EUR-Lex Access to European Union law
This document is an excerpt from the EUR-Lex website
Document 52018XX0913(01)
Summary of the Opinion of the European Data Protection Supervisoron the proposal amending Directive 2017/1132/EC as regards the use of digital tools and processes in company law
Summary of the Opinion of the European Data Protection Supervisoron the proposal amending Directive 2017/1132/EC as regards the use of digital tools and processes in company law
Summary of the Opinion of the European Data Protection Supervisoron the proposal amending Directive 2017/1132/EC as regards the use of digital tools and processes in company law
OJ C 324, 13.9.2018, p. 13–16
(BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)
|
13.9.2018 |
EN |
Official Journal of the European Union |
C 324/13 |
Summary of the Opinion of the European Data Protection Supervisoron the proposal amending Directive 2017/1132/EC as regards the use of digital tools and processes in company law
(The full text of this Opinion can be found in EN, FR and DE on the EDPS website www.edps.europa.eu)
(2018/C 324/06)
The Opinion is issued in response to a consultation by the European Commission, as well as upon a specific request of the European Parliament.
The Proposal for a Directive amending Directive (EU) 2017/1132/EC as regards the use of digital tools and processes in company law aims at complementing the current EU framework by addressing the lack of rules for online company registration, filing and publication of the registered information on companies and branches in electronic form or the divergence of such rules in the Member States. Moreover, it aims at ensuring that Member States enable companies to benefit from the use of electronic identification and at providing for an additional exchange of data between the national business registers concerning the disqualification of directors. It also ensures a free of charge access of a list of documents and information in all Member States and introduces the once-only principle in the area of company law so that companies should not have to provide the same information twice to different authorities. Finally, it introduces the possibility for the Commission to establish an optional access point for EU institutions to the platform.
The EDPS welcomes the Proposal and shares the Commission’s views that the use of digital tools may provide for more equal opportunities for companies while recalling the need to take into account the fact that increased access to personal data must be accompanied with effective measures to prevent unlawful or unfair processing of these data. That is why the Opinion focuses on specific recommendations with two objectives: to guarantee legal certainty and to raise awareness as to risks resulting from the accessibility of personal data that would be made widely available on the internet in digital form in multiple languages via an easily accessible European platform/access point.
The EDPS recommends to take the opportunity of the revision of the Business Registers Interconnection System provisions to carefully consider the recommendations provided in his Opinion on the Proposal for a Directive of the European Parliament and of the Council amending Directives 89/666/EEC, 2005/56/EC and 2009/101/EC as regards the interconnection of central, commercial and companies registers. Moreover he recommends to take into account the specific recommendations which were given in the Opinion on the proposal for a Regulation establishing a Single Digital Gateway and the ‘once-only’ principle, in order to ensure legal certainty in the personal data processing.
The EDPS further suggests adding a reference to the new Regulation that will soon replace Regulation (EC) No 45/2001 of the European Parliament and of the Council (1). He also recommends to make sure that the Proposal specifies the framework for data-flows and administrative cooperation procedures using the electronic network, in order to ensure that data is processed through a solid legal basis and that adequate data protection safeguards are provided for, in particular in relation to the personal data concerning the disqualification of directors.
Finally, the EDPS recommends to add a reference to the Commission Decision 204/333/EU (2), which states the tasks and responsibilities of the Commission in the data processing in the context of the E-justice portal. Moreover he calls for a clarification of the respective division of tasks and responsibilities of each party involved in the data processing in the context of controllership and joint controllership.
1. INTRODUCTION AND BACKGROUND
|
1. |
On 25 April 2018, the European Commission (‘Commission’) adopted the proposal for a Directive of the European Parliament (‘Parliament’) and of the Council amending Directive (EU) 2017/1132 as regards the use of digital tools and processes in company law (3) (‘Proposal’), together with the proposal for a Directive of the European Parliament and of the Council amending Directive (EU) 2017/1132 as regards cross-border conversions, mergers and divisions (4). As the latter provides for harmonised rules in the area of cross-border conversions, mergers and divisions of companies, the Opinion focuses on the Proposal. |
|
2. |
This Opinion is in response to a consultation by the Commission and a separate request from the Parliament to the European Data Protection Supervisor (‘EDPS’), as an independent supervisory authority, to provide an Opinion on the Proposal. The EDPS is grateful to have been consulted as required by Article 28(2) of Regulation (EC) No 45/2001 and that a reference to the Opinion is included in the preamble of the Proposal. |
1.1. Objectives of the Proposal
|
3. |
The Proposal is based on Article 50(1) and points (b), (c), (f) and (g) of Article 50(2) of the Treaty on the Functioning of the European Union. It aims at:
|
1.2. Context of the proposal
|
4. |
Directive (EU) 2017/1132, which is to be amended by the Proposal, has codified several Directives in the field of company law (8), including Directive 2012/17/EU of the European Parliament and of the Council (9). Directive 2012/17/EU has established the Business Registers Interconnection System (‘BRIS’), which has been further detailed under the Commission Implementing Regulation (EU) 2015/884 (10). The BRIS has been in place since 8 June 2017. According to the Commission’s website, 31 countries participate (the EU Member States plus European Economic Area countries). The BRIS connects the national business registers to a ‘European Central Platform’ and provides for a single point of access via the European e-Justice Portal, through which citizens, businesses and public administrations can search for information on companies and their branches opened in other Member States. CEF eDelivery (one of the building blocks of the European Commission’s Connecting Europe Facility) (11) allows Member State business register systems to exchange messages securely via the CEF eDelivery. Users of BRIS can also benefit from the login system as the E-justice Portal uses CEF-eDelivery. |
