure the disclosure of the acts referred to in Article 14 of that directive and was therefore necessary in order to comply with a legal obligation arising under EU law.

46.      In accordance with Article 16(3) of that directive, Member States are to ensure that those acts are to be made accessible to the public in the register referred to in the first subparagraph of Article 16(1). The German Government, Ireland and the Polish Government maintain, in essence, that pursuant to Article 16(3) read in conjunction with Article 14, the authorities responsible for keeping the register must disclose those acts in the form in which they receive them. They are therefore required to process all the personal data which those acts contain, including the data not required under EU law or the applicable national law.

47.      I do not share that interpretation. Directive 2017/1132 provides that certain basic documents of a company are compulsorily subject to disclosure and that such disclosure is to be effected by means of the register, but it does not require the systematic processing of all personal data contained in those acts, even if processing would prove to be contrary to the provisions of the GDPR. On the contrary, as I observed above, Article 161 of that directive, as amended by Directive 2019/1151, provides that the processing of all personal data carried out in the context of that directive is to be subject to that regulation. It is therefore for the Member States to strike a fair balance between, on the one hand, the objectives of legal certainty and the protection of the interests of third parties, which, as we shall soon see, underlie the rules on the disclosure of instruments of incorporation, and, on the other, fundamental respect for personal data.

48.      It must be ascertained, next, whether the publication in the commercial register of the data at issue in the main proceedings was necessary for the purpose of compliance with a legal obligation under Bulgarian law. In that regard, I recall that Article 2(2) of the Law on the registers provides that the acts to be included in the commercial register ‘shall be made available to the public, without the information constituting personal data within the meaning of Article 4(1) of [the GDPR] with the exception of information that must be made available to the public by law’. The lawfulness of the processing of the data at issue in the main proceedings does not therefore seem to be capable of resting on a ‘legal obligation’, within the meaning of point (c) of the first subparagraph of Article 6(1) of the GDPR, to which the Agency was subject under Bulgarian law, which the presumption of consent introduced by Article 13(9) of the Law on the registers also seems to confirm. It is nonetheless for the referring court, which alone has jurisdiction to interpret national law, to rule on that point. I shall confine myself to stating here that the mere fact, on which the Agency relies, that, in the absence of a copy in which the personal data not required by law are redacted, it must publish the instrument in the form in which it was transmitted to it, is not sufficient, in my view, to characterise a ‘legal obligation’ within the meaning of point (c) of the first subparagraph of Article 6(1) of the GDPR, since such publication is precluded outright by the law and is carried out by the Agency only on the basis of presumed consent. (35) In that regard, it must be emphasised that it is for the controller to ensure that the processing of the data which it carries out is ‘lawful’ in the light of the conditions laid down in points (a) to (f) of the first subparagraph of Article 6(1) of that regulation. (36)

49.      As regards, in the second place, the ground set out in point (e) of the first subparagraph of Article 6(1) of the GDPR, to which reference is made both by the referring court and by most of the Member States which have submitted observations in these proceedings, I recall that the Court has already had occasion to rule that the activity of a public authority consisting in storing in a database data which companies are required to communicate on the basis of statutory obligations, permitting interested persons to search for those data and providing them with print-outs of the data, falls within the exercise of public powers (37) and constitutes a task carried out in the public interest within the meaning of that provision. (38) As Advocate General Bot asserted in his Opinion in the case that gave rise to the judgment in Manni, the recording and disclosure of basic company information in the commercial and companies registers is intended to create a reliable source of information and thus provide the legal certainty which is necessary to protect the interests of third parties (in particular those of creditors), fair trading, and thus the proper functioning of the market. (39) Furthermore, as the Court has emphasised, the storing in those registers of all the relevant data and their accessibility by third parties help to foster trade between Member States, also with a view to the development of the internal market. (40)

50.      In the present case, the question arises as to whether those objectives and the ground of lawfulness laid down in point (e) of the first subparagraph of Article 6(1) of the GDPR may be relied on with respect to the making available to the public, by the Agency, of the personal data at issue in the main proceedings, which are not among the data ian law subject to compulsory disclosure under EU law or Bulgarian law.

51.      In that regard, I recall that Article 6(3) of the GDPR, read in conjunction with recital 45 of that regulation makes clear, as regards in particular the example of lawfulness referred to in point (e) of the first subparagraph of Article 6(1), that the processing must be based on EU law or the law of the Member State to which the controller is subject and that that legal basis must meet an objective of public interest and be proportionate to the legitimate objective pursued. (41) Neither of those requirements – which, according to the Court, constitute an expression of the requirements arising from Article 52(1) of the Charter (42) – appears to be satisfied in the context of the present case, which concerns the processing of personal data which, although carried out on the occasion of the exercise of a task carried out in the public interest within the meaning of point (e) of the first subparagraph of Article 6(1) of the GDPR, is not regarded as a priori necessary for the performance of that task under the applicable national legislation, or for the pursuit of the purposes assigned to the commercial register, and which is authorised only on the basis of the presumed consent of the data subject.

52.      More generally, it should be emphasised that the publication of personal data which are not required by EU law or by the law of the Member State concerned does not serve any of the objectives set out in point 49 of this Opinion, (43) which alone justify the interference with the rights of the data subjects to respect for their private life and the protection of personal data guaranteed by Articles 7 and 8 of the Charter. (44) Furthermore, as the Court pointed out in the judgment in Manni, it is because, in principle, disclosure is required only for a limited number of personal data – namely those which relate to the identify and respective functions of the persons with the power to bind the company and are therefore necessary for the purpose of protecting the interests of third parties – that such interference is not regarded as disproportionate. (45)

53.      The Bulgarian Government and the Agency maintain, in essence, that the processing at issue in the main proceedings has its basis, in Bulgarian law, in the requirement to ensure the disclosure of the basic acts of companies, preserve their integrity and reliability and not impede the Agency’s exercise of the task which it performs in the public interest. On the assumption that the referring court were to reach the same conclusion, it would be further required to ensure respect for the principle of proportionality. In accordance with that principle, limitations on the fundamental right to respect for personal data must apply only in so far as is strictly necessary, (46) which is not the case when the objective pursued in the general interest may reasonably be achieved in an equally effective manner by other means less prejudicial to that right. (47) It should also be borne in mind that Article 5(1)(c) of the GDPR provides that personal data are to be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed and requires that Member States respect the principle of ‘data minimisation’, which gives expression to the principle of proportionality. (48)

54.      It seems to me that the objective of ensuring the disclosure of the basic acts of companies may be reasonably achieved by putting in place procedures which allow the personal data which are not required to be made available to the public to be redacted before publication. Those procedures may include, inter alia, the obligation for the Agency to suspend the entry of the company in order to allow the acts containing such data to be altered or to delete them, of its own motion if need be.

55.      The arguments put forward by a considerable number of Member States which submitted observations in these proceedings, according to which the establishment of such procedures might delay the processing of applications for entry on the companies register, to the detriment, in particular, of the interests of the members, or impose excessively onerous tasks on the national authorities, cannot in my view succeed. First, those procedures are necessary in order to reconcile the interests pursued by the disclosure of constitutive instruments with the fundamental right to respect for personal data, especially when, as I emphasised in point 16 of this Opinion, the personal data at issue are intended to be made available to the public without restriction in a digitised environment. Second, those procedures could rely on tools for searching and identifying data that could facilitate their task and be conceived in a way that would initially give applicants the task of redacting the personal data which are not required to be disclosed, as provided for moreover in Bulgarian law.

56.      As for the requirement to preserve the integrity and reliability of the compulsorily disclosable constitutive instruments transmitted for the purpose of being entered on the companies register – which are also referred to by the Bulgarian Government and by the Agency, and also by most of the Member States which submitted observations in these proceedings – which would require publication of those instruments in the form in which they were transmitted to the authorities responsible for keeping the register, it cannot in my view prevail over the fundamental right to the protection of personal data, if it is not to render that protection purely illusory.

57.      Indeed, I am inclined to think that that requirement can at most justify only the retention of the personal data not subject to compulsory disclosure contained in such instruments, but not the publication of those data, without limit or restriction, in the publicly accessible database. More specifically, I consider that the making available to the public of the copy of those instruments with the non-essential personal data redacted and the retention of the original on the file would allow a fair balance to be struck between that requirement and the protection of the data subjects’ data. Any access to the original of the instrument and to all the data which it contains would then be permitted only on a case-by-case basis, where justified by a legitimate interest – including the interest in verifying the authenticity of the instrument – and in compliance with the provisions of the GDPR.

58.      In that regard, contrary to the argument put forward by Ireland, among others, I am of the view that Article 16a of Directive 2017/1132, as amended by Directive 2019/1151, in so far as it provides that ‘Member States shall ensure that copies of all or any part of the documents … referred to in Article 14 … may be obtained from the register’, does not mean that the Member States are required to permit unrestricted access to those documents in their entirety. Conversely, as I have already observed, Article 161 of Directive 2017/1132, as amended by Directive 2019/1151, requires Member States to put in place procedures that ensure that, in the exercise of the task of public interest entrusted to them, the authorities responsible for keeping the companies register comply with all the provisions of the GDPR.

59.      On the basis of all of the foregoing considerations, I am of the view that the processing of the data at issue in the main proceedings cannot be considered to be based on the consent of the respondent in the main proceedings, within the meaning of point (a) of the first subparagraph of Article 6(1) of the GDPR, read in conjunction with Article 4(11) of that regulation. Subject to the verifications to be carried out by the referring court, that processing also does not appear to satisfy either the conditions of lawfulness laid down in point (c) of the first subparagraph of Article 6(1) of the GDPR or those laid down in point (e) of that article, read in conjunction with Article 6(3) of that regulation. In the interest of completeness, I shall add that that processing also cannot come within the scope of point (f) of the first subparagraph of Article 6(1) of the GDPR, concerning the processing of personal data necessary for the purposes of the legitimate interests pursued by the controller. As the Court has held, it is clear from the wording of the second subparagraph of Article 6(1) of the GDPR that the processing of personal data by a public authority in the performance of its tasks cannot come within the scope of point (f) of the first subparagraph of Article 6(1) of the GDPR, so that the application of that provision and of point (e) of the first subparagraph of Article 6(1) of that regulation are mutually exclusive. (49) In the present case, the processing of personal data at issue in the main proceedings is carried out by the Agency in the exercise of the task of public interest entrusted to it, which precludes outright the application of point (f) of the first subparagraph of Article 6(1) of the GDPR, irrespective of whether it satisfies the conditions laid down in Article 6(3) of the GDPR.

60.      It cannot therefore be precluded that the referring court will be led to conclude that the data processing at issue in the main proceedings is unlawful, as it fails to satisfy one of the justifications laid down in Article 6(1) of the GDPR.

6.      Right to erasure

61.      Article 17 of the GDPR establishes a right for the data subject to obtain the erasure of personal data concerning him or her where one of the grounds listed in paragraph 1 of that article applies and, correlatively, imposes an obligation on the controller to erase such data without undue delay.

62.      Article 17(3) of the GDPR states, however, that paragraph 1 of that article is not to apply to the extent that processing is necessary on one of the grounds set out in Article 17(3). Those grounds include, in Article 17(3)(b) of that regulation, compliance with a legal obligation which requires processing by EU or Member State law to which the controller is subject or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

63.      In so far as those exceptions to the right to erasure reflect the grounds justifying processing set out in points (c) and (e) of the first subparagraph of Article 6(1) of the GDPR, I refer, so far as the ability to rely on them in circumstances such as those of the main proceedings is concerned, to the analysis carried out in points 45 to 58 of this Opinion. (50)

64.      Thus, if the referring court were to consider that the making available to the public in the commercial register of the personal data at issue in the main proceedings does not come, in Bulgarian law, within the scope of point (c) or point (e) of the first subparagraph of Article 6(1) of the GDPR, read in conjunction with Article 6(3) of that regulation, and therefore of Article 17(3)(b) of the GDPR, the respondent in the main proceedings would have a right to erasure, consisting in such a making available to the public being brought to an end, and the Agency, as controller, would be required to give effect to that right. Article 17(1)(d) of the GDPR lays down an absolute right for the data subject to have his or her personal data erased where those data have been unlawfully processed. (51)

65.      If, on the other hand, the referring court were to conclude that the processing of the data at issue in the main proceedings was consistent with point (c) or point (e) of the first subparagraph of Article 6(1) of the GDPR, Article 17(3)(b) of that regulation would be prima facie applicable. However, two points must be clarified.

66.      First, in the event that the referring court should reach the conclusion that the making available to the public of the personal data at issue in the main proceedings was necessary for the performance of the task carried out in the public interest entrusted to the Agency in order not to delay the entry of the company in the commercial register, that sole reason could not in my view be relied on to justify keeping those data in the register once the company has been entered and, therefore, in order to preclude, on the basis of Article 17(3)(b) of the GDPR, the right to erasure enjoyed by the respondent in the main proceedings. That right would then be guaranteed by Article 17(1)(c) of that regulation, which applies where the data subject objects, on the basis of Article 21(1) of that regulation, on grounds relating to his or her particular situation, to processing of his or her personal data based, inter alia, on point (e) of the first subparagraph of Article 6(1) of that regulation and where there are no ‘overriding legitimate grounds for the processing’, which it is for the controller to demonstrate. (52) For the same reasons as those set out in point 56 of this Opinion, I consider that the requirement to maintain the integrity and reliability of the acts on which the entry of the company in the register is based cannot constitute such an overriding legitimate ground. As I have observed, that requirement may be satisfied by the use of other means less prejudicial to the fundamental right to respect for personal data.

67.      Second, it follows from the judgment in Manni that a limitation of access only to third parties who can demonstrate a specific interest may, on a case-by-case basis, be justified, on compelling legitimate grounds relating to the particular situation of the data subjects, even in the case of personal data which under Directive 2017/1132 are subject to compulsory disclosure and therefore even in the event that the making available to the public arises under a legal obligation within the meaning of point (c) of the first subparagraph of Article 6(1) of the GDPR. Such a limitation should for even more compelling reasons be recognised in the case of personal data which are not subject to disclosure either under EU law or under national law. In such a situation, moreover, the condition to which the Court, in the judgment in Manni, subjected the limitation on access to information concerning the identity of the liquidator of the company, namely that a sufficiently long period has elapsed from the dissolution of the company, would not be applicable in that instance and the limitation of access to such data should therefore be applied without undue delay.

7.      The subordination of the exercise of the right to erasure to specific procedural rules

68.      It is apparent from the order for reference that the Agency made OL’s request for erasure of the personal data concerning her, the disclosure of which is not required by Bulgarian law, conditional on compliance with specific procedural rules, requiring the submission of a copy of the instrument containing those data in which the data had been redacted. As such a copy was not submitted, that request was rejected or deferred sine die. According to the explanations provided by the Agency, compliance with those procedural rules was necessary because the Agency does not have the power to amend the instrument in question, as its amendment falls within the sole power of the bodies of the company.

69.      I recall that, in accordance with Article 23(1) of the GDPR, EU law or Member State law ‘may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 …, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard’ one of the objectives set out in that provision. In that they result in a restriction on the exercise of the right to erasure, and also on the exercise of the right to object provided for in Article 21 of the GDPR, or indeed in the exclusion of those rights, in the event that the data subject does not succeed in obtaining from the company the necessary amendments of the instrument in question, the procedural rules applied by the Agency are liable to fall within Article 23(1) of the GDPR. (53) It must therefore be ascertained whether the conditions provided for in that provision are satisfied in the present case, even though the referring court does not expressly ask the Court to rule on that point.

70.      In that regard, I observe, first of all, that those procedural rules seem to be a matter of a simple internal practice of the Agency. (54) Therefore, subject to the verifications which it is for the referring court to carry out, they do not for that reason alone appear to be consistent with Article 23(1) of the GDPR, which provides that restrictions to the rights set out in that provision must form the subject matter of a ‘legislative measure’.

71.      Those procedural rules next prompt questions about respect for the principle of proportionality.

72.      While the requirement to ensure the reliability and the authenticity of the acts entered in the commercial register and, more broadly, transparency and legal certainty in the performance of the task entrusted to the Agency seem to me to be capable of meeting an ‘important objective of general public interest of the Union or of a Member State’, within the meaning of Article 23(1)(e) of the GDPR, it does not in my view justify the restriction, indeed the exclusion, of the right to erasure or of the right to object in circumstances such as those of the main proceedings, as other means less prejudicial to the fundamental right to respect for personal data could be employed.

73.      In that context, the Commission, while considering it justified to expect the company to amend the instrument by redacting the data erasure of which is requested, proposes that the Agency should itself redact those data after a reasonable time has elapsed, if it transpires that the data subject does not succeed in having the company make such an amendment.

74.      I am not persuaded that such a solution would ensure a fair balance between the various rights and interests involved, in that it has the consequence that data which were not intended to be disclosed would be kept available to the public, in a digitised environment, for an indefinite period. To my mind, such a balance might, on the other hand, be ensured if the Agency were itself empowered to redact the data at issue in the copy of the instrument made available to the public within a reasonable time after receiving the request for erasure, while keeping the original of that instrument on the file and requiring the company to submit an amendment of that act, in which those data would be redacted, with that amendment also being published in the register.

75.      Admittedly, Article 16(4) of Directive 2017/1132 provides, in its first and second subparagraphs, that Member States are to take the necessary measures to avoid any discrepancy between what is in the register and on the file and between what is disclosed in the register and what is published in the national gazette. However, the requirement to maintain consistency between the different parts of the register and with the national gazette, and the objective of legal certainly which such a requirement underlies, cannot to my mind justify keeping available to the public, without restrictions and without time limits, in the acts disclosed in the register, the personal data disclosure of which is not compulsory, when the data subject requests their erasure. First, the amendments of those acts which prove necessary for the purpose of redacting those data would be identifiable and traceable and would be made in a transparent manner. Second, those amendments would concern aspects of such acts disclosure of which is not necessary for the performance of the task carried out in the public interest entrusted to the register. Third, the integrity and authenticity of those acts might be preserved by keeping on the file the originals, to which third parties demonstrating a legitimate interest would have controlled access.

76.      On the basis of all of the foregoing, I am of the view that procedural rules such as those applied by the Agency in the present case are not consistent with Article 23(1) of the GDPR.

V.      Conclusion

77.      In the light of all of the foregoing considerations, I suggest that the Court answer the fourth and fifth questions for a preliminary ruling submitted by the Varhoven administrativen sad (Supreme Administrative Court, Bulgaria) as follows:

(1)      Article 4(7) and Article 26(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that the authority responsible for keeping the commercial register of a Member State which, under the legislation of that State, must ensure the disclosure of the acts transmitted to it, within the framework of an application to enter a company on that register, is alone responsible for making available to the public the personal data contained in those acts, even in the case of data disclosure of which is not required and which, in accordance with that legislation, ought to have been redacted from those acts before they were transmitted to that authority.

(2)      Regulation 2016/679, in particular Articles 17 and 23(1) thereof,

must be interpreted as precluding national legislation or a national practice which makes the right of a natural person to obtain, from the authority responsible for keeping the commercial register of a Member State, the erasure of the personal data concerning him or her contained in acts made available to the public in that register, conditional on procedural rules requiring the submission of a copy of the instrument in question in which those data have been redacted. In its capacity as controller, that authority cannot be exempted from its obligation to grant such a request for erasure without undue delay on the sole ground that it has not received communication of such a copy.

(3)      Directive (EU) 2017/1132 of the European Parliament and of the Council of 14 June 2017 relating to certain aspects of company law, as amended by Directive (EU) 2019/1151 of the European Parliament and of the Council of 20 June 2019, in particular Article 16(2) and (4) thereof, read in the light of recital 8 of that directive,

cannot be interpreted as meaning that it permits the adoption of such procedural rules. That directive does not preclude the authority responsible for keeping the commercial register of a Member State from granting a request to erase personal data not required by the legislation of that Member State, contained in an instrument made available to the public in that register, by itself redacting those data from that instrument and keeping an unredacted version of the instrument on the file referred to in Article 16(1) of that directive.


1      Original language: French.


2      More precisely, the request for a preliminary ruling concerns the provisions of Directive 2009/101/EC of the European Parliament and of the Council of 16 September 2009 on coordination of safeguards which, for the protection of the interests of members and third parties, are required by Member States of companies within the meaning of the second paragraph of Article 48 of the Treaty, with a view to making such safeguards equivalent (OJ 2009 L 258, p. 11). However, as we shall see below, it is Directive (EU) 2017/1132 of the European Parliament and of the Council du 14 June 2017, relating to certain aspects of company law (OJ 2017 L 169, p. 46) that applies ratione temporis to the facts of the main proceedings.


3      Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1); ‘the GDPR’.


4      DV No 34 of 25 April 2006.


5 DV No 48 of 18 June 1991.


6      Opinion No 01-116(20)/01.02.2021.


7      Directive of the European Parliament and of the Council of 20 June 2019 amending Directive 2017/1132 (OJ 2019 L 186, p. 80).


8      See Article 2(1) of Directive 2019/1151. As regards the amendments made in Article 1(6) of that directive, with respect to Article 16(6) of Directive 2017/1132, the final date for transposition was 1 August 2023.


9      See to that effect my Opinion in État belge (Data processed by an official journal) (C‑231/22, EU:C:2023:468, point 80).


10      I note that the Commission adopted, on 29 March 2023, a Proposal for a Directive of the European Parliament and of the Council amending Directives 2009/102/EC and (EU) 2017/1132 as regards further expanding and upgrading the use of digital tools and processes in company law (COM/2023/177 final).


11      See system of interconnection of professional registers, put in place since 8 June 2017 by Directive 2012/17/EU of the European Parliament and of the Council of 13 June 2012 amending Council Directive 89/666/EEC and Directives 2005/56/EC and 2009/101/EC of the European Parliament and of the Council as regards the interconnection of central, commercial and companies registers (OJ 2012 L 156, p. 1), and now governed by Directive 2017/1132. That system connects national professional registers to a European central platform and provides a single access point through the e-Justice portal, through which citizens, undertakings and public administrations may seek information about companies and their branches opened in other Member States.


12      In its Opinion on the proposal amending Directive 2017/1132, the European Data Protection Supervisor (EDPS) drew attention to the need to ‘raise awareness as to risks resulting from the accessibility of personal data that would be made widely available on the internet in digital form in multiple languages via an easily accessible European platform/access point’ (Opinion of 26 July 2018, available at: https://edps.europa.eu/data-protection/our-work/publications/opinions/digital-tools-and-processed-company-law_en).


13      The OOD is referred to in Annex II to Directive 2017/1132 and by Annex IIa of that directive, as amended by Directive 2019/1151.


14      In that case, the subject matter of the entries in the register is to be placed on the file, see Article 16(2) of Directive 2017/1132.


15      See Article 16(5) of Directive 2017/1132, pursuant to which the disclosure of a partial text of the acts referred to in Article 14 of that directive may be made only in the national gazette of the Member State concerned.


16      See, as regards the First Council Directive 68/151/EEC of 9 March 1968, on co-ordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community (OJ 1968 L 65, p.8), judgment of 9 March 2017, Manni (C‑398/15, ‘the judgment in Manni’, EU:C:2017:197, paragraph 34).


17      Judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras (C‑683/21, EU:C:2023:949, paragraphs 28 and 29).


18      See, to that effect judgment of 5 October 2023, Ministerstvo zdravotnictví (COVID-19 mobile application) (C‑659/22, EU:C:2023:745, paragraph 28).


19      C‑231/22, ‘the judgment in État belge’, EU:C:2024:7, paragraph 35. See also my Opinion in the case that gave rise to that judgment (C‑231/22, EU:C:2023:468, points 34 to 75).


20      See to that effect judgment in État belge, paragraph 38.


21      See to that effect judgment in État belge, paragraphs 46 and 47.


22      See to that effect judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras (C‑683/21, EU:C:2023:949, paragraphs 44 and 45).


23      See to that effect ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, Version 2.0 adopted on 07 July 2021, available at the internet address https://edpb.europa.eu/system/files/2022-02/eppb_guidelines_202007_controllerprocessor_final_en.pdf, paragraphs 70 and 72. See also my Opinion in État belge (Data processed by an official journal) (C‑231/22, EU:C:2023:468, point 48 and footnote 55).


24      See, to that effect, judgment in État belge, paragraph 42.


25      See judgment in État belge, paragraph 48.


26      I recall, however, that the case that gave rise to the judgment in État belge concerned the publication of documents in the official journal of a Member State, constituting the final step of the processing which involved different public authorities. The factual situation at the origin of that judgment was therefore different from that at issue in the present case.


27      In its observations, the Agency explains that, in the event of an online application, the applicant uploads to the system of the commercial register electronic images of the signed hard copies of the documents necessary for the entry.


28      Those purposes are referred to in point 49 of this Opinion.


29      See judgment in État belge, paragraph 45.


30      See judgment in État belge, paragraphs 49 and 50.


31      See judgment of 21 December 2023, Krankenversicherung Nordrhein (C‑667/21, EU:C:2023:1022, paragraph 76 and the case-law cited).


32      See judgment of 7 December 2023, SCHUFA Holding (Discharge from remaining debts) (C‑26/22 and C‑64/22, EU:C:2023:958, paragraphs 72 and 73 and the case-law cited).


33      See judgment of 4 July 2023, Meta Platforms and Others (General terms of use of a social network) (C‑252/21, EU:C:2023:537, paragraphs 91 to 93).


34      I recall that the referring court asks about such compatibility in the context of the third question.


35      As the ‘Article 29’ Working Party makes clear in its Opinion 06/2014, the scope of point (c) of the first subparagraph of Article 6(1) of the GDPR is ‘strictly delimited’. In order for that provision to be applicable, the legal obligation must be sufficiently clear and consistent with the law applicable to data protection matters. That does not in my view appear to be the case of a law which, on the one hand, precludes the data processing at issue and, on the other, authorises, indeed requires, such processing, on the basis of presumed consent.


36      See judgment of 4 May 2023, Bundesrepublik Deutschland (Court electronic mailbox) (C‑60/22, EU:C:2023:373, paragraphs 54 and 55).


37      See judgment of 12 July 2012, Compass-Datenbank (C‑138/11, EU:C:2012:449, paragraphs 40 and 41), and judgment in Manni, paragraph 43.


38      See judgment in Manni, paragraph 43.


39      C‑398/15, EU:C:2016:652, point 54.


40      See to that effect judgment of 12 November 1974, Haaga (32/74, EU:C:1974:116, paragraph 6) and judgment in Manni, paragraph 50.


41      See to that effect judgment of 2 March 2023, Norra Stockholm Bygg (C‑268/21, EU:C:2023:145, paragraph 31).


42      See, to that effect, judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija (C‑184/20, EU:C:2022:601, paragraph 69).


43      In particular, the residence of the representative of the company or of its shareholders is not an aspect of its identity and knowing that address, as Advocate General Szpunar observes in his Opinion in All in One Star (C‑469/19, EU:C:2020:822, point 51), is not relevant to protecting third parties.


44      See judgment in Manni, paragraph 57.


45      See judgment in Manni, paragraph 58.


46      See judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija (C‑184/20, EU:C:2022:601, paragraph 70).


47      See, to that effect judgment of 22 November 2022, Luxembourg Business registers (C‑37/20 and C‑601/20, EU:C:2022:912, paragraph 66).


48      See, by analogy, judgment of 30 January 2024, Direktor na Glavna direktsia ‘Natsionalna politsia’ pri MVR – Sofia (C‑118/22, EU:C:2024:97, paragraph 41).


49      See judgment of 8 December 2022, Inspektor v Inspektorata kam Visshia sadeben savet (Purposes of the processing of personal data – Criminal investigation) (C‑180/21, EU:C:2022:967, paragraph 85).


50      Although, in an obiter dictum in paragraph 51 of the judgment in État belge, the Court referred to the possibility that the exceptions referred to in Article 17(3)(b) and (d) of the GDPR apply to the request for the erasure of personal data published in the official gazette of the Member State concerned, it did not rule on that question, which had not been raised by the referring court in the case that gave rise to that judgment.


51      See, to that effect, judgment of 7 December 2023, SCHUFA Holding (Discharge from remaining debts) (C‑26/22 and C‑64/22, EU:C:2023:958, paragraph 108); see also the Opinion of Advocate General Pikamäe in that case (C‑26/22 and C‑64/22, EU:C:2023:222, point 91).


52      See, to that effect, judgment of 7 December 2023, SCHUFA Holding (Discharge from remaining debts) (C‑26/22 and C‑64/22, EU:C:2023:958, paragraphs 111 and 112).


53      See, to that effect, judgment of 26 October 2023, FT (Copies of medical records) (C‑307/22, EU:C:2023:811, paragraphs 53 to 69). See also Opinion of Advocate General Emiliou in that case (C‑307/22, EU:C:2023:315, point 37).


54      Although that procedure reflects the procedure laid down in Article 13(6) of the Law on the registers, the latter provision does not appear to govern data subjects’ right to erasure or their right to object.

Top