|
5. |
Nonetheless, according to the impact assessment accompanying the Proposal, the EU still offers a very inconsistent landscape when it comes to the availability of online tools for companies in their contact with public authorities in the area of company law. Member States provide for e-government services at variable degrees. Currently, EU company law includes certain elements of digitalisation such as the obligation for Member States to make available online information about limited liability companies. However these requirements are limited and lack precision, leading to a very diverse implementation at national level. In addition, certain digital processes are not covered at all by EU law and today only 17 Member States provide for a procedure ensuring the fully online registration of companies. The situation is similar for the online registration of branches (12). |
1.3. Synergies with other initiatives
|
6. |
In the explanatory memorandum of the Proposal, it is noted that the provision of more specific, substantial rules on the procedures for establishing and registering limited liability companies and branches would complement the Commission’s proposal for a Regulation on the establishment of a Single Digital Gateway (13), which covers the general registration of business activity via onlines means except for the constitution of limited liability company. The introduction of the ‘once-only principle’ in the area of company law, according to which companies should not have to provide the same information twice to different authorities, is also in line with the e-Government Action Plan 2016-2020, supporting EU wide efforts to reduce the administrative burdens on citizens and businesses (14). |
3. CONCLUSION
Therefore, the EDPS recommends:
|
— |
to take the opportunity of the revision of the Directive (EU) 2017/1132 related to BRIS to carefully consider the recommendations provided in his previous Opinion of 2011; |
|
— |
to take into account the specific recommendations which were given in his previous Opinion on the proposal for a Regulation on the establishment of a Single Digital Gateway and the ‘once-only’ principle; |
|
— |
to add a reference to the new Regulation that will soon replace Regulation (EC) No 45/2001; |
|
— |
to make sure that the Proposal specifies the framework for data-flows and administrative cooperation procedures using the electronic network, in order to ensure that (i) any data exchange or other data processing activity using the electronic network (e.g. public disclosure of personal data via the common platform/access point) is made on a solid legal basis, and that (ii) adequate data protection safeguards are provided for, in particular in relation to the personal data concerning the disqualification of directors; |
|
— |
to add a reference to the Decision 2014/333/EU, which states the tasks and responsibilities of the Commission in the data processing in the context of the E-justice portal; |
|
— |
to clarify the respective division of tasks and responsibilities of each party involved in the data processing in the context of controllership and joint controllership. |
Brussels, 26 July 2018.
Giovanni BUTTARELLI
European Data Protection Supervisor
(1) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).
(2) Commission Decision 2014/333/EU of 5 June 2014 on the protection of personal data in the European e-Justice Portal (OJ L 167, 6.6.2014, p. 57).
(3) COM(2018) 239 final, 2018/0113 (COD).
(4) COM(2018) 241 final, 2018/0114 (COD).
(5) Explanatory Memorandum to the Proposal, pages 4 and 5.
(6) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73). This Regulation establishes common standards for mutual recognition of electronic identification means for the purposes of cross-border authentication for online service provided by a public sector body in a Member State. See the EDPS Opinion 2013/C 28/04 on the Commission proposal for a regulation of the European Parliament and of the Council on trust and confidence in electronic transactions in the internal market (Electronic Trust Services Regulation) https://edps.europa.eu/sites/edp/files/publication/12-09-27_electronic_trust_services_en_0.pdf and its executive summary (OJ C 28, 30.1.2013, p. 6).
(7) Directive (EU) 2017/1132 of the European Parliament and of the Council of 14 June 2017 relating to certain aspects of company law (OJ L 169, 30.6.2017, p. 46).
(8) It repeals Council Directives 82/891/EEC and 89/666/EEC and Directives 2005/56/EC, 2009/101/EC, 2011/35/EU and 2012/30/EU of the European Parliament and of the Council.
(9) Directive 2012/17/EU of the European Parliament and of the Council of 13 June 2012 amending Council Directive 89/666/EEC and Directives 2005/56/EC and 2009/101/EC of the European Parliament and of the Council as regards the interconnection of central, commercial and companies registers (OJ L 156, 16.6.2012, p. 1).
(10) Commission Implementing Regulation (EU) 2015/884 of 8 June 2015 establishing technical specifications and procedures required for the system of interconnection of registers established by Directive 2009/101/EC of the European Parliament and of the Council (OJ L 144, 10.6.2015, p 1).
(11) eDelivery prescribes technical specifications that can be used in any Policy Domain of the EU (Justice, Procurement, Consumer Protection, etc.) to enable secure and reliable exchange of documents and data (structured, non-structured and/or binary), both across borders and sectors. As a result, organisations that have developed their IT systems independently from each other can start to securely communicate with one another once they have connected to a eDelivery node. See the Commission website:
https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/2017/06/19/BRIS+Now+Live+on+the+European+e-Justice+Portal
https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/What+is+eDelivery+-+Overview
(12) Commission Staff Working Document - Impact assessment - SWD(2018) 141 final, 1.4.1 Driver: What causes the problem?, page 13 and following.
(13) Proposal for a Regulation of the European Parliament and of the Council on establishing a single digital gateway to provide information, procedures, assistance and problem solving services and amending Regulation (EU) No 1024/2012, COM(2017) 256 final, 2017/0086 (COD). See the EDPS Opinion 8/2017 issued on the Single Digital Gateway Proposal and the ‘once-only’ principle: https://edps.europa.eu/sites/edp/files/publication/17-08-01_sdg_opinion_en.pdf
(14) Explanatory Memorandum to the Proposal, page 6